Canada Establishes New Premarket Requirements for Device Cybersecurity

Health Canada has new requirements in place for medical device cybersecurity that require devicemakers to identity and analyze hazards associated with their devices.

The agency’s final guidance calls for information to be submitted as part of a device license application or amendment to demonstrate that a device is sufficiently “secure from intentional or unintentional unauthorized access.”

New requirements in the final guidance address pre- and post-market compliance, including monitoring and responding to emerging risks. The new requirements require safeguards such as passwords to protect against unauthorized tampering.

“While the idea that medical devices could be used for intentional harm may sound like science fiction, the risk is real enough to warrant precautions from medical device regulators,” the agency said.