Cybersecurity requirements for medical devices in the EU and US - A comparison and gap analysis of the MDCG 2019–16 and FDA premarket cybersecurity guidance


Bibliographic Details
Main Authors: Max Ostermann, Rebecca Mathias, Fatemeh Jahed, Mitchell B. Parker, Florence D. Hudson, William C. Harding, Stephen Gilbert, Oscar Freyer
Format: Article
Language: English
Published: Elsevier 2025-01-01
Series: Computational and Structural Biotechnology Journal
Online Access: http://www.sciencedirect.com/science/article/pii/S2001037025002892
Description
Summary: The increasing use of connected medical devices has led to substantial cybersecurity challenges, putting patient safety and the integrity of healthcare infrastructures at risk. This study examines regulatory guidance on medical device cybersecurity in the European Union (guidance document of the Medical Device Coordination Group, MDCG 2019–16 revision 1) and the United States (US Food and Drug Administration Guidance on Cybersecurity) and identifies their strengths and weaknesses. First, the study compares these documents with a baseline requirements framework derived from international standards and best practices, revealing gaps in the thematic areas of “Cryptography,” “Authentication & Access Control,” and “Source Code/Software Development.” Second, the guidance documents were compared with real-world cybersecurity incidents, showing that the current guidance documents would help to mitigate the weaknesses behind important vulnerability examples, whereas for the most important weaknesses recommendations are missing in both guidance documents, and more so in MDCG 2019–16. In conclusion, both guidance documents are inadequately formulated in certain aspects, have an unclear scope, inconsistent levels of detail, and contain thematic gaps. These gaps could result in manufacturers failing to sufficiently address cybersecurity concerns in their products, thereby creating vulnerabilities. This study highlights the need for future guidance documents to be clearer in scope and to close existing gaps, ultimately allowing safer medical devices.
ISSN: 2001-0370