MDCG 2019-16 - Documentation and Instruction for use

What is it? 

MDCG 2019-16, Guidance on Cybersecurity for medical devices, is guidance published by the Medical Device Coordination Group (MDCG), the expert group established under the EU Medical Devices Regulation (MDR, Regulation (EU) 2017/745) and the In Vitro Diagnostic Regulation (IVDR, Regulation (EU) 2017/746). It is not a standalone certification scheme: it explains how manufacturers can meet the cybersecurity-related General Safety and Performance Requirements in Annex I of those regulations (for example GSPR 17.2, which requires software to be developed in line with the state of the art including information security, and GSPR 17.4, which requires the manufacturer to state the minimum IT requirements for running the device securely), and a dedicated section covers the documentation and instructions for use that must accompany the device. Following the guidance helps businesses place safe and secure medical devices on the EU market, protect sensitive patient information, and give a Notified Body the evidence it expects to see. Clear documentation and instructions for use also let the operator, typically a hospital IT department, configure and run the device securely, which is part of the shared responsibility between manufacturer and user that the guidance describes. Aligning with MDCG 2019-16 is a key step for any business that wants to protect its operations and its reputation with customers, regulators and other stakeholders.

The controls and step by step guide how to meet them: 

1. Management of Cybersecurity in the Life Cycle of Medical Devices: This heading covers the principles for managing cybersecurity risks across the whole life cycle of a medical device, from design and development through deployment and maintenance to decommissioning and end of support.

How to meet it:

  • Develop a cybersecurity plan: Write a plan that states how cybersecurity risks will be managed at each life-cycle stage: secure design and coding, security verification and validation before release, vulnerability monitoring and patch delivery while the device is in service, and a defined end-of-support date after which the device will no longer receive security updates. Integrate the plan with your existing risk management (ISO 14971) and software life-cycle processes rather than running it as a separate activity, so that security findings reach the risk file and the design history.

2. Security Requirements for Medical Devices: This section outlines the security capabilities a device should have so that it can be used safely, such as encryption of sensitive data in transit and at rest, authentication and access control on every interface, secure boot, and authenticated (signed) software updates.

How to meet it:

  • Assess your current security posture: Review each device against those capabilities and record where it falls short, for example unauthenticated service or debug interfaces, firmware that is accepted without a signature check, credentials hard-coded in the image, or patient data stored or transmitted in the clear. Rank the gaps by the safety impact an attacker could cause, and feed them into the design backlog and the security risk assessment.
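As an added illustration of the "secure software updates" requirement in this section (example code written for this page, not code from MDCG 2019-16 or from Periculo), the Go program below shows the checks a device should perform before applying an update: the manifest is authenticated with an Ed25519 signature, a version counter rejects rollback to a signed but older image that may carry known vulnerabilities, and the delivered image is compared against the signed digest. The manifest format, the version policy and the sample image are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical minimal manifest for a signed firmware
// update (an assumption for this example, not a format from MDCG 2019-16).
// The signature covers the version counter and the SHA-256 digest of the
// image, so the image itself does not need a separate signature.
type UpdateManifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

var (
	ErrBadSignature  = errors.New("manifest signature is invalid")
	ErrRollback      = errors.New("update version is not newer than the installed version")
	ErrImageMismatch = errors.New("image digest does not match the signed manifest")
)

// signedBytes is the exact byte string the signature is computed over:
// big-endian version followed by the digest. Fixing the encoding removes
// any ambiguity between signer and verifier.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+len(hash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignUpdate runs on the manufacturer's release system, which is the only
// place the private key should exist.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	h := sha256.Sum256(image)
	return UpdateManifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

// VerifyUpdate runs on the device before anything is written to flash.
// The order matters: authenticate the manifest first, then apply the
// anti-rollback policy to the now-trusted version, then check that the
// delivered image is the one the manifest describes.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, m UpdateManifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	return nil
}

func main() {
	// Constructed example data: a throwaway key pair and a fake image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("firmware v2 (constructed sample image)")
	installed := uint32(1)

	good := SignUpdate(priv, 2, image)
	fmt.Println("valid update:", VerifyUpdate(pub, installed, good, image))

	// Tampered image: the digest no longer matches the signed manifest.
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, installed, good, tampered))

	// Rollback attempt: a genuinely signed but older version.
	old := SignUpdate(priv, 1, image)
	fmt.Println("rollback:", VerifyUpdate(pub, installed, old, image))

	// Manifest signed with a key the device does not trust.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, 3, image)
	fmt.Println("untrusted signer:", VerifyUpdate(pub, installed, forged, image))
}
```

The private key belongs on the release infrastructure only; the device holds just the public key, ideally anchored in hardware or in the secure-boot trust root so that it cannot be replaced through the same update path it protects. An equal version is rejected as well as an older one, so re-delivering the currently installed image cannot be used to reset device state.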

3. Information and Communication Technology (ICT) Security Risk Management: This heading covers the process for managing cybersecurity risks in medical devices: identifying threats, assessing the resulting risk to safety and to data, selecting controls, and verifying those controls through security testing.

How to meet it:

  • Implement ICT security risk management: Run a security risk assessment for each device, starting from a threat model of its interfaces (network services, USB, wireless, service ports, cloud back-ends) and the assets behind them. Decide which risks are reduced by design changes, which by documented operator measures, and which are accepted, and record the rationale for each. Verify the controls with security testing (static analysis, fuzzing of exposed parsers, penetration testing) before release, and repeat the assessment whenever the design or the threat landscape changes. Keep the security risk assessment linked to the safety risk assessment, because a security weakness that can affect device performance is also a safety risk.

4. Incident Management: This section outlines the procedures for handling cybersecurity incidents and vulnerabilities affecting medical devices, including how they are reported, investigated and contained.

How to meet it: 

  • Establish incident response procedures: Define who receives vulnerability and incident reports (including a published channel for external security researchers), how severity and safety impact are assessed, how a fix or mitigation is developed and distributed, and how affected customers are informed. Make sure the procedure feeds the MDR vigilance process, so that an event meeting the definition of a serious incident is reported to the competent authority within the regulatory deadlines, and rehearse the procedure with a tabletop exercise.

5. Cybersecurity in Supply Chain Management: This heading covers the principles for managing cybersecurity risks that enter through the supply chain, including the selection of suppliers and the security controls required of them.

How to meet it: 

  • Manage your supply chain: Select suppliers of hardware, software components and services on the basis of their security practices, and put the requirements into contracts (vulnerability notification, patch support periods, secure development practices). Keep an inventory of the third-party and off-the-shelf software in each device so that a newly published vulnerability in a component can be matched quickly to the products it affects.

6. Post-Market Surveillance of Medical Devices: This section outlines the procedures for monitoring devices for cybersecurity issues after they have been placed on the market and for reporting what is found.

How to meet it: 

  • Conduct post-market surveillance: Monitor vulnerability disclosures, customer complaints and field data for security problems affecting your devices, assess whether each one affects safety or performance, deliver a fix or mitigation, and record the outcome in the post-market surveillance file. A security update that addresses a vulnerability with safety impact may constitute a field safety corrective action and then has to be reported through vigilance.

7. Conformity Assessment and Market Surveillance: This heading covers how the cybersecurity of a device is assessed before it is placed on the market (the conformity assessment, with Notified Body involvement where the device class requires it) and how the competent authorities monitor devices already on the market.

How to meet it: 

  • Prepare for conformity assessment: Assemble the technical documentation that shows how cybersecurity risks were identified, controlled and verified: the security risk assessment, the security architecture, test results, the operator-facing documentation and instructions for use, and the post-market surveillance plan. Keep this documentation current after release, because market surveillance authorities can request it at any time and a security incident in the field will be judged against it.

Overall, MDCG 2019-16 (Guidance on Cybersecurity for medical devices) provides a comprehensive framework for managing cybersecurity risks in medical devices and ensuring their safe and secure use. Please note that this is a general guide and may need to be adjusted based on the specific needs of your business and the medical devices you develop and manufacture. It is also important to stay up to date with the latest cybersecurity guidance and best practices, since the guidance itself expects devices to reflect the state of the art.

Showing evidence to an auditor:

Showing evidence to an auditor or Notified Body that you meet the expectations set out in MDCG 2019-16 can be done in several ways:

  1. Documentation: Provide documentation that demonstrates the steps you have taken, including your cybersecurity plan, security risk assessments, incident response procedures, and the technical documentation prepared for conformity assessment.
  2. Demonstrations: Show the auditor the security capabilities in operation on the device, such as encryption of data in transit, secure boot rejecting an unsigned image, and an authenticated software update being verified before it is applied.
  3. Test results: Provide security test results for your devices, including static analysis findings, vulnerability assessments and penetration test reports, together with the record of how each finding was resolved or accepted.
  4. Certifications: Provide certificates or independent assessment reports from third parties (for example external penetration test reports) that corroborate the security claims made in your technical documentation. Note that MDCG 2019-16 itself is guidance and is not something a device is certified against.
  5. Training records: Provide records of employee training that show staff understand their cybersecurity responsibilities and are trained on the procedures for managing cybersecurity risks in your medical devices.
  6. Audit logs: Provide logs and incident records that show you have monitored for and responded to cybersecurity incidents affecting your medical devices.
  7. Post-market surveillance reports: Provide the post-market surveillance report or periodic safety update report required by the MDR, showing how vulnerabilities and security incidents in the field were identified, assessed and addressed.

Overall, the key to showing an auditor that you meet the expectations of MDCG 2019-16 is clear documentation and objective evidence of the steps you have taken to manage cybersecurity risks in your medical devices and to ensure their safe and secure use.

How Periculo can help: 

Our team of experts can assist with developing a comprehensive cybersecurity plan, conducting security risk assessments and penetration tests, implementing security controls, and preparing the technical documentation for conformity assessment. We can also provide training for your employees on the importance of cybersecurity and best practices for managing cybersecurity risks in medical devices. By partnering with Periculo, you can be confident that your medical devices address the security expectations set out in MDCG 2019-16 and are secure for use. Our goal is to provide our customers with peace of mind and the assurance that their medical devices are protected from cybersecurity threats.