Dec 18, 2018
EMERGO BY UL SUMMARY OF KEY POINTS:
New guidance from Health Canada would establish cybersecurity requirements and considerations for pre-market reviews of devices in Canada similar to policies developed by US and South Korean regulators.
The draft guidance proposes requirements for the cybersecurity-related information Medical Device License (MDL) applicants would have to submit to Health Canada in order to demonstrate the security of devices “consisting of or containing software,” and recommends measures such as implementation of the UL 2900 cybersecurity testing standards to mitigate cyber risks and vulnerabilities.
Among high-level cybersecurity recommendations in the new Health Canada guidance are:
According to Ken Pilgrim, Senior RA/QA consultant at Emergo by UL in Vancouver, the new guidance should prove valuable to medical device manufacturers obtaining market access not only in Canada but also other jurisdictions developing similar cybersecurity requirements.
“We are pleased to see Canada participating in medical device cybersecurity standard development, and this draft document consultative process should help Canadian medical device manufacturers meet Health Canada’s cybersecurity requirements as part of the licensing process,” Pilgrim says.
“The new guidance should also assist manufacturers in developing compliance with requirements globally for registration in other jurisdictions such as the US and South Korea.”
Health Canada’s guidance places responsibility for monitoring, assessing and mitigating cybersecurity risks on manufacturers; broader cybersecurity responsibilities must be shared among medical device companies, regulators, end users and network administrators, according to the guidance.
Health Canada suggests adoption of cybersecurity risk management methodologies based on the US National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, as well as cyber strategies incorporating secure design, risk management, verification and validation testing, and planning for continued monitoring and response efforts for emerging risks and threats.
First, Health Canada recommends that manufacturers build cybersecurity considerations into their product lifecycles as early as possible, including when evaluating and making design decisions, particularly those that address both cybersecurity and safety-related factors such as usability.
Among cybersecurity design inputs the guidance identifies as worthy of consideration during a manufacturer’s device design phase are secure communication with other connected devices and systems; data security and encryption; access controls to validate proper users of the device; and software maintenance issues.
As part of a comprehensive risk management process for the duration of a device’s lifecycle, manufacturers should apply ISO 14971 risk management principles as well as the following cybersecurity components:
However, the guidance also warns against cybersecurity risk management processes that may negatively impact device safety or effectiveness: “Any cybersecurity risk that reduces effectiveness, negatively affects clinical operations, or results in diagnostic or therapeutic errors should also be considered in the medical device’s risk management process,” Health Canada states.
Canadian regulators have also included recommendations for cybersecurity-related standards manufacturers should implement to bolster these efforts:
Third, Health Canada recommends verification and validation of all cybersecurity risk control processes against device design specifications and requirements.
The regulator further recommends that manufacturers implement the UL 2900-1:2017 and UL 2900-2-1:2018 cybersecurity testing standards to support these efforts. Specific types of testing the guidance identifies for manufacturers’ software verification and validation processes are:
“It is essential that manufacturers proactively monitor, identify and address vulnerabilities and exploits as part of their post-market management because cybersecurity risks to medical devices are continuously evolving,” Health Canada advises in the guidance. To this end, the regulator recommends that manufacturers clearly demonstrate their plans and efforts for monitoring and responding to emerging cyber threats, particularly for higher-risk Class III and IV medical devices, in their post-market license applications.
Health Canada has proposed inclusion of cybersecurity-related information in MDL pre-market applications based on guidance recommendations; applicants should include documentation covering secure design, risk controls, verification and validation testing, and ongoing monitoring and response plans.
General cybersecurity-related data elements identified in the guidance for MDL applications include: