# Cybersecurity for Connected Medical Devices

## Why cybersecurity matters for Brazilian regulatory compliance
Connected medical devices — devices that transmit, receive or store clinical data via wireless or wired connections — face specific cybersecurity risks that ANVISA considers part of the overall risk management framework under ISO 14971 and RDC 752/2022.
## ANVISA's cybersecurity expectations
ANVISA expects manufacturers of connected medical devices and SaMD to address cybersecurity in the technical dossier, including:
- Threat modelling — systematic identification of cybersecurity threats relevant to the device;
- Security controls — technical measures implemented to mitigate identified threats (encryption, authentication, access controls, secure update mechanisms);
- Vulnerability management — process for identifying and responding to newly discovered vulnerabilities post-market;
- Software bill of materials (SBOM) — list of software components to enable rapid assessment of newly disclosed vulnerabilities; and
- Patch and update management — mechanism for securely delivering security patches to deployed devices.
## Key international standards
| Standard | Topic |
|---|---|
| AAMI TIR57 | Principles for medical device security |
| IEC 81001-5-1 | Health software and health IT systems security |
| NIST Cybersecurity Framework | General cybersecurity framework referenced by ANVISA |
| ISO/IEC 27001 | Information security management systems |
ANVISA has not issued a specific mandatory cybersecurity standard, but references AAMI TIR57 and NIST as acceptable frameworks in guidance documents.
## Post-market cybersecurity obligations
After a device is on the market, manufacturers must:
- Monitor for newly discovered vulnerabilities (CVEs) in device software and components;
- Assess the clinical impact of vulnerabilities;
- Deploy patches via the secure update mechanism; and
- Report vulnerabilities that could constitute a safety risk via NOTIVISA if clinical harm is possible.
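The SBOM item in the dossier list above and the post-market steps just listed are two halves of one workflow: keep a machine-readable component inventory, and when a new advisory is published, check it against that inventory so the clinical-impact assessment and patch can start immediately. The script below is an added illustration of that cross-referencing step; it is not code from the page, from ANVISA, or from any named project. The SBOM entries, the advisory identifiers (deliberately labelled as placeholders, not real CVEs), the version ranges and the "clinical data path" labels are all constructed for the example, and the version comparison assumes plain dotted numeric version strings.

```python
"""Cross-reference a device SBOM against a feed of newly published advisories.

Added example: every identifier, version and role label below is constructed.
"""
from dataclasses import dataclass


# Constructed SBOM in a CycloneDX-like shape (name + version per component).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "openssl", "version": "3.0.7"},
        {"name": "bluetooth-stack", "version": "2.1.0"},
        {"name": "freertos-kernel", "version": "10.5.1"},
        {"name": "logging-agent", "version": "1.4.2"},
    ],
}

# Constructed advisory feed. The ids are placeholders, not real CVE numbers.
# "introduced" is inclusive, "fixed" is exclusive.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "component": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.8"},
    {"id": "CVE-PLACEHOLDER-0002", "component": "freertos-kernel",
     "introduced": "10.0.0", "fixed": "10.5.0"},   # our version already past the fix
    {"id": "CVE-PLACEHOLDER-0003", "component": "logging-agent",
     "introduced": "1.0.0", "fixed": "1.5.0"},
]

# Constructed device-specific knowledge: components that carry or protect
# clinical data. A match here is what raises the finding from "patch it"
# to "assess clinical impact and decide whether a NOTIVISA report is due".
CLINICAL_DATA_PATH = {"openssl", "bluetooth-stack"}


def parse_version(v: str) -> tuple:
    """Parse 'a.b.c' into a comparable tuple of ints (numeric versions only)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True when version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


@dataclass
class Finding:
    advisory_id: str
    component: str
    installed: str
    fixed_in: str
    on_clinical_path: bool
    actions: tuple


def match_sbom(sbom: dict, advisories: list, clinical_path: set) -> list:
    """Return one Finding per advisory that hits an installed component version."""
    installed = {c["name"]: c["version"] for c in sbom["components"]}
    findings = []
    for adv in advisories:
        version = installed.get(adv["component"])
        if version is None or not is_affected(version, adv):
            continue
        on_path = adv["component"] in clinical_path
        # Every hit gets an impact assessment and a patch via the secure
        # update channel; components on the clinical data path additionally
        # trigger the safety-risk / NOTIVISA decision.
        actions = ["assess clinical impact",
                   "deploy patch via secure update mechanism"]
        if on_path:
            actions.append("decide on NOTIVISA report if clinical harm is possible")
        findings.append(Finding(adv["id"], adv["component"], version,
                                adv["fixed"], on_path, tuple(actions)))
    return findings


def report(findings: list) -> list:
    """Render findings as one line each, priority hits first."""
    ordered = sorted(findings, key=lambda f: not f.on_clinical_path)
    return [f"{f.advisory_id}: {f.component} {f.installed} -> fix in {f.fixed_in}; "
            f"{'CLINICAL PATH; ' if f.on_clinical_path else ''}{'; '.join(f.actions)}"
            for f in ordered]


if __name__ == "__main__":
    for line in report(match_sbom(SBOM, ADVISORIES, CLINICAL_DATA_PATH)):
        print(line)
```

Running it flags the openssl and logging-agent entries and skips the FreeRTOS advisory because the installed kernel is already at or past the fixed version; the openssl hit is listed first because it sits on the clinical data path. In a real pipeline the SBOM would be loaded from the build system's CycloneDX or SPDX output and the advisory feed from a vulnerability database, but the matching logic and the triage split stay the same.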
## Official sources
Verify all information against official ANVISA sources before making regulatory decisions.