Who says back-to-back home runs only occur in baseball or softball? Because it just happened in Medical Device Cybersecurity. Health Canada and the Australian Therapeutic & Goods Administration (TGA) both released Cybersecurity guidance in back-to-back months this summer, adding to the growing number of regulatory bodies around the globe focusing on this critical topic.
Australian TGA Guidance – https://www.tga.gov.au/cyber-security-medical-devices-and-ivds
The release of these guidance documents highlights the growing importance of this topic to regulators, and both Health Canada and the Australian TGA have taken another step in helping provide direction in an evolving space. Medical Device Manufacturers of all sizes can use these documents (along with existing guidance from other regulatory bodies) as input to the development or enhancement of their organization’s Medical Device Cybersecurity capabilities.
Health Canada’s guidance (June) focuses on pre-market Cybersecurity requirements for devices, whereas TGA’s guidance (July) covers the total product lifecycle, including both pre- and post-market Cybersecurity requirements. One of the key takeaways from both documents is the requirement to ensure an organization’s Quality Management System is properly updated to include Cybersecurity. In certain cases, not only will the security controls of a specific device and submission be reviewed, but the integration of Cybersecurity into the Quality Management System may be as well.
Health Canada introduces the concept of a “Device-Specific Quality Plan” whereby manufacturers need to have the ability to “demonstrate that a cybersecurity framework is part of the quality standards for the medical device” for Class III and Class IV medical devices.
TGA highlights a manufacturer/sponsor’s requirement to “establish, document, and update quality management and risk management systems throughout the lifecycle of a medical device.”
A great place to start to educate yourself on this topic is with the Healthcare & Public Health Sector Coordinating Council’s Medical Device and Health IT Joint Security Plan (JSP), which was released earlier this year (https://healthsectorcouncil.org/the-joint-security-plan/). In this document, you’ll find an example framework and a description of many of the key aspects of managing Cybersecurity throughout the total product lifecycle. As a co-author of the JSP, I can state that many of the key thought leaders in this space contributed to and curated the content in this document, hoping to help the entire community.
Need help with Medical Device Cybersecurity? Contact us at firstname.lastname@example.org or 215.613.9900.