Malaphor: Digital Health Law in Canada

health + tech in law = mixing chalk + cheese

Health Canada has commenced a public consultation on its Draft Guidance Document for “Pre-market Requirements for Medical Device Cybersecurity.”

With all the recent reports on the hacking of pacemakers, it’s timely that Health Canada confirms that it “considers cybersecurity a component of the medical device’s design and life-cycle that can impact safety and effectiveness.” The Draft Guidance appears to address both IVDD and non-IVDD devices. Interestingly, however, the Draft Guidance focuses on pre-market/pre-license application activities, and explicitly excludes actual post-market activities. Perhaps Health Canada is waiting for changes to the Medical Devices Regulations it announced earlier this year to strengthen post-market surveillance and risk management of devices before releasing another Draft Guidance on such activities.

The Draft Guidance expects manufacturers to address cybersecurity risk at the organizational level, with a strategy covering the cybersecurity risk of every medical device (Class I to Class IV) that runs software. For the devices themselves, the Draft Guidance focuses on four elements: secure design, (device-specific) risk management, verification and validation testing, and planning for continued monitoring of, and response to, emerging risks and threats.

Of these, the technical section on Device Specific Risk Management is worth noting, since it brings medical device (safety) risk management together with cybersecurity risk management, while observing that not every cybersecurity risk has a safety impact. The agency recommends following the risk management principles of ISO 14971 (which is required in any event for Class III and IV devices), with additional considerations and references to other standards. In particular, the Draft Guidance recommends that the device-specific cybersecurity risk management process be conducted in parallel with the safety risk management process, rather than folded into it.

The Draft Guidance further sets out the data elements relevant to cybersecurity in medical device licence and licence amendment applications for Class III and IV (higher risk) devices. It's common sense that cybersecurity testing evidence would be expected, but I'd be curious to know how many medical device manufacturers in the past failed to do any such testing.

Comments on the Draft Guidance are due by February 5, 2019.