Ostermann Max, Mathias Rebecca, Jahed Fatemeh, Parker Mitchell B, Hudson Florence D, Harding William C, Gilbert Stephen, Freyer Oscar
Else Kröner Fresenius Center for Digital Health, TUD Dresden University of Technology, Dresden, Germany.
Information Security and Compliance, Indiana University Health, Indiana University Health University Hospital, Indianapolis, IN, USA.
Comput Struct Biotechnol J. 2025 Jul 15;28:259-266. doi: 10.1016/j.csbj.2025.07.024. eCollection 2025.
The increasing use of connected medical devices has led to substantial cybersecurity challenges, putting patient safety and the integrity of healthcare infrastructures at risk. This study examines regulatory guidance on medical device cybersecurity in the European Union (guidance document of Medical Device Coordination Group MDCG 2019-16 revision 1) and the United States (US Food and Drug Administration Guidance on Cybersecurity) and identifies their strengths and weaknesses. First, the study compares these documents with a baseline requirements framework derived from international standards and best practices, revealing gaps in the thematic areas of "Cryptography," "Authentication & Access Control," and "Source Code/Software Development." Second, the guidance documents were compared with real-world cybersecurity incidents, showing that the current guidance documents would help to mitigate the weaknesses behind important vulnerability examples, while recommendations for the most important weaknesses are missing in both guidance documents, and more so in MDCG 2019-16. In conclusion, both guidance documents are inadequately formulated in certain aspects, have an unclear scope, inconsistent levels of detail, and contain thematic gaps. These gaps could result in manufacturers failing to sufficiently address cybersecurity concerns in their products, thereby creating vulnerabilities. This study highlights the need for future guidance documents to be clearer in scope and to close existing gaps to ultimately allow safer medical devices.