Cybersecurity – Draft Guidance Document

Published on January 4, 2019

Author: Karen Zhou

Medical devices play a pivotal and ever-increasing role in improving access to care for patients. Through data exchange with network environments, medical devices facilitate timely diagnoses and treatments and improve access to healthcare information. The tradeoff is that devices can become vulnerable to cyberattacks. Vulnerabilities, such as unauthorized access, can significantly impact the safety and effectiveness of the device by causing diagnostic or therapeutic errors or by affecting clinical operations.

Health Canada considers cybersecurity vulnerabilities a potential risk to patients that manufacturers must mitigate or eliminate. The regulatory agency holds manufacturers responsible for monitoring, assessing and mitigating potential cybersecurity risks throughout the product lifecycle. In a move that aligns with the Food and Drug Administration, Health Canada has issued a draft Guidance Document (the “Guidance”) that addresses the premarket cybersecurity requirements. The Guidance advises manufacturers to incorporate cybersecurity into the risk management process for any device that contains software. It also recommends that manufacturers of Class I-IV devices follow a strategy to develop a cybersecurity risk management framework that incorporates the following elements:

· Secure design – Design inputs should include cybersecurity requirements. Early in development, it is important to consider (1) cybersecurity risks and controls when making design choices and (2) design choices that maximize device cybersecurity without affecting other safety-related aspects of the device.

· Risk Management – Health Canada recommends developing a device-specific cybersecurity risk management process in parallel to the risk management process per ISO 14971.

· Verification and Validation Testing – Cybersecurity risk control measures should be verified and validated.

· Planning for continuous monitoring and response to emerging risks and threats – Manufacturers should demonstrate in their premarket applications that they proactively monitor, identify and address potential cybersecurity risk throughout the expected service life.

Evaluation of Class III and IV device applications will consider these elements in the assessment of safety and effectiveness of the device.  In these premarket applications, the data elements that are relevant to cybersecurity are labeling and packaging, marketing history, risk assessment, quality planning, safety and effectiveness.

The consultation period, during which industry stakeholders can provide feedback on the Guidance, will be open until February 5, 2019. To participate, read the draft guidance and send an email to the Bureau of Policy, Science and International Programs at hc.policy.bureau.enquiries.sc@canada.ca.

References

1. Consultation: Pre-market Requirements for Medical Device Cybersecurity. https://www.canada.ca/en/health-canada/services/drugs-health-products/public-involvement-consultations/medical-devices/consutation-premarket-cybersecurity-profile.html

2. Draft Guidance Document - Pre-market Requirements for Medical Device Cybersecurity. https://www.canada.ca/en/health-canada/services/drugs-health-products/public-involvement-consultations/medical-devices/consutation-premarket-cybersecurity-profile/draft-guidance-premarket-cybersecurity.html

3. Content of Premarket Submissions for Management of Cybersecurity in Medical Device. https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf
