The increasingly widespread digital connectivity of medical infrastructure is giving rise to complex systems with hosts of different interfaces that are potentially vulnerable to attacks. The IVDR requests manufacturers to furnish proof of cyber security before they place their products on the market. The transitional periods for already certified IVD medical devices will expire in stages from 26 May 2025 onwards. However, bottlenecks in conformity assessment procedures may lie ahead owing to the limited number of Notified Bodies to perform them. TÜV SÜD offers support in the form of comprehensive testing services and provides new white papers.
“Cyber security concerns all equipment that can be connected to a network. Hospital laboratories and hospital wards have numerous IVD medical devices that are connected with medical devices and information systems”, says Dr Alexander Stock, Project Manager IVD Medical Device Testing at TÜV SÜD, and warns, “Unauthorised access can result in loss of confidential data and may jeopardise patient safety – or even public health.” The manipulation of test data may lead to misdiagnoses and thus to incorrect or unsuitable therapies, but also to wrong conclusions in cases such as assessment of the infection incidence in a pandemic. Manufacturers and operators of non-secure IVD medical devices need to expect both financial risks and reputation damage.
The race for patient safety is on
Cyber security risks should be considered from an early stage, and then continuously throughout the product life cycle – from design and development to production, installation, and servicing and maintenance. The reason for this requirement is that new vulnerabilities that may leave IVD instruments open to cyber-attacks are identified and published on a daily basis. These vulnerabilities stem from sources such as modules or libraries of programming languages and operating systems. Manufacturers consequently need to engage in continuous risk analyses, permanently offer updates for their instruments, keep their instruments in line with the state of the art and take quick action if necessary.
IVD instruments require the same cyber-security assessment as connected medical devices do, including threat modelling and threat analyses. The methods from cyber-risk management are aimed at identifying threats at an early stage and deriving measures therefrom. The mandatory regulatory basis is the IVDR, which sets forth the essential cyber-security requirements in its Annex I. Further guidance is provided by the “MDCG guidelines” published by the EU’s Medical Device Coordination Group, the position paper of the Notified Bodies, and the standards ISO 14971, governing risk management of medical devices, and IEC 81001-5-1, for safety-related activities throughout the software lifecycle.
On top of this, TÜV SÜD has developed three white papers benefiting both manufacturers and operators: one on the topic of cyber-security of medical devices in accordance with IEC 81001-5-1, a health-software standard; one addressing the product standard IEC TR 60601-4-5 for medical electrical equipment; and a highly topical one that directly addresses the cyber security of IVD instruments and medical devices.
Five-step approach to maximum safety
TÜV SÜD has accredited testing laboratories and offers comprehensive testing services for IVD instruments and devices, as well as product-specific cyber security tests. Depending on the IVD device’s stage in the product lifecycle, testing can comprise up to five steps:
1 Training on standards and regulatory requirements
2 Early-bird assessment
3 Fuzzing
4 Vulnerability scanning
5 Penetration test
Furthermore, TÜV SÜD operates the only accredited laboratory for testing and validation in accordance with IEC TR 60601-4-5. The experts are familiar with the various country-specific regulatory requirements. They support manufacturers in placing their IVD instruments and IVD medical devices on the market in a time-efficient manner, and know the details of the requirements regarding compliance of documentation.
IVD instruments and IVD medical devices that were already lawfully placed on the market before the entry into force of the IVDR may currently continue to be placed on the market temporarily under certain conditions (IVDR, Article 110). However, depending on the risk classes of the respective IVD, the transition periods may end in the near future. The transition period ends on 26 May 2025 for risk class D, on 26 May 2026 for class C, and on 26 May 2027 for class B as well as for class A IVD medical devices that need to be placed on the market in sterile condition. Dr Alexander Stock warns, “It is already becoming apparent that there will be a high demand for conformity assessments, which will result in bottlenecks at the (few) Notified Bodies. Given this, we urgently recommend manufacturers start looking for a Notified Body today. They should lose no time in raising their Technical Documentation from the predecessor directive to the level of the IVDR applicable today.”
