§17 MPBetreibV

IT Security Testing per §17 MPBetreibV.
Independent. Standards-Compliant. Audit-Ready.

Since August 1, 2025, healthcare facilities are legally required to conduct IT security assessments for Class IIb and III medical device software every two years. We combine technical penetration testing with medical device regulatory expertise, delivering an assessment report that stands up in your medical device logbook and before regulatory authorities.

Why Implementation Fails in Practice

§17 MPBetreibV mandates IT security assessments "according to generally accepted rules of technology" for Class IIb and III medical device software. A documented assessment protocol must be available at least every two years.

The dilemma in practice: three hurdles block implementation.

Independence Requirement (§5 MPBetreibV)

Assessors must be free from professional instructions regarding their technical judgment. Internal IT departments, embedded in the hospital hierarchy, typically cannot demonstrate this independence. Independent external assessors are required.

Missing Dual Competence

A pure IT security assessment falls short. §17 requires assessment in the application context, considering manufacturer specifications, network integration per §4(6) MPBetreibV, and the regulatory requirements of the EU MDR. This demands competence in both IT security and medical device regulation.

The Manufacturer Gap

Manufacturers place the responsibility on the operator: "It is a requirement of the operator regulation." They typically decline application-specific assessments in the individual infrastructure context of your facility. Yet you, as the operator, are obligated to implement and document the manufacturer’s specifications for secure network integration.

Our approach closes this responsibility gap between manufacturer and operator, combining the technical depth of a penetration test with the regulatory precision your medical device logbook demands.

The Assessment Process

From inventory to completed protocol.

1. Scoping & Inventory

Identification of software medical devices subject to assessment (Class IIb/III), review of manufacturer documentation, and analysis of your network architecture.

2. Assessment Planning

Development of an assessment catalog based on manufacturer specifications, IEC 80001-1, IEC 81001-5-1, and the B3S. Coordination of assessment scope, time windows, and safety measures, particularly for patient-critical systems.

3. Technical Assessment

Execution of the IT security assessment: configuration audits, network analysis, interface tests, and, where justifiable, active security tests. For life-sustaining systems in operation, we prefer testing in staging environments or passive analysis.

4. Risk Assessment & Report

Evaluation of identified vulnerabilities using CVSS. Creation of a checklist based on the applied standards. Documentation that integrates seamlessly into your existing quality management system.

5. Assessment Protocol for the Medical Device Logbook

Delivery of the legally compliant assessment protocol per §17(3) MPBetreibV with all mandatory information: date, assessment subject, assessor qualifications, results. Ready for entry into the medical device logbook and presentation to regulatory authorities.

Our Assessment Approach

An IT security assessment that unifies three perspectives.

Assess Operator Risks

We analyze how the medical device is integrated into your infrastructure: network segmentation, access controls, interface security. Not the device in isolation, but the device in your network.

Validate Manufacturer Specifications

We verify whether the manufacturer’s safety-related instructions are actually implemented: configurations, patch management, update status, network integration requirements per §4(6) MPBetreibV.

Identify Unknown Risks

Beyond documented requirements, we search for vulnerabilities that neither manufacturer nor operator has on their radar, through technical penetration testing and configuration audits.

For non-cooperative manufacturers: network-level tests, configuration audits, and environment assessments can be performed without touching the device firmware. We adapt our approach to the manufacturer’s willingness to cooperate and the system’s criticality, mindful that even minor interventions can cause erratic behavior in medical devices.

Your Audit is Led by Senior Experts

Not juniors. Not generalists. Specialists in medical device security.

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumnus of THB MedSec Research Group

Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist

The Legal Requirements at a Glance

What your assessment protocol must contain, and what we test beyond that.

The Assessment Protocol per §17(3)

1. Identify the Assessment Subject

Unique identification of the assessed medical device: device type, manufacturer, serial number, exact software version. Documentation of the operating environment and network integration.

2. Document Assessor Qualifications

Documented proof of professional qualification per §5 MPBetreibV. Proof that the executing assessors are free from professional instructions regarding their technical judgment.

3. Conduct and Document the Assessment

IT security assessment according to generally accepted rules of technology. Identified vulnerabilities with risk assessment (CVSS). Exact date of execution. Results enabling entry into the medical device logbook.

4. Ensure Record Keeping

Tamper-proof retention until the next assessment (minimum two years). Formal entry into the medical device logbook.

Standards Basis

Our assessments are based on the relevant standards and frameworks:

IEC 80001-1:2021

Risk management for IT networks incorporating medical devices

IEC 81001-5-1:2021

Security activities in the product lifecycle of health software

B3S Medical Care (v1.3)

Industry-specific security standard of the German Hospital Federation (DKG)

Manufacturer-Specific Requirements

Instructions for use, safety-related information, and maintenance instructions per §17(1)

Frequently Asked Questions

What operators need to know about IT security assessments under §17 MPBetreibV.

Which software falls under §17 MPBetreibV?

Software as a medical device of Classes IIb and III under the EU MDR (Regulation 2017/745), as well as in-vitro diagnostic software of Classes C and D under the EU IVDR (Regulation 2017/746), operated in a healthcare facility. Digital health applications (DiGA) under §33a SGB V and digital care applications under §78a SGB XI are explicitly excluded.

How often must the assessment be conducted?

At least every two years, calculated from installation or the last assessment. If defects can be expected earlier due to specific usage and environmental conditions, the operator must arrange the assessment before the two-year period expires.

Can our internal IT department conduct the assessment?

In principle yes, provided the assessors meet the requirements of §5 MPBetreibV: current professional knowledge, relevant professional experience, and, critically, independence from professional instructions regarding their technical judgment. In practice, this independence is difficult to demonstrate for internal staff. External assessors fulfill this requirement structurally.

What happens if the manufacturer does not cooperate?

We can conduct the assessment without active manufacturer involvement. Network-level tests, configuration audits, and environment assessments are possible without touching the device firmware. We use the manufacturer documentation (instructions for use, safety-related information) as the assessment basis, regardless of whether the manufacturer participates in the process. That said, manufacturer cooperation naturally makes the process significantly easier and allows for a more thorough assessment.

How does §17 MPBetreibV relate to NIS2 requirements?

Under the NIS2 Implementation Act (in force since December 2025), hospitals generally fall under NIS2 obligations as important or particularly important facilities, depending on their size. §17 MPBetreibV specifically addresses medical device software as an OT domain. This is a separate regulatory track that overlaps with NIS2 obligations but is not replaced by them. Our assessment fulfills the specific MPBetreibV requirements while also producing evidence applicable in the NIS2 context.

Assessment Obligation Recognized? Talk to Us.

In a brief conversation, we will clarify which of your systems fall under §17 and provide you with a concrete assessment proposal, tailored to your infrastructure and documentation requirements.