Cybersecurity – Draft Guidance Document

Author: Karen Zhou

Medical devices play a pivotal and ever increasing role in improving access to care for patients. Through data exchange with network environments, medical devices facilitate timely diagnoses and treatments and improve access to healthcare information.  The tradeoff is that that devices can become vulnerable to cyberattacks.  Vulnerabilities, such as unauthorized access, can significantly impact the safety and effectiveness of the device by causing diagnostic or therapeutic errors or by affecting clinical operations.

Health Canada considers cybersecurity vulnerabilities a potential risk to patients that manufacturers must mitigate or eliminate.  The regulatory agency holds manufacturers responsible for monitoring, assessing and mitigating potential cybersecurity risks throughout the product lifecycle.  In a move that aligns with the Food and Drug Administration, Health Canada has issued a draft Guidance Document (the “Guidance”) that addresses the premarket cybersecurity requirements.  The Guidance advises manufacturers to incorporate cybersecurity into the risk management process for any device that contains software. It also recommends that manufacturers of Class I-IV devices follow a strategy to develop a cybersecurity risk management framework which incorporates the following elements:   

·         Secure design – Design inputs should include cybersecurity requirements. Early in development, it is important to consider (1) cybersecurity risks and controls when making design choices and (2) design choices that maximize device cybersecurity without affecting other safety-related aspects of the device.

·         Risk Management – Health Canada recommends developing a device-specific cybersecurity risk management process in parallel to the risk management process per ISO  14971.

·         Verification and Validation Testing – Cybersecurity risk control measures should be verified and validated.

·         Planning for continuous monitoring and response to emerging risks and threats – Manufacturers should demonstrate in their premarket applications that they proactively monitor, identify and address potential cybersecurity risk throughout the expected service life.

Evaluation of Class III and IV device applications will consider these elements in the assessment of safety and effectiveness of the device.  In these premarket applications, the data elements that are relevant to cybersecurity are labeling and packaging, marketing history, risk assessment, quality planning, safety and effectiveness.

The consultation period, during which industry stakeholders can provide feedback on the Guidance, will be open until February 5, 2019.  To participate, read the draft guidance and send an email to Bureau of Policy, Science and International Programs at hc.policy.bureau.enquiries.sc@canada.ca .

References

1.       Consultation: Pre-market Requirements for Medical Device Cybersecurity https://www.canada.ca/en/health-canada/services/drugs-health-products/public-involvement-consultations/medical-devices/consutation-premarket-cybersecurity-profile.html

2.       Draft Guidance Document - Pre-market Requirements for Medical Device Cybersecurity https://www.canada.ca/en/health-canada/services/drugs-health-products/public-involvement-consultations/medical-devices/consutation-premarket-cybersecurity-profile/draft-guidance-premarket-cybersecurity.html

3.       Content of Premarket Submissions for Management of Cybersecurity in Medical Device https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf