FDAnews
www.fdanews.com/articles/14027-canada-issues-guidance-on-premarket-requirements-for-cybersecurity

Canada Issues Guidance on Premarket Requirements for Cybersecurity

December 14, 2018

Health Canada released guidance for devicemakers on how to comply with premarket cybersecurity requirements.

The agency noted the draft guidance reflects international moves to protect the healthcare sector from cyberattacks, as increasing global interconnectedness and data exchange can leave devices particularly vulnerable.

“Health Canada considers the inclusion of cybersecurity measures an important consideration in issuing medical device licenses,” the agency said. The guidance offers advice on practices, responses and mitigation measures that can improve device cybersecurity.

The agency calls for information to be submitted as part of a device license application or amendment to demonstrate that a device is sufficiently “secure from intentional or unintentional unauthorized access.”

Health Canada considers cybersecurity a component of a medical device’s lifecycle that can impact safety and effectiveness. As such, it should be considered when designing the device.

For example, design inputs captured in a requirement specification should include those related to cybersecurity, and the cybersecurity requirements should be cross-referenced to specific device cybersecurity hazards if the requirements are mitigations to identified hazards.

Manufacturers should also consider design controls that allow the device to detect, resist, respond to and recover from cybersecurity attacks. The design controls include secure communications, data security, user access, software maintenance, and reliability and availability.

Cybersecurity should be incorporated into the risk management process for every device that consists of or contains software, the agency says. Manufacturers should develop and maintain a framework for managing cybersecurity risks throughout their organizations. The following elements should be included to address cybersecurity risks:

  • Secure design;
  • Risk management;
  • Verification and validation testing; and
  • Planning for continued monitoring of and response to emerging risks and threats.

The agency recommends device-specific cybersecurity risk management processes be conducted in parallel with the safety risk management process.

The comment period closes on Feb. 5, 2019. Read the guidance here: www.fdanews.com/12-13-18-DraftGuidanceDoc.pdf.