This article highlights the cybersecurity aspects of software-based medical devices intended to be marketed and used in the UK.

The Medicines and Healthcare products Regulatory Agency (MHRA), the UK regulatory authority for healthcare products, has published a roadmap describing the proposed changes to the existing regulatory framework for software- and artificial intelligence (AI)-based products that are regulated as medical devices. In this document, the authority outlines the key issues to be addressed and describes the proposed solutions. The document is intended to provide additional clarity on the future development of the medical device regulatory framework for medical device manufacturers and other parties involved.

The scope of the changes covers, inter alia, cybersecurity. In this respect, the authority acknowledges that the existing regulatory framework for software-based medical devices does not reflect the latest developments in cybersecurity and in protection against the associated risks. Furthermore, there are specific risks associated with legacy software medical devices – products that are still in use even though they are no longer supported by their original manufacturers or developers.

According to the document, the main objectives are to:

  • Articulate how cybersecurity issues translate to software as a medical device (SaMD) issues;
  • Ensure that cybersecurity is adequately reflected in SaMD requirements and in post-market surveillance requirements;
  • Work closely with other bodies, for instance, through the Connected Medical Device Security Steering Group to ensure SaMD cybersecurity policy capitalizes on synergies. 

The document further describes the changes to be made to specific pieces of legislation in order to achieve the goals outlined above.

Secondary Legislation

First of all, the document describes the changes to be made to secondary legislation in order to ensure that cybersecurity-related matters are addressed properly and the respective risks are duly mitigated. The authority acknowledges that many medical devices containing software must be connected to a network in order to operate properly. This exposes the product to risks associated with potential interference with its normal operation.

This question was raised by the authority in the course of the respective public consultation, and feedback from the industry has been obtained. In order to make sure the identified risks are addressed properly, the authority intends to develop and implement secondary legislation that will:

  • Align with the Connected Medical Device Security Steering Group principles;
  • Be consistent with and build upon complementary requirements such as the Department of Culture, Media, and Sport’s Product Security and Telecommunications Infrastructure Bill, NHS DCB (Data Coordination Board) standards, and NHS Digital Technology Assessment Criteria requirements;
  • Be harmonized with international best practice. 

Apart from introducing secondary legislation, the authority intends to issue additional guidance documents to assist medical device manufacturers and software developers in ensuring compliance with the respective regulatory requirements. These guidance documents will describe how the provisions of the underlying legislation should be interpreted and will also provide additional recommendations to be followed. In particular, the authority states that in the guidance documents to be developed:

  • The matters related to cybersecurity will be described in the context of the entire product lifecycle;
  • It will be explicitly stated that cybersecurity is a shared responsibility of all parties involved in the operation of medical devices and requires joint efforts;
  • Additional clarifications will be provided with respect to the responsibilities of and requirements for medical device manufacturers as set forth under the applicable legislation;
  • Additional clarifications will also be provided with respect to cybersecurity vulnerabilities that are common to general and in vitro diagnostic medical devices.

The authority also mentions that the key stakeholders will be involved in the development of the aforementioned guidance documents. 

Best Practices 

The authority intends to pay special attention to the best practices to be followed by medical device manufacturers in order to ensure the safety and proper performance of their products. In particular, the MHRA emphasizes the risks associated with products that are no longer supported by their manufacturers but are still in use. These products create unique risks that must be duly mitigated. For this purpose, the authority intends to issue a separate guidance document describing in detail the best practices to be followed in this respect.

The roadmap also covers the reporting of identified cybersecurity vulnerabilities. In this respect, the authority intends to take steps to improve the existing reporting procedures in order to ensure that all identified vulnerabilities are flagged in a timely manner. The intent is to improve consistency and make the reporting requirements clear for the parties involved to follow.

In summary, the document outlines the key points the MHRA will focus on in the further improvement of the existing regulatory framework for medical devices containing software, as well as for AI-based products. It highlights the most critical issues identified by the authority and describes the particular steps to be taken to make sure they are addressed properly.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.