Applicability of Cybersecurity EU MDR 2017/745 Annex 1 23.4(ab), 14.2(d)

Kuldeep Singh

Involved In Discussions
Hello Everyone,

Can anyone help me by discussing the scope of Cybersecurity for X-Ray medical devices? On what basis can one define the applicability of this requirement to a manufacturer?

Our devices have USB and CD/DVD drive ports for communication (normally used by doctors to collect patient image data). Although no internet connectivity is allowed for communication, is it still applicable to us, or can we alter this requirement with a suitable justification?

We have to comply with the below requirements of the EU MDR:
14.2 (d) the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts;

23.4 (ab) for devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.

Thanks in advance, your help will be appreciated.
 

yodon

Leader
Super Moderator
Consider these scenarios (and this wouldn't be a complete list):
  • Can just anyone walk up with a thumb drive or CD/DVD and pull data out?
  • Can someone insert a thumb drive and update the software?
  • Can someone insert a thumb drive and change the delivery profile?
  • Can someone attach a computer via the USB port and do anything malicious?
  • Could someone attach a thumb drive or computer, drop a virus, and subsequent connections get infected (possibly infecting the rest of the hospital network)?
Those just jump to mind. Even if none are possible, it would be good to go through the brainstorming exercise and identify the controls that ensure cybersecurity.
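The second and third scenarios in the list above (someone inserts a thumb drive and updates the software, or changes the delivery profile) are the ones a manufacturer can most directly close with a technical control: the device refuses any update from removable media unless it is authenticated and at least as new as what is already installed. The following is an added example written for this thread, not code from any poster or from a real X-ray product. It assumes a hypothetical manifest format (`body` plus `tag`), a constructed device-held key, and uses an HMAC from the Python standard library so it runs offline; a shipped device would normally hold a public key and verify an asymmetric signature instead, so that nothing secret has to live on the device.

```python
"""Verifying a software update delivered on removable media before it is applied.

Assumed (hypothetical) format: the USB stick carries a payload plus a manifest
holding the payload's SHA-256 digest, size and version, and an authentication
tag computed over the manifest body with a key shared between the
manufacturer's release process and the device. Anything that fails a check is
rejected before a single byte of the payload is executed.
"""
import hashlib
import hmac
import json

# Constructed device-side verification key; a real device would keep this in
# protected storage (or, better, hold only a public key for a signature).
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so manufacturer and device tag the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def build_manifest(payload: bytes, version: str, key: bytes) -> dict:
    """Manufacturer side (constructed): describe the payload and tag the description."""
    body = {"version": version, "sha256": sha256_hex(payload), "size": len(payload)}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(manifest: dict, payload: bytes, key: bytes, current_version: str) -> tuple:
    """Device side: return (accepted, reason). Accept only if every check passes."""
    body = manifest.get("body")
    tag = manifest.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "manifest malformed"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    if body.get("size") != len(payload):
        return False, "payload size mismatch"
    if not hmac.compare_digest(str(body.get("sha256", "")), sha256_hex(payload)):
        return False, "payload digest mismatch (payload altered after signing)"
    # Refuse downgrades so an old, vulnerable release cannot be re-installed.
    try:
        if _version_tuple(str(body.get("version", ""))) <= _version_tuple(current_version):
            return False, f"version {body.get('version')} is not newer than {current_version}"
    except ValueError:
        return False, "manifest version malformed"
    return True, f"update {body['version']} accepted"


# Constructed sample inputs standing in for files read from a thumb drive.
GOOD_PAYLOAD = b"constructed firmware image v2.1.0"
GOOD_MANIFEST = build_manifest(GOOD_PAYLOAD, "2.1.0", DEVICE_KEY)
INSTALLED_VERSION = "2.0.3"


def demo() -> dict:
    """Run the verifier over a genuine update and three things it must reject."""
    flipped = bytes([GOOD_PAYLOAD[0] ^ 0x01]) + GOOD_PAYLOAD[1:]   # same size, one bit changed
    forged = build_manifest(GOOD_PAYLOAD, "2.1.0", b"attacker-chosen-key")
    downgrade = build_manifest(b"old image", "1.9.0", DEVICE_KEY)
    return {
        "genuine": verify_update(GOOD_MANIFEST, GOOD_PAYLOAD, DEVICE_KEY, INSTALLED_VERSION),
        "tampered_payload": verify_update(GOOD_MANIFEST, flipped, DEVICE_KEY, INSTALLED_VERSION),
        "forged_manifest": verify_update(forged, GOOD_PAYLOAD, DEVICE_KEY, INSTALLED_VERSION),
        "downgrade": verify_update(downgrade, b"old image", DEVICE_KEY, INSTALLED_VERSION),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of checks matters for the evidence a manufacturer keeps: authenticating the manifest first means an unauthorised party cannot even choose which error the device reports, and the downgrade check turns "can someone change the software" into "can someone change it to something the manufacturer has not released and that is newer than what is installed", which is the residual risk a risk file can actually argue about. Each rejection reason is also a candidate audit-log event for the unauthorised-access wording of 23.4(ab).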
 

Kuldeep Singh

Involved In Discussions
Hello Yodon,

Can you guide me on the below query?
Does this requirement refer to unauthorised activities such as access, use, disclosure, modification, destruction, etc., or is it only applicable to internet connectivity? My team considers this requirement to refer only to internet connectivity, which tends to lead to cyber attacks; they didn't consider it as unauthorised access. Can you correct us?

Basically, our devices have inbuilt software for diagnosis. There are wired communication ports, as discussed in the above thread. There is no internet connection required for normal use of the device.
 

yodon

Leader
Super Moderator
Right - if you don't have the possibility of external access then "hacking" is not a concern. However, these aspects still need to be considered, IMO. You'll note that the requirement from the MDR includes "IT security measures, including protection against unauthorised access", so I believe the expectation goes beyond hacking.
 