The Agência Nacional de Vigilância Sanitária – National Health Surveillance Agency (Anvisa), a Brazilian regulating authority, has published guidance on cybersecurity issues related to medical devices. The document is dedicated to cybersecurity principles and practices related to the procedures and methods necessary to comply with the technical requirements set forth under the existing regulatory framework.
Scope of the Cybersecurity Guidance
The present Anvisa guidance on cybersecurity for medical devices is actually based on the recommendation N60 Principles and Practices for Medical Device Cybersecurity developed by the International Medical Device Regulators Forum (IMDRF), a voluntary association of medical device regulating authorities focused on continuous improvement of medical device regulations. The aforementioned recommendation describes basic principles and best practices to be implemented by all the parties involved in operations with medical devices, including ones intended for in vitro diagnostics.
The guidance published by the Brazilian regulating authority describes the particular approaches and methods to be applied in order to mitigate cybersecurity risks associated with medical devices when being used for the intended purpose. Thus, the scope of the Anvisa guidance covers all medical devices containing software, as well as those existing as software themselves (e.g. software as a medical device – SaMD). However, the authority also mentions that the document covers only the issues associated with the harm that could be caused to the patient’s health through affecting clinical decisions taken on the basis of the information provided by the device, or in the course of the treatment process itself. Thus, any other cybersecurity aspects, such as personal data protection, are actually falling outside the scope of the present guidance.
According to Anvisa, the guidance is intended to:
- introduce a risk-based approach to the processes related to the development of medical devices to ensure that necessary cybersecurity measures are being implemented at the early design stages,
- improve the safety and effectiveness of medical software in general,
- emphasize the importance of cybersecurity matters, as well as the joint responsibility of all the parties involved in operations with medical devices for maintaining the highest standards,
- provide industry representatives with the important recommendations to be implemented in order to mitigate the aforementioned risks,
- outline the most important terms and best practices,
- encourage all the parties to improve transparency and exchange with the information related to incidents and vulnerabilities identified.
Cybersecurity for Medical Devices: Regulatory Background
The Anvisa states that due to the significant increase in the use of medical devices connected to the network all matters related to cybersecurity are becoming vitally important for ensuring the correct operations of medical devices and the safety of patients. As was already mentioned before, not only the medical device manufacturer but all the parties involved in operations with medical devices including but not limited to healthcare professionals and patients are responsible for cybersecurity-related matters. The present Anvisa guidance on cybersecurity for medical devices describes in detail the roles of all parties in achieving and sustaining compliance with cybersecurity requirements.
According to the applicable international standard (ISO 81001-1), cybersecurity is a state in which information and systems are protected from unauthorized use, access, disclosure, interruption, modification, or destruction at a level where the risk related to confidentiality, integrity, and availability are maintained at an acceptable level.
The authority also states that the regulations in the sphere of cybersecurity for medical devices adopted in different countries could vary significantly which affects the effectiveness of international cooperation in this sphere. To improve the situation