Contact
QR code for the current URL

Story Box-ID: 1160132

TÜV SÜD AG Westendstraße 199 80686 München, Germany http://www.tuvsud.com/de
Contact Mr Dirk Moser-Delarami +49 89 57911592
Company logo of TÜV SÜD AG

TÜV SÜD tests the cyber security of IVD medical devices

New white papers

(PresseBox) (Munich, )
The increasingly widespread digital connectivity of medical infrastructure is giving rise to complex systems with hosts of different interfaces that are potentially vulnerable to attacks. The IVDR requests manufacturers to furnish proof of cyber security before they place their products on the market. The transitional periods for already certified IVD medical devices will expire in stages from 26 May 2025 onwards. However, bottlenecks in conformity assessment procedures may lie ahead owing to the limited number of Notified Bodies to perform them. TÜV SÜD offers support in the form of comprehensive testing services and provides new white papers.

“Cyber security concerns all equipment that can be connected to a network. Hospital laboratories and hospital wards have numerous IVD medical devices that are connected with medical devices and information systems”, says Dr Alexander Stock, Project Manager IVD Medical Device Testing at TÜV SÜD, and warns, “Unauthorised access can result in loss of confidential data and may jeopardise patient safety – or even public health.” The manipulation of test data may lead to misdiagnoses and thus to incorrect or unsuitable therapies, but also to wrong conclusions in cases such as assessment of the infection incidence in a pandemic. Manufacturers and operators of non-secure IVD medical devices need to expect both financial risks and reputation damage.

The race for patient safety is on
Cyber security risks should be considered from an early stage, and then continuously throughout the product life cycle – from design and development to production, installation, and servicing and maintenance. The reason for this requirement is that new vulnerabilities that may leave IVD instruments open to cyber-attacks are identified and published on a daily basis. These vulnerabilities stem from sources such as modules or libraries of programming languages and operating systems. Manufacturers consequently need to engage in continuous risk analyses, permanently offer updates for their instruments, keep their instruments in line with the state of the art and take quick action if necessary.

IVD instruments require the same cyber-security assessment as connected medical devices do, including threat modelling and threat analyses. The methods from cyber-risk management are aimed at identifying threats at an early stage and deriving measures therefrom. The mandatory regulatory basis is the IVDR, which sets forth the essential cyber-security requirements in its Annex I. Further guidance is provided by the “MDCG guidelines” published by the EU’s Medical Device Coordination Group, the position paper of the Notified Bodies, and the standards ISO 14971, governing risk management of medical devices, and IEC 81001-5-1, for safety-related activities throughout the software lifecycle.

On top of this, TÜV SÜD has developed three white papers benefiting both manufacturers and operators: one on the topic of cyber-security of medical devices in accordance with IEC 81001-5-1, a health-software standard; one addressing the product standard IEC TR 60601-4-5 for medical electrical equipment; and a highly topical one that directly addresses the cyber security of IVD instruments and medical devices.

Five-step approach to maximum safety
TÜV SÜD has accredited testing laboratories and offers comprehensive testing services for IVD instruments and devices, as well as product-specific cyber security tests. Depending on the IVD device’s stage in the product lifecycle, testing can comprise up to five steps:
1 Training on standards and regulatory requirements
2 Early-bird assessment
3 Fuzzing
4 Vulnerability scanning
5 Penetration test

Furthermore, TÜV SÜD operates the only accredited laboratory for testing and validation in accordance with IEC TR 60601-4-5. The experts are familiar with the various country-specific regulatory requirements. They support manufacturers in placing their IVD instruments and IVD medical devices on the market in a time-efficient manner, and know the details of the requirements regarding compliance of documentation.

IVD instruments and IVD medical devices that were already lawfully placed on the market before the entry into force of the IVDR may currently continue to be placed on the market temporarily under certain conditions (IVDR, Article 110). However, depending on the risk classes of the respective IVD, the transition periods may end in the near future. The transition period ends on 26 May 2025 for risk class D,  on 26 May 2026 for class C, and on 26 May 2027 for class B as well as for class A IVD medical devices that need to be placed on the market in sterile condition. Dr Alexander Stock warns, “It is already becoming apparent that there will be a high demand for conformity assessments, which will result in bottlenecks at the (few) Notified Bodies. Given this, we urgently recommend manufacturers start looking for a Notified Body today. They should lose no time in raising their Technical Documentation from the predecessor directive to the level of the IVDR applicable today.”

Further information:

Website Promotion

Website Promotion

TÜV SÜD AG

Founded in 1866 as a steam boiler inspection association, the TÜV SÜD Group has evolved into a global enterprise. More than 26,000 employees work at over 1.000 locations in about 50 countries to continually improve technology, systems and expertise. They contribute significantly to making technical innovations such as Industry 4.0, autonomous driving and renewable energy safe and reliable. www.tuvsud.com

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.
Important note:

Systematic data storage as well as the use of even parts of this database are only permitted with the written consent of unn | UNITED NEWS NETWORK GmbH.

unn | UNITED NEWS NETWORK GmbH 2002–2024, All rights reserved

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.