Cybersecurity Vulnerabilities in Medical Devices: FDA Alerts on Contec and Epsimed Monitors

Dr Clare Dixon

The FDA recently issued a safety communication to raise awareness of cybersecurity vulnerabilities in the Contec CMS8000 patient monitor and the Epsimed MN-120 patient monitor which may put patients at risk when connected to the internet.

These vulnerabilities, which include a software backdoor, could compromise digital security and pose significant risks to patients when the devices are connected to the internet. As more medical devices become internet-connected, this development underscores the critical importance of robust cybersecurity measures in protecting patient safety and data.

While the FDA’s warning highlights the risks, the EU Medical Device Regulations (MDR) and In-Vitro Diagnostic Medical Device Regulation (IVDR) introduced stricter safety requirements to address such challenges. These regulations apply to medical devices that incorporate electronic programmable systems and software, which are now classified as medical devices themselves. Manufacturers must design and manufacture devices in accordance with the state of the art by applying risk management principles, including information security. Additionally, the regulations establish minimum IT security requirements, including protection against unauthorised access.

In this article we discuss cybersecurity requirements of the EU MDR and IVDR and summarise the Medical Device Coordination Group (MDCG) guidance document - MDCG 2019-16 Rev 1: Guidance on Cybersecurity for medical devices.

What is cybersecurity?

In ISO 81001-1, cybersecurity is defined as:

“a state where information and systems are protected from unauthorised activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the life cycle”.

What guidance does the MDCG 2019-16 Rev 1 provide?

The MDCG 2019-16 Rev 1 provides guidance on fulfilling the general safety and performance requirements of Annex I of the EU MDR and IVDR concerning cybersecurity. It emphasises a “secure by design” approach, integrating cybersecurity into every stage of a medical device’s lifecycle. This includes:

  • Security Risk Management: Manufacturers must establish a process to identify, evaluate, and mitigate cybersecurity risks, aligning with the overall risk management system required by the MDR.
  • Security Capabilities: Devices should incorporate essential security features such as authentication, encryption, and malware protection, tailored to their intended use and operational environment.
  • Minimum IT Requirements: Manufacturers must define and communicate the minimum IT security requirements for the device’s operating environment, including hardware and network characteristics, to ensure baseline protection.

The guidance also addresses the complex medical device supply chain, providing supplementary considerations for actors other than manufacturers. Additionally, it includes an annex outlining other EU and global legislation and guidance relevant to cybersecurity.

What are the cybersecurity requirements contained in MDR Annex I?

Basic Cybersecurity Requirements

Annex I of the MDR and IVDR emphasises the role of cybersecurity in meeting the general safety and performance requirements of medical devices. The requirements are categorised into three key areas:

  • IT Security: Protecting the information technology systems of medical devices is crucial. This includes safeguarding against unauthorised access and ensuring data integrity (referencing sections 17.4, 23.4ab).
  • Operation Security: Devices must operate securely under all conditions. This involves ensuring that the device functions as intended without compromising safety (referencing sections 14.1, 14.2, 17.1).
  • Information Security: Protecting sensitive data is a top priority. Medical devices must ensure that patient data and other critical information are secure from breaches (referencing section 17.2).

Requirements for the Secure Design and Manufacture of Medical Devices

Figure: Cybersecurity considerations for the design and manufacturing of medical devices (diagram illustrating the components considered for the cybersecurity of medical devices).

Cybersecurity must be integrated into every stage of a medical device’s lifecycle. Annex I of the MDR and IVDR highlights several critical aspects of secure design and manufacture:

  • Risk Management: Risks must be identified, assessed, and managed throughout the device’s lifecycle (sections 3, 14.4, 14.5, 19.3).
  • Protection Against Risks: Devices must be designed to protect against risks during both intended use and foreseeable misuse (sections 3c, 8).
  • Unauthorised Access: Measures must be in place to prevent unauthorised access to the device and its data (sections 17.4, 18.8).
  • Threats and Vulnerabilities: Manufacturers must identify and address security threats, vulnerabilities, and risks (section 4b).
  • Risk Control Measures: Effective risk control measures must be established to mitigate identified risks (section 4).
  • Minimum IT Security Requirements: Devices must meet minimum IT security standards to ensure baseline protection (sections 17.4, 14.5).

A key driver of secure design and manufacturing is the state of the art (sections 1, 4, 17.2). Manufacturers should consider the state of the art when designing, developing and upgrading medical devices across their life cycle. This involves incorporating the latest advancements, technologies, and best practices into their decision-making processes to address security risks proportionately and appropriately. By aligning with the state of the art, manufacturers can ensure that their devices are not only compliant with regulatory requirements but also resilient against emerging threats, safeguarding patient safety and data security over the long term.

How are the cybersecurity requirements under MDR interrelated with other relevant EU legislation (Cybersecurity Act, GDPR and NIS)?

Cybersecurity requirements under the MDR are interconnected with other EU legislation, such as the Cybersecurity Act, the General Data Protection Regulation (GDPR), and the Network and Information Security (NIS) Directive. While the EU MDR and IVDR focus on the safety and performance of medical devices, this additional legislation addresses broader aspects of cybersecurity, data protection, and network security. The MDCG 2019-16 Rev 1 guidance provides a detailed discussion of how these requirements overlap and complement each other.

What cybersecurity activities does the manufacturer need to carry out during the lifecycle of a medical device according to MDR?

Pre-market cybersecurity activities include:

  • Secure Design (Annex I)
  • Risk management (Annex I)
  • Establish Risk Control Measures (Annex I)
  • Validation, Verification, Risk Assessment, Benefit Risk Analysis (Annex I)
  • Technical Documentation (Annex II and III)
  • Conformity Assessment (Article 52)
  • Establish a Post-market Surveillance Plan and Post-market Surveillance System (Article 83 and 84)
  • Clinical evaluation process (Chapter VI)

Post-market activities include:

  • Risk management (Annex I)
  • Modify Risk Control Measures / Corrective Actions / Patches (Annex I)
  • Validation, Verification, Risk Assessment, Benefit Risk Analysis (Annex I)
  • Maintain and update a Post-market Surveillance Plan and Post-market Surveillance System (Article 83 and 84)
  • Trend Reporting (Article 88)
  • Analysis of Serious Incidents (Article 89)
  • Post-Market Surveillance Report (Article 85)
  • Periodic Safety Update Report (Article 86)
  • Update Technical Documentation (Annex II and III)
  • Inform the Electronic System on Vigilance (Article 92)

Cybersecurity is a critical aspect of ensuring the safety and performance of medical devices under the EU MDR and IVDR. By adopting a secure-by-design approach, prioritising risk management, and maintaining robust post-market surveillance, manufacturers can protect patients from potential threats and ensure compliance with regulatory standards.

If you need guidance on EU MDR and IVDR requirements or have concerns about cybersecurity compliance for your medical device, contact us today to arrange a free, no-obligation discussion.
