Understanding Cybersecurity’s role in the PSUR: Unpacking EU Medical Device Mandates


The European medical device industry is already struggling to adjust to a broad swath of changes enacted in the EU’s new Medical Device Regulation (MDR 2017/745) and In Vitro Diagnostic Device Regulation (IVDR 2017/746). One fundamental change that merits extra attention regarding cybersecurity is the introduction of the Periodic Safety Update Report (PSUR), a requirement under these regulations and a component of the Post-Market Surveillance (PMS) system.

This article will provide a detailed explanation of the PSUR requirements and discuss how tailored vulnerability management for MedTech can enhance this crucial area of compliance with the medical device regulation.

What is PSUR?

The PSUR serves as a part of the technical documentation and should be clear, organized, readily searchable and unambiguous. It is designed to summarize key actions and conclusions from PMS activities. PSURs must be submitted at specified intervals, which vary depending on the device classification. The following table outlines the submission frequency for PSURs based on different device classifications.

Figure 1: Submission frequency for both PSUR and the post-market surveillance report by device classification under MDR and IVDR


What is included in a PSUR?

The PSUR encapsulates various elements that include the data collected, their assessment, benefit-risk determination conclusions, main findings of the Post-Market Clinical Follow-up (PMCF) and other significant findings. To prepare an effective PSUR, elements like information concerning serious incidents, field safety corrective actions, non-serious incidents and more should be considered.

Figure 2: Sources and types of data collected for PSUR preparation


What is the cybersecurity requirement for PSUR?

Medical Device Manufacturers (MDMs) are obligated to maintain an up-to-date PMS system that includes cybersecurity considerations. An effective cybersecurity PMS program will incorporate various aspects such as operational environment, information sharing, vulnerability remediation and incident response.

To meet these requirements, a robust vulnerability management system is indispensable. Such a system will continuously identify and assess security vulnerabilities, enabling MDMs to take corrective actions swiftly. With real-time monitoring, in-depth software bill of materials analytics and trend reporting capability, an effective vulnerability management platform can make the maintenance of a PMS system more straightforward and efficient.

Figure 3: Diagram outlining the links between PSUR, incident response and trend reporting

What is incident response and vulnerability management?

An effective vulnerability management program is both a preventative and remediating tool for incident response. Investigations of exploited vulnerabilities related to cybersecurity are essential for understanding and evaluating the impact.

MDMs have access to reporting tools that use International Medical Device Regulators Forum (IMDRF) codes to index a range of factors such as the device problem, the related health impact and the cybersecurity-related root causes of the incident. Reporting tools specialized for medical device cybersecurity can help simplify this process.

What is the relationship between trend reporting and cybersecurity?

Trend reporting is another vital component. According to MDR Article 88, incidents rooted in cybersecurity issues must be included in trend reporting. MDMs have a duty to elaborate on key details such as the methodology used for detecting a significant increase in incident frequency or severity, how these incidents are managed and the period of observation.

A robust vulnerability management system is particularly useful here. Such a platform will provide deep insight into vulnerabilities, offering critical metrics on risks and trends. It also ensures automated logging and produces trend reports, enabling MDMs to comply with MDR Article 88 more efficiently. Compiling this data is also critical for trend reporting as it provides a comprehensive picture of the device’s cybersecurity posture over time, helping to meet regulatory requirements.

Following a guided checklist for integrating cybersecurity within PSURs

To ensure the practical implementation of cybersecurity in PSUR, a structured approach is needed. Below is an optimized checklist tailored for MDMs to ensure that all facets of cybersecurity are meticulously covered in their PSURs.

  • Identification of cybersecurity risks: Has the MDM detected any cybersecurity vulnerabilities or threats concerning the medical device since the last reporting period? Provide specific details about these vulnerabilities and the corrective actions implemented.
  • Incident and breach reporting: Were any cybersecurity incidents or breaches reported during this period? If yes, describe how these incidents were managed and specify any modifications made to bolster the device’s cybersecurity.
  • Cybersecurity risk assessment: Did the MDM perform a cybersecurity risk assessment that considers potential threats, vulnerabilities and the possible impacts on patient safety and data security? Summarize key findings and actions undertaken.
  • Software updates and patches: Have there been any software updates or patches released during this reporting period specifically to tackle cybersecurity vulnerabilities?
  • Risk profile modification: Have any alterations been made to the risk profile of the device due to cybersecurity considerations? Specifically, note any changes in the identified risks or the severity level associated with cybersecurity vulnerabilities.
  • Incident response plan: Has an incident response strategy tailored for cybersecurity events been established by the MDM? Outline the procedure that would be followed in case of a cybersecurity breach or incident.

This checklist ensures that every facet of cybersecurity is addressed comprehensively in the PSUR, thereby aiding MDMs in maintaining rigorous standards of safety and compliance.
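The Article 88 trend-reporting duty described earlier (a stated methodology for detecting a significant increase in incident frequency or severity over a defined observation period) and the checklist items on incident reporting and risk-profile changes both rest on the same underlying computation: counting cybersecurity-rooted incidents per observation period and comparing each period against the baseline formed by the periods before it. The following Python example is added here to show one such methodology end to end; it is not code from Irdeto's platform or from the regulation. The monthly observation period, the 1-to-4 severity scale, the record layout and the threshold rule (count above the baseline mean plus k standard deviations, with an absolute minimum count) are assumptions, and the incident records are constructed for the illustration.

```python
"""Trend detection over cybersecurity incident records for MDR Article 88
trend reporting. Added illustration, not Irdeto platform code: the monthly
observation period, severity scale, record layout and threshold rule are
assumptions, and the sample incident records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Incident:
    reported: date
    severity: int            # assumed scale: 1 (low) .. 4 (critical)
    cyber_root_cause: bool   # True when the root cause is a cybersecurity issue


@dataclass(frozen=True)
class TrendFlag:
    period: str
    count: int
    threshold: float         # baseline mean + k * std for this period
    frequency_increase: bool
    severity_increase: bool


# Constructed sample records spanning six monthly observation periods.
SAMPLE_INCIDENTS = [
    Incident(date(2024, 1, 9), 2, True),
    Incident(date(2024, 1, 22), 1, False),   # not cyber-rooted: excluded
    Incident(date(2024, 2, 3), 2, True),
    Incident(date(2024, 3, 14), 1, True),
    Incident(date(2024, 4, 2), 2, True),
    Incident(date(2024, 5, 5), 2, True),
    Incident(date(2024, 6, 1), 3, True),
    Incident(date(2024, 6, 4), 4, True),
    Incident(date(2024, 6, 11), 3, True),
    Incident(date(2024, 6, 19), 2, True),
    Incident(date(2024, 6, 27), 4, True),
]


def period_key(d: date) -> str:
    """Observation period is the calendar month, keyed as YYYY-MM."""
    return f"{d.year:04d}-{d.month:02d}"


def month_range(start: date, end: date):
    """Yield every YYYY-MM key from start's month to end's month inclusive,
    so months with zero incidents still count in the baseline."""
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield f"{y:04d}-{m:02d}"
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def per_period_stats(incidents):
    """Return {period: (count, max_severity)} over cyber-rooted incidents,
    including empty months between the first and last record."""
    cyber = [i for i in incidents if i.cyber_root_cause]
    if not cyber:
        return {}
    counts, max_sev = defaultdict(int), defaultdict(int)
    for inc in cyber:
        k = period_key(inc.reported)
        counts[k] += 1
        max_sev[k] = max(max_sev[k], inc.severity)
    first, last = min(i.reported for i in cyber), max(i.reported for i in cyber)
    return {k: (counts[k], max_sev[k]) for k in month_range(first, last)}


def detect_significant_increase(stats, k=2.0, min_count=3, min_baseline=2):
    """Flag a period when its count exceeds mean + k*std of all earlier periods
    (and reaches min_count, so a flat zero-variance baseline cannot flag a
    single incident) or when its highest severity exceeds the baseline's."""
    periods, flags = list(stats), []
    for i, p in enumerate(periods):
        if i < min_baseline:
            continue  # not enough history to form a baseline
        base_counts = [stats[q][0] for q in periods[:i]]
        base_max_sev = max(stats[q][1] for q in periods[:i])
        threshold = mean(base_counts) + k * pstdev(base_counts)
        count, sev = stats[p]
        freq_up = count > threshold and count >= min_count
        sev_up = sev > base_max_sev
        if freq_up or sev_up:
            flags.append(TrendFlag(p, count, threshold, freq_up, sev_up))
    return flags


def trend_report_lines(stats, flags):
    """Plain-text summary lines for the PSUR trend-reporting section."""
    lines = [f"Observation periods: {len(stats)} (monthly), "
             f"cyber-rooted incidents: {sum(c for c, _ in stats.values())}"]
    for f in flags:
        why = " and ".join(w for w, on in (("frequency", f.frequency_increase),
                                           ("severity", f.severity_increase)) if on)
        lines.append(f"{f.period}: significant increase in {why} "
                     f"({f.count} incidents, baseline threshold {f.threshold:.1f})")
    return lines


if __name__ == "__main__":
    s = per_period_stats(SAMPLE_INCIDENTS)
    print("\n".join(trend_report_lines(s, detect_significant_increase(s))))
```

Two design choices matter for the PSUR narrative. First, empty months are kept in the baseline, because a quiet period is evidence about the expected rate and dropping it would inflate the mean. Second, the absolute minimum count guards against a flat baseline with zero variance, where a single incident would otherwise exceed the threshold and produce a spurious "significant increase"; the k, minimum-count and observation-period values chosen are exactly the methodology details Article 88 asks the MDM to state.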

What are the key takeaways?

Producing accurate and comprehensive PSURs is a critical activity for MDMs, which now explicitly encompasses cybersecurity. Compliance with regulatory mandates is a given, but the real value lies in effectively fortifying security with cost, operational efficiency and seamless integration with your current process in mind.

A well-designed vulnerability management process empowers MDMs with a streamlined approach to achieving regulatory compliance. It elevates the standard PSUR process by enhancing visibility into vulnerabilities, providing critical risk metrics and generating automated logging and trend reports. This added layer of security amplifies the efficacy of PSURs, making them not just a regulatory requirement but also a tool for proactive device management and patient safety.

Take the next step

Do not merely settle for regulatory compliance. Elevate your PSUR process into a robust security strategy. With the increasing complexity of medical devices and growing cybersecurity threats, it is time to proactively manage vulnerabilities and enhance device security.

Contact us today to learn how Irdeto’s Post-Market Vulnerability Management Platform can make a meaningful difference in your post-market surveillance activities and simplify your PSUR reporting.