Australia’s Therapeutic Goods Administration (TGA) has implemented final guidance on pre- and post-market cybersecurity regulatory recommendations for medical device, software and IVD manufacturers and sponsors.

The TGA guidance applies to software as a medical device (SaMD) as well as medical devices and IVDs incorporating components that may be vulnerable to cyber threats.

Towards a harmonized regulatory approach to cybersecurity

The TGA guidance aligns closely with regulatory approaches developed by the US Food and Drug Administration and Health Canada, based on total product lifecycle (TPLC) principles for risk and quality management. Convergence of TGA cybersecurity requirements with US FDA draft pre-market guidance and final post-market guidance on cybersecurity risk management, Health Canada cybersecurity guidance finalized in June 2019, and South Korean MFDS cybersecurity guidelines shows an increasingly harmonized regulatory response to  emerging cybersecurity risks and threats to connected healthcare environments.

Key components of the TGA cybersecurity guidance

TGA has divided its new cybersecurity guidance into three key sections: TPLC, pre-market and post-market.

TPLC

Under TPLC guidance, the agency covers Essential Principles and appropriate cybersecurity measures to comply with those Principles; such compliance is required in order for a device or SaMD to be listed on the Australian Register of Therapeutic Goods (ARTG) for legal sale in the country.

Examples of Essential Principles and corresponding cybersecurity measures include:

• Essential Principle: Use of a medical device should not compromise public health or safety
  • A manufacturer should consider whether and how a device’s intended use exposes the product to cyber risks, as well as how those risks should be managed.
• Essential Principle: Conformance of a device’s design and construction to safety principles
  
  • A manufacturer should factor cybersecurity considerations into the design of its product, and utilize principles of inherently safe design to reduce cybersecurity risks to patients and users.
• Essential Principle: Long-term safety
  
  • A manufacturer should develop a plan for regular maintenance of a device’s cybersecurity components, including how updates will be delivered and verified and whether accessories are required for such maintenance.

Under TPLC guidance, TGA also identifies several relevant standards manufacturers may implement in order to demonstrate compliance to Essential Principles from a cybersecurity perspective:

• ISO 14971 for application of risk management to medical devices
• ISO 13485 quality management system requirements for regulatory compliance
• IEC 60601 standards for safety and performance of medical electrical equipment
• UL 2900-2-1 software cybersecurity requirements for network-connectable healthcare system components
• AAMI/UL 2800 safety and security requirements for interoperable medical devices and systems

Finally, the guidance’s TPLC section includes cybersecurity risk monitoring recommendations. Manufacturers of ARTG-listed products should develop and maintain a Software Bill of Materials (SBOM) to collect and monitor data to identify emerging cyber vulnerabilities and assess risks.

Pre-market requirements

In terms of pre-market cybersecurity requirements for Australian medical device and IVD market registrants, the TGA guidance recommends two design and development approaches to cyber risk management. These include “secure by design” early assessments of potential cyber risks, and “quality by design” for mitigating risks involved with each function of a device.

TGA pre-market recommendations also identify baseline standards to which the regulator expects compliance in order to satisfy Essential Requirements: ISO 14971, ISO 13485, IEC 60601 and IEC 62304 for medical device software lifecycle processes.

Additional pre-market cybersecurity-related recommendations include:

• Risk management strategies based on the US National Institute of Standards and Technology (NIST) cybersecurity framework;
• Managing manufacturing and supply chains according to Essential Principle parameters;
• Technical considerations such as modular architecture, penetration testing and operating platform security.

Post-market requirements

TGA’s post-market requirements for devices and software to maintain their ARTG listings come down to ongoing compliance to Essential Principles, including for cybersecurity.

The perpetually evolving nature of cybersecurity risk requires both pre- and post-market management, according to the guidance, which means cyber risk monitoring and management processes must be included in manufacturers’ ongoing post-market plans and activities.

Learn more about Australian TGA and cybersecurity regulations at Emergo by UL:

• Cybersecurity risk management and procurement support
• Australian TGA medical device registration consulting
• TGA registration consulting for IVD manufacturers
• Australian TGA Sponsor in-country representation for medical device companies
• Webinar: Mapping UL 2900 standards to FDA guidance