Currently submitted to: JMIR Medical Informatics

Date Submitted: Mar 7, 2026
Open Peer Review Period: Mar 26, 2026 - May 21, 2026
(currently open for review)

Warning: This is an author submission that is not peer-reviewed or edited. Preprints - unless they show as "accepted" - should not be relied on to guide clinical practice or health-related behavior and should not be reported in news media as established information.

Regulatory Approaches to Cybersecurity Risk Management for AI-Enabled Medical Device Software in Korea, the United States, and the European Union: Comparative Document Analysis

  • Saera Jung
  • Kihong Son

ABSTRACT

Background:

Software-based and artificial intelligence (AI)–enabled medical devices are increasingly networked and updateable, expanding the attack surface and making cybersecurity governance intersect with quality management and postmarket oversight. Yet regulated device risk management remains primarily oriented toward patient-safety harms under ISO 14971–style frameworks.

Objective:

To compare how Korea’s Ministry of Food and Drug Safety (MFDS), the US Food and Drug Administration (FDA), and the European Union/Medical Device Coordination Group (EU/MDCG) define and operationalize cybersecurity for medical device software across premarket review and postmarket surveillance, and to identify informatics-relevant gaps between safety vigilance and vulnerability-focused cybersecurity practice.

Methods:

We conducted a qualitative comparative document analysis of publicly available laws, regulations, guidance, and standards relevant to medical device cybersecurity and AI-enabled software. Using a common analytic framework, we mapped (1) conceptual scope (definitions and lifecycle boundaries), (2) premarket operationalization (required artifacts and evidence such as threat modeling, software bills of materials, and vulnerability management plans), and (3) postmarket operationalization (monitoring, reporting, and update governance).

Results:

We analyzed 10 jurisdiction-specific regulatory and guidance documents (MFDS: 2; FDA: 4; EU/MDCG: 4) and mapped requirements into three domains (conceptual scope, premarket operationalization, and postmarket operationalization) across the total product life cycle. Across jurisdictions, cybersecurity converged on protecting confidentiality, integrity, and availability of data and device functions but was embedded in different regulatory architectures. MFDS emphasized documentation completeness aligned with ISO 14971 risk management; the FDA framed cybersecurity as quality-system and design-control activities spanning the total product life cycle, including statutory requirements for “cyber devices”; and the EU treated cybersecurity as an extension of safety under MDR/IVDR interpreted through MDCG guidance, with additional cross-sector obligations for subsets of manufacturers and service providers. A common limitation was that vigilance pathways were largely triggered by patient-harm thresholds, whereas vulnerabilities and near-miss security events were often managed through parallel information-security processes.

Conclusions:

Regulatory approaches show definitional alignment but operational fragmentation at the interface between patient-safety vigilance and vulnerability-centric cybersecurity practice. Integrating cybersecurity as an interoperable process within the quality management system—linking vulnerability monitoring, incident response, and software update controls to CAPA and change control—and expanding postmarket surveillance to incorporate vulnerability and performance signals may support more trustworthy deployment of regulated AI-enabled medical software.


Citation

Please cite as:

Jung S, Son K

Regulatory Approaches to Cybersecurity Risk Management for AI-Enabled Medical Device Software in Korea, the United States, and the European Union: Comparative Document Analysis

JMIR Preprints. 07/03/2026:94846

DOI: 10.2196/preprints.94846

URL: https://preprints.jmir.org/preprint/94846


© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a CC BY license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.