The integration of advanced information technologies in medical devices has transformed the healthcare industry, resulting in dramatic improvements in the efficiency and effectiveness of healthcare and related services. But this integration has fostered the emergence of a new set of challenges for patients, healthcare providers, and device developers and manufacturers. Today, the healthcare industry is a major target for hackers and cybercriminals, potentially compromising private and confidential healthcare data and placing the safety and health of patients at risk.

Strengthening the security of connected medical devices against cyberattacks is a responsibility shared by all industry participants, including healthcare providers, manufacturers and regulators. Regulators have started now to enforce more stringent cybersecurity requirements globally.

Although US FDA issued final guidance addressing premarket expectations related to cybersecurity in 2014, the rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations, required an updated approach. FDA was the first to issue a new draft premarket guidance for cybersecurity management in October 2018. Health Canada’s guidance on premarket requirements for medical device cybersecurity issued in June 2019 and now TGA’s medical device cybersecurity guidance for industry issued in July 2019 have come into effect, but FDA’s guidance has yet to be finalized, which is expected at some point in  2019.

For the purpose of this post, we’ll examine the convergence of medical regulatory premarket cybersecurity requirements for Australia, Canada and the USA as described in the guidance documents above. This post focuses on the following subjects:

• Scope of the guidance
• Organizational process requirements
• Recommendations for product security controls and capabilities
• The use of standards
• Information to be included in premarket submissions

Scope of the guidance

Let’s have a look to the scope of the guidance documents before looking into the individual cybersecurity requirements.

The FDA guidance applies to medical devices and IVDs that contain software (including firmware) or programmable logic as well as Software as a Medical Device (SaMD) requiring premarket submissions. FDA also notes that the cybersecurity principles might also be applied to Investigational Device Exemption (IDE) submissions as well as devices exempt from premarket review.

Health Canada’s (HC) guidance applies to medical devices and IVDs that consist of or contain software and are regulated as a medical device (Class I to Class IV) under the Canadian Medical Devices Regulations. Class III and IV medical devices require a review of submitted evidence of safety and effectiveness before their license applications are finalized.

Australia’s Therapeutics Goods Administration (TGA) guidance applies to all medical devices and IVDs that contain software and SaMD. The level of scrutiny by the TGA of a device before it is placed on the Australian Register of Therapeutic Goods (ARTG) depends on the risk posed by the device. Although Class I devices are not assessed by the TGA, for all classes of medical devices, evidence is required to be made available when requested by the TGA to demonstrate that medical device risk, including cybersecurity risk, is being managed by appropriate quality and risk management frameworks.

Organizational process requirements

Essentially, all three regulators are now looking to see that manufacturers have embedded cybersecurity into their risk and quality management systems, including software development life-cycle processes. Risk management is expected to be an ongoing activity that should be considered, controlled and documented across all phases of a medical device, from the initial conception to development and testing, market authorization, post-market use, and through to end-of-life and obsolescence.

So, what does this practically mean for manufacturers? A manufacturer will need to review the existing systems and figure out which processes need to be modified or established from scratch to consider cybersecurity. Here are some considerations, to name a few:

• Has the responsibility for product cybersecurity clearly been defined within the organization?
• Do product design input requirements include security requirements?
• Do software test protocols include verification and validation activities to ensure the effectiveness of security controls implemented?
• Has the safety risk management process been amended to also include security risks?
• Does the organization provide adequate and competent staff in terms of cybersecurity?
• Has the organization issued a vulnerability disclosure policy?
• Do post-market surveillance processes include monitoring of known vulnerabilities?

Recommendations for security controls and capabilities

Another common scheme is that all three regulators recommend a series of security controls a manufacturer should consider early in the product life-cycle when design requirements are being developed with FDA being the most specific. For more information refer to section 2.1.1 of HC’s guidance, section V of FDA’s guidance and section “Technical cyber security considerations” of TGA’s guidance.

Deviating from these baseline requirements is acceptable in case the manufacturer can provide adequate and risk-based justifications. Justifications could be based on factors such as intended use, the use environment, device risk profile and type.

