
EU Cyber Resilience Act Guide for Healthcare IT & Clinical Software Vendors

Classification: default category for most clinical application software; Important Class I or Class II only where the product's core functionality matches an Annex III category (the "critical" products of Annex IV are a separate, hardware-focused list)

Healthcare IT and clinical software vendors providing electronic health record systems, clinical decision support software, hospital information systems, laboratory information management systems, and health data integration platforms to EU healthcare organisations must comply with the EU Cyber Resilience Act (Regulation (EU) 2024/2847). The Article 14 reporting obligations apply from 11 September 2026; the remaining obligations, including the Annex I requirements and conformity assessment, apply from 11 December 2027. Software products that connect to clinical networks, process patient data, or integrate with medical devices are within CRA scope unless they are themselves medical devices regulated under the MDR or IVDR, which the CRA excludes. Most clinical application software falls into the default category; Important Class I applies only where the product's core functionality matches a category listed in Annex III.

Referenced provisions: Article 6, Article 10, Article 13, Article 14, Annex I, Annex III
Deadlines: Article 14 reporting obligations from 11 September 2026; all other obligations, including conformity assessment, from 11 December 2027
Classification: default category for most clinical application software; Important Class I or Class II only where the product's core functionality matches an Annex III category

CRA Scope and Classification for Healthcare IT Products

Healthcare IT products within CRA scope as products with digital elements include: electronic health record (EHR) systems distributed as installed software, clinical decision support platforms, laboratory information management systems (LIMS), picture archiving and communication systems (PACS), hospital information systems (HIS), patient monitoring integration platforms, and health data interoperability middleware.

Pure Software as a Service (SaaS) platforms, where the vendor hosts the software and the hospital accesses it via a browser, are outside the CRA's product definition except for remote data processing that an in-scope product needs in order to function (Article 3(2)); the provider's own obligations come from NIS2 instead. On-premise installed software and hybrid platforms with installed components are within CRA scope. Classification is by product category, not by deployment risk: Annex III does not list clinical software as such, so a clinical application is Important Class I only if its core functionality is one of the listed categories (identity management or privileged access management, for example), regardless of whether it connects to infusion pumps. Software that itself qualifies as a medical device under the MDR or IVDR is excluded from the CRA (Article 2(2)) and is covered by those regulations' cybersecurity requirements instead; this commonly affects clinical decision support and image processing software. Vendors should conduct a scope and classification assessment for each product line.

CRA reference: Article 2(2), Article 3(2), Article 6, Annex III

Annex I Security Requirements for Clinical Software

Clinical software vendors must satisfy the Annex I requirements. Several of them map directly onto the weaknesses behind the ransomware and data breach incidents that have hit healthcare organisations:

  • Authentication: Access to patient data and clinical functions must be protected by appropriate control mechanisms, including authentication and identity or access management (Annex I Part I(2)(d)). Default administrative credentials conflict with the secure-by-default requirement (Part I(2)(b)); shared ward logins undermine both the access-control requirement and the logging requirement (Part I(2)(l)), because actions can no longer be attributed to a person.
  • Role-based access control: In clinical software, appropriate access control means role-based (and usually context-based) access so that clinical staff reach only the patient data relevant to their care role, with unauthorised access attempts reported and logged.
  • Encryption: The confidentiality of stored and transmitted data must be protected by state-of-the-art mechanisms such as encryption at rest and in transit (Part I(2)(e)). In practice, HL7 FHIR and other integration endpoints should accept only TLS 1.2 or later with modern cipher suites.
  • Security update delivery: Vendors must address vulnerabilities without delay (Part II(2)), distribute security updates through a secure mechanism (Part II(7)) and free of charge (Part II(8)), and keep doing so for a support period of at least five years unless the product's expected lifetime is shorter (Article 13(8)).
  • SBOM maintenance: Part II(1) requires a software bill of materials in a commonly used machine-readable format (CycloneDX or SPDX in practice) covering at least the top-level dependencies. Clinical software frequently embeds healthcare-specific libraries (HL7 FHIR, DICOM, openEHR implementations) alongside general-purpose components, and the SBOM must be regenerated for each released version.
CRA reference: Annex I Part I and Part II, Article 13(8)

CVD Policy and Article 13 for Healthcare IT Vendors

Healthcare IT vendors have been prominent targets for ransomware and data breach attacks, and several major incidents have shown that clinical system downtime can be life-threatening. The CRA requires every manufacturer to put in place and enforce a coordinated vulnerability disclosure policy (Annex I Part II(5)), which Article 13 makes part of the vulnerability handling obligations that run for the whole support period; many healthcare IT vendors do not yet publish one. A compliant policy should:

  • Define the scope of covered products clearly
  • Provide a submission channel accessible to healthcare security researchers and hospital IT security teams
  • Commit to acknowledging reports within a stated period (the CRA sets no figure; 48 hours to 5 business days is common practice) and to remediating confirmed vulnerabilities without delay, which is the Annex I Part II(2) standard
  • Address the sensitivity of healthcare disclosures — some healthcare vulnerabilities have immediate patient safety implications requiring urgent notification to hospital customers before public disclosure

CVD Portal's triage functionality supports routing of high-severity disclosures to immediate internal escalation workflows, critical for clinical software vendors where a vulnerability may require emergency communication to hospital customers.

CRA reference: Article 13(1), Article 13(6), Annex I Part II(5) and (6)

Article 14 Incident Reporting for Healthcare IT

Article 14 requires manufacturers to report actively exploited vulnerabilities and severe incidents having an impact on the security of the product. For healthcare IT vendors this duty sits alongside GDPR breach notification (Article 33 GDPR), NIS2 incident reporting by the hospital as an essential entity, and healthcare-specific national rules in some member states. The recipients and clocks differ:

  1. The CSIRT designated as coordinator and ENISA, simultaneously, via the single reporting platform (CRA Articles 14 and 16): early warning within 24 hours of becoming aware, full notification within 72 hours, and a final report within 14 days (exploited vulnerability) or one month (severe incident)
  2. The hospital as data controller, without undue delay, where the vendor processes patient data as a processor (GDPR Article 33(2)); the controller then has 72 hours to notify its supervisory authority (Article 33(1)). Only where the vendor is itself a controller does the 72-hour authority deadline fall on the vendor
  3. NIS2: the hospital, not the vendor, reports significant incidents to its national CSIRT or competent authority (24-hour early warning, 72-hour notification, final report within one month); the vendor's duty is to give the customer the information needed to meet those deadlines
  4. Hospital customers directly: given the patient safety implications, direct customer notification should run in parallel with regulatory reporting rather than after it. Article 14(8) in any case requires manufacturers to inform impacted users, and where appropriate all users, of the vulnerability or incident and of any corrective measures

Vendors should maintain pre-agreed emergency contact protocols with all major hospital customers so that Article 14-level incidents trigger immediate direct communication without waiting for customer discovery.

CRA reference: Article 14(1) to (4), Article 14(8), Article 16

Conformity Assessment and Healthcare Standards

The conformity assessment route follows the classification (Article 32, Annex VIII). Default-category products may use internal control (Module A). Important Class I products may also use internal control, but only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise EU-type examination followed by conformity to type (Modules B and C) or full quality assurance (Module H) with a notified body is required. Important Class II products always require a notified body. Whichever route applies, vendors should leverage existing healthcare IT security certifications as supporting evidence:

  • ISO/IEC 27001 certification for the vendor's information security management system demonstrates operational security maturity and can support the Annex I Part II vulnerability handling assessment.
  • HL7 FHIR security conformance testing supports the technical security requirements assessment for API-based products.
  • Security-relevant IHE integration profiles such as ATNA (Audit Trail and Node Authentication) provide additional conformity evidence.

Whether the assessment is internal or by a notified body, expect scrutiny to concentrate on:

  1. Authentication and access control mechanisms (reflecting the elevated risk of unauthorised access to clinical data)
  2. Security update delivery capability and the historical update record
  3. SBOM completeness for all embedded components
  4. CVD policy operational status
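
The SBOM completeness point above, and the SBOM maintenance requirement in the Annex I section, are the kind of thing an assessor checks mechanically. The following is an added example for this guide, not code from CVD Portal or from any product named on the page: it runs the checks an assessor would apply to a CycloneDX JSON SBOM (product identified with an exact version, every component versioned and carrying a purl or cpe, a dependency graph that declares the product's top-level dependencies and references only known components). The sample SBOM is constructed; the library names are real library families, but the versions, refs and digest are made up.

```python
"""Completeness check for a CycloneDX JSON SBOM before it goes into the CRA technical file.

Added example for this guide; not code from any named product. Findings are
(severity, message) pairs: ERROR items would fail the Annex I Part II(1)
expectation (components identified, at least top-level dependencies, in a
machine-readable format); WARN items are good practice rather than a hard requirement.
"""
import json
from typing import List, Tuple

# Constructed sample SBOM for a hypothetical HIS integration service.
# Library names are real families; versions, refs and the digest are invented.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "bom-ref": "app:his-integration@4.2.0",
                      "name": "his-integration", "version": "4.2.0"}
    },
    "components": [
        {   # complete entry: name, version, purl and hash
            "type": "library", "bom-ref": "pkg:maven/ca.uhn.hapi.fhir/hapi-fhir-base@6.10.0",
            "name": "hapi-fhir-base", "version": "6.10.0",
            "purl": "pkg:maven/ca.uhn.hapi.fhir/hapi-fhir-base@6.10.0",
            "hashes": [{"alg": "SHA-256", "content": "00" * 32}],  # placeholder digest
        },
        {   # no version, no purl, no hash: cannot be matched to any advisory
            "type": "library", "bom-ref": "dcm4che-core", "name": "dcm4che-core",
        },
        {   # versioned but without purl or cpe, and not wired into the dependency graph
            "type": "library", "bom-ref": "openehr-sdk", "name": "openehr-sdk", "version": "2.3.0",
        },
    ],
    "dependencies": [
        {"ref": "app:his-integration@4.2.0",
         "dependsOn": ["pkg:maven/ca.uhn.hapi.fhir/hapi-fhir-base@6.10.0",
                       "dcm4che-core",
                       "pkg:npm/fhir-validator@9.9.9"]},  # ref that matches no component
    ],
}


def check_sbom(bom: dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one CycloneDX document."""
    findings: List[Tuple[str, str]] = []
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        return [("ERROR", "not a CycloneDX document")]

    # The product itself must be identified with the exact version the SBOM describes.
    root = (bom.get("metadata") or {}).get("component") or {}
    if not root.get("name") or not root.get("version"):
        findings.append(("ERROR", "metadata.component must identify the product and its exact version"))

    components = bom.get("components", [])
    known_refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    if root.get("bom-ref"):
        known_refs.add(root["bom-ref"])

    for c in components:
        label = c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings.append(("ERROR", "component without a name"))
        if not c.get("version"):
            findings.append(("ERROR", f"{label}: missing version"))
        if not (c.get("purl") or c.get("cpe")):
            findings.append(("ERROR", f"{label}: no purl or cpe, cannot be matched to vulnerability advisories"))
        if not c.get("hashes"):
            findings.append(("WARN", f"{label}: no hash, shipped artifact cannot be verified against the SBOM"))

    # Top-level dependencies are the CRA minimum: the product must have a dependency entry.
    graph = {d.get("ref"): d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    if root.get("bom-ref") not in graph:
        findings.append(("ERROR", "no dependency entry for the product itself: top-level dependencies undeclared"))

    reachable = set()
    for children in graph.values():
        for child in children:
            reachable.add(child)
            if child not in known_refs:
                findings.append(("ERROR", f"dependency graph references unknown component {child}"))
    for c in components:
        if c.get("bom-ref") not in reachable:
            findings.append(("WARN", f"{c.get('name')}: listed but not reachable from the dependency graph"))
    return findings


def check_sbom_file(path: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for an SBOM on disk (e.g. the one attached to a release)."""
    with open(path, encoding="utf-8") as fh:
        return check_sbom(json.load(fh))


def is_assessment_ready(bom: dict) -> bool:
    """True when no ERROR finding remains."""
    return not any(sev == "ERROR" for sev, _ in check_sbom(bom))


if __name__ == "__main__":
    for sev, msg in check_sbom(SAMPLE_SBOM):
        print(f"{sev:5} {msg}")
    print("assessment ready:", is_assessment_ready(SAMPLE_SBOM))
```

Run against the sample, the check reports four errors (the unversioned DICOM library, two components without a purl, and a dependency reference that matches nothing) and three warnings; a release pipeline would refuse to tag the SBOM until the errors are gone. Wiring `check_sbom_file` into CI for every build is the cheapest way to keep the per-version SBOM obligation honest.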

Vendors serving national health services may also face national cybersecurity assessment requirements; note that UK NHS customers sit outside the CRA's territorial scope, while their own assessment requirements still apply to vendors selling there. Align CRA conformity assessment with national assessment timelines where possible.

CRA reference: Article 32, Annex VIII

CVD Portal handles your CRA Article 13 obligations automatically.

Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for Healthcare IT & Clinical Software Vendors.

Start your free portal

Frequently asked

Is SaaS healthcare software (cloud-hosted EHR) subject to the CRA?

Pure SaaS healthcare software, where no software component is installed on hospital infrastructure, is outside the CRA's product definition except for remote data processing that an in-scope product needs in order to function (Article 3(2)); the provider's own obligations come from NIS2, where cloud computing service providers are listed as essential entities. If the SaaS platform includes an installed component (a desktop client, a local integration engine, an HL7 FHIR bridge installed on hospital servers), those installed components are products with digital elements subject to the CRA, and so is the hosted processing they cannot function without. Hybrid deployment models, common in EHR where some processing stays on-premise for performance or data sovereignty reasons, are therefore likely to be within CRA scope for the installed portions.

How do we manage CRA compliance when our clinical software integrates with hundreds of different medical devices?

CRA compliance applies to your software product, not to the third-party medical devices it integrates with. However, you must ensure that your software's integration interfaces (HL7 v2, FHIR, DICOM, proprietary device APIs) are secure: authenticated, encrypted connections, and strict validation of data received from integrated devices, since a compromised or malfunctioning device is an untrusted input source. Your SBOM should document the device integration libraries you use. Vulnerabilities in the integration layer that could affect your software's security must be patched under your CRA vulnerability handling obligations. The devices themselves, where they fall under the MDR or IVDR, are excluded from the CRA (Article 2(2)) and carry their own cybersecurity requirements under those regulations (MDR Annex I, section 17.2), so the device manufacturer's obligations are separate from yours.
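
The "authenticated, encrypted connections" point in this answer, and the TLS requirement in the Annex I section above, are easy to state and easy to get wrong in an integration engine. The following is an added example for this guide, not code from any product named on the page: a Python `ssl` client configuration for a FHIR or similar endpoint, with the permissive configuration that must not ship beside the hardened one, and an audit function a vendor can run in its own test suite. The certificate paths are assumptions: pass the hospital CA bundle and, for mutual TLS, the client certificate and key issued to the integration service.

```python
"""Client-side TLS policy for a FHIR or other clinical integration endpoint.

Added example for this guide; not code from any named product. The legacy
context shows the anti-pattern (encrypts, but talks to anyone); the hardened
context enforces TLS 1.2+, AEAD suites, chain and hostname verification and
optional mutual TLS. Certificate paths are assumed inputs, not real files.
"""
import ssl
from typing import List, Optional

# Cipher suite name fragments that have no place on a clinical endpoint.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "ADH", "AECDH")

# Explicit TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only.
# TLS 1.3 suites are always enabled by OpenSSL and need no configuration.
TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
])


def legacy_context() -> ssl.SSLContext:
    """The kind of context found in old integration engines: encrypted, but unauthenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # no certificate validation: trivially intercepted on a ward VLAN
    return ctx


def fhir_client_context(ca_file: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: TLS 1.2+, AEAD suites, chain and hostname checks, optional mTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # hospital-internal CA bundle (assumed path)
    else:
        ctx.load_default_certs()                    # system trust store for public endpoints
    if client_cert:
        # Mutual TLS: the FHIR server authenticates this integration service as well.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations of a context; an empty list means it passes."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("accepts TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    for suite in ctx.get_ciphers():
        if any(marker in suite["name"] for marker in WEAK_CIPHER_MARKERS):
            problems.append(f"weak cipher suite enabled: {suite['name']}")
    return problems


if __name__ == "__main__":
    print("legacy  :", audit_context(legacy_context()))
    print("hardened:", audit_context(fhir_client_context()))
```

`audit_context` is the part worth keeping: run it in CI against every context your integration layer constructs, so that a "temporary" `CERT_NONE` added during a go-live at one hospital cannot quietly ship to all of them.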

What are the CRA obligations for legacy clinical software still in use at hospitals?

The CRA's conformity requirements apply to products placed on the market from 11 December 2027. Software placed on the market before that date is not retroactively subject to them unless it undergoes a substantial modification, such as a release that changes its intended purpose or affects its compliance with Annex I (Article 69(2)). Each new licence of an existing product supplied after that date is a new placing on the market and must be compliant. The Article 14 reporting obligations are the exception: from 11 September 2026 they apply to all in-scope products, including those already deployed (Article 69(3)). Continued security support for deployed legacy software, beyond what Article 13(8) mandates for products placed on the market under the CRA, is a customer commitment rather than a CRA requirement, and may be contractually required. Hospitals should discuss CRA transition timelines with their clinical software vendors as part of their NIS2 supply chain security obligations.

Need a CVD policy template for Healthcare IT & Clinical Software Vendors?

Download a free CRA-compliant vulnerability disclosure policy and deploy it in minutes.

Browse templates →