ISO 14971 & Cybersecurity: Context and practical implementation

ISO 14971 is the key international standard for risk management of medical devices. Its current (3rd) edition includes explicit requirements for addressing risks related to cybersecurity. Under the EU MDR/IVDR, manufacturers of medical devices are required to systematically identify, assess, and control all relevant risks, including cyber risks, within their risk management systems.

How do ISO 14971 and Cybersecurity Interact?

  • ISO 14971 mandates that risks associated with data and system security—such as attacks on connected devices or software—must be assessed as part of the overall risk management process.
  • Cybersecurity risks must be identified, analyzed, and mitigated just like traditional technical risks. This includes threat modeling, vulnerability and impact assessment, protective measures, as well as continuous monitoring.
  • Additional standards such as IEC 62304 (software lifecycle) and IEC 81001-5-1 (cybersecurity requirements for health software and IT systems), as well as relevant FDA and MDCG guidance, require that security risk management be built and documented using principles equivalent to those in ISO 14971.
  • Best practices include integrating cybersecurity considerations from the early development phase and throughout the entire product lifecycle—covering continuous monitoring, vulnerability management, and update capabilities.

Regulatory Context

  • EU regulations (MDR, IVDR) and national recommendations (such as those from the BSI or in MDCG documents) mandate the inclusion of cybersecurity in the risk management process.
  • For market approval in the U.S., the FDA explicitly requires security