Health Canada, the Canadian medical device regulator, announced that new requirements, which had been under development since 2018, came into effect this week. The new requirements cover cybersecurity threats to medical devices.
Under the new rules, medical device manufacturers must continuously analyse their devices, and the way those devices are managed, for possible vulnerabilities.
New requirements: key points of attention
The main goal of the new regulations is to prevent unauthorized control of medical devices that require a network connection to operate. Such incidents are still rare, but the regulator considers it necessary to create a legal framework that would help avoid them in the future.
The amended regulations include new licence application requirements, monitoring and incident reporting requirements, mandatory vulnerability disclosure requirements, and others.
The new requirements focus mainly on high-risk medical devices of Class III and Class IV, both in vitro diagnostic and non-in vitro diagnostic devices, but will also apply to all four device classes.
The required cybersecurity strategy has the following main elements:
- Secure design,
- Risk management,
- Continuous monitoring system,
- Procedure of responding to threats and vulnerabilities.
Each medical device manufacturer must have a detailed strategy covering all of the elements listed above in order to ensure the safety of the product, and must be prepared to respond properly to any incident that occurs.
High-risk medical devices, defined as Class III and Class IV, will require an additional pre-licensing security evaluation, during which the regulator will consider the points listed above. It is also important to note that the new regulation does not cover post-market product maintenance.
Main regulatory principles
According to the regulations, all medical device manufacturers must meet the cybersecurity requirements and should implement appropriate risk management procedures to evaluate the risks that may arise during operation of their devices. The same procedures should be applied to all processes inside the organization, so that external interference with the manufacturing process and with maintenance of existing products is prevented.
At the same time, the manufacturer is not the only party bearing responsibility for cyber-threat risk. The regulator must establish an efficient pre-market examination procedure, and patients and healthcare professionals must use the device strictly in the way prescribed by the manufacturer, applying all security measures specified in the documentation and guidance provided with the device.
Most importantly, manufacturers must maintain the required level of protection throughout the product's entire lifecycle.
Secure design (security by design) refers to the development process of medical devices, which must comply with the applicable regulations from the very first step.
All components and solutions implemented in the device must meet the security requirements set for that device class.
The guidance also covers data protection. The device must be designed to secure data in transit so that patients' sensitive personal data cannot be disclosed. This principle applies when designing the device's communication paths (connections to other devices or to cloud servers). Where those connections use wireless transmission, an appropriate encryption algorithm must be applied together with authentication that prevents disruption and unauthorized modification of the data; encryption alone keeps data confidential but does not stop an attacker from altering it in transit.
Health Canada is not the only medical device regulator concerned with cybersecurity threats. Other leading regulators, such as the US FDA and the European Commission, issued comparable guidance earlier.
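The point that encryption must be combined with authentication, shown as an added example in Go. This is not code from Health Canada's guidance or from any device vendor: it encrypts a constructed pump telemetry message first with AES-CTR (confidentiality only) and then with AES-GCM (authenticated encryption), flips one ciphertext byte the way an on-path attacker on a wireless link would, and shows that the CTR receiver silently accepts a changed infusion rate while the GCM receiver rejects both the modified message and a replay under a different sequence number. The message format, device id, sequence numbers and fixed demo key are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample message (not from any real device): an infusion-pump rate report
// as it might be sent over a wireless link to a monitoring station.
var sampleMessage = []byte("PUMP-42 rate_ml_h=12.5 status=ok")
// Associated data: sent in the clear, not encrypted, but covered by the GCM tag.
var sampleAAD = []byte("dev=PUMP-42;seq=1001")

// flipRate models an on-path attacker who knows the message layout but not the key: XOR-ing
// one ciphertext byte with '1'^'9' turns "12.5" into "92.5" under any stream-style cipher.
func flipRate(ct []byte) []byte {
	t := append([]byte(nil), ct...)
	t[bytes.Index(sampleMessage, []byte("12.5"))] ^= '1' ^ '9'
	return t
}

// TamperCTR is the weak setting: AES-CTR gives confidentiality only, so the receiver
// has no way to notice the flipped byte and accepts the altered rate as genuine.
func TamperCTR(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct := make([]byte, len(sampleMessage))
	cipher.NewCTR(block, iv).XORKeyStream(ct, sampleMessage) // sender
	ct = flipRate(ct)                                         // attacker on the wireless path
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct) // receiver decrypts without complaint
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM is the corrected setting: AES-GCM authenticated encryption. The ciphertext ends
// with a 16-byte tag over nonce, ciphertext and AAD. The nonce is drawn at random per message.
func sealGCM(key, aad, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM verifies the tag before releasing any plaintext; any change to nonce,
// ciphertext or AAD yields an error and no partial output.
func openGCM(key, aad, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// TamperGCM applies the same byte flip to an AES-GCM ciphertext; the receiver rejects it.
func TamperGCM(key []byte) error {
	nonce, ct, err := sealGCM(key, sampleAAD, sampleMessage)
	if err != nil {
		return err
	}
	_, err = openGCM(key, sampleAAD, nonce, flipRate(ct))
	return err
}

// ReplayGCM re-presents an untouched ciphertext under another sequence number in the AAD;
// because the AAD is authenticated, that is rejected too.
func ReplayGCM(key []byte) error {
	nonce, ct, err := sealGCM(key, sampleAAD, sampleMessage)
	if err != nil {
		return err
	}
	_, err = openGCM(key, []byte("dev=PUMP-42;seq=1002"), nonce, ct)
	return err
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // demo key only; real devices need provisioned per-device keys
	pt, _ := TamperCTR(key)
	fmt.Printf("CTR only: receiver accepts %q\n", pt)
	fmt.Printf("AES-GCM : tamper rejected: %v; replay rejected: %v\n", TamperGCM(key), ReplayGCM(key))
}
```

AES-GCM is used here only because it is in Go's standard library; the same check applies to any AEAD, including the AES-CCM variants used by some Bluetooth Low Energy profiles. Random 96-bit nonces are acceptable only for a bounded number of messages under one key, so a device with a long-lived key should derive the nonce from a counter instead.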