Cybersecurity holds immense significance in the realm of medical devices due to their integral role in patient health and safety. While these devices offer enhanced connectivity and data sharing for improved care, they also introduce vulnerabilities that malicious actors can exploit. Ensuring patient safety is paramount, as compromised devices could lead to life-threatening situations. Moreover, the sensitive data contained in these devices demands rigorous privacy measures to prevent breaches. Consequently, regulatory compliance, protection against cyber threats, and the maintenance of trust through proper security practices are imperative, especially given the potential legal, financial, and reputational repercussions that companies may face. Collaborative efforts between manufacturers, healthcare providers, regulators, and cybersecurity experts are therefore essential to establishing and upholding robust security standards throughout the lifecycle of medical devices.
Here at Qualtech, we give great importance to cybersecurity, especially when dealing with Software as a Medical Device (SaMD). In this article, we present an updated version of the QT Cybersecurity Analysis published in June 2019, discussing the recent updates from Japan, China, and Singapore.
The latest amendment to cybersecurity regulations in Japan aligns with the recently issued notification concerning Essential Principle Article 12-3, which is built upon IMDRF's "Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices" and "Principles and Practices for Medical Device Cybersecurity." This updated Essential Principle article centers on three perspectives:
(1) Manufacturers must plan to ensure cybersecurity throughout the medical device's life cycle.
(2) SaMD must be designed and manufactured in a way that reduces cyber risks.
(3) Manufacturers must establish minimum requirements for hardware, network, and IT security for a suitable operating environment.
The standards that manufacturers shall comply with to meet the updated Essential Principle Article 12-3 are as follows:
(1) JIS T 2304
(2) JIS T 81001-5-1
(3) International standards equivalent to those above.
This updated Essential Principle article is already under implementation, and a grace period for compliance is given until March 1, 2024.
This 2022 guideline is still actively employed, albeit with some slight changes. It pertains to the cybersecurity registration of Class II and Class III medical devices, including software-only and software-containing medical devices (such as in vitro diagnostic devices), that provide electronic data interchange, user access, and/or remote access and control. The guideline applies to both self-developed and off-the-shelf software.
The major updates from this territory relate to medical devices with artificial intelligence capabilities. The NMPA released a general guideline for AI medical devices, which forms an important part of the digital medical guideline system.
The technical review requirements for artificial intelligence medical devices provide a reference for the system verification of artificial intelligence medical devices and for quality management software.
This guiding principle covers the following contents:
(1) scope of application
(2) main concepts
(3) basic principles
(4) artificial intelligence medical device life cycle process
(5) technical considerations
(6) algorithm research materials
(7) supplementary instructions for registration application materials
(8) references.
Regarding the requirements for the product registration information, the following factors need to be considered:
• Algorithm research data:
Different security levels entail specific actions. For products with medium or severe security levels in the "new type" category, each artificial intelligence algorithm or combination of algorithms needs a separate research report within the software research materials, whereas "mature type" products require only basic algorithm details in the software materials. For products with mild security levels, no research materials are needed; only the essential algorithm information is required.
• User training program:
Separate training is generally needed for products intended for patients or primary care institutions.
• Product technical requirements:
If the performance indicators of a product rely on a test database, core details about the database must be included in the appendix.
As of July 2023, the HSA has issued more comprehensive guidelines for medical device software and cybersecurity. In the Design Verification & Validation section of the latest version of "GN-17 Guidance on Preparation of a Product Registration Submission for General Medical Devices Using the ASEAN CSDT," there are new requirements for the evidence supporting the cybersecurity of connected medical devices. It should be noted that the cybersecurity requirements listed under the Design Verification & Validation section are distinct from the Software requirements.
The updated scope of the cybersecurity requirements now encompasses all medical devices with Bluetooth capability, expanding beyond the initial criteria of being wireless-enabled, internet-connected, or network-connected. Moreover, in addition to the original submissions required under the cybersecurity regulations, there are new stipulations to include security test reports and/or other evidence verifying the device's cybersecurity and the effectiveness of the implemented cybersecurity control measures. It is important to highlight that this mandate does not extend to products slated for registration under Immediate Route Classes B and C.
Additionally, the HSA expects the parties involved in distributing software medical devices in Singapore (e.g., manufacturers, importers, wholesalers, and registrants) to incorporate a post-market surveillance plan into the product life cycle so as to anticipate security threats from the internet. In January 2023, the Health Sciences Authority (HSA) joined forces with the Ministry of Health's Cyber Security Agency of Singapore (CSA) and Integrated Health Information Systems (IHIS) to initiate an industry consultation aimed at introducing new cybersecurity tiers, establishing a designated testing laboratory for conducting third-party assessments, and implementing a comprehensive Cybersecurity Labelling Scheme tailored for medical devices. Further details have yet to be released this year.
The ever-evolving landscape of medical device cybersecurity underscores its paramount importance in safeguarding patient health, privacy, and overall well-being. As medical devices become increasingly interconnected and reliant on advanced technologies, the potential risks posed by cyber threats cannot be underestimated.
The proactive measures taken by countries such as Japan, China, and Singapore exemplify the global commitment to addressing these challenges. From Japan's emphasis on comprehensive cybersecurity planning, to China's focus on safeguarding AI medical devices, to Singapore's expansion of cybersecurity requirements, each jurisdiction is actively working to fortify the resilience of medical devices against cyber threats.
As the journey towards enhanced medical device cybersecurity continues, collaboration, knowledge sharing, and ongoing vigilance between manufacturers, cybersecurity experts, distributors, consultants, and governments will remain critical in ensuring that these devices continue to advance patient care without compromising their safety and security.