Health Canada Published Draft Guidance on Premarket Device Cybersecurity
Health Canada posted a new draft guidance document on Friday to aid medical device manufacturers in complying with premarket cybersecurity requirements. The move comes as more regulators seek to expand on considerations for the cybersecurity of medical devices, now that the health care sector has become a prime target for cyberattacks amid an increasingly connected ecosystem.
The US Food and Drug Administration (FDA) issued premarket draft guidance for medical devices containing cyber risks in October. Both the Canadian and US regulators are active participants in the International Medical Device Regulators Forum (IMDRF), which recently agreed to pick up cybersecurity as a new work item.
Similar to FDA’s renewed push to extend cybersecurity considerations across the total product lifecycle, Health Canada said it “considers cybersecurity a component of the medical device’s design and lifecycle that can impact safety and effectiveness.” Health Canada stressed that “manufacturers should consider cybersecurity when designing their medical device.”
Another shared theme between FDA’s and Health Canada’s new premarket draft guidances involves a policy clarification around cybersecurity being a shared responsibility. “Medical device cybersecurity is a shared responsibility between the manufacturer, regulator, user and network administrator,” Health Canada said.
The consultation on Health Canada’s draft guidance will remain open until 5 February 2019 for device manufacturers and other stakeholders to provide feedback on the new policy statements.
The requirements outlined in the draft guidance relate to device and package labeling, documentation for seeking premarket approval, marketing history, risk assessments, device-specific quality, safety and effectiveness. The draft guidance also provides recommendations for a four-pronged approach to a “medical device cybersecurity strategy.”
The recommended strategy includes secure device design, device-specific risk management, verification and validation, and monitoring and responding to emerging risks.