Cybersecurity Requirements for Connected Devices
MFDS has issued initial cybersecurity guidance for connected medical devices and is developing binding requirements.
Which devices are affected?
Connected medical devices include:
- Devices with wireless connectivity (Wi-Fi, Bluetooth, cellular)
- Devices connected to hospital networks or electronic health record systems
- Devices with remote monitoring or software update capabilities
- Implantable devices with external programming interfaces
Current MFDS cybersecurity guidance expectations
| Area | Expectation |
|---|---|
| Threat modelling | Identify cybersecurity threats relevant to the device's connectivity |
| Vulnerability assessment | Assess risk of identified threats |
| Security controls | Implement proportionate security controls (encryption, authentication, access control) |
| Security testing | Test cybersecurity controls before market entry |
| Post-market monitoring | Monitor for new cybersecurity vulnerabilities and manage patches |
| Incident response | Define a procedure for responding to a cybersecurity incident |
| Disclosure | Define how cybersecurity vulnerabilities will be communicated to users/MFDS |
Alignment with international frameworks
MFDS cybersecurity guidance aligns with:
- IMDRF Cybersecurity principles and practices
- FDA cybersecurity guidance (used as a reference)
- IEC 81001-5-1 (Health software and health IT systems safety, effectiveness, and security)