Does cybersecurity apply to my product?


Starting to get Involved

According to the MDR Annex 1, the regulation requires medical devices to be safe to use; cybersecurity is therefore required to address/implement, but it is not clear to me if it applies to my product, and therefore if there is a need to fulfill, for example:
- risk related action(s) regarding cybersecurity;
- actions regarding instructions for use to the user (related to cyber security);
and all the other requirements.

I have tried to understand the MDCG-2019-16 guidance but I am not sure if there is a need to fulfill the requirements and therefore if there is a need to implement cybersecurity in our risk management system and other documentation (such as IFU etc).

Maybe someone knows more?

Background of current setting:

We have a medical device on the market (under MDD / CE certificate currently) but we have to transition to MDR.

This medical device is a handheld ECG monitor which performs a measurement (internal firmware) and gives a result to the user regarding any irregularities in the measured ECG.
This result should "ALWAYS" be verified by a medical professional. This can only be done by reading out the device via USB to a PC by use of our software (to visualise an ECG for evaluation of the result). This software is installed locally on a user's PC with a local database. No internet connection is required (only at the moment of installation of the software).

I hope that someone can give me a little clarification, thank you very much in advance!

Best regards,

Patrick z.


Quite Involved in Discussions
Can your device communicate wirelessly (wifi, Bluetooth etc) or can it only communicate via a USB cable?

Can the device's firmware be updated using the USB cable (or other means), or is it not possible for the user to update the firmware?


Starting to get Involved
The device does only communicate to the PC via the USB connection.

The firmware is installed at manufacturing via the USB connection. There will be no need for updating the firmware. But if it should be, then the firmware can be updated via the USB (only by the manufacturer, but therefore the device should be returned to the manufacturer). Once the product is at the user/customer, there is no need for updating the firmware, and there is also no possibility for the user to do this, so the answer to your 2nd question will be: no :)


Quite Involved in Discussions
In which case as far as I can determine, "No additional cybersecurity procedures are required by the user/purchaser of the product over and above what they should already be following in order to comply with current guidelines/recommendations/legislation and good business practice"


Trusted Information Resource
One more thing to consider. Can someone other than the manufacturer access the USB port (it wasn't clear in your post)?
If yes, then how do you protect the device from someone accessing it via this port and potentially making changes to device configuration or accessing the data?


Starting to get Involved
Good morning,

I am sorry I did not quite follow this up due to the amount of regulatory investigations...

The USB port is accessible by everybody; however, the configuration can only be set by the programming software in production, and the data can only be read out via dedicated software we supply (the device is configured as an HID device, and not mass storage). So in a normal case nothing happens when the USB connector is connected, only when the correct communication software is installed. I hope this clarifies my thoughts, thank you :)