Healthcare
If you develop or market medical devices with digital components, you are subject to MDR (EU 2017/745) and, in the near future, to the Cyber Resilience Act (CRA). CRA introduces cybersecurity obligations—including mandatory incident reporting from September 2026, and full applicability from December 2027.
We recommend developing your products in accordance with:
- IEC 62443-4-1 (secure development)
- IEC 81001-5-1 (for medical software)
- IEC 62443-4-2 (security of technical components)
These standards define clear requirements for development processes, system architecture, updates, and resistance to vulnerabilities.
Additionally, manufacturers must understand the deployment environment of their products. Hospitals should inform you of which security zones your products will enter (e.g., high-trust zone, security perimeter, open network).
Based on this, you can determine the required security level—which influences configuration, logging, encryption, updates, or integration into the hospital’s SIEM system.
Cybersecurity in healthcare is no longer optional—it is a mandatory part of risk and operational management in healthcare facilities. Hospitals are regulated entities under the new Cybersecurity Act (ZoKB), effective November 1, 2025, based on the NIS2 directive.
Cybersecurity in hospitals should be based on three key pillars:
- ISO/IEC 27001 – An ISMS to manage risks, define policies, train staff, and handle incidents
- ZoKB (NIS2) – A legislative framework requiring operational, technical, and organizational security measures, incident reporting, and auditability
- IEC 62443-2-1 – A standard for designing and managing cybersecurity in operational (OT) environments, including healthcare settings
IEC 62443-2-1 should serve as a methodological framework for dividing hospital infrastructure into security zones. Each zone (e.g., critical systems, public networks, lab devices) has a designated security level, which determines the technical and organizational measures required—along with the security standards for products entering that zone.
Hospitals should apply this zoning approach in communication with suppliers and demand information on product security levels accordingly.
Healthcare is one of the most strictly regulated sectors—both in terms of handling sensitive data and the operation and safety of systems and devices. Regulations and standards affect not only care providers but also their suppliers, IT developers, and medical device manufacturers.
Legislation:
- Cybersecurity Act (ZoKB) – Effective from November 1, 2025; implements NIS2. Applies to hospitals, healthcare facilities, public institutions, and IT vendors.
- GDPR – Protection of personal data for patients, staff, and users of healthcare systems.
- MDR (EU 2017/745) – Regulation of medical devices, including software with diagnostic or therapeutic functions.
- MDCG 2019-16 – European Commission (Medical Device Coordination Group) guidance on cybersecurity for medical devices, especially networked ones.
- Cyber Resilience Act (CRA) – Will apply to all products with digital elements, including medical software. Incident reporting will be required starting September 2026.
Standards:
- ISO/IEC 27001 – Information Security Management System (ISMS)
- ISO 13485 – Quality management system for medical device manufacturers
- ISO 27799 – Protection of personal health data within an ISMS
- IEC 81001-5-1 – Cybersecurity for medical software and IT systems in healthcare
- IEC 62443 – Cybersecurity for industrial control systems; also applicable in hospitals/labs using OT technologies (e.g., lab automation, connected diagnostics)
- IEC 62304 – Lifecycle management of medical software (development, maintenance, changes)
- IEC 82304-1 – Quality and safety of health software products
- ISO/IEC 42001 – Management of AI systems (recommended for organizations developing or operating AI in clinical or operational settings)
Cybersecurity in healthcare must be approached comprehensively—at the organizational/hospital level (IT systems, processes, staff) and at the level of technologies and medical devices that handle patient data or communicate with other systems.
It is essential to distinguish management systems (e.g., ISO/IEC 27001, ISO 13485, or the new Cybersecurity Act based on NIS2), which apply solely to the organization, its processes, and quality management, from the security of individual products.
Management systems do not demonstrate or prove the cybersecurity of specific products or medical devices; that must be addressed separately through technical standards and specialized assessments.
Ensuring the security of medical devices and information systems requires:
- Secure development and system management (e.g., according to IEC 81001-5-1 or IEC 62443-4-1)
- Vulnerability testing and penetration testing (e.g., according to IEC 62443-4-2)
- Implementation of an Information Security Management System (ISMS according to ISO/IEC 27001)
- Assessment of compliance with NIS2, the Cybersecurity Act (ZoKB), GDPR, and MDR (Medical Device Regulation)
- Preparation of technical documentation and compliance for notification or CE marking
EZÚ offers both organizational and product-related services, supporting hospitals, public institutions, and healthcare technology providers in managing the full process of cybersecurity—from GAP analysis and tailored training to pre-assessments, audits, and certification based on relevant standards and regulations.