30 July, 2019
The Australian Therapeutic Goods Administration (the TGA) has finally published long-awaited cyber security guidance targeted specifically at:
- manufacturers developing software for use in medical devices, including artificial intelligence;
- manufacturers of medical devices which include components susceptible to cyber-based threats; and
- medical device sponsors in Australia.
Further information, including the guidance documents themselves, can be found here.
The guidance details, amongst other things, the TGA's expectations with respect to:
- how device sponsors and manufacturers should approach the assessment and documentation of cyber security risks;
- the consideration of cyber security risks as part of compliance with the Essential Principles; and
- the ongoing assessment of cyber security risks and vulnerabilities at all stages of the product life cycle.
Whilst there has been debate as to whether a change to the current regulatory framework for medical devices was required to protect users from cyber security risks, the TGA has confirmed its approach to embed improved cyber security practices as part of the existing regulatory framework.
What this means for medical device sponsors, manufacturers and SaMD app developers?
Assessment and documentation of cyber security risks during design and development
Manufacturers are expected to consider a range of general, technical, environmental, physical and social cyber security risks. This includes (where relevant):
- adopting secure by design and quality by design principles, for example, adopting modularised design architecture and ensuring a secure operating platform such as an ability for continual secure updating using cloud/virtual systems to account for new cyber threats/risks;
- ensuring that the cyber security practices in their supply chain are considered and any risks mitigated, for example, ensuring that component manufacturers and cloud server providers have appropriate cyber security practices in place. This may require specific contractual provisions setting out responsibilities regarding notifications of security breaches and response plans;
- conducting cyber security penetration testing or physically securing networks;
- considering the user environment and user factors, such as users introducing unauthorised modifications to devices, or use in home or public, open or secured, wifi networks, each a different threat environment.
Considerations and any actions taken to reduce or manage cyber security risks should be documented, for example, as part of a cyber security risk assessment in the manufacturer's quality management system and/or risk management system, which may be audited by the TGA as part of an application audit.
With increasing digitisation, the blurring between medical devices and consumer devices and the trends towards patients becoming more pro-active and demanding more control over their healthcare decisions, manufacturers and sponsors are asked not to only consider the risk of the device to their users, but to also consider their users as a source of risk. The security of many medical devices relies on the user having up-to-date security software, following safe cyber security practices, and regularly updating their apps and devices.
Consideration of cyber security risks as part of compliance with the Essential Principles
- The Essential Principles require a manufacturer to minimise the risks associated with the design, long-term safety and use of the device and the TGA has expressed its view that this implicitly requires minimisation of cyber security risks.
- Whilst legislation does not mandate the method by which a manufacturer must comply with the Essential Principles, the TGA's guidance refers to a range of relevant standards that could be used by manufacturers to assist with its consideration of cyber security risks. It will be up to the manufacturer to determine which Essential Principles are relevant to its device and how it will demonstrate compliance.
Ongoing monitoring of cyber security risks and vulnerabilities at all stages of the product life cycle.
- The TGA expects device manufacturers and sponsors to be able to demonstrate how they will gather information regarding emerging cyber security vulnerabilities across all stages of the product life cycle (ie. premarket conformity assessment, market authorisation, post-market monitoring and end-of-life/withdrawal of support)
- In cases where cyber security vulnerabilities, threats and risks pose an immediate and significant threat to users or will result in deficiencies as to safety, quality, or performance of the device, this may warrant notification to the TGA and the undertaking of recall or non-recall action under the Uniform Recall Procedure for Therapeutic Goods.
- As cyber threats evolve and as new standards and guidelines are developed, manufacturers and sponsors need to keep abreast of the changing state of the art relevant to their device and conduct ongoing cyber security risk assessments. Such risk assessments and related documentation may be required to be produced to the TGA (such as under section 41JA of the Therapeutic Goods Act 1989 (Cth)).
Conclusions
The medical device industry has well and truly moved on from factory-based manufacturing of medical devices with physical action to the world of digital technologies where connectivity and unprecedented access to data are giving rise to new medical software products based on artificial intelligence and machine learning algorithms.
The connection of devices to networks and the internet exposes devices to increased cyber vulnerabilities that can potentially lead to unacceptable risk of harm to patients and privacy and data security risks. Notably, the increasing interconnectedness and digitisation of medical devices now also means it is more dependent on factors beyond the manufacturer's control, such as the security systems of the cloud service provider and user practices and environment. Ongoing cyber security risk monitoring is all the more relevant as the increasing number of medical devices, incorporating machine learning or artificial intelligence, ‘learn’ and develop over time.
For further information, please contact:
Toby Patten, Partner, Baker McKenzie
toby.patten@bakermckenzie.com