Dec 18, 2018

EMERGO BY UL SUMMARY OF KEY POINTS:

  • Health Canada has proposed more formalized cybersecurity requirements for Medical Device License applicants.
  • The Health Canada requirements align with cybersecurity approaches adopted by medical device regulators in the US and other jurisdictions.
  • Health Canada recommends adoption of testing standards such as UL 2900 to support device cybersecurity claims.

New guidance from Health Canada would establish cybersecurity requirements and considerations for pre-market reviews of devices in Canada similar to policies developed by US and South Korean regulators.

The draft guidance proposes requirements for the cybersecurity-related information that Medical Device License (MDL) applicants would have to submit to Health Canada to demonstrate the security of devices “consisting of or containing software,” and recommends measures such as implementation of UL 2900 cybersecurity testing standards to mitigate cyber risks and vulnerabilities.

Among high-level cybersecurity recommendations in the new Health Canada guidance are:

  • Incorporating cybersecurity measures into risk management processes for devices with software components;
  • Establishing frameworks for managing cybersecurity risks on an enterprise level;
  • Verification and validation of all cybersecurity risk control processes according to device design requirements and specifications.

According to Ken Pilgrim, Senior RA/QA consultant at Emergo by UL in Vancouver, the new guidance should prove valuable to medical device manufacturers obtaining market access not only in Canada but also other jurisdictions developing similar cybersecurity requirements.

“We are pleased to see Canada participating in medical device cybersecurity standard development, and this draft document consultative process should help Canadian medical device manufacturers meet Health Canada’s cybersecurity requirements as part of the licensing process,” Pilgrim says.

“The new guidance should also assist manufacturers in developing compliance with requirements globally for registration in other jurisdictions such as the US and South Korea.”

Specific cybersecurity strategy recommendations

Health Canada’s guidance places responsibility for monitoring, assessment and mitigation of cybersecurity risks with manufacturers. Broader cybersecurity responsibilities must be shared among medical device companies, regulators, end users and network administrators, according to the guidance.

Health Canada suggests adoption of cybersecurity risk management methodologies based on the US National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, as well as cyber strategies incorporating secure design, risk management, verification and validation testing, and planning for continued monitoring and response efforts for emerging risks and threats.

Secure design

First, Health Canada recommends manufacturers build in cybersecurity considerations as early as possible in their product lifecycles, including when evaluating and making design decisions, among them decisions that support both cybersecurity and safety-related factors such as usability.

Among cybersecurity design inputs the guidance identifies as worthy of consideration during a manufacturer’s device design phase are secure communication with other connected devices and systems; data security and encryption; access controls to validate proper users of the device; and software maintenance issues.

Device-specific risk management

As part of a comprehensive risk management process for the duration of a device’s lifecycle, manufacturers should apply ISO 14971 risk management principles as well as the following cybersecurity components:

  • Identifying cybersecurity hazards
  • Estimating and evaluating associated cyber risks
  • Controlling risks at acceptable levels
  • Monitoring effectiveness of risk controls

However, the guidance also warns against cybersecurity risk management processes that may negatively impact device safety or effectiveness: “Any cybersecurity risk that reduces effectiveness, negatively affects clinical operations, or results in diagnostic or therapeutic errors should also be considered in the medical device’s risk management process,” Health Canada states.

Canadian regulators have also included recommendations for cybersecurity-related standards manufacturers should implement to bolster these efforts:

  • ANSI CAN UL 2900-1 software security for network-connectable products (general requirements)
  • ANSI CAN UL 2900-2 software cybersecurity for network-connectable products
  • AAMI TIR57:2016 principles for medical device security (risk management)
  • IEC 80001-1:2010 application of risk management for IT networks incorporating medical devices
  • NIST 800-30 Revision 1 guide for conducting risk assessments

Verification and validation testing

Third, Health Canada recommends verification and validation of all cybersecurity risk control processes against device design specifications and requirements.

The regulator further recommends that manufacturers implement UL 2900-1:2017 and UL 2900-2-1:2018 cybersecurity testing standards to support these efforts. Specific types of testing the guidance identifies for manufacturers’ software verification and validation processes include:

  • Vulnerabilities and exploits testing to cover known software code vulnerabilities, malware, malformed inputs and structured penetration testing against hacking;
  • Software weakness testing including source code analysis as well as static binary and bytecode analysis.

Monitoring and response efforts for emerging risks

“It is essential that manufacturers proactively monitor, identify and address vulnerabilities and exploits as part of their post-market management because cybersecurity risks to medical devices are continuously evolving,” Health Canada advises in the guidance. To this end, the regulator recommends manufacturers clearly demonstrate plans and efforts for monitoring and responding to emerging cyber threats, particularly for higher-risk Class III and IV medical devices, in their post-market license applications.

Cybersecurity requirements for MDL applications

Health Canada has proposed inclusion of cybersecurity-related information in MDL pre-market applications based on guidance recommendations; applicants should include documentation covering secure design, risk controls, verification and validation testing, and ongoing monitoring and response plans.

General cybersecurity-related data elements identified in the guidance for MDL applications include:

  • Device label and package documentation, including identification of any and all third-party and open-source software components;
  • Marketing history that covers any reported problems and recalls stemming from cybersecurity issues;
  • Risk assessment that includes analysis and evaluation of risks inherent in the use of the device in question, plus risk reduction measures taken to support safety and effectiveness;
  • Device-specific quality plan for a Class IV MDL application that shows how a cybersecurity framework has been incorporated into applicant’s quality standards;
  • Safety and effectiveness section that shows how any cybersecurity considerations were used to meet these requirements in terms of standards, testing, traceability matrices and maintenance plans.
