Author: Sebastian Wittor, Cybersecurity Lead at BAYOOMED

The increasing use of closed-loop systems in medical technology brings with it a new class of challenges for cybersecurity. Unlike traditional medical devices, where medical professionals make the final treatment decisions, closed-loop systems operate largely autonomously. They continuously measure physiological parameters, interpret them and trigger therapeutic measures as required, without any human intervention. The software thus becomes the central player in the therapy context and at the same time a potential target.

Introduction to closed-loop systems

A closed-loop medical device is essentially based on three functional components:

  • Sensors that continuously record physiological data
  • Controllers that evaluate the incoming data and make treatment decisions
  • Actuators that implement the resulting measures

This closed control chain enables dynamic, often real-time adaptation of the therapy to the patient’s status. The increase in efficiency and safety is enormous, provided that the system is reliably protected against errors, manipulation and failures.


Regulatory basis: MDR and FDA

MDR – European requirements

The EU Medical Device Regulation (MDR) classifies closed-loop systems as active therapeutic devices with built-in diagnostics. According to Annex VIII, Rule 22, they are subject to risk class III – the highest class. This results in extensive requirements for the safety, performance and – increasingly relevant – the cybersecurity of these systems.

FDA requirements from the USA

In September 2023, the FDA published new guidelines for Physiological Closed-Loop Controlled (PCLC) systems. These explicitly address systems that intervene in the therapy process without human intervention. The key requirements are:

  • Clearly defined and comprehensible switching logic in the controller
  • Safety mechanisms such as failsafe modes and redundancies
  • High demands on data integrity and response times
  • Robustness against artifacts, signal loss and external interference

For interoperable systems, the FDA also recommends compliance with the AAMI/UL standards.

Requirements from the “Physiologic Closed-Loop Controlled Devices” guidance

The FDA guideline contains practical recommendations for the implementation of PCLC systems. Even if these are not explicitly prescribed in the MDR, they can be used as excellent guidelines for European developments, particularly in the early development phase.

Important aspects are:

  • Sensor technology:
    Sensors must provide reliable values, even under interference. High demands are placed on artifact suppression, signal stability, redundancy and reliability.
  • Controller:
    The controller is the “brain” of the system. It must make decisions on a comprehensible, documented and safety-certified basis, be it rule-based, model-based or through machine learning. The behavior in the event of incorrect or missing data is particularly critical.
  • Actuators:
    The actuators convert control commands into specific therapeutic measures. Latency times must be minimized, errors detected and critical situations safeguarded by defined fallback mechanisms.
  • System integration:
    The connection between sensors, controllers and actuators is particularly prone to errors. Communication failures or timing problems must be reliably detected and intercepted. Logging, alarms and clear user guidance are essential components.
  • Cloud backend:
    A cloud backend can serve as a backup in the event of a fault and provide additional control options. At the same time, security requirements increase, for example in terms of encrypted communication, data integrity and access protection.


Experience from the development of closed-loop systems

Safety and security – two sides of the same coin

Safety and security are inextricably linked in the development of PCLC systems. Measures from one area often have an effect on the other. For example, redundant calculations of critical algorithm steps improve both safety (protection against faults) and security (protection against manipulation). Comprehensive logging also makes it possible to reconstruct the causes of system behavior precisely later on.

Dealing with worst-case scenarios

A central question in development is: What should the system do in an emergency?

If the input data becomes unavailable or the controller detects an error, it must be clearly defined whether the system switches back to a basic medication, stops operation or takes alternative safety measures. This decision must be medically sound and documented as part of risk management.
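The points above (controller behavior on incorrect or missing data, actuator fallback mechanisms, detection of communication and timing faults, and a defined worst-case response) can be pulled together in one control loop. The following is an added example written for this article, not BAYOOMED code and not a reference implementation from the FDA guidance. Everything in it is hypothetical: one sensor value per cycle, a proportional control law, a fixed basal dose as the fallback therapy, and made-up units and thresholds. What it shows is the order of checks before any actuation (staleness, plausibility, artifact, agreement of two diverse computations, hard ceiling) and the escalation from closed loop to basal to a latched stop:

```python
"""Fail-safe controller skeleton: constructed example, not BAYOOMED or FDA code.
Assumptions (hypothetical): one sensor value per cycle, a proportional control
law, and a fixed basal dose as fallback therapy; units and thresholds are made up."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class Mode(Enum):
    CLOSED_LOOP = "closed_loop"
    BASAL = "basal"      # fixed basic medication, independent of sensor input
    STOPPED = "stopped"  # actuation halted until a clinician resets the device

@dataclass
class Sample:
    value: float  # constructed physiological reading (arbitrary units)
    t_ms: int     # sensor timestamp in milliseconds

@dataclass
class Limits:
    lo: float = 40.0              # plausible physiological range
    hi: float = 400.0
    max_delta_per_s: float = 5.0  # faster changes are treated as artifacts
    max_age_ms: int = 5000        # older samples count as signal loss
    max_dose: float = 3.0         # hard actuator ceiling, applied last
    max_consecutive_faults: int = 3

@dataclass
class Decision:
    mode: Mode
    dose: float
    reason: str

def dose_primary(value: float, target: float, gain: float) -> float:
    """Primary channel: proportional dose in floating point."""
    return max(0.0, (value - target) * gain)

def dose_diverse(value: float, target: float, gain: float) -> float:
    """Diverse channel: the same law in fixed-point integer thousandths, so a
    fault or manipulation hitting only one channel shows up as a mismatch."""
    v, t, g = round(value * 1000), round(target * 1000), round(gain * 1000)
    return max(0, (v - t) * g // 1000) / 1000.0

class FailSafeController:
    def __init__(self, limits: Limits, target: float, gain: float, basal_dose: float):
        self.limits, self.target, self.gain, self.basal_dose = limits, target, gain, basal_dose
        self.prev: Optional[Sample] = None  # last accepted sample
        self.faults = 0                     # consecutive rejected cycles
        self.stopped = False                # latched; only a clinician reset clears it
        self.log: List[str] = []            # every decision with its reason

    def _emit(self, now_ms: int, d: Decision) -> Decision:
        self.log.append(f"t={now_ms} mode={d.mode.value} dose={d.dose:.3f} reason={d.reason}")
        return d

    def _fault(self, now_ms: int, reason: str) -> Decision:
        self.faults += 1
        if self.faults >= self.limits.max_consecutive_faults:
            self.stopped = True
            return self._emit(now_ms, Decision(Mode.STOPPED, 0.0, reason + "; fault limit reached"))
        return self._emit(now_ms, Decision(Mode.BASAL, self.basal_dose, reason))

    def step(self, sample: Sample, now_ms: int) -> Decision:
        L = self.limits
        if self.stopped:
            return self._emit(now_ms, Decision(Mode.STOPPED, 0.0, "latched stop"))
        if now_ms - sample.t_ms > L.max_age_ms:            # 1. signal loss
            return self._fault(now_ms, "stale sample (signal loss)")
        if not (L.lo <= sample.value <= L.hi):             # 2. plausibility
            return self._fault(now_ms, "value out of plausible range")
        if self.prev is not None:                          # 3. artifact check vs. last accepted sample
            dt_s = (sample.t_ms - self.prev.t_ms) / 1000.0
            if dt_s <= 0:
                return self._fault(now_ms, "non-monotonic sensor timestamp")
            if abs(sample.value - self.prev.value) / dt_s > L.max_delta_per_s:
                # not stored as reference, so a single spike does not become the new baseline
                return self._fault(now_ms, "rate of change above artifact threshold")
        self.prev = sample
        a = dose_primary(sample.value, self.target, self.gain)   # 4. redundant computation
        b = dose_diverse(sample.value, self.target, self.gain)
        if abs(a - b) > 0.002:
            return self._fault(now_ms, f"channel mismatch {a:.3f} vs {b:.3f}")
        self.faults = 0
        return self._emit(now_ms, Decision(Mode.CLOSED_LOOP, min(a, L.max_dose), "nominal"))  # 5. ceiling

def run_demo() -> List[Decision]:
    """Constructed sequence: two good cycles, an out-of-range value, a stale
    sample, then a spike; the third consecutive fault latches the stop."""
    c = FailSafeController(Limits(), target=120.0, gain=0.02, basal_dose=0.5)
    samples = [
        (Sample(150.0, 1000), 1500),
        (Sample(152.0, 2000), 2500),
        (Sample(900.0, 3000), 3500),   # out of range
        (Sample(155.0, 4000), 12000),  # 8 s old: signal loss
        (Sample(300.0, 5000), 5500),   # +148 in 3 s: artifact, third fault
    ]
    return [c.step(s, now) for s, now in samples]

if __name__ == "__main__":
    for d in run_demo():
        print(d.mode.value, round(d.dose, 3), d.reason)
```

Two design choices are worth noting. The hard dose ceiling is applied after the control law and does not depend on it, so a wrong gain or a wrong input can never push the actuator past the clinical limit. The stop is latched: once the fault limit is reached the controller keeps refusing to actuate, even when plausible samples return, because the decision to resume is a medical one and belongs to the clinician, not to the software.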

Cloud backend as a critical system component

A cloud backend offers decisive advantages, especially for PCLC systems. It enables:

  • The continuous backup and analysis of logs
  • Subsequent evaluation of system behavior, even in the event of device failure
  • Early warning messages in the event of abnormal behavior, independent of the device itself
  • Computationally intensive validation of critical algorithms for plausibility checks and tamper detection

All of this helps to increase confidence in the functionality and security of the system.
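The log-related items in the list above (continuous backup of logs, evaluation after a device failure, plausibility checks and tamper detection on the backend) depend on the backend being able to trust what it receives. The following is an added example, not BAYOOMED's backend or device code, of one way to make a device log tamper-evident and to re-validate the logged decisions server-side. It assumes a per-device secret shared with the backend (hypothetically provisioned at manufacturing), one JSON record per control cycle with the constructed fields `value`, `mode` and `dose`, and a simple proportional law that the backend uses only to cross-check the logged dose against the logged input:

```python
"""Tamper-evident device log with backend verification: constructed example,
not BAYOOMED code. Assumptions (hypothetical): a per-device HMAC key shared with
the backend, one JSON record per control cycle, proportional law for re-checks."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = b"\x00" * 32  # chain anchor for the first record

def _canon(payload: Dict) -> bytes:
    # Canonical encoding so device and backend MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def record_tag(key: bytes, prev_tag: bytes, payload: Dict) -> str:
    """HMAC over the previous tag and this record: each entry commits to its predecessor."""
    return hmac.new(key, prev_tag + _canon(payload), hashlib.sha256).hexdigest()

class DeviceLog:
    """Append-only log as kept on the device and later uploaded to the backend."""
    def __init__(self, key: bytes):
        self.key, self.prev, self.records = key, GENESIS, []

    def append(self, payload: Dict) -> str:
        payload = dict(payload, seq=len(self.records))  # sequence number is part of the MAC'd data
        tag = record_tag(self.key, self.prev, payload)
        self.records.append({"payload": payload, "tag": tag})
        self.prev = bytes.fromhex(tag)
        return tag

def verify_chain(key: bytes, records: List[Dict]) -> Tuple[bool, int]:
    """Backend check: (ok, index of the first bad record, or len(records) if all good)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if not hmac.compare_digest(record_tag(key, prev, rec["payload"]), rec["tag"]):
            return False, i
        prev = bytes.fromhex(rec["tag"])
    return True, len(records)

def plausibility_alerts(records: List[Dict], max_dose: float, target: float,
                        gain: float, basal_dose: float) -> List[Tuple[int, str]]:
    """Backend re-validation of the device's decisions against the inputs it logged."""
    alerts = []
    for i, rec in enumerate(records):
        p = rec["payload"]
        if p["seq"] != i:
            alerts.append((i, "sequence gap"))
        if p["dose"] > max_dose:
            alerts.append((i, "dose above ceiling"))
        if p["mode"] == "closed_loop":
            expected = min(max(0.0, (p["value"] - target) * gain), max_dose)
            if abs(expected - p["dose"]) > 0.01:
                alerts.append((i, "dose inconsistent with logged input"))
        elif p["dose"] not in (0.0, basal_dose):  # fallback modes allow only basal or zero
            alerts.append((i, "unexpected fallback dose"))
    return alerts

def run_demo() -> Dict:
    """Constructed log of four cycles, then a modified dose and a dropped record."""
    key = b"constructed-demo-key-not-for-production"
    log = DeviceLog(key)
    for value, mode, dose in [(150.0, "closed_loop", 0.6), (152.0, "closed_loop", 0.64),
                              (900.0, "basal", 0.5), (300.0, "stopped", 0.0)]:
        log.append({"value": value, "mode": mode, "dose": dose})
    tampered = json.loads(json.dumps(log.records))  # deep copy, then alter one dose
    tampered[1]["payload"]["dose"] = 2.5
    gap = log.records[:2] + log.records[3:]         # a middle record removed
    args = (3.0, 120.0, 0.02, 0.5)
    return {
        "intact": verify_chain(key, log.records),
        "tampered": verify_chain(key, tampered),
        "gap": verify_chain(key, gap),
        "alerts_intact": plausibility_alerts(log.records, *args),
        "alerts_tampered": plausibility_alerts(tampered, *args),
        "alerts_gap": plausibility_alerts(gap, *args),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two caveats a practitioner would add. Chaining detects modification and removal in the middle of an uploaded log, but not truncation at the end; the backend must remember the last sequence number and tag it has seen per device and raise an alert when a later upload does not continue from there. And a shared HMAC key only helps if the device side keeps it out of reach of whoever can read the log storage, which is a hardware and access-protection question rather than something this code can solve; transport encryption is a separate measure on top.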

Documentation – not just an obligation, but an opportunity

As PCLC systems are still comparatively new in regulatory terms, it is worth creating detailed documentation for the closed-loop part, especially at the beginning. As experience grows, this can be streamlined and adapted in a targeted manner. As with the introduction of the MDR, the right measure will emerge over time.

Recommendations for manufacturers

A holistic approach to security is essential – throughout the entire life cycle. Important measures include:

  • Early integration of cybersecurity expertise in product development
  • Threat analysis (threat modeling) as early as the concept phase
  • Permanent monitoring and seamless logging
  • Redundancy and diversity in safety-critical areas
  • Clear communication structures between all departments involved, from Regulatory Affairs to Legal

Conclusion

Closed-loop medical devices offer enormous potential for precise and adaptive therapies, especially for critically ill or chronically unstable patients. However, the associated cybersecurity requirements are complex and should not be underestimated. Establishing clear security concepts at an early stage, complying with regulatory frameworks and understanding the special features of such systems creates the basis for sustainable success – in technical, regulatory and clinical terms.