Cyber Regulatory Support

Strengthening the security of connected medical devices against cyberattacks is a responsibility shared by all industry participants, including hospital administrators, healthcare providers, and device developers and manufacturers. Developers and manufacturers must do more than meet the minimum regulatory requirements in their efforts to protect confidential patient data and to help ensure patient safety. They need to thoroughly evaluate and address the potential cybersecurity risks associated with their products, not just during the product development stage but also throughout the products’ anticipated use lifetime.

Regulators around the world have started to set regulatory requirements regarding cybersecurity and data privacy to make sure Health IoT devices are not only safe and effective but also secure.

  • USA: The FDA has published several guidance documents addressing the agency’s pre- and post-market requirements specific to cybersecurity considerations. In addition, the Health Insurance Portability and Accountability Act (HIPAA) might need to be considered either directly (legally) or indirectly (commercially) depending on your product type, type of data processed and your organization’s role.
  • European Union: The General Data Protection Regulation (GDPR) (EU) 2016/679, NIS Directive (EU) 2016/1148, MDR Regulation (EU) 2017/745 and IVDR Regulation (EU) 2017/746 contain requirements related to cybersecurity that might need to be considered either directly (legally) or indirectly (commercially) depending on your product type, type of data processed and your organization’s role.
  • Canada: Health Canada has published guidance on pre-market requirements for medical device cybersecurity applying to all risk classes.
  • Australia: Australia’s Therapeutic Goods Administration (TGA) published medical device cybersecurity guidance for all device risk classes, applicable to industry as well as users.
  • South Korea: The South Korean Ministry for Food and Drug Safety (MFDS) issued guidelines for medical device cybersecurity risk management based on US FDA guidance and recommendations.
  • China: The National Medical Products Administration (NMPA) published draft guidelines for standalone medical device software including cybersecurity requirements.

We are ready to help you address cybersecurity, data privacy and interoperability risks. Our services range from private security workshops that lay the foundation in your organization, through gap analysis services that detect non-conformities and errors early in the design phase, to consulting services that support your organization's regulatory submission and help you meet the necessary cybersecurity requirements.

Emergo by UL can help you:

  • Strengthen cybersecurity competencies and build up internal cybersecurity capacity
  • Navigate the regulatory cybersecurity landscape
  • Provide cybersecurity product design inputs
  • Advise and support internal cybersecurity processes across your divisions and departments

Consulting on FDA submission package and cybersecurity requirements

Review, evaluate, recommend, and develop:

  • US FDA premarket submission package
  • Your company’s risk management policies
  • Your company’s risk assessment practices used in design, development, and maintenance
  • Quality Management System
  • Product and/or system development processes

We can provide templates, training, industry best practices, and guides on:

  • Cybersecurity Management Plan
  • Hazard Analysis and Mitigation
  • Organizational Maturity assessment and planning
  • Supply chain controls and procedures
  • Risk Management policies and procedures
  • Risk Assessment tables