The Therapeutic Goods Administration (TGA), the Australian regulatory authority for medical devices, has published detailed guidance on the regulatory requirements that apply to the cybersecurity of medical devices. The document provides an overview of the applicable Australian legislation on medical devices, together with important recommendations and clarifications that medical device manufacturers and other parties involved should consider to ensure compliance with the regulatory requirements.
As mentioned above, the present TGA guidance is intended to assist medical device manufacturers in addressing cybersecurity risks associated with medical devices. In particular, the recommendations it contains should be considered by software developers of Software as a Medical Device (SaMD) products, including those based on Artificial Intelligence (AI) technology, by manufacturers of other medical devices for which cybersecurity matters are relevant, and by any other parties interested in placing medical devices on the Australian market. The authority also notes that the present guidance is addressed solely to medical device manufacturers; a separate guidance published by the TGA clarifies cybersecurity matters for laypersons using medical devices.
The TGA acknowledges the increasing importance of cybersecurity matters associated with medical devices. Nowadays many medical devices need to be connected to one or several networks, local or global, to simplify and accelerate information exchange. At the same time, this exposes the healthcare professionals and patients using these medical devices to additional risks arising from potential interference with normal operation by means of unauthorized access. Aside from the general health-related risks, this also creates additional risks associated with personal data protection: the data transmitted between medical devices contains sensitive information about the patient and thus requires special protection against unwanted disclosure.
According to the guidance, all matters associated with the cybersecurity of medical devices should be treated in the context of the general ecosystem of the healthcare facility where these medical devices are used. As stated by the TGA, the actual effectiveness of cybersecurity measures depends on the effectiveness of the measures implemented across the hospital's ecosystem as a whole.
In terms of applicable legislation, the appropriate regulatory requirements are set forth by the following acts and regulations:
- The Therapeutic Goods Act 1989,
- The Essential Principles,
- The Therapeutic Goods (Medical Devices) Regulations 2002.
The aforementioned acts and regulations introduce the main cybersecurity-related regulatory requirements to be followed by medical device manufacturers (software developers) placing their products on the Australian market.
The present guidance describes in detail the approach medical device manufacturers should apply in order to follow the appropriate pathways for medical devices subject to cybersecurity-related risks. At the same time, the TGA emphasizes the importance of independent consultation by the interested parties: the information provided in the guidance should not be treated as exhaustive, and in case of any discrepancy with the provisions of the current legislation, the latter shall prevail. Moreover, the regulatory authority reserves the right to amend the guidance and the recommendations it contains if this is reasonably necessary to align them with changes in the regulatory framework.
General Approach to Medical Devices
As a general rule, any and all medical devices intended to be marketed and used in Australia should be included in the Australian Register of Therapeutic Goods (ARTG), the country's national register of medical devices and other healthcare-related products. As with other risks, a risk-based approach should be applied to cybersecurity matters. In order to assist medical device manufacturers in applying this approach, the present TGA guidance provides a general overview of the applicable responsibilities with regard to the cybersecurity aspects of medical devices at each stage of the product's lifecycle, namely:
- Pre-market stage. According to the document, the main cybersecurity-related aspects should be considered from the very first stages of the development process. For instance, the medical device manufacturer (software developer) shall apply basic risk management strategies, as well as an appropriate approach to technical considerations. According to the TGA guidance, the latter include cybersecurity penetration testing, modularised design architecture, operating platform security, emerging software, and trusted access and content provision. The manufacturer shall also consider the cybersecurity-related aspects of the environment in which the medical device is intended to be used. For example, for medical devices intended to be used in clinical settings, the aspects to be considered include the risks associated with connecting the device to the relevant networks. At this stage, the manufacturer shall also consider matters related to physical protection and the mitigation of risks arising from social-engineering threats.
- Post-market stage. In order to ensure the continued safety and effectiveness of medical devices, manufacturers shall take appropriate measures after the device has been placed on the market. For instance, such measures could include periodic updates released by the software developer to improve protection against new threats. As part of this continuous process, manufacturers should also rigorously investigate cybersecurity-related issues associated with their medical devices in order to identify existing and potential vulnerabilities and develop the measures necessary to address them. This becomes especially important since the period during which a medical device or software remains in use sometimes exceeds the period initially intended by the manufacturer (developer).
Essential Principles and Cybersecurity
As already mentioned, the regulatory requirements set forth by the Essential Principles apply to cybersecurity matters as well, including those related to quality management systems and risk management approaches. In this regard, the TGA emphasizes the following:
- The medical device manufacturer (software developer) shall have in place sufficient evidence demonstrating compliance of the product in question with the applicable regulatory requirements regarding cybersecurity risks. This rule applies to any and all medical devices, irrespective of their class under the risk-based classification.
- Any interested party placing a medical device on the Australian market shall also hold the aforementioned information, or have procedures in place to obtain such information directly from the medical device manufacturer (software developer) upon request of the regulatory authority.
In any case, sufficient information demonstrating compliance of a medical device with the Essential Principles should be provided to the TGA upon request.
In summary, the present TGA guidance describes the most important aspects of the cybersecurity threats associated with medical devices, and the approaches to be applied to mitigate the related risks. The recommendations it contains should be considered by all parties involved in placing medical devices (including SaMD) on the Australian market.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.