August 20, 2019
The integration of advanced information technologies in medical devices has transformed the healthcare industry, resulting in dramatic improvements in the efficiency and effectiveness of healthcare and related services. But this integration has fostered the emergence of a new set of challenges for patients, healthcare providers, and device developers and manufacturers. Today, the healthcare industry is a major target for hackers and cybercriminals, potentially compromising private and confidential healthcare data and placing the safety and health of patients at risk.
Strengthening the security of connected medical devices against cyberattacks is a responsibility shared by all industry participants, including healthcare providers, manufacturers and regulators. Regulators worldwide have now started to enforce more stringent cybersecurity requirements.
Although the US FDA issued final guidance addressing premarket expectations related to cybersecurity in 2014, the rapidly evolving threat landscape, and the improved understanding of threats and their potential mitigations, required an updated approach. FDA was the first to issue a new draft premarket guidance for cybersecurity management, in October 2018. Health Canada’s guidance on premarket requirements for medical device cybersecurity, issued in June 2019, and TGA’s medical device cybersecurity guidance for industry, issued in July 2019, have since come into effect, whereas FDA’s draft guidance has yet to be finalized; finalization is expected at some point in 2019.
For the purpose of this post, we’ll examine the convergence of medical regulatory premarket cybersecurity requirements for Australia, Canada and the USA as described in the guidance documents above. This post focuses on the following subjects:
Let’s have a look at the scope of the guidance documents before looking into the individual cybersecurity requirements.
The FDA guidance applies to medical devices and IVDs that contain software (including firmware) or programmable logic as well as Software as a Medical Device (SaMD) requiring premarket submissions. FDA also notes that the cybersecurity principles might also be applied to Investigational Device Exemption (IDE) submissions as well as devices exempt from premarket review.
Health Canada’s (HC) guidance applies to medical devices and IVDs that consist of or contain software and are regulated as a medical device (Class I to Class IV) under the Canadian Medical Devices Regulations. Class III and IV medical devices require a review of submitted evidence of safety and effectiveness before their license applications are finalized.
Australia’s Therapeutics Goods Administration (TGA) guidance applies to all medical devices and IVDs that contain software and SaMD. The level of scrutiny by the TGA of a device before it is placed on the Australian Register of Therapeutic Goods (ARTG) depends on the risk posed by the device. Although Class I devices are not assessed by the TGA, for all classes of medical devices, evidence is required to be made available when requested by the TGA to demonstrate that medical device risk, including cybersecurity risk, is being managed by appropriate quality and risk management frameworks.
Essentially, all three regulators are now looking to see that manufacturers have embedded cybersecurity into their risk and quality management systems, including software development life-cycle processes. Risk management is expected to be an ongoing activity that should be considered, controlled and documented across all phases of a medical device, from the initial conception to development and testing, market authorization, post-market use, and through to end-of-life and obsolescence.
So, what does this mean for manufacturers in practice? A manufacturer will need to review its existing systems and work out which processes need to be modified, or established from scratch, to take cybersecurity into account. Here are some considerations, to name a few:
Another common theme is that all three regulators recommend a set of security controls that a manufacturer should consider early in the product life-cycle, when design requirements are being developed, with FDA being the most specific. For more information refer to section 2.1.1 of HC’s guidance, section V of FDA’s guidance and the section “Technical cyber security considerations” of TGA’s guidance.
Deviating from these baseline requirements is acceptable if the manufacturer can provide adequate, risk-based justifications. Justifications could be based on factors such as the intended use, the use environment, and the device’s risk profile and type.
In order to avoid costly product redesigns or market access delays due to inappropriate design solutions or cybersecurity documentation, the following is recommended:
A standards-based approach is recommended by all three regulators, although, as with the guidance documents themselves, the use of standards is not mandated. Medical devices that carry cybersecurity risks vary widely in their components and operate in a variety of environments, so many different standards are relevant.
FDA, Health Canada and TGA each have published a list of standards / guidelines that have been recognized as being suitable to meet regulatory cybersecurity requirements for medical devices.
The following important documents have been recognized in all three jurisdictions, and assist manufacturers to address cybersecurity process, product design and/or testing requirements:
The FDA and Health Canada both provide a very detailed list of information to be included in FDA medical device premarket submissions (see section VII) and HC medical device license applications (see section 2.3). The level of detail required sometimes depends on the device risk class. Here are some examples of information regulators will assess for new submissions / applications:
TGA does not explicitly describe what kind of information must be submitted as part of the premarket review process. However, manufacturers must demonstrate compliance with the Essential Principles. The Essential Principles require the manufacturer to minimize the risks associated with the design, long-term safety and use of the device; this implicitly includes minimizing cybersecurity risks. As noted above, a standards-based approach is recommended as one method of demonstrating compliance with the Essential Principles. Please refer to Tables 1 and 2 of the guidance for more details.
In summary, it is encouraging to see that regulators are now enforcing more stringent cybersecurity requirements to make medical devices more secure while still allowing for a risk-based approach. The TGA guidance aligns closely with the regulatory approaches developed by the FDA and Health Canada, which are based on total product life-cycle (TPLC) principles for risk and quality management. The convergence of TGA’s cybersecurity requirements with the US FDA’s draft premarket guidance and final postmarket guidance on cybersecurity risk management, and with the Health Canada cybersecurity guidance finalized in June 2019, shows an increasingly harmonized regulatory response to the emerging cybersecurity risks and threats facing connected healthcare environments.
Marco Deuschler is Business Development Manager at UL Life & Health Sciences’ Digital Health division focusing on Cybersecurity, Interoperability and Data Privacy.