24 July 2019
Australia’s Therapeutic Goods Administration (TGA) has implemented final guidance on pre- and post-market cybersecurity regulatory recommendations for medical device, software and IVD manufacturers and sponsors.
The TGA guidance applies to software as a medical device (SaMD) as well as medical devices and IVDs incorporating components that may be vulnerable to cyber threats.
The TGA guidance aligns closely with regulatory approaches developed by the US Food and Drug Administration and Health Canada, based on total product lifecycle (TPLC) principles for risk and quality management. Convergence of TGA cybersecurity requirements with US FDA draft pre-market guidance and final post-market guidance on cybersecurity risk management, Health Canada cybersecurity guidance finalized in June 2019, and South Korean MFDS cybersecurity guidelines shows an increasingly harmonized regulatory response to emerging cybersecurity risks and threats to connected healthcare environments.
TGA has divided its new cybersecurity guidance into three key sections: TPLC, pre-market and post-market.
TPLC
Under TPLC guidance, the agency covers Essential Principles and appropriate cybersecurity measures to comply with those Principles; such compliance is required in order for a device or SaMD to be listed on the Australian Register of Therapeutic Goods (ARTG) for legal sale in the country.
Examples of Essential Principles and corresponding cybersecurity measures include:
Under TPLC guidance, TGA also identifies several relevant standards manufacturers may implement in order to demonstrate compliance with Essential Principles from a cybersecurity perspective:
Finally, the guidance’s TPLC section includes cybersecurity risk monitoring recommendations. Manufacturers of ARTG-listed products should develop and maintain a Software Bill of Materials (SBOM) to collect and monitor data to identify emerging cyber vulnerabilities and assess risks.
Pre-market requirements
In terms of pre-market cybersecurity requirements for Australian medical device and IVD market registrants, the TGA guidance recommends two design and development approaches to cyber risk management. These include “secure by design” early assessments of potential cyber risks, and “quality by design” for mitigating risks involved with each function of a device.
TGA pre-market recommendations also identify baseline standards to which the regulator expects compliance in order to satisfy Essential Requirements: ISO 14971, ISO 13485, IEC 60601 and IEC 62304 for medical device software lifecycle processes.
Additional pre-market cybersecurity-related recommendations include:
Post-market requirements
TGA’s post-market requirements for devices and software to maintain their ARTG listings come down to ongoing compliance with Essential Principles, including those relating to cybersecurity.
The perpetually evolving nature of cybersecurity risk requires both pre- and post-market management, according to the guidance, which means cyber risk monitoring and management processes must be included in manufacturers’ ongoing post-market plans and activities.