Integrating Cyber Security in Medical Device Management


Did you know that cybersecurity is addressed under ISO 13485:2016 Clause 7.3 requirements?

The Royal Academy of Engineering (RAE) report Cyber Safety and Resilience (March 2018) suggests that the healthcare sector can learn from other industries when it comes to guarding against ransomware attacks, data breaches and the hacking of connected health devices. That was just the beginning. Since then the cyber threat to medical devices, and to the data they control or access, has grown sharply as the IoT (internet of things, i.e. the interconnection of devices and the cloud-based systems used to manage them) inexorably expands.

Cyber Security Threats in the Context of Medical Device Management

Taking connected health devices as an example, the report suggests that there is a general lack of awareness in the healthcare sector of the threats posed, and in some cases of whether those threats exist at all. But exist they do.

In 2016 the FDA described the threat of medical device hacking as a growing concern and urged manufacturers to take a proactive approach to planning for, and assessing, the cybersecurity of their products once they reach the market.

Researchers from the University of Leuven in Belgium and the University of Birmingham in the UK subsequently demonstrated attacks on implanted medical devices over their wireless link: they could read out medical information, drain the device's battery and even cause the device to malfunction. The point for manufacturers is that the consequence of a compromised device is not only a data breach but a direct patient-safety hazard.

Integrating Cyber Security with Medical Device Management

The RAE report makes a series of recommendations, including that the Medicines and Healthcare products Regulatory Agency (MHRA) and the Food and Drug Administration (FDA) should join a task force to examine how the existing legislative framework can be strengthened. But action is required immediately, and you can take it as part of your ISO 13485 implementation project.

ISO 13485:2016 Clause 7.3 Requirements

Clause 7.3 of ISO 13485:2016 includes the sub-clause 7.3.3, Design and development inputs, which states:

‘Inputs relating to product requirements shall be determined and records maintained (see 4.2.5). These inputs shall include:

  a) functional, performance, usability and safety requirements, according to the intended use;
  b) applicable regulatory requirements and standards;
  c) applicable output(s) of risk management;
  d) as appropriate, information derived from previous similar designs;
  e) other requirements essential for the design and development of the product and processes.

These inputs shall be reviewed for adequacy and approved.

Requirements shall be complete, unambiguous, able to be verified or validated, and not in conflict with each other.’

You can be certain that your Certification Body/Notified Body will interpret ‘c) applicable output(s) of risk management’ as requiring that cybersecurity be addressed wherever your device transmits, receives and/or stores data. In practice that means the cybersecurity hazards (unauthorised access, tampering with device behaviour, loss of data integrity or availability) must appear in your risk management file alongside the conventional safety hazards, and the resulting mitigations must be fed into the design inputs, verified and traceable, just as any other input under 7.3.3.



Post-market Surveillance and Regulatory Guidance

Regulatory Authorities globally are now keenly aware of the havoc that cybercriminals could cause and the near certainty that they will attempt to do so. At the very minimum, your future Post-Market Surveillance must include cybersecurity and the protection of information relating to the device, the persons using it and the patient data it handles. The topic and its associated threats are vast, and Regulators are still preparing and issuing official Guidance. In the meantime you must address the issue yourself, starting by ensuring that data protection is part of your Medical Device Risk Management system. Note that data protection is only one part of the problem: an attacker who can alter a device's behaviour creates a safety risk even if no personal data is exposed, so the risk management system must cover integrity and availability as well as confidentiality.

Other Actions to consider

While full compliance with its requirements would likely be ‘overkill’ in many instances, we recommend that you examine ISO 27001, the information security management standard, and its companion ISO 27002, for ideas on the types of controls that should be in place to protect both your product and the end-user/patient. Treat them as a checklist of candidate controls to be selected on the basis of your own risk analysis, not as a second management system to be implemented in full.


Note: First published Mar 2018; revised and updated in Jul 2021.

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting on and auditing management systems.