In order to avoid costly product redesigns or market access delays due to inappropriate design solutions or cybersecurity documentation, the following is recommended:

1. Determine regulatory as well as standard cybersecurity requirements based on target markets
2. Determine desired customer cybersecurity product capabilities exceeding regulatory requirements
3. Derive recommended security controls / capabilities and record them as part of the design input specifications
4. Establish a risk management file, e.g. per ISO 14971 or AAMI TIR57, containing all risks including cybersecurity threats, risks and cybersecurity risk controls measures. Make sure risk control measures are successfully verified and validated with traceability maintained between the risk, the control measure and the V&V activities. Document risk-based justifications for (not) implementing any of the recommended security controls
5. Consult with regulators / 3^rd party experts early in the design life-cycle to determine necessary security controls, if unsure
6. Develop the product in a controlled environment e.g. per ISO 13485 and IEC 62304
7. Verify and validate security risk controls through testing and reviews based on recommended standards and best practices such as ANSI/CAN/UL 2900-1 and ANSI/CAN/UL 2900-2-1
8. Compile cybersecurity test reports and file them as part of the design history file as well as the premarket clearance submissions with the level of details requested in the individual guidance documents

The use of standards

A standards-based approach is recommended by all three regulators, although use of standards is not mandated like for guidance documents. Medical devices that have cybersecurity risks are highly variable in their components and operate in a variety of environments, resulting in many relevant standards.

FDA, Health Canada and TGA each have published a list of standards / guidelines that have been recognized as being suitable to meet regulatory cybersecurity requirements for medical devices.

The following important documents have been recognized in all three jurisdictions, and assist manufacturers to address cybersecurity process, product design and/or testing requirements:

• ISO 14971 – Application of risk management to medical devices
• AAMI TIR 57 – Principles for medical device security risk management
• IEC 80001 Series – Application of risk management for IT-networks incorporating medical devices
• ANSI/CAN/UL 2900-1 – General software cybersecurity requirements
• ANSI/CAN/UL 2900-2-1 – Particular cybersecurity requirements for healthcare systems
• ISO 13485 – Quality management system
• IEC 62304 – Software life-cycle processes

Information to be included in premarket submissions

The FDA and Health Canada both provide a very detailed list of information to be included in FDA medical device premarket submissions (section VII refers) and HC medical device license applications (section 2.3 refers). The level of details required is sometimes depending on the device risk class. Here are some examples of information regulators will assess for new submissions / applications:

• Cybersecurity Bill of Materials (CBOM)
• Marketing history as it relates to cybersecurity incidents (HC only)
• Security risk management file with traceability matrix
• A list of standards applied, in whole or in part, with respect to cybersecurity
• Evidence for cybersecurity testing (e.g. known vulnerability testing, malware testing, malformed input testing / fuzzing, penetration testing, static source code / binary code analysis, etc.)
• Maintenance plan, e.g. for post-market vigilance, patching, vulnerability disclosure policies, etc.
• Design documentation demonstrating that the device is trustworthy including documentation of the design features from section V of the FDA guidance as well as system diagrams (FDA only)

TGA does not explicitly describe what kind of information is required to be submitted as part of the premarket review process. However, manufacturers must demonstrate compliance with the Essential Principles. The Essential Principles require manufacturer minimize the risks associated with the design, long-term safety and use of the device; this implicitly includes minimization of cybersecurity risks. As noted above, a standards-based approach is recommended as one method to demonstrate compliance with the Essential Principles. Please refer to Table 1 and 2 of the guidance for more details.

Conclusion

In summary, it is encouraging to see that regulators are now enforcing more stringent cybersecurity requirements to make medical devices more secure and at the same time allow for a risk-based approach. The TGA guidance aligns closely with regulatory approaches developed by the FDA and Health Canada, based on total product life-cycle (TPLC) principles for risk and quality management. Convergence of TGA cybersecurity requirements with US FDA draft pre-market guidance and final post-market guidance on cybersecurity risk management, Health Canada cybersecurity guidance finalized in June 2019 shows an increasingly harmonized regulatory response to emerging cybersecurity risks and threats to connected healthcare environments.

Marco Deuschler is Business Development Manager at UL Life & Health Sciences’ Digital Health division focusing on Cybersecurity, Interoperability and Data Privacy.

Related medical device cybersecurity resources from Emergo by UL:

• US FDA medical device cybersecurity consulting
• Cybersecurity risk management and procurement support
• Webinar: Mapping cybersecurity standards to FDA guidance