Applicability of Cybersecurity EU MDR 2017/745 Annex 1 23.4(ab), 14.2(d)

Kuldeep Singh

Involved In Discussions
#1
Hello Everyone,

Can anyone help me by discussing the scope of cybersecurity for X-ray medical devices? On what basis can one define the applicability of this requirement to a manufacturer?

Our devices have USB and CD/DVD drive ports for communication (normally used by doctors to collect patient image data), although no internet connectivity is allowed for communication. Is it still applicable to us, or can we alter this requirement with a suitable justification?

We have to comply with the below requirements of the EU MDR:
14.2 (d) the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts;

23.4 (ab) for devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.

Thanks in advance, your help will be appreciated.
 

yodon

Staff member
Super Moderator
#2
Consider these scenarios (and this wouldn't be a complete list):
  • Can just anyone walk up with a thumb drive or CD/DVD and pull data out?
  • Can someone insert a thumb drive and update the software?
  • Can someone insert a thumb drive and change the delivery profile?
  • Can someone attach a computer via the USB port and do anything malicious?
  • Could someone attach a thumb drive or computer, drop a virus, and subsequent connections get infected (possibly infecting the rest of the hospital network)?
Those just jump to mind. Even if none are possible, it would be good to go through the brainstorming exercise and identify the controls that ensure cybersecurity.
 

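One way to turn the second and third scenarios in the list above (a thumb drive used to update the software or change the delivery profile) into a concrete, checkable control is to have the device apply an update only when its manifest carries a valid manufacturer signature and every file matches that manifest. The Go program below is an added example, not code from this thread or from any X-ray device manufacturer; the Ed25519 key pair, the manifest format, and the file names (`firmware.bin`, `profiles/exposure.cfg`) are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// UpdatePackage models what arrives on the removable medium: the files to
// install, a manifest listing them with their SHA-256 digests, and the
// manufacturer's Ed25519 signature over that manifest. Everything here is
// constructed in memory; a real device would read it from the mounted drive.
type UpdatePackage struct {
	Files     map[string][]byte
	Manifest  []byte
	Signature []byte
}

// ErrUntrustedUpdate wraps every rejection so callers can log the detail
// but never apply a partially verified package.
var ErrUntrustedUpdate = errors.New("update rejected")

// buildManifest writes one "<path> <sha256-hex>" line per file, sorted by
// path so the bytes being signed are deterministic.
func buildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignPackage runs in the manufacturer's release pipeline. The private key
// never leaves it; the device only ever holds the public half.
func SignPackage(priv ed25519.PrivateKey, files map[string][]byte) UpdatePackage {
	m := buildManifest(files)
	return UpdatePackage{Files: files, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// VerifyPackage is the device-side control. It checks the signature before
// trusting anything in the manifest, then checks every listed file's digest,
// then refuses any file the signed manifest does not mention (so nobody can
// ride an extra binary in beside a genuine update).
func VerifyPackage(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, pkg.Manifest, pkg.Signature) {
		return fmt.Errorf("%w: manifest signature invalid", ErrUntrustedUpdate)
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(pkg.Manifest)), "\n") {
		i := strings.LastIndex(line, " ") // digest is hex, so the last space splits path/digest
		if i < 1 {
			return fmt.Errorf("%w: malformed manifest line %q", ErrUntrustedUpdate, line)
		}
		expected[line[:i]] = line[i+1:]
	}
	for path, want := range expected {
		data, ok := pkg.Files[path]
		if !ok {
			return fmt.Errorf("%w: %s listed but missing", ErrUntrustedUpdate, path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s digest mismatch", ErrUntrustedUpdate, path)
		}
	}
	for path := range pkg.Files {
		if _, ok := expected[path]; !ok {
			return fmt.Errorf("%w: %s not in signed manifest", ErrUntrustedUpdate, path)
		}
	}
	return nil
}

func main() {
	// Sample content, constructed for the demonstration.
	pub, priv, _ := ed25519.GenerateKey(nil)
	files := map[string][]byte{
		"firmware.bin":          []byte("release 2.1 image"),
		"profiles/exposure.cfg": []byte("kv=80 mas=10"),
	}
	fmt.Println("genuine:", VerifyPackage(pub, SignPackage(priv, files)))

	tampered := SignPackage(priv, files)
	tampered.Files = map[string][]byte{
		"firmware.bin":          files["firmware.bin"],
		"profiles/exposure.cfg": []byte("kv=999 mas=10"), // profile edited on the stick
	}
	fmt.Println("tampered:", VerifyPackage(pub, tampered))

	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	fmt.Println("forged:", VerifyPackage(pub, SignPackage(attackerPriv, files)))
}
```

Run it with `go run`; the genuine package verifies, while an edited profile, a package signed with someone else's key, or an unlisted extra file is rejected. The public key is the only trust anchor the device needs, so it can be burned into firmware; how it is protected against replacement is a separate platform question, and this check does nothing for the first scenario (pulling data out), which needs access control rather than a signature.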
Kuldeep Singh

Involved In Discussions
#3
Hello Yodon,

Can you guide me on the query below?
Does this requirement mean unauthorised activities such as access, use, disclosure, modification, destruction, etc., or is it only applicable to internet connectivity? My team considers this requirement to mean only internet connectivity, which tends to lead to cyber attacks. They didn't consider it as unauthorised access. Can you correct us?

Basically, our devices have inbuilt software for diagnosis. There are wired communication ports, as discussed above in the thread. No internet connection is required for normal use of the device.
 

yodon

Staff member
Super Moderator
#4
Right - if you don't have possibility of external access then "hacking" is not a concern. However, these aspects still need to be considered, IMO. You'll note that the requirement from the MDR includes "IT security measures, including protection against unauthorised access" so I believe the expectation goes beyond hacking.
 