
Future regulatory framework for medical devices in the UK

With the connected revolution, the Internet of Things (IoT) is having an increasingly large part to play in healthcare.

The possibilities of new, evolving and interconnected medical devices know no bounds; but the implications of poor cyber security could have quite the impact, particularly if that security is overlooked or simply bolted on at the last minute.

As the UK Medicines and Healthcare products Regulatory Agency (MHRA) requests views on how medical devices could be regulated across the UK in the future, Stuart Kurutac, Senior Security Consultant at NCC Group, shares thoughts on the key elements to consider.

“Data privacy is a major concern. Meanwhile, loss of life is a very real possibility if connected devices are not secure. We therefore welcome MHRA’s intention to establish regulatory requirements relating to security measures and protection against unauthorised access for medical devices.

As well as being clear about what the requirements are and how they can be achieved, the MHRA should avoid adding any further fragmentation or complexity; utilise the wealth of established standards and frameworks already in existence; ensure alignment with other government departments’ efforts to secure connected products, such as the Department for Digital, Culture, Media and Sport’s (DCMS) ‘Secure by Design’ programme; and focus on harmonising its frameworks with global practice.

Other stand-out points that we recommend include:

  • The importance of embedding a true understanding of the threat and risk landscape

    Developers and manufacturers should be required to embed a true understanding of threats and risks in their organisations and promote continuous mitigation throughout the product design, development, and post-market lifecycle, avoiding a ‘tick-box’ compliance approach. Thorough threat modelling and risk assessments are essential steps in the development process.

    Continuous post-market assurance should also be undertaken, including (but not limited to): security testing, both automated and manual, and in real-world connected healthcare settings; support for security patching; an up-to-date Software Bill of Materials (SBOM) allowing vendors to keep track of third-party software contained in their applications and devices; and, a responsible disclosure process.

    Manufacturers and developers should also be required to establish the links between technical risks and clinical risks, using standards such as DCB0129 and DCB0160, existing risk scoring tools and collaborating with Clinical Safety Officers. This will enable them to prioritise discovered vulnerabilities throughout the product lifecycle.

  • The importance of building in flexibility and future-proofing from the outset

    This should include periodic reviews and regular engagement with industry to accommodate future advancements. MHRA should also consider how it can support continuous security research and testing.

    More broadly, we note that there is a significant regulatory gap in the fast-evolving field of brain-computer interfaces (BCI). There is a myriad of potential applications for BCIs in the health sector, including health monitoring, alleviating mental illness and easing physical disabilities. However, there are also significant security, safety and privacy concerns that need to be addressed before this emerging technology is adopted more broadly, and, at present, there is no regulation in the UK which does this, taking into account the specific challenges associated with BCIs.

Good, evidence-based and data-driven regulation can play a key role in ensuring the right steps are taken by manufacturers and developers to minimise risks and maximise cyber security.”

Link to Consultation

Image: Shutterstock: Royalty-free stock photo ID: 572383276
