Brazilian regulatory expectations for connected medical devices

Thursday 4 December 2025

Renata Fialho de Oliveira
Veirano Advogados, São Paulo
renata.oliveira@veirano.com.br

Isabel Hering
Veirano Advogados, São Paulo 
isabel.hering@veirano.com.br

Thais Cristina de Jesus
Veirano Advogados, São Paulo
thais.jesus@veirano.com.br

Introduction

The rapid advancement and widespread adoption of connected medical devices is transforming healthcare, offering unprecedented opportunities for precision and the continuity of care. However, this digital revolution simultaneously introduces complex challenges related to cybersecurity and data protection, demanding a cohesive regulatory and operational response. This article examines the critical interplay between cybersecurity measures and data protection obligations for connected medical devices within the Brazilian legal framework, specifically focusing on the intersection between the Brazilian Health Regulatory Agency’s (Agência Nacional de Vigilância Sanitária or ANVISA) regulatory guidance and the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD).

This broad digitalisation of healthcare is, however, accompanied by a growing threat from cyberattacks in terms of both their potential scale and complexity. The range of targets is expanding, increasingly encompassing connected medical devices that can become vulnerable to malicious actions. In 2023, the healthcare sector recorded the highest average cost per cyberattack incident among all the segments analysed globally, namely $5.3m, according to the 26th edition of PwC’s Global Digital Trust Insights.[1] In Brazil, the scenario is equally alarming: IBM’s Cost of a Data Breach report[2] revealed that the average cost per data breach in 2024 reached R$6.75m, reflecting the growing impact of these attacks.

These figures are more than mere statistics; they reveal operational and strategic gaps with the potential to broadly affect the sector, directly impacting patients who rely on medical devices for the continuity of their treatment and therapeutic care. Despite the sensitivity of the issue, only 24 per cent of the 2,000 healthcare executives interviewed by PwC reported having an integrated resilience plan in place that includes cybersecurity efforts.

Cybersecurity risks and regulatory responses to connected medical devices

To provide context, connected medical devices can serve various purposes and fall into different categories, such as pacemakers, infusion pumps, glucose sensors and imaging diagnostic software. These products often incorporate firmware, programmable logic controllers and, increasingly, artificial intelligence (AI). Their goal is to ensure faster diagnoses, provide continuous monitoring and deliver personalised treatment. However, the vulnerabilities are real: security flaws can compromise device integrity, alter clinical data or even interfere with the operation of the device. The level of complexity increases when dealing with software as a medical device (SaMD), which refers to software intended to be used for medical purposes without being part of a hardware medical device, but with a direct impact on patient health.

In the United States, the Food and Drug Administration (FDA)[3] has adopted a proactive stance in regard to regulating the cybersecurity of medical devices. The agency works in partnership with manufacturers, hospitals, service providers, patients and government entities, such as the Cybersecurity and Infrastructure Security Agency (CISA), to ensure that these devices are designed securely from the outset. The FDA recommends continuous monitoring of potential vulnerabilities, the proactive disclosure of identified flaws and the implementation of effective solutions. Specific guidelines have been created to help developers incorporate secure practices from the design phase, promoting a ‘security by design’ approach.

In Brazil, ANVISA has also made progress in regard to regulating medical devices with digital components. Guide No. 38/2020 provides recommendations for manufacturers, healthcare services and users on how to mitigate cybersecurity risks and ensure patient safety and device performance. The requirements include the submission of technical reports on databases used for AI training, methodological justifications, training history, risk classification, clear instructions for use and continuous monitoring of potential vulnerabilities and security updates.

The LGPD and security by design for connected medical devices

Connected medical devices pose significant challenges in regard to the intersection between technology, health regulation and data protection. In Brazil, these challenges are governed by the LGPD, which classifies most data processed by such devices as sensitive personal data. This includes health information generated or inferred through sensors, firmware, SaMD and platforms within the Internet of Medical Things (IoMT). The sensitive nature of this data demands that the allocation of the role of data controllers and processors is clear, reflected in the relevant contracts and privacy notices.

Data processing in this context typically relies on the LGPD’s legal bases, such as for the protection of health, compliance with legal obligations, consent and, in some cases, contract performance. Each scenario must be mapped to a specific basis and purpose, with data minimisation and privacy by design embedded into technical specifications and default settings.

The security obligations under the LGPD require the adoption of technical and organisational measures proportionate to the risks. The National Data Protection Authority’s (Autoridade Nacional de Proteção de Dados or ANPD) guidance stresses that structured incident response plans should be compiled covering detection, containment, clinical impact assessments and notifications. For medical devices, these processes should integrate with ANVISA’s technovigilance requirements to align the relevant safety alerts, software updates and privacy notifications.

