Introduction to the Test

Medical Device Cybersecurity Testing Guide
Modern medical devices incorporate various digital elements such as wireless communication, network connectivity, and software-based functions, which increase their potential exposure to security vulnerabilities and threats.
ICR specializes in evaluating the security and safety of medical devices and medical software based on the guidelines of international regulatory bodies.

Testing Objectives

- Objective verification of security vulnerabilities, such as cyber attacks, unauthorized access control, and the possibility of data fabrication or tampering
- Assessment of the appropriateness and effectiveness of the security functions implemented by the manufacturer
- Pre-confirmation of security performance and securing documentation completeness for compliance with FDA, CE, and MFDS regulations

Target Devices

- Medical devices with wired or wireless communication functions (e.g., Wi-Fi, Bluetooth, USB, Cellular).
- SaMD (Software as a Medical Device).
- SiMD (Software in a Medical Device).
- Network-based equipment that interfaces with hospital networks (e.g., HIS/PACS).

Industry sector

Test Standard

Key Testing Items

- Vulnerability Assessment
- Penetration Testing
- Source Code Security Analysis
- Fuzz Testing
- Attack Surface Analysis & Vulnerability Chaining
- Security Requirements Testing
- Software Composition Analysis (SCA - SBOM based)

Deliverable Documents

Cybersecurity Risk Management Report
- Threat Modeling
- Cybersecurity Risk Assessment
- Vulnerability Assessment and Software Support
- Analysis and Evaluation of Residual Threats
Security Measures and Metrics
Architecture View
Labeling Documents
Cybersecurity Management Plan Document

Testing Procedure

1. Contract and Scope Finalization
2. Security Requirements Analysis
3. 1st Security Test Execution
4. Provision of 1st Test Results Report
5. Support for Remediation of Identified Vulnerabilities
6. 2nd Test Execution
7. Issuance of Test Report
8. Certification Support

Strengths of ICR

Promptness / Reliability / Experience / Professionalism
- Specialized Security Testing Organization for Medical Devices and Software.
- Evaluation System based on International Regulatory Requirements.
- Testing experience across diverse fields, including SaMD, SiMD and Network Equipment.

Contact Person

Cybersecurity

jasen0519@icrqa.com