The increasingly digital networking of medical infrastructure leads to complex systems with many different interfaces that are potentially vulnerable to attack. According to the IVDR, manufacturers must prove cybersecurity before placing devices on the market. The transition periods for already certified products will expire on a staggered basis from 26 May 2025. However, due to the limited number of Notified Bodies, there may be bottlenecks in the conformity assessment procedures. TÜV SÜD is providing support with comprehensive inspection and testing services and making new white papers available.
“The issue affects all devices that can be connected to a network. In hospital laboratories and wards, there are numerous IVD medical devices that are networked with medical devices and information systems,” says Dr Alexander Stock, Project Manager IVD Medical Device Testing at TÜV SÜD. “Unauthorised access, in addition to the loss of confidential data, can primarily endanger patient safety and even public health.” The manipulation of test data can lead to an incorrect diagnosis and thus to an incorrect therapy, but also to incorrect conclusions, for example, in the assessment of the incidence of infection in a pandemic. In addition to the financial risks, manufacturers and operators of unsafe devices must also reckon with damage to their image.
Race for patient safety
Cybersecurity risks should be considered early and continuously throughout the product life cycle, from development through manufacturing, installation and maintenance. This is because new vulnerabilities that can affect IVD devices are found and published daily, for example in modules or libraries of programming languages and in operating systems. As a result, manufacturers must conduct continuous risk analyses, provide updates for their devices on an ongoing basis, keep them up to date and react at short notice if necessary.
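As an added illustration of what such a continuous check of shipped third-party components looks like in practice (example code written for this page, not TÜV SÜD's tooling or any manufacturer's process): the script below matches a device's software bill of materials against an advisory feed and reports which components fall inside an affected version range, distinguishing the case where a fix exists from the case where only a compensating control can be documented. The component names, versions and advisory identifiers are all constructed for the example.

```python
"""Match a device software bill of materials (SBOM) against published
advisories to find shipped third-party components that need a new risk
assessment or an update.

Added example, not TÜV SÜD's tooling. The component names, versions and
advisory identifiers below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Convert '2.4.10' to (2, 4, 10) so versions compare numerically.

    A plain string comparison would rank '2.4.10' below '2.4.9' and could
    wrongly mark a patched component as vulnerable (or vice versa).
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed placeholder id, not a real advisory
    component: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    severity: str


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    if advisory.fixed is not None and v >= parse_version(advisory.fixed):
        return False
    return True


def find_affected(sbom: list, advisories: list) -> list:
    """Return one finding per (component, advisory) match, together with the
    action the manufacturer's risk process has to take next."""
    findings = []
    for component in sbom:
        for adv in advisories:
            if adv.component != component["name"]:
                continue
            if not is_affected(component["version"], adv):
                continue
            if adv.fixed is not None:
                action = f"update {adv.component} to {adv.fixed} or later"
            else:
                # No patch yet: the risk analysis must document a compensating
                # control, and the component is re-checked on the next run.
                action = "no fix available: document compensating control, re-check"
            findings.append({
                "component": component["name"],
                "version": component["version"],
                "advisory_id": adv.advisory_id,
                "severity": adv.severity,
                "fixed": adv.fixed,
                "action": action,
            })
    return findings


# Constructed SBOM of a hypothetical networked IVD analyser's firmware.
DEVICE_SBOM = [
    {"name": "tlslib", "version": "1.2.7"},
    {"name": "jsonparse", "version": "3.0.1"},
    {"name": "dbdriver", "version": "2.4.10"},
    {"name": "logutil", "version": "0.9.0"},
]

# Constructed advisory feed (ids are placeholders, not real CVE numbers).
ADVISORIES = [
    Advisory("ADV-0001", "tlslib", "1.2.0", "1.2.9", "high"),
    Advisory("ADV-0002", "jsonparse", "3.0.0", None, "medium"),
    Advisory("ADV-0003", "dbdriver", "2.4.0", "2.4.9", "critical"),
]


if __name__ == "__main__":
    for finding in find_affected(DEVICE_SBOM, ADVISORIES):
        print(f"{finding['severity'].upper():8} {finding['component']} "
              f"{finding['version']} ({finding['advisory_id']}): {finding['action']}")
```

Run against the constructed data, the check flags `tlslib` (a fixed version exists, so the action is an update) and `jsonparse` (no fix published, so the risk file needs a compensating control), while `dbdriver` 2.4.10 is correctly left alone because the comparison is numeric rather than lexical. In a real pipeline the SBOM would be generated from the firmware build and the advisory list pulled from a feed on every scheduled run, which is what turns a one-off assessment into the continuous risk analysis the text calls for.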
IVD devices require the same cybersecurity consideration as networked medical devices. This includes threat modelling or threat analysis, procedures within cybersecurity risk management, with the aim of identifying threats at an early stage and deriving measures from them. The mandatory regulatory basis is the IVDR, whose Annex I contains the basic cybersecurity requirements. Further assistance is provided by the so-called MDCG Guidelines of the EU's Medical Device Coordination Group, the position paper of the Notified Bodies, as well as ISO 14971 for the risk management of medical devices and IEC 81001-5-1 for security-related activities in the software life cycle.
TÜV SÜD has also prepared three white papers for the benefit of manufacturers and operators: one on the cybersecurity of medical devices according to IEC 81001-5-1, a health software standard, and one on the IEC TR 60601-4-5 product standard for medical electrical devices, as well as a very recent one directly on the cybersecurity of IVD devices and products.
Five-step approach for best possible safety
TÜV SÜD has accredited testing laboratories and offers comprehensive testing services for IVD devices and products as well as product-specific cybersecurity tests. Depending on the stage of the product in its life cycle, this comprises five stages:
1. training on standards and regulatory requirements
2. early bird assessment
3. fuzzing
4. vulnerability scanning
5. penetration testing (simulated cyber attack)
TÜV SÜD also operates the only accredited testing and validation laboratory for IEC TR 60601-4-5. The experts are familiar with the different country-specific regulatory requirements. They support manufacturers in placing their devices and products on the market safely and time-efficiently and also know about the requirements for legally compliant documentation.
IVD devices and products that were already lawfully placed on the market before the IVDR came into force may currently continue to be placed on the market for a limited period under certain conditions (IVDR, Article 110). However, depending on the risk class of the product, the transitional periods will soon expire: for risk class D it is 26 May 2025, for class C it is 26 May 2026, for class B and for class A devices placed on the market in a sterile condition it is 26 May 2027.
Dr Alexander Stock: “Already today, a high demand for conformity assessments and thus bottlenecks at the (few) Notified Bodies are becoming apparent. We therefore strongly recommend that manufacturers look for a Notified Body already today. They should lose no time in raising their technical documentation from the level of the predecessor directive to the level of the IVDR valid today.”
Further information (in German):
- Whitepaper: IVD Testing
- Whitepaper: Cybersecurity for medical devices according to IEC 81001
- Whitepaper: Understanding the IEC TR 60601-4-5: Medical Electrical Equipment
- EU Regulation on In Vitro Diagnostic Medical Devices (IVDR)