MDR CYBERSECURITY
The MDR Demands "State of the Art" Security.
We Provide the Evidence.
Don't let cybersecurity be the blocker for your CE marking. We guide you through the chaos of IEC 81001-5-1 and provide the deep, technical proofs your Notified Body requires.
Cybersecurity Doesn't Have to Be a "Black Box"
If you are reading this, you are likely preparing a Class IIa or IIb medical device for market access, or you are in the middle of a surveillance audit. You know the MDR inside and out—clinical evaluation, risk management (ISO 14971), and biocompatibility.
But then there is Annex I, Section 17.2.
The requirement to ensure "Information Security" according to the "State of the Art" often feels vague and threatening. Auditors are asking for "penetration tests," "fuzzing," or "verification of security," and generic IT providers often don't understand the difference between a patient monitor and a web shop.
You don't need a hacker. You need a partner who speaks "Regulatory."
Decoding the Requirements: What Your Auditor Wants to See
The Medical Device Regulation (MDR) has shifted cybersecurity from a "nice-to-have" to a General Safety and Performance Requirement (GSPR). Here is what that means in plain English, without the jargon:
1. It's Not Just About "Bugs" – It's About Safety
The MDR doesn't care if your website is hackable; it cares if a patient can be harmed. We align our testing strictly with ISO 14971. We don't just report "Critical Vulnerabilities"; we map them to "Unacceptable Risks" in your device's safety context.
2. "State of the Art" is Defined by Standards
Your auditor uses specific standards to judge you. A generic pentest is often rejected because it ignores these frameworks. Our testing is built directly upon:
- MDCG 2019-16: The EU guidance document that explicitly lists Penetration Testing as a required verification method.
- IEC 81001-5-1: The standard for Health Software Security, which mandates dynamic testing and vulnerability analysis.
- IEC 62304: We verify that your software lifecycle has actually produced secure code.
3. Verification vs. Validation
You need technical evidence (Verification) that your security measures—like encryption and authentication—actually work. A paper design isn't enough. We provide the independent, third-party validation that proves your security architecture is robust.
We Bridge the Gap Between Engineering and Compliance
Machine Spirits is not a generalist IT security firm. We are a specialized consultancy focused on Medical Device Security. We combine the academic rigor of PhD-level research with the practical reality of veteran software engineering.
Our Promise:
No False Positives
We understand medical workflows. We won't flag a necessary emergency override feature as a "security risk."
Auditor-Ready Reports
You don't get a messy list of hacks. You get a structured technical report designed to be attached directly to your Technical Documentation.
Focus on Class IIa/IIb
We specialize in connected systems (SaMD, AI Diagnostics, Embedded MedTech).
Your Path to Certified Security
We take you by the hand and lead you through the process, minimizing disruption to your development team.
Scoping & Intended Use
We start by understanding your device's Intended Use. A cloud-based AI has different risks than a Bluetooth-connected continuous glucose monitor (CGM).
The "Greybox" Approach
We don't guess. We ask for architecture diagrams and API documentation. This allows us to find deep logic flaws that "Blackbox" hackers miss—satisfying the rigorous depth required by Notified Bodies.
Execution
We test your APIs, mobile apps, firmware, and cloud infrastructure using the IEC 81001-5-1 methodology.
The Report
You receive a detailed technical assessment categorizing findings by their impact on Patient Safety and Data Integrity.
Re-Verification
Once your team fixes the issues, we re-test to issue a clean bill of health for your submission.
Clarifying the Chaos
Common questions from manufacturers navigating MDR cybersecurity requirements.
Do we need a pentest if we use a secure cloud provider (AWS/Azure)?
Yes. The MDR holds you responsible for the configuration and the application running on that cloud. AWS secures the server; you must secure the patient data and the software logic.
How long does an MDR Pentest take?
Typical engagements range from 5 to 15 days, depending on complexity (e.g., number of APIs, mobile apps, or hardware interfaces).
Can you write our Technical Documentation for security?
No. To maintain our independence as testers, we cannot author your documentation. However, our reports serve as the primary evidence you reference in your Security Risk Management Plan and Verification Reports.
Ready to Close Your Security Gaps?
Don't wait for the auditor's non-conformity report. Meaningful security verification takes time.
Contact Us for a Scoping Call
Speak directly to a Technical Expert, not a salesperson.
