In an effort to mitigate potential cybersecurity threats arising from the increasing interconnectedness and data exchange between medical devices, Health Canada has released a guidance document on “pre-market requirements for medical device cybersecurity.”
The guidance document defines cybersecurity as “the body of technologies, processes, practices, responses and mitigation measures designed to protect a medical device against unauthorized access, modification, misuse, or denial-of-use, and against the unauthorized use of information stored, accessed, or transferred to or from a medical device.”
The purpose of this guidance document is to address cybersecurity in medical devices that consist of or contain software and are regulated as Class I to Class IV devices under the Canadian MDR. This includes both in vitro diagnostic (IVD) and non-in vitro diagnostic (nIVD) devices. Class III and Class IV medical devices require a review of the submitted evidence of safety and effectiveness before their license applications are finalized; this guidance document should therefore be read together with the guidance document on “supporting evidence to be provided for medical device license applications and license amendment applications.” It is important to note, however, that the cybersecurity guidance document does not cover post-market activities to be carried out by the manufacturer.
Because Health Canada focuses on pre-market activities in this guidance document, the emphasis is on manufacturers treating cybersecurity risks that can affect the safety and effectiveness of a medical device as a component of the device’s design and lifecycle. To provide evidence demonstrating the safety and effectiveness of a Class III or IV medical device, manufacturers are obligated to submit the additional information presented in this guidance document, under subsection 35(1) of the Regulations, at any time during the review.
The purpose of this is to encourage manufacturers to incorporate cybersecurity into their risk management process for all medical devices with a software component or standalone software.
In addition, manufacturers are advised to develop and maintain a framework for managing all cybersecurity risks throughout the product lifecycle. For blueprints and best practices on establishing a cybersecurity framework for their product, manufacturers can refer to the NIST document “Framework for Improving Critical Infrastructure Cybersecurity.” However, responsibility for medical device cybersecurity rests not only with the manufacturer but also with the regulator, the user, and the healthcare provider.
As part of developing a solid cybersecurity strategy, medical device manufacturers should consider risk mitigation strategies that follow the risk management principles laid out in ISO 14971:2007. In addition, Health Canada recommends that the following standards be considered with respect to cybersecurity:
- AAMI TIR57:2016 – Principles for medical device security – risk management;
- ANSI/CAN/UL 2900-1:2017 – Standard for Software Security for Network-Connectable Products, Part 1: General Requirements;
- ANSI/CAN/UL 2900-2-1:2018 – Software Cybersecurity for Network-Connectable Products;
- IEC 80001-1:2010 – Application of risk management for IT-networks incorporating medical devices;
- NIST 800-30 Revision 1 – Guide for Conducting Risk Assessments, September 2012.
Overall, a medical device manufacturer with a cybersecurity risk management process in place is strongly encouraged to review all of these documents, including this guidance, to ensure the continued safety and effectiveness of the device throughout its lifecycle.