Further information:
“Cyber security concerns all equipment that can be connected to a network. Hospital laboratories and hospital wards have numerous IVD medical devices that are connected with medical devices and information systems”, says Dr Alexander Stock, Project Manager IVD Medical Device Testing at TÜV SÜD, and warns, “Unauthorised access can result in loss of confidential data and may jeopardise patient safety – or even public health.” The manipulation of test data may lead to misdiagnoses and thus to incorrect or unsuitable therapies, but also to wrong conclusions in cases such as assessment of the infection incidence in a pandemic. Manufacturers and operators of non-secure IVD medical devices need to expect both financial risks and reputation damage.
The race for patient safety is on
Cyber security risks should be considered from an early stage, and then continuously throughout the product life cycle – from design and development to production, installation, and servicing and maintenance. The reason for this requirement is that new vulnerabilities that may leave IVD instruments open to cyber-attacks are identified and published on a daily basis. These vulnerabilities stem from sources such as modules or libraries of programming languages and operating systems. Manufacturers consequently need to engage in continuous risk analyses, permanently offer updates for their instruments, keep their instruments in line with the state of the art and take quick action if necessary.
IVD instruments require the same cyber-security assessment as connected medical devices do, including threat modelling and threat analyses. The methods from cyber-risk management are aimed at identifying threats at an early stage and deriving measures therefrom. The mandatory regulatory basis is the IVDR, which sets forth the essential cyber-security requirements in its Annex I. Further guidance is provided by the “MDCG guidelines” published by the EU’s Medical Device Coordination Group, the position paper of the Notified Bodies, and the standards ISO 14971, governing risk management of medical devices, and IEC 81001-5-1, for safety-related activities throughout the software lifecycle.
On top of this, TÜV SÜD has developed three white papers benefiting both manufacturers and operators: one on the topic of cyber-security of medical devices in accordance with IEC 81001-5-1, a health-software standard; one addressing the product standard IEC TR 60601-4-5 for medical electrical equipment; and a highly topical one that directly addresses the cyber security of IVD instruments and medical devices.
Five-step approach to maximum safety
TÜV SÜD has accredited testing laboratories and offers comprehensive testing services for IVD instruments and devices, as well as product-specific cyber security tests. Depending on the IVD device’s stage in the product lifecycle, testing can comprise up to five steps:
1 Training on standards and regulatory requirements
2 Early-bird assessment
3 Fuzzing
4 Vulnerability scanning
5 Penetration test
Furthermore, TÜV SÜD operates the only accredited laboratory for testing and validation in accordance with IEC TR 60601-4-5. The experts are familiar with the various country-specific regulatory requirements. They support manufacturers in placing their IVD instruments and IVD medical devices on the market in a time-efficient manner, and know the details of the requirements regarding compliance of documentation.
IVD instruments and IVD medical devices that were already lawfully placed on the market before the entry into force of the IVDR may currently continue to be placed on the market temporarily under certain conditions (IVDR, Article 110). However, depending on the risk classes of the respective IVD, the transition periods may end in the near future. The transition period ends on 26 May 2025 for risk class D, on 26 May 2026 for class C, and on 26 May 2027 for class B as well as for class A IVD medical devices that need to be placed on the market in sterile condition. Dr Alexander Stock warns, “It is already becoming apparent that there will be a high demand for conformity assessments, which will result in bottlenecks at the (few) Notified Bodies. Given this, we urgently recommend manufacturers start looking for a Notified Body today. They should lose no time in raising their Technical Documentation from the predecessor directive to the level of the IVDR applicable today.”
Further information:
- White Paper on IVD Testing (currenty only available in German)
- White Paper on Cyber Security for Medical Devices in accordance with IEC 81001 (currenty only available in German)
- Whitepaper Understanding the IEC TR 60601-4-5: Medical Electrical Equipment
- EU Regulation on In-Vitro Diagnostic Devices IVDR
