Medical Device Premarket Cybersecurity: TGA Finalizes Guidance
Posted 19 July 2019 | By
The premarket requirements on medical device cybersecurity from Australia’s Therapeutic Goods Administration (TGA) came into effect on Thursday, with new details that further underscore the agency’s push for the total product lifecycle (TPLC) approach and international harmonization.
A 53-page final guidance sets the premarket cybersecurity requirements on manufacturers and sponsors of medical devices and in vitro
diagnostic devices. Requirements are centered on essential principles, including six general principles and nine related to design and construction.
Compliance with the essential principles is required for inclusion in the Australian Register of Therapeutic Goods (ARTG). A new essential principles checklist
providing overviews of each principle to aid industry with compliance. “The essential principles require that a manufacturer minimize the risks associated with the design, long-term safety and use of the device; this implicitly includes minimization of cybersecurity risk,” TGA says. This was revised from the December 2018 draft version
of the guidance to further stress the TPLC approach.
TGA, like other members of the International Medical Device Regulators Forum (IMDRF), is pushing for the TPLC approach to risk and quality management with new information on TPLC expectations. TGA also restructured the guidance document into TPLC guidance, premarket guidance and postmarket guidance.
Premarket cybersecurity became a clear area of harmonization efforts since the US Food and Drug Administration’s (FDA) draft guidance
last October, Health Canada and TGA followed with drafts that have many elements in common. All three IMDRF members align in the area of cybersecurity with the TPLC push.
One cybersecurity element discussed by other IMDRF member regulators via their respective draft and final guidances but not included in TGA’s draft version is that of a software bill of materials (SBOM). The final guidance does address SBOM, and TGA’s glossary now includes a definition of SBOM, among other terms.
Another emerging theme across IMDRF member regulators relates to the role of coordinated vulnerability disclosures. TGA’s final guidance clarifies certain new policies on vulnerability disclosures, as well.
Both the TPLC approach and the harmonization efforts stem from the interest of not just regulators, but also industry. Industry comments on TGA’s draft called for additional clarity in support of both areas.
FDA’s Center for Devices and Radiological Health was the first to issue draft guidance on premarket cybersecurity. Health Canada
’s and now TGA’s have come into effect, but FDA’s has yet to be finalized.