The Crosswalk

    § 05 · Glossary

    The acronyms, decoded.

    80 terms across 42 jurisdictions (35 covered + 7 emerging) and the cross-cutting standards. Linkable — share /glossary#SBOM.

    §524B · FD&C Act Section 524B [US]
    Statutory cybersecurity requirements added by the Consolidated Appropriations Act 2023. Applies to 'cyber devices' and is enforced through RTA.
    AAMI TIR57 · Principles for Medical Device Security — Risk Management
    Technical Information Report describing how to apply ISO 14971 risk management to cybersecurity. FDA and Health Canada cite it as state of the art.
    ADHICS · Abu Dhabi Healthcare Information and Cyber Security Standard [AE]
    Mandatory cyber/info-security control set for healthcare entities in Abu Dhabi; flows down to connected device suppliers.
    AMAR · Medical Devices Division, Israeli MoH [IL]
    Israel's medical device registrar. Cybersecurity expectations follow the MoH Director-General circular on connected medical devices.
    ANMAT · Administración Nacional de Medicamentos, Alimentos y Tecnología Médica [AR]
    Argentina's regulator. Disposición 8054/2010 (and successors) governs medical devices; cybersecurity follows IMDRF N60 in practice.
    ANVISA · Agência Nacional de Vigilância Sanitária [BR]
    Brazil's regulator. RDC 751/2022 and RDC 657/2022 carry the device and software/cyber expectations.
    BSSN · Badan Siber dan Sandi Negara [ID]
    Indonesia's National Cyber and Crypto Agency. Sets cyber-resilience expectations that apply to healthcare providers and connected devices.
    CDSCO · Central Drugs Standard Control Organisation [IN]
    India's national medical device regulator under the Medical Devices Rules 2017 (and 2024 amendments).
    CERT-In · Indian Computer Emergency Response Team [IN]
    National CERT. The 2022 Directions impose 6-hour incident reporting and log retention duties that affect connected devices and SaMD operators in India.
    CH-REP · Swiss Authorised Representative [CH]
    Mandatory in-Switzerland representative since the EU-CH MRA lapsed.
    Circular 30 (Vietnam) [VN]
    Vietnam MoH circular setting medical device classification, registration and post-market duties — including reporting obligations relevant to cybersecurity incidents.
    COFEPRIS · Comisión Federal para la Protección contra Riesgos Sanitarios [MX]
    Mexico's health risk regulator. Recognises FDA, Health Canada and MHLW dossiers via the equivalence pathway (Acuerdo de Equivalencia).
    CRA · Cyber Resilience Act [EU]
    EU regulation introducing horizontal cybersecurity requirements for products with digital elements. Applies from Dec 11 2027.
    CSA · Cyber Security Agency of Singapore [SG]
    Operates the Cybersecurity Act and CII regime that may apply to healthcare providers using the device.
    CSL · Cybersecurity Law (China) [CN]
    2017 foundational cyber law. Establishes MLPS, critical information infrastructure protection and data localisation duties.
    CVD · Coordinated Vulnerability Disclosure
    A documented process for receiving, validating and responding to security reports from researchers and users.
    CVSS · Common Vulnerability Scoring System
    FIRST.org severity scoring (0-10). Medical device guidance increasingly asks for CVSS plus a clinical/patient-harm modifier (e.g. AAMI TIR57 or the Rubric for Applying CVSS to Medical Devices).
    CWE · Common Weakness Enumeration
    MITRE taxonomy of software weakness types. Threat models and root-cause analyses commonly map findings to CWE IDs.
    DHA · Dubai Health Authority [AE]
    Dubai's regulator. Operates the Information Security Regulation (ISR) for health entities in Dubai.
    DICT · Department of Information and Communications Technology (Philippines) [PH]
    Operates the National Cybersecurity Plan that contextualises healthcare cyber expectations.
    DMP / Helsedirektoratet · Norwegian Medical Products Agency / Norwegian Directorate of Health [NO]
    Norway implements EU MDR via EEA. DMP (formerly Legemiddelverket) and Helsedirektoratet handle device oversight; Helsetilsynet oversees clinical use.
    DoH (Abu Dhabi) · Department of Health — Abu Dhabi [AE]
    Abu Dhabi health regulator. Operates ADHICS, the emirate-wide healthcare information security standard.
    DPDP Act · Digital Personal Data Protection Act 2023 [IN]
    India's data protection law. Applies to processing of patient data by device manufacturers and operators.
    DSL · Data Security Law [CN]
    China's law classifying data by importance and imposing security and cross-border controls. Applies alongside PIPL and the Cybersecurity Law.
