Cyber Security Is Now a Patient Safety Obligation

“The vendors who act now go into the mandate with a current assurance output — not a queue position”

“A cyber incident without independent assurance evidence is both a regulatory and a legal exposure — not just an IT problem.”

MHRA post-market surveillance regulations came into force in June 2025. A cyber vulnerability in your connected device is now a notifiable safety event and not an IT issue. Independent assessment gives you the evidence to demonstrate you have it under control.

MHRA PMS regulations in force June 2025. Serious cyber incidents must be reported within 15 days. NHS DSPT Version 8 deadline: 30 June 2026

The regulatory bar for medical device cybersecurity has moved

Manufacturers must now proactively monitor device security and report cyber-related incidents within 15 days. NHS procurement already requires evidence of cybersecurity readiness. And the MHRA is publishing dedicated SaMD cybersecurity guidance in 2026. Self-declaration is no longer credible evidence.

What your clients are asking

Your device connects to our network and processes patient data. What independent evidence do you have of its cybersecurity posture?"

NHS procurement teams are asking this question now. MHRA will require it in regulation by 2027. Independent CRTF assessment provides the structured, credible evidence to answer it.

What Our Product Assessment Covers

Security by Design

Threat modelling from requirements

Secure development evidence

Connected Attack Surface

Network interfaces

Data transmission security

Cloud backend security

Software Lifecycle

Update mechanisms

Version control integrity

OTA security

Post-Market Surveillance

Vulnerability monitoring

Incident response process

MHRA reporting alignment

Supply Chain Integrity

Third-party components

SBOM visibility

Dependency risk management

Operational Security

Clinical environment integration

Access controls

Audit trail evidence

The Timeline You Need to Know

Jun 2025

MHRA PMS regulations in force. 15-day cyber incident reporting.

Jun 2026

NHS DSPT v8 deadline. Independent audit requirements.

2026

MHRA AI medical device framework and SaMD cybersecurity guidance published.

2027–28

Independent assurance expected as condition of NHS procurement and MHRA registration.

WHY SECURLAB?

FULL ACCREDITATION STACK

ISO 17020 (Pending) | ISO 27001 | ISO 9001 | CE+

The most comprehensive assurance credential set available from an independent specialist.

INDEPENDENT

We do not consult for the clients we assess.

Our output is credible because our independence is structural, not claimed.

NCSC-LISTED CRTF

One of the only independent specialist CRTFs in the UK.

Listed on the NCSC website — the credential procurement teams recognise.

FASTER AND CLEARER

Workflow platform reduces delivery time without reducing quality.

You know what we are assessing, what evidence we need, and what the output will look like.

FAQs