Cybersecurity: MHLW Notification on Legacy Device (医薬機審発0417第１号)

The Ministry of Health, Labour and Welfare (MHLW) Japan issued a notification on April 17, 2025, regarding the provision of information on cybersecurity measures for medical devices marketed (製造販売) before March 31, 2024. These devices may exist in medical institutions and may not have been confirmed to conform to Article 12, Paragraph of the "Essential Principles (基本要件)" and their cybersecurity measures during design and development may not be sufficient, making them vulnerable to cyberattacks.

This notification aims to ensure patient safety in medical institutions, and requires manufacturers (製造販売業者) etc. to conduct cyber risk assessments and implement countermeasures for these medical devices. It also requires appropriate information sharing with medical institutions regarding cyber risks in the intended use environment, vulnerability management, preparation for providing SBOM (Software Bill of Material), provision of product lifecycle (End of Life/End of Service) information, provision of information on support, implementation of security patch applications in collaboration in medical institutions.

For more information, please inquire us to help you.