New draft guidance from Australia’s Therapeutic Goods Administration (TGA) encouraged use of regulatory policies that span total product lifecycles (TPLC) to ensure medical device cybersecurity.
A “growing area of interest” for TGA relates to “a large number” of class II, class III and active implantable devices registered in Australia that contain “electronic components with embedded software, have a software accessory or are a software device,” the regulator noted in its draft guidance, issued late December 2018.
The regulation of medical device cybersecurity came under the spotlight with the ongoing digitization and connectivity of healthcare. A renewed push came in 2018, when several regulators issued draft guidances to support this shift and in response to healthcare becoming a prime target for cyber threats.
In contrast with regulators in other major markets, TGA’s 65-page draft guidance covers cybersecurity in both pre- and postmarket settings, as well as consumer or patient use of medical devices. This differs from the US Food and Drug Administration (FDA) and Health Canada—both of which issued medical device cybersecurity draft guidances just last year to set policies specific to premarket settings. TGA, FDA and Health Canada are members of the International Medical Device Regulators Forum (IMDRF).
By clarifying and expanding on policies, IMDRF regulators showed support for industry’s innovation efforts around the connectivity and digitization of healthcare technologies for improved patient care and personalized medicine. An emerging theme placed greater emphasis on premarket considerations.
FDA issued draft updates to its 2014 premarket policies last October, followed by Health Canada’s premarket draft guidance release in December. The moves signaled a shift to focus more heavily on integrating cybersecurity policies into new product designs and manufacturing processes, though FDA had previously issued final guidance on postmarket cybersecurity requirements. TGA’s draft guidance is broader in scope than FDA’s and Health Canada’s, but all three draft guidances support use of a TPLC approach.
TGA’s proposed TPLC approach is centered on continuously updating quality management systems, risk management procedures and change management procedures. “The approach to monitoring cyber security information should be clearly outlined during the development of the medical device,” TGA said. “The outcome of all cybersecurity monitoring must be documented as part of ongoing risk management, regardless of the level of risk that the activity identifies. Cybersecurity vulnerabilities, threats and risks may be identified by numerous different parties along the supply chain,” it added.
Setting premarket cybersecurity “principles” is also stressed across the three draft guidances, though TGA is the only regulator to set out “essential principles.” TGA listed a total of 15 essential principles, including long-term safety and the information to be provided with medical devices. An additional “essential eight” principles are intended to address malware prevention. Other common themes across the draft guidances promote industry use of voluntary consensus standards and alignment with the recently revised cybersecurity framework developed by the US National Institute of Standards and Technology.
TGA intends to assess the “applicability and usefulness of the content contained in the draft regulatory guidance and information materials” based on comments submitted to its consultation by 14 February.
Consultation: Medical device cyber security