
Premarket Requirements for Medical Device Cybersecurity Come into Effect in Canada

Posted 27 June 2019 | By Ana Mulero 

Health Canada’s new premarket requirements on medical device cybersecurity came into effect Wednesday, following the adoption of the regulator’s final guidance document earlier this month.
 
Health Canada fleshed out much of the draft version, issued in December 2018, prior to the 17 June adoption of the final guidance. New requirements seek to improve device cybersecurity by mandating that manufacturers identify and analyze hazards associated with their devices to set controls and monitor their effectiveness.
 
“While the idea that medical devices could be used for intentional harm may sound like science fiction, the risk is real enough to warrant precautions from medical device regulators,” Health Canada said.
 
The final guidance document introduces new information under certain premarket and postmarket areas. Most updates address monitoring and responding to emerging risks, as well as license applications, including the Table of Contents (ToC) format. Considerations for monitoring and responding to emerging risks relate to post‐market vigilance, patching, disclosures of vulnerabilities and information sharing. A new appendix provides a crosswalk between the final guidance and the corresponding sections in the ToC folder structure amid the shift to fully adopting the format.
 
The final guidance also adds a new policy statement from the draft that stresses the need to include the document’s information in license applications, as reviews could otherwise be put on hold pending requests for additional information. In terms of application, the final guidance brings into focus devices of higher risk to outline considerations and licensing requirements specific to those that are Class III or Class IV.
 
The guidance for implementation applies across all risk classifications, from Class I to Class IV. It outlines four elements that should be included in the required strategies to address cybersecurity risk: secure design, risk management, verification and validation testing, and plans to continuously monitor and respond to emerging risks, vulnerabilities and threats. Yet the final guidance adds elements specific to Class III and Class IV applications, including cybersecurity risk analyses and management reports, detailed verification and validation testing summaries and, for Class IV devices, reports of supporting evidence on cybersecurity testing.
 
New details around the concept of cybersecurity by design and cybersecurity bill of materials are included. These speak to the themes that have surfaced in recent draft guidances from other International Medical Device Regulators Forum (IMDRF) members, including the US Food and Drug Administration (FDA) and Australia's Therapeutic Goods Administration. New themes are based on extending cybersecurity principles throughout the total product lifecycle. FDA and Health Canada co-chair IMDRF’s work item on developing harmonized cybersecurity principles.
 