
For a while now, cybersecurity incidents in the healthcare sector have been increasing and can no longer be dismissed as random incidents, vandalism by script kiddies or collateral damage of general malware campaigns. The healthcare sector, specifically health delivery organizations and their supply chain, have become a prime target for cybercrime and cyberwar actors. Legislators and regulators are reacting, as usual, by creating new legislation, guidelines and requirements, but focusing on health delivery organizations as operators of medical IT-networks (critical infrastructure). As security is only ever as strong as its weakest link, this also impacts medical device manufacturers. While the “what” is being defined by the regulators, figuring out the “how” remains with the operators and manufacturers.

So far, guidance and standardization have focused on (cyber)risk management in general (e.g. AAMI TIR 57) and left manufacturers with a lack of technical standards on how to actually mitigate identified risks. This lack of support on the technology side made many manufacturers turn to other industries, leading e.g. the IEC 62443 family to become a de facto standard for cybersecurity across multiple domains. While these standards have garnered widespread acceptance (e.g. some parts are listed as FDA recognized consensus standards) they don’t necessarily meet all the requirements of the healthcare sector. In recognition of this situation, the ISO and IEC started work on several new standards addressing the issue.

As part of that effort, the IEC has recently published IEC TR 60601-4-5:2021 Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications.

The technical report reinforces the idea that security is a burden shared by the manufacturer and the operator of a medical device. It defines a scheme with which this burden can be assessed, documented and communicated between parties; it defines four security levels and a list of technical capabilities that need to be implemented by a medical device to reach a specific security level. The capabilities are based on those defined by IEC 62443-4-2:2019 (and IEC TR 80001-2-2:2012) and brought into alignment with the basic tenet of medical device development: patient safety.

As a member of the IEC 60601 standards family for electrical medical devices, it defines requirements for the medical device itself (product standard). But unlike the other standards in the family, its scope explicitly states that it can be applied to any medical device software, including SaMD.

The technical report's stated goal is to define testable security properties for a medical device; currently, no official test report form (TRF) exists. It is likely that one will be published in the near future, and that test labs will offer relevant tests.

The technical report is planned to be harmonized for the MDR.

For medical device manufacturers, the technical report thus provides guidance on how to address the security vs. safety challenge when implementing the security mechanisms defined in IEC 62443-4-2:2019. It further helps to assess or attain the security levels of a device and to identify the security measures external to the device that are needed to reach a specific target security level of an operator. It thus also defines the information that needs to be provided to the operator for the secure use of the device. In that, it is expected to help manufacturers meet the general safety and performance requirements (GSPR) 17.2, 17.4 and 23.4 (ab) of the MDR.

Note that the report is essentially a wrapper around the IEC 62443-4-2:2019 standard, which is required reading for anyone trying to implement the security measures listed in the report. Also neither the report nor the standard go down to the “bits and bytes” level of engineering, which is left to the relevant technical standards or state-of-the-art knowledge of the engineer.

At the moment it is still too early to tell whether health delivery organizations/operators of medical IT-networks will apply a security-level scheme, as proposed by IEC 60601-4-5 and IEC 62443-4-2, when purchasing medical devices. But with the relevant IEC and ISO committees collaborating on the topic, and the technical report being targeted for harmonization under the MDR, it seems likely that this will happen sooner or later.

In order to access the Brazilian market, medical devices have to be notified or registered with ANVISA, depending on their risk class. With RDC No. 423/2020, the Brazilian regulator has recently eliminated the Cadastro pathway for the registration of Class II medical devices and IVDs. This was a considerable reduction of the registration requirements for the manufacturers of these devices. The process of registration in Brazil can be very burdensome because certain products are subject to additional certification requirements, depending on their characteristics. Most electro-medical devices, independent of their risk class, have to be certified by the National Institute of Metrology, Standardization and Industrial Quality (INMETRO). Following the trend towards simplifying some regulatory hurdles in Brazil, Ordinance No. 384/2020 has introduced significant changes for manufacturers of devices that require INMETRO certification and will reduce the effort to obtain and maintain this certification.

The new ordinance was published on 18 December 2020 and took effect 10 days later. It included a transition period for certificates issued under previous ordinances. Existing certificates issued under Ordinance No. 54/2016 will have to be reviewed and revised, based on the new ordinance, during the next maintenance audit, once the transition period of six months has passed. Existing certificates issued under the repealed Ordinance No. 350/2010 (and issued before 30 April 2018) may be audited and renewed until the certificate expires.

Depending on when your INMETRO certificate was issued and based on the specific ordinance, the next maintenance audit will already use the new, eased requirements. Ordinance No. 384/2020 has introduced the following changes to the INMETRO certification process:

  • On-site inspections: The new ordinance changes the requirement for on-site inspections, which will no longer be required for all certification procedures. Whether an on-site audit will be required will be based on previous audits, including under MDSAP or ISO 13485. Should the auditing entity decide that an on-site audit is unnecessary, the certification will be based on a desktop audit.
  • Test reports: The new ordinance changes how recent test reports must be: for small and medium-sized equipment, test reports may be older than two years, while for large equipment, test reports may be older than four years. Test reports must reflect the current version of the device to be certified/under review. Changes to the device lead to new testing unless the manufacturer can provide a rationale as to why changes to the device do not justify further testing.
  • Duration of validity: The new ordinance changes the validity of certificates: they no longer expire. Maintenance audits have to be performed regularly (every 15 months or annually).

The changes reduce the burden on medical device manufacturers, particularly regarding the requirements for the actuality of test reports. To avoid unnecessary testing, we recommend checking the current certificates and using the applicable transition period to plan and adapt your renewal processes.


ISS AG, Integrated Scientific Services AG, participated in the 12th Global Entrepreneurship Week. With numerous events organised in 180 countries, the Global Entrepreneurship Week sets out to celebrate entrepreneurship and innovation.

The Campus Biotech Innovation Park and Geneus celebrated this event in the heart of Geneva in the form of a Café & Croissant including a virtual tour of the premises and short videos of the companies contributing to this ecosystem. The video recorded from the ISS AG Geneva-based office is here.

How can ISS AG support innovation? Please read our offer for newcomers in Medtech.

Today, the EU Commission has published a notice in the OJ that notified bodies may temporarily perform QMS audits remotely in exceptional cases and on a case-by-case basis. Notified bodies can thus deviate from the IVDR and MDR requirement that QMS audits take place on-site.

Member States, notified bodies, industry and other stakeholders have insisted that travel and quarantine restrictions have significantly affected the ability of notified bodies to carry out on-site audits at manufacturers' sites. As the inability of notified bodies to carry out on-site audits may increase the risk of a shortage of vital devices, the European Commission is responding to requests for exceptional temporary measures, such as remote audits.

The European Commission allows these temporary extraordinary measures given the exceptional and unforeseen circumstances caused by the COVID-19 crisis, the need to ensure continuous access to safe and effective medical devices and medical in vitro diagnostics and the fact that remote audits performed under the Directives seem to show an adequate level of safety.

While reminding the Member States of their obligations to monitor notified bodies established in their territory, this notice gives them the possibility to allow notified bodies to carry out remote audits on a temporary basis. Notified bodies are required to identify and justify remote audits on a case-by-case basis, and the individual circumstances should be documented and duly substantiated. Member States are invited to inform the EU Commission of measures taken by individual notified bodies (including information to justify such measures).

We advise you to discuss your options for a remote audit with your notified body as soon as possible and use the already available MDCG documents (MDCG 2020-4 and MDCG 2020-17) on remote audits to prepare accordingly. A remote audit requires thorough preparation; this includes:

  • Scheduling mock remote audits;
  • Testing the connection and sound quality beforehand;
  • Ensuring that all audit participants are familiar with the required hardware and software;
  • Clarifying legal aspects in advance (consider data security and privacy issues in connection with sharing of documents, recordings, use of the camera, etc.);
  • If employees participate from their home office: ensuring that the connection, infrastructure etc. are sufficient;
  • Ensuring the IT department is ready to deal with possible technical problems (e.g. connection issues).

If you have questions regarding audit preparation (remote or on-site), our team of experts is always ready to help.

Flyer: ILMAC 2020

BioAlps and ISS AG, Integrated Scientific Services, in collaboration with the Swiss Biotech Association and the Swiss Chemical Society, are organising a Medtech symposium on Thursday, 8 October. Its purpose is to inform Medtech companies about the CE marking process, in particular with regard to the new EU MDR, whose application was postponed to May 2021 because of Covid-19.

In a roundtable format, experts from Swiss industry will share their experiences and recommendations for coping with the new requirements and deadlines. Topics will include the challenges of establishing a product registration strategy, the business impact of the MDR, the shortage of qualified resources and the generation of clinical data.

Free registration and further general information, including the Covid protection concept, can be found here.