Cybersecurity requirements for medical devices in the EU and US - A comparison and gap analysis of the MDCG 2019–16 and FDA premarket cybersecurity guidance
| Main Authors: | Max Ostermann, Rebecca Mathias, Fatemeh Jahed, Mitchell B. Parker, Florence D. Hudson, William C. Harding, Stephen Gilbert, Oscar Freyer |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | Elsevier, 2025-01-01 |
| Series: | Computational and Structural Biotechnology Journal |
| Subjects: | Medical devices; Cybersecurity; Regulatory science |
| Online Access: | http://www.sciencedirect.com/science/article/pii/S2001037025002892 |
| author | Max Ostermann, Rebecca Mathias, Fatemeh Jahed (Else Kröner Fresenius Center for Digital Health, TUD Dresden University of Technology, Dresden, Germany); Mitchell B. Parker (Information Security and Compliance, Indiana University Health, Indiana University Health University Hospital, Indianapolis, IN, USA); Florence D. Hudson (Northeast Big Data Innovation Hub, Data Science Institute, Columbia University, FDHint LLC, New York, USA); William C. Harding (College of Graduate and Professional Studies, Trine University, Angola, IN, USA); Stephen Gilbert, Oscar Freyer (Else Kröner Fresenius Center for Digital Health, TUD Dresden University of Technology, Dresden, Germany); Oscar Freyer is the corresponding author |
|---|---|
| collection | DOAJ |
| description | The increasing use of connected medical devices has led to substantial cybersecurity challenges, putting patient safety and the integrity of healthcare infrastructures at risk. This study examines regulatory guidance on medical device cybersecurity in the European Union (guidance document of Medical Device Coordination Group MDCG 2019–16 revision 1) and the United States (US Food and Drug Administration Guidance on Cybersecurity) and identifies their strengths and weaknesses. First, the study compares these documents with a baseline requirements framework derived from international standards and best practices, revealing gaps in the thematic areas of “Cryptography,” “Authentication & Access Control,” and “Source Code/Software Development.” Second, the guidance documents were compared with real-world cybersecurity incidents, showing that the current guidance documents would help to mitigate the weaknesses of important vulnerability examples, while recommendations are missing in both guidance documents, but more so in MDCG 2019–16, for the most important weaknesses. In conclusion, both guidance documents are inadequately formulated in certain aspects, have an unclear scope, inconsistent levels of detail, and contain thematic gaps. These gaps could result in manufacturers failing to sufficiently address cybersecurity concerns in their products, thereby creating vulnerabilities. This study highlights the need for future guidance documents to be clearer in scope and to close existing gaps to ultimately allow safer medical devices. |
| format | Article |
| id | doaj-art-b6fe1f80f9d94309be3d05de9d02cb9e |
| issn | 2001-0370 |
| doi | 10.1016/j.csbj.2025.07.024 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | Elsevier |
| series | Computational and Structural Biotechnology Journal |
| title | Cybersecurity requirements for medical devices in the EU and US - A comparison and gap analysis of the MDCG 2019–16 and FDA premarket cybersecurity guidance |
| topic | Medical devices; Cybersecurity; Regulatory science |
| url | http://www.sciencedirect.com/science/article/pii/S2001037025002892 |