    DSPT · Data Security and Protection Toolkit [UK]
    Annual self-assessment NHS suppliers complete to demonstrate compliance with the National Data Guardian's standards.
    DTAC · Digital Technology Assessment Criteria [UK]
    NHS England framework assessing clinical safety, data protection, technical assurance and interoperability.
    EUDAMED · European Database on Medical Devices [EU]
    EU-wide database for device, certificate, vigilance and market surveillance data under MDR/IVDR.
    FDA-PH · Food and Drug Administration of the Philippines [PH]
    Philippine device regulator. Has issued draft Guidelines on the Regulation of Medical Device Software (MDSW).
    FSCA · Field Safety Corrective Action
    Manufacturer-initiated action to reduce risk in already-marketed devices, including security patches.
    GSPR · General Safety and Performance Requirements [EU]
    Annex I of the EU MDR. GSPR 17.2 contains the cybersecurity-specific requirements.
    HSA · Health Sciences Authority [SG]
    Singapore's device regulator. Publishes the Regulatory Guidelines for Software Medical Devices including cybersecurity.
    IEC 62304 · Medical device software — Software life cycle processes
    Software life-cycle standard required for any medical device containing software. Sets the baseline that 81001-5-1 layers security activities onto.
    IEC 62443-4-1 · Secure product development life-cycle requirements
    IEC standard from the industrial automation series, frequently cited alongside 81001-5-1 for the SSDLC component of medical device cybersecurity.
    IMDRF N60 · Principles and Practices for Medical Device Cybersecurity
    International Medical Device Regulators Forum guidance harmonising cybersecurity expectations across jurisdictions. Referenced by FDA, Health Canada, TGA, MFDS, HSA, ANVISA and others.
    INCD · Israel National Cyber Directorate [IL]
    Sets national cyber doctrine. Publishes the Healthcare Cybersecurity Methodology applied to hospitals and connected devices.
    INVIMA · Instituto Nacional de Vigilancia de Medicamentos y Alimentos [CO]
    Colombia's regulator for medical devices and other health technologies.
    ISAO / ISAC · Information Sharing & Analysis Organization / Center
    Trusted communities for sharing threat intel. H-ISAC is the dominant healthcare ISAC globally.
    ISO 14971 · Application of risk management to medical devices
    Foundational risk management standard. Cybersecurity risk must be integrated into the same risk file (see AAMI TIR57 and ISO/IEC 81001-5-1).
    ISO/IEC 81001-5-1 · Health software — Security activities in the product life cycle
    International standard for secure development of health software. Harmonised under EU MDR and adopted/recognised by HSA, MFDS, TGA, Health Canada, MHRA and others.
    ISP · Instituto de Salud Pública de Chile [CL]
    Chile's public health institute and device regulator.
    K-GMP · Korean Good Manufacturing Practice [KR]
    MFDS QMS scheme; cybersecurity evidence integrates with K-GMP audits.
    Kemenkes · Kementerian Kesehatan (Ministry of Health, Indonesia) [ID]
    Indonesia's device registrar via InfoAlkes.
    KEV · Known Exploited Vulnerabilities (CISA catalog)
    CISA-maintained list of CVEs with confirmed in-the-wild exploitation. Increasingly referenced by FDA and ENISA as priority patch targets.
    Komdigi · Kementerian Komunikasi dan Digital [ID]
    Indonesia's renamed Ministry of Communications and Digital Affairs (formerly Kominfo). Co-regulates UU PDP.
    KVKK · Kişisel Verilerin Korunması Kanunu [TR]
    Turkey's Personal Data Protection Law (Law 6698). Applies to patient data processed by device makers and operators.
    Ley 21.541 [CL]
    Chile's framework law on cybersecurity and critical information infrastructure (2024). Establishes ANCI and incident-reporting duties relevant to healthcare operators.
    MDA (Malaysia) · Medical Device Authority [MY]
    Malaysia's device regulator under the Medical Device Act 2012. Not to be confused with the EU MDR.
    MDCG · Medical Device Coordination Group [EU]
    EU-level body that publishes guidance on how to apply MDR in practice. MDCG 2019-16 is the cybersecurity guidance.
    MDSAP · Medical Device Single Audit Program
    One QMS audit accepted by Australia, Brazil, Canada, Japan and the US. Streamlines the QMS evidence portion of cybersecurity assessments.
    Medsafe [NZ]
    New Zealand's medicines and medical devices safety authority within the Ministry of Health.
    MFDS · Ministry of Food and Drug Safety [KR]
    Korea's device regulator. Issues medical device cybersecurity review guidelines harmonised with IMDRF N60.
    MHRA · Medicines and Healthcare products Regulatory Agency [UK]
    UK competent authority for medical devices. Operates the UKCA route alongside continued recognition of CE marking.
    MLPS · Multi-Level Protection Scheme [CN]
    China's tiered cybersecurity grading framework. Most connected medical devices fall in Level 2 or 3 and must complete a registration with public security organs.
    MOHAP · Ministry of Health and Prevention (UAE federal) [AE]
    Federal UAE health authority that registers medical devices outside Abu Dhabi and Dubai.
    NIS2 · Network and Information Security Directive 2 [EU]
    EU directive obliging essential and important entities (including medical device manufacturers in scope) to manage cyber risk and report incidents.
    NMPA · National Medical Products Administration [CN]
    China's device regulator. Issues the Technical Review Guideline for Cybersecurity of Medical Devices.
    PIPL · Personal Information Protection Law [CN]
    China's GDPR-equivalent. Restricts cross-border transfers of personal information including patient data.
    PMD Act · Pharmaceuticals and Medical Devices Act [JP]
    Japan's primary law governing devices (formerly PAL). Cybersecurity expectations are layered via PMDA notifications.
    PMDA · Pharmaceuticals and Medical Devices Agency [JP]
    Japan's review agency. Issues cybersecurity guidance and operates the STED-based dossier review.
    POPIA · Protection of Personal Information Act [ZA]
    South Africa's data protection law. Applies to patient data processed by devices and SaMD.
    PSIRT · Product Security Incident Response Team
    Manufacturer team responsible for receiving, triaging and disclosing security vulnerabilities under a CVD program (ISO/IEC 30111, FIRST PSIRT framework).
    PSUR · Periodic Safety Update Report [EU]
    EU MDR requirement; cybersecurity incidents and trends should be reflected in it.
    RTA · Refusal to Accept [US]
    FDA action when a submission is missing required cybersecurity content under §524B.
    SAHPRA · South African Health Products Regulatory Authority [ZA]
    South Africa's medical device regulator under the Medicines and Related Substances Act.
    SBOM · Software Bill of Materials
    Inventory of every software component in a device, including version, supplier and known vulnerabilities. SPDX and CycloneDX are the dominant machine-readable formats.
    SDLC / SSDLC · (Secure) Software Development Life Cycle
    End-to-end process for building software with security activities at each stage. FDA's SPDF and IEC 81001-5-1 are concrete SSDLC frameworks for medical devices.
    SFDA · Saudi Food and Drug Authority [SA]
    Saudi regulator. Publishes MDS-G42, the medical device cybersecurity guidance, plus MDS-REQ1 for general requirements.
    SPDF · Secure Product Development Framework
    FDA-named umbrella for the activities a manufacturer performs to design, build and maintain secure devices.
    STED · Summary Technical Documentation
    Common dossier format used by PMDA and several other regulators.
    Swissmedic [CH]
    Swiss agency for therapeutic products. Recognises EU MDR conformity but enforces Swiss-specific representation and labelling.
    TFDA · Taiwan Food and Drug Administration [TW]
    Taiwan's device regulator. Issues the Guidance for Industry on Management of Cybersecurity in Medical Devices, modelled on FDA/IMDRF.
    TGA · Therapeutic Goods Administration [AU]
    Australia's regulator. Publishes the Medical device cyber security guidance for industry.
    Thai FDA / MoPH · Thailand Food and Drug Administration / Ministry of Public Health [TH]
    Thailand's device regulator. Cybersecurity expectations align with the ASEAN Medical Device Directive and IMDRF.
    TİTCK · Türkiye İlaç ve Tıbbi Cihaz Kurumu [TR]
    Turkish Medicines and Medical Devices Agency. Mirrors EU MDR with national overlays.
    TPLC · Total Product Life Cycle
    Holistic regulatory philosophy that treats pre-market and post-market activities as a continuum.
    UDI · Unique Device Identifier
    Standardised device identifier required by FDA, EU MDR and others. SBOMs often reference UDIs.
    ÜTS · Ürün Takip Sistemi [TR]
    Turkey's product tracking system; mandatory device registration and traceability platform.
    UU PDP · Undang-Undang Pelindungan Data Pribadi [ID]
    Indonesia's Personal Data Protection Law (Law 27/2022). Applies to patient data processing by device makers and operators.
    VEX · Vulnerability Exploitability eXchange
    Companion document to an SBOM that states whether a known CVE actually affects the product (e.g. 'not_affected', 'fixed'), so operators don't chase irrelevant vulnerabilities.
    WAND · Web-Assisted Notification of Devices [NZ]
    NZ Medsafe's online device notification database — currently the primary regulatory entry point pending the new Therapeutic Products regime.