Cybersecurity Measures Have Become Mandatory: A Turning Point in Medical Device Regulation

Introduction

Effective April 1, 2023, a new regulatory requirement was introduced for companies that manufacture and market medical devices in Japan. Article 12, Paragraph 3 was added to the Essential Principles for Medical Devices (Kiban Yōken Kijun), making cybersecurity measures for software-based medical devices a legal requirement rather than a recommendation. The amendment is based on the guidance document "Principles and Practices for Medical Device Cybersecurity", finalized by the International Medical Device Regulators Forum (IMDRF) in March 2020, and it marks a significant turning point for the medical device industry.

Content of the New Regulatory Requirements

The newly amended Article 12, Paragraph 3 of the Essential Principles for Medical Devices stipulates the following:

For software-based medical devices that are used in connection with other devices or networks, or for which unauthorized access and cyberattacks can be anticipated, the manufacturer must identify appropriate requirements based on the device's operating environment and its network usage environment. The manufacturer must identify and evaluate cybersecurity-related hazards that could lead to device malfunction or harm to patients, and must ensure that control measures are implemented to reduce those hazards. In addition, the device must be designed and manufactured according to a plan that ensures cybersecurity throughout the entire lifecycle of the medical device.

With this requirement, manufacturers of software-based medical devices are now legally obligated—not merely encouraged—to implement cybersecurity measures.

Cybersecurity Assurance Requirements Based on IMDRF Guidance

The IMDRF guidance identifies three fundamental perspectives for ensuring medical device cybersecurity, which have been incorporated into Japan’s Essential Principles:

First, manufacturers must establish a plan for considering medical device cybersecurity throughout the entire product lifecycle. This means managing cybersecurity consistently across all processes, from development through post-market use.

Second, device design and manufacturing must be capable of reducing cyber risks. During the design phase of medical device software, known or foreseeable cybersecurity threats must be identified and incorporated into the risk management process with appropriate countermeasures implemented.

Third, manufacturers must establish minimum requirements for hardware, network, and IT security measures necessary for the appropriate operating environment. This emphasizes the importance of clearly identifying the usage environment of the device and defining minimum security requirements corresponding to that environment.

Measures Required from Both Manufacturers and Healthcare Facilities

Ensuring cybersecurity cannot be achieved without collaborative efforts between manufacturers and healthcare facilities. Specifically, measures are required at two stages:

Pre-Market Measures

Before a device reaches the market, the manufacturer must ensure that it is resilient enough to withstand cyberattacks: known security vulnerabilities (weaknesses) are addressed and the device continues to operate correctly as intended. At the same time, from the design and manufacturing stages onward, the manufacturer must build in appropriate defenses so that the device cannot become a source of malware infection and, should an attack succeed, so that the infection does not spread to other devices or systems.

Designers of medical device software must continuously collect the latest security information and stay current on known vulnerabilities in the components they use. A security flaw discovered shortly after launch is a serious threat to patient safety, because a deployed device is slow to patch; a careful development process is essential to avoid shipping such flaws in the first place.

Post-Market Measures

After a device is on the market, both the manufacturer and the healthcare facility must manage it appropriately, and they must cooperate with each other. The manufacturer remains responsible for ensuring that the device can be used safely in its intended operating environment, which means rapidly developing and delivering patches and updates when vulnerabilities are discovered. When a cyber incident does occur, appropriate reporting and response measures must be carried out.

Healthcare facilities must also implement cybersecurity measures of their own. Basic measures such as installing firewalls and closing unnecessary network ports are indispensable for the safe use of medical devices in a clinical environment. This applies equally whether medical device software is installed on-site or delivered as a cloud-based service: in both cases, network infrastructure-level protection such as a firewall is required.

Responding Only After Security Flaws Are Discovered Is Too Late: The Importance of a Preventive Approach

A critical lesson from medical device cybersecurity practice is that reacting only after a security flaw is discovered is too late. Once a vulnerability is discovered and publicly disclosed, attackers rapidly develop ways to exploit it, while a patch for a medical device must still be developed, validated and rolled out to every installed unit. Responding only at that point may be insufficient to protect patient safety.

Protective measures at the network infrastructure level are therefore essential. In other words, healthcare facilities must, through firewalls and appropriate network configuration, establish an environment in which a vulnerable medical device is not directly reachable by an attacker, so that a device that has not yet been patched is still shielded from attack. This defensive approach is an indispensable element of any cybersecurity strategy.

Compliance Deadlines and Standards

Regarding the implementation status in Japan: Article 12, Paragraph 3 of the Essential Principles has applied since April 1, 2023, with a one-year transition period during which the previous approach could still be followed, until March 31, 2024. For medical devices whose approval applications, certification applications, or notifications are submitted on or after April 1, 2024, compliance with the amended Essential Principles is now mandatory.

To demonstrate compliance in concrete terms, the Ministry of Health, Labour and Welfare notification directs manufacturers to JIS T 81001-5-1 (the Japanese adoption of IEC 81001-5-1) as the applicable standard. This standard specifies the cybersecurity activities to be carried out throughout the entire lifecycle of health software. On top of the risk management process required by JIS T 14971 (ISO 14971), it details cybersecurity-specific requirements such as threat modeling, security testing, vulnerability management, and incident response.

International Regulatory Trends

The amendment in Japan aligns with global regulatory developments. The U.S. Food and Drug Administration (FDA) is moving in the same direction: its guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" was first finalized in September 2023 and an updated final version was issued in June 2025. The guidance implements Section 524B of the Federal Food, Drug, and Cosmetic Act, which defines "cyber devices" (devices that include software, can connect to the internet, and have technological characteristics that could be vulnerable to cybersecurity threats) and imposes statutory cybersecurity obligations on all of them. Sponsors of such devices must submit a Software Bill of Materials (SBOM), a plan to monitor, identify and address post-market vulnerabilities and exploits (including coordinated vulnerability disclosure), and evidence of processes that provide reasonable assurance of cybersecurity throughout the product lifecycle, which makes the demonstration of conformance very specific and rigorous.

In Europe and other regulatory regions, cybersecurity requirements for medical devices are likewise being strengthened (for example, through the EU Medical Device Regulation's general safety and performance requirements for software and the MDCG 2019-16 guidance on cybersecurity), and international regulatory harmonization continues to advance.

Practical Challenges and Directions for Implementation

The author regularly receives inquiries about how to implement cybersecurity measures. In practice, medical device manufacturers face the following challenges:

Addressing the security flaws (vulnerabilities) inherent in medical device software is the foundation of any cybersecurity program. Multiple layers of protection are required: threat modeling during design, secure coding practices during development, and penetration testing before release. Manufacturers must also continuously collect the latest security information and keep track of known vulnerabilities in the components their software depends on, so that a newly published advisory can be mapped to affected products quickly.
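The following Python script is an added example, not code from the article, from any regulator, or from any vendor. It shows the kind of routine check that the vulnerability monitoring described above, and the SBOM-based post-market monitoring the FDA guidance expects, would run: read a CycloneDX-style SBOM for a firmware image, compare each component's version against the affected range of each advisory, and report what needs a patch versus what has no fixed release yet and therefore needs a compensating control such as network isolation. The SBOM, component names, version numbers and advisory identifiers are all constructed for this example and do not refer to real products or real vulnerabilities.

```python
"""Match an SBOM against known-vulnerability advisories by version range.

Added example for this article, not code from any regulator or vendor.
The SBOM, component names, versions and advisory IDs below are constructed
sample data and do not describe real products or real vulnerabilities.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "firmware", "name": "infusion-pump-fw", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "dicom-toolkit",  "version": "3.6.4"},
    {"type": "library", "name": "hl7-parser",     "version": "2.1.0"},
    {"type": "library", "name": "rtos-net-stack", "version": "5.2.1"},
    {"type": "library", "name": "json-lib",       "version": "1.9.0"}
  ]
}
"""

# Constructed advisory feed. "introduced" is inclusive, "fixed" is exclusive;
# fixed=None means no fixed release exists yet (mitigation only).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "component": "dicom-toolkit",  "introduced": "3.0.0", "fixed": "3.6.5", "severity": "critical"},
    {"id": "EXAMPLE-2024-0002", "component": "hl7-parser",     "introduced": "2.0.0", "fixed": "2.0.9", "severity": "high"},
    {"id": "EXAMPLE-2024-0003", "component": "rtos-net-stack", "introduced": "5.0.0", "fixed": None,    "severity": "high"},
    {"id": "EXAMPLE-2024-0004", "component": "json-lib",       "introduced": "2.0.0", "fixed": "2.3.1", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch' into a comparable 3-tuple.

    Trailing letters (e.g. '1.1.1k') are ignored and missing parts are padded
    with 0, so '3.6' compares equal to '3.6.0'. Real advisory feeds need the
    ecosystem's own ordering rules; this is enough for dotted numeric versions.
    """
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or when no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    version: str
    severity: str
    fixed_in: Optional[str]  # None: no fixed release, needs a compensating control


def match_sbom(sbom_json: str, advisories: list) -> List[Finding]:
    """Cross-reference every SBOM component with every advisory for that name."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"], comp["name"], comp["version"],
                                        adv["severity"], adv["fixed"]))
    # Most severe first so the report reads top-down as a work list.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.component))
    return findings


def format_report(findings: List[Finding]) -> str:
    """One line per finding, stating the remediation action."""
    if not findings:
        return "no affected components"
    lines = []
    for f in findings:
        action = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix available; isolate/mitigate"
        lines.append(f"[{f.severity.upper()}] {f.advisory_id}: {f.component} {f.version} -> {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(match_sbom(SBOM_JSON, ADVISORIES)))
```

Run against the constructed data, the script flags dicom-toolkit 3.6.4 (fix available in 3.6.5) and rtos-net-stack 5.2.1 (no fixed release, so the device must be shielded at the network level until one ships), while hl7-parser 2.1.0 and json-lib 1.9.0 fall outside their advisories' affected ranges. In a real program the SBOM comes from the build pipeline and the advisory feed from the component vendors and public vulnerability databases; the matching logic stays the same, but version ordering must follow each ecosystem's own rules rather than the simple dotted-numeric comparison used here.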

Simultaneously, it is necessary to address the network infrastructure of healthcare facilities. Healthcare facilities frequently face compatibility issues with legacy systems and network management constraints, resulting in cases where basic measures such as firewall installation and closure of unnecessary network ports are not adequately implemented. Both manufacturers and healthcare facilities must recognize their respective areas of responsibility and establish a cooperative support structure.

The same applies when the service is delivered from cloud infrastructure: a cloud-based medical device service still requires network-level security measures, including firewalls, encryption of data in transit and at rest, and access control.

Conclusion

Medical device cybersecurity is not merely a concern for the information technology department; it is a design and quality management issue that bears directly on device safety and effectiveness. Because reacting only after a security flaw is discovered is insufficient, manufacturers and healthcare facilities must work together on comprehensive cybersecurity management that covers security assurance from the design phase, continuous vulnerability monitoring, and rapid incident response. Defensive network infrastructure layers, combined with a multi-layered security approach, have become a prerequisite for maintaining patient safety and the trustworthiness of healthcare systems.
