
Cybersecurity for Medical Devices

Comprehensive assessments and tests related to the cybersecurity of your medical device

About Cybersecurity For Medical Devices

There are multiple regulatory, ethical and business reasons to ensure that all digital healthcare and medical devices are thoroughly tested and secure, including:

  • Compliance with regulatory requirements such as the In Vitro Diagnostic Medical Device Regulation (IVDR), the In Vitro Diagnostic Medical Device Directive (IVDD), the Medical Device Regulation (MDR), Medical Device Directive (MDD), and the Active Implantable Medical Device Directive (AIMDD) in the EU; as well as the regional requirements of the US FDA, China FDA and the Japan Ministry of Health and Welfare
  • Unauthorized access to medical devices could result in death or severe injury, so manufacturers and medical device procurement teams must ensure the technology is secure
  • Privacy is extremely important for patient confidentiality – a breach would undermine that privacy

Failing to ensure medical device cybersecurity could lead to significant reputational damage for device manufacturers and for healthcare organizations that use insecure technology.

What you need to know about vulnerability scans and penetration tests

The FDA, the EU and Health Canada are working on standards and guidance documents that will indicate the need to consider vulnerability scans and penetration tests during the development of medical devices. To avoid the need for rework, some of these requirements should be tested early in the development process. We address some frequently asked questions here to keep you informed on the latest developments.

Our cybersecurity testing and assessment services

TÜV SÜD’s test labs offer you a comprehensive set of assessment and testing activities related to the cybersecurity of your medical device. These include:

Concept assessment

  • Assessment of the cybersecurity concept against the requirements of UL 2900-2-1, IEC 62443-4-2 or the TÜV SÜD Johner checklist
  • Written report covering the concept
  • Optional vulnerability scan

Compliance assessments

  • Validate compliance with the relevant standard(s):
    • UL 2900-2-1
    • IEC 62443-4-2 (the basis of the upcoming IEC/TR 60601-4-5)
  • Detailed test report
  • Optional: report against FDA pre-market requirements
  • Compliance audit
  • Vulnerability scan including manual tests
  • Penetration tests based on OWASP IoT (e.g. insufficient privacy protection, lack of secure update mechanism, insecure network services, insecure data transfer and storage)

Customized solutions

  • Identify additional requirements for your product that are not covered by the standards
  • Develop customized test methods
  • Assess vendor-specific security solutions, e.g. for hospitals

TÜV SÜD is a world leader in cybersecurity testing and has worked with medical device manufacturers around the world to assess the quality and safety of their devices. We have extensive experience in testing a wide range of networked medical devices. Our assessments are based on IEC 62443-4-2, UL 2900-2-1 (which builds on UL 2900-1), a TÜV SÜD internal checklist and the FDA guidance, thus supporting your compliance with regulations and your access to global markets.

FAQ on Cybersecurity for Medical Devices
Cybersecurity of medical devices

The digitization of the medical sector brings with it countless opportunities.

MDCG Cybersecurity Webinar

MDCG 2019/16 Cybersecurity

Fulfill requirements of Annex I to the MDR


Security in Medical Artificial Intelligence

Fulfill general safety and performance requirements


Artificial Intelligence in Medical Devices

Learn the key features of AI in the medical field as well as the current global AI regulation framework