The principle of security by design spans the entire device lifecycle. ANVISA’s Guide 38/2020 and the International Medical Device Regulators Forum (IMDRF) standards advocate risk-based design, secure-by-default configurations, vulnerability management and transparency through the provision of a Software Bill of Materials (SBOM). These measures aim to mitigate the systemic risks posed by IoMT ecosystems, where interconnectivity amplifies potential attack surfaces.

International data transfers (common in IoMT architectures) must comply with the LGPD’s requirements, such as the use of standard contractual clauses or binding corporate rules, ensuring that onward transfer controls and auditability are maintained. Governance ties these elements together: appointing a data protection officer (DPO), maintaining accurate processing records, employee training and awareness and implementing data retention schedules. Transparency towards patients should include details on the firm’s cybersecurity practices, data subject rights, DPO designation and other compliance aspects in Portuguese and plain language.

National cybersecurity and healthcare resilience

The increasing digitalisation of healthcare demands a coordinated response from various stakeholders. In December 2023, the National Cybersecurity Policy was established through Decree No. 11.856, which also created the National Cybersecurity Committee. More recently, in August 2025, Decree No. 12.573 formalised the new National Cybersecurity Strategy (E-Ciber), focusing on the protection of critical infrastructure, including within the healthcare sector. These initiatives respond to a concerning scenario: between 2022 and 2024, the number of information security incidents involving federal public agencies rose from 3,402 to 5,302, according to the Brazilian Federal Court of Accounts (Tribunal de Contas da União or TCU),[4] highlighting the urgent need to strengthen the country’s digital sovereignty and protect strategic and personal data.

Building a secure digital health ecosystem requires collaboration by all of the involved actors. At a strategic level, manufacturers must integrate cybersecurity practices from the development stage, conduct rigorous vulnerability testing, ensure that secure and continuous updates are incorporated and clearly disclose any known vulnerabilities. For healthcare services, implementing robust information security policies, developing comprehensive contingency and incident response plans and providing ongoing team training are crucial. Additionally, isolating medical devices on dedicated networks can significantly reduce the risk of attack propagation and enhance the devices’ overall resilience.

Although ANVISA has already internalised the best practices established by the IMDRF/CYBER WG/N60, entitled the Principles and Practices for Medical Device Cybersecurity, it could further update its regulations and guidelines on medical device cybersecurity to promote greater safety and predictability for the sector. Users and patients, in turn, must be aware of the risks associated with connected devices, understand the value of keeping equipment updated, report suspicious behaviour and demand transparency regarding the use of their data.

Final considerations

Connected health is an irreversible reality, offering transformative potential for the advancement of precision, personalisation and efficiency within healthcare. However, realising this potential safely demands a fundamental shift: cybersecurity and data protection cannot be afterthoughts or secondary concerns. They must be intrinsically woven into the fabric of innovation, guiding design decisions, public policies and clinical practices from inception. This article has demonstrated how an integrated approach, aligning ANVISA’s device safety mandates with the LGPD’s data protection duties, is essential for mitigating risks and fostering trust in the digital health ecosystem.

Brazil is actively pursuing technological innovation, driven by initiatives such as the Brazilian Artificial Intelligence Plan (Plano Brasileiro de Inteligência Artificial or PBIA) and the Digital Health Strategy for Brazil (Estratégia de Saúde Digital Para o Brasil or ESD) 2020–2028. Yet this progress is inseparable from the urgent challenge of protecting sensitive data, ensuring the integrity and reliability of medical devices and preserving public trust. Building a secure and sustainable digital health ecosystem requires more than technology; it demands vision, multidisciplinary collaboration and unwavering ethical commitment. Manufacturers, regulators, healthcare professionals and patients must collectively work towards a future in which true innovation safeguards, respects and prioritises human wellbeing.

Notes

[1] PwC, ‘Custo médio de ciberataques na Saúde foi de US$ 5,3 milhões em 2023’, www.pwc.com.br/pt/sala-de-imprensa/release/custo-medio-de-ciberataques-na-saude-foi-de-US-5-3-milhoes-em-2023.html, last accessed on 26 October 2025.

[2] Ministério Público do Estado de Mato Grosso, ‘Custo médio das violações de dados no Brasil é de R$ 6,75 milhões’, www.mpmt.mp.br/portalcao/news/1217/147401/custo-medio-das-violacoes-de-dados-no-brasil-e-de-r-675-milhoes, last accessed on 26 October 2025.

[3] FDA, ‘Medical Device Cybersecurity: What You Need to Know’, www.fda.gov/consumers/consumer-updates/medical-device-cybersecurity-what-you-need-know, last accessed on 26 October 2025.

[4] Tribunal de Contas da União, ‘Lista de Alto Risco da Administração Pública’, https://sites.tcu.gov.br/listadealtorisco/seguranca_da_informacao_e_seguranca_cibernetica.html, last accessed on 27 October 2025.