Medical Device Regulation

The EU regulations on medical devices (MDR, EU 2017/745) and in-vitro diagnostics (IVDR, EU 2017/746) require manufacturers to demonstrate the IT and cybersecurity of their products. Attacks on medical devices and healthcare institutions are increasing sharply – patient data and the integrity of device software must be reliably protected.

For a free initial consultation and a no-obligation quote, contact us via our contact form or by email at info@softscheck.com.

MDR Cybersecurity Requirements

The MDR and associated MDCG guidelines (in particular MDCG 2019-16) require manufacturers to demonstrate, among other things:

  • A documented Secure Development Lifecycle (SDL) for software in medical devices
  • Risk analysis and threat modeling in accordance with the state of the art
  • Protection against unauthorized access to device software and patient data (GDPR)
  • Integrity protection for device software and firmware in accordance with the state of the art
  • Penetration testing and vulnerability analysis as part of the technical documentation and security verification
  • Post-market surveillance and patch management throughout the entire product lifecycle

Our Services
  • Consulting: We support you in interpreting MDR/IVDR requirements and implementing a compliant security process
  • Threat analysis: Systematic identification of attack vectors and risks for your medical device
  • Security testing: Static source code analysis, penetration testing, and fuzzing in accordance with IEC 62304, IEC 81001-5-1, and IEC 62443
  • Documentation: Creation of audit-ready evidence for regulatory authorities and notified bodies

Our Approach
  1. Analysis: We assess the product profile, connectivity, and security-relevant interfaces of your medical device.

  2. Threat modeling: Identification of relevant threats and risk assessment in accordance with MDR Annex I and MDCG guidelines.

  3. Security testing: Execution of penetration tests, source code analysis, and fuzzing tests in line with the state of the art.

  4. Reporting: Creation of a detailed test report with concrete recommendations and approval-relevant documentation.

Further Reading

For a concrete look at our work in practice, see the use case "Cybersecurity Testing of an AED Defibrillator": softScheck tested a medical device under MDR/IVDR, identifying and closing security vulnerabilities.

Request MDR Consulting Now!

Medical device manufacturers seeking market authorization in the EU must meet the cybersecurity requirements of the MDR and IVDR. We accompany you from the initial risk analysis through to audit-ready documentation.

Contact us via our contact form or by email at info@softscheck.com.