The new article provides recommendations and clarifications on a broad range of matters with a primary focus on the ones related to cybersecurity considerations for software medical devices intended to be marketed and used in Singapore.
Table of content
The Health Sciences Authority (HSA), Singapore’s regulatory agency in healthcare products, has published a guidance document dedicated to software medical devices in the context of a life cycle approach.
The document provides an overview of the applicable regulatory requirements, as well as additional clarifications and recommendations to be considered by medical device manufacturers (software developers) to ensure compliance with it.
At the same time, the authority reserves the right to change the guidance and recommendations provided therein, should such changes be reasonably necessary to reflect corresponding amendments to the underlying legislation.
Adverse Event Reporting in Post-Market Surveillance
The scope of the guidance covers, among other things, the aspects related to adverse event reporting. As explained by the authority, the obligations of entities involved in distributing medical devices in Singapore extend to reporting Adverse Events (AEs) to enhance patient safety and device efficacy.
AEs, whether directly or indirectly affecting patients, necessitate prompt investigation and implementing corrective actions to prevent recurrence.
This includes addressing issues arising from design flaws, software bugs, or inadequate user instructions.
The authority mentions that prompt action not only manages risks but also reinforces the commitment to safeguarding users and patients from potential harm associated with software products used in the healthcare sphere.
Software Medical Devices with Multiple Functions
Another essential concept described in the guidance is the concept of software medical devices with multiple functions. In this respect, the authority acknowledges that software medical devices often encompass functionalities beyond the medical sphere, including data storage, patient education, and administrative tasks.
While such functions may not require pre-market validation, their potential impact on device safety and performance cannot be overlooked.
Consequently, medical device manufacturers (software developers) must assess and mitigate risks associated with these non-medical device (non-MD) functions, ensuring that their presence does not compromise the clinical utility or expose the device to cybersecurity threats.
The integration and verification of these functionalities form a critical part of the device’s quality management system.
Critical Importance of Cybersecurity
The wide use of connected medical devices increases the importance of robust cybersecurity measures to be implemented by the parties involved to prevent unauthorized access and potential associated risks.
Cybersecurity threats pose significant risks to device availability, functionality, and, by extension, patient care. Effective cybersecurity is a collective responsibility, necessitating the involvement of various stakeholders, from manufacturers to healthcare providers.
A proactive approach to cybersecurity involves secure device design, comprehensive risk management, and continuous monitoring of emerging threats.
Cybersecurity Considerations and Strategies
According to the guidance, cybersecurity strategies for software medical devices should encompass secure design, end-user documentation, risk management, and verifying and validating cybersecurity measures.
The authority additionally emphasizes the importance of the early integration of cybersecurity considerations, providing users with detailed security documentation, and implementing a continuous risk management process.
Manufacturers must actively identify and mitigate cybersecurity risks, ensuring device and patient safety through rigorous testing and ongoing surveillance.
Post-Market Cybersecurity Management
Given the evolving nature of cybersecurity threats, post-market management is crucial. Manufacturers must establish surveillance mechanisms to detect new threats, disclose vulnerabilities, and provide timely patches and updates.
This ongoing vigilance helps maintain the safety and performance of the device, emphasizing the importance of recovery plans, information sharing, and active participation in cybersecurity communities.
Patient Confidentiality and Regulatory Compliance
The authority also reminds us that cybersecurity incidents can have far-reaching implications for patient privacy and data confidentiality.
Manufacturers and distributors must adhere to local data protection and privacy regulations, ensuring comprehensive security measures are in place to safeguard sensitive patient information.
Compliance with applicable laws and regulatory requirements is vitally important to maintain trust and ensure the holistic safety of software medical devices.
Conclusion
The present HSA guidance covers various essential aspects of the regulatory requirements that medical devices should comply with to ensure their safety and proper performance when used for the intended purpose. In particular, the authority emphasizes the importance of cybersecurity-related matters and outlines the critical points about incident reporting in the context of software products used in healthcare.
How Can RegDesk Help?
RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.