Software in Medical Devices, by MD101 Consulting


Tag - Cybersecurity


Friday, 8 March 2024

Templates: Security Risk Management Plan and Security Risk Assessment Report

Cybersecurity guidance documents and standards have evolved considerably over the last few months.
It's time to push new templates!

Continue reading...

Friday, 23 February 2024

IEC 81001-5-1 Right Here Right Now

IEC 81001-5-1 is now the standard for cybersecurity in medical devices. But is this standard asking for too much?

Continue reading...

Friday, 6 October 2023

Final 2023 FDA Premarket Cybersecurity guidance released

The final version of the FDA guidance titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" was published on 27 September 2023.

Continue reading...

Monday, 20 February 2023

Maintained software, Supported software, Required software, and SOUP

These three concepts come from IEC 62443 and were adopted in IEC 80001-5-1. SOUP isn't present in IEC 81001-5-1.
What are the differences between SOUP and Maintained software, Supported software, and Required software?

Continue reading...

Monday, 9 January 2023

IEC 81001-5-1 was added to the list of recognized consensus standards

In late December 2022, the FDA added IEC 81001-5-1 to the list of recognized consensus standards.
That's it. After beating around the bush on this blog on whether UL 2900-x or IEC 81001-5-1 would be applicable to 510(k) submissions and other regulatory clearances, we now have the answer.

We can use IEC 81001-5-1 as:

A good way to make things (a bit) simpler.

Remark: UL 2900-x can still be applied in the US!

Friday, 30 September 2022

NIS2 Directive: are you involved or concerned?

That’s the story of the pig and the hen for breakfast: the pig is involved (ham) and the hen is concerned (eggs). With the NIS2 directive in preparation, a medical device manufacturer will be in either situation.

Continue reading...

Friday, 10 June 2022

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submission

In April, the FDA issued a new draft guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. When it is finalized, this guidance will supersede the 2014 guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. There’s no word about the draft guidance of 2018. We can suppose that one is obsolete.

Continue reading...

Thursday, 13 January 2022

IEC 81001-5-1, final version published

IEC 81001-5-1 was published in December 2021. We already talked about the draft version here. Combined with IEC/TR 60601-4-5, published in February 2021, these two standards constitute the state of the art in cybersecurity of medical devices in Europe.

The final version is very close to the draft version, apart from a few changes to the organizational requirements: these were in clause 10 of the draft, and were removed from there and copied to clause 4 in the final version.

Be prepared to apply these two standards for your MDR CE Mark submissions when they are harmonized, most probably by 2024.

Friday, 9 July 2021

Cybersecurity standards: IEC 81001-5-1 and IEC/TR 60601-4-5

The draft list of harmonized standards for the MDR regulation was published in May 2021. In this document, we find the references to the following cybersecurity standards:

  • IEC 80001-1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software - Part 1: Application of risk management,
  • IEC 81001-5-1 (not published): Health Software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product lifecycle,
  • IEC/TR 60601-4-5: Medical electrical equipment - Part 4-5: Guidance and interpretation - Safety-related technical security specifications.

Continue reading...

Sunday, 3 May 2020

MDCG 2019-16 Guidance on cybersecurity for medical devices

So we have a new guidance on cybersecurity for medical devices: the MDCG 2019-16. This is not the one we expected so quickly, but we're not going to complain about the existence of this guidance! It was published in December 2019. At last I found time to write a review.
This guidance covers a broad range of topics applicable to all stakeholders in the medical device supply chains, and to end-users. This explains in part why it is 46 pages long.

Continue reading...

Friday, 16 August 2019

Cybersecurity in medical devices: a short review of UL 2900-1

We continue this series of articles on cybersecurity with a free and non-exhaustive review of the UL 2900-1 standard.
What is UL 2900-1? This standard was published in 2017 by Underwriters Laboratories (UL). It contains technical requirements on cybersecurity for network connectable products. A collateral standard, UL 2900-2-1, focuses on connectable healthcare and wellness systems. UL 2900-1 and UL 2900-2-1 are FDA recognized standards, and are thus applicable to medical devices.

Continue reading...

Thursday, 24 January 2019

Cybersecurity - Draft guidances from FDA and Health Canada

The US FDA published in October 2018 a new draft version of its guidance on the content of premarket submissions for management of cybersecurity in medical devices. Two months later, Health Canada published in December 2018 a draft guidance document on pre-market requirements for medical device cybersecurity.

Continue reading...

Monday, 15 October 2018

Cybersecurity - Part 5 Templates

Hi there! Long time no see once again. I'm digging up our series of posts on cybersecurity.
In this post I publish two new templates for cybersecurity risk management.

Continue reading...

Monday, 3 July 2017

Cybersecurity in medical devices - Part 4 Impact on Software Development Process

We continue this series of posts on cybersecurity with some comments on impacts of cybersecurity on the software development documentation.

Continue reading...

Tuesday, 16 May 2017

Cybersecurity in medical devices - Part 3 AAMI TIR57:2016

After a long pause, we continue this series about cybersecurity in medical devices with a discussion on AAMI TIR57:2016 Principles for medical device security — Risk management.

Continue reading...

Friday, 10 February 2017

Final FDA Guidance on Postmarket Management of Cybersecurity in Medical Devices - Final version released

This article is a follow-up of the previous article on the Draft guidance on Postmarket Management of Cybersecurity in Medical Devices.

Continue reading...

Final FDA Guidance on Medical Device Accessories: Defining Accessories and Classification Pathway for New Accessory Types

This article is a follow-up of the article on the Draft guidance on Medical Device Accessories: Defining Accessories and Classification Pathway for New Accessory Types.

Continue reading...

Tuesday, 20 December 2016

Cybersecurity in medical devices - Part 2 Stakeholders

After a long interruption, we continue this series on cybersecurity in medical devices with a review of stakeholders involved or concerned by cybersecurity requirements, and the consequences on architectural choices.

Continue reading...

Monday, 24 October 2016

Cybersecurity in medical devices - Part 1 Regulations

We begin today a series of posts on cybersecurity in medical devices. Cybersecurity was not a subject before the advent of computerized medical devices. Now that every manufacturer wants its connected medical device, cybersecurity matters!
Let's start with the regulations.

Continue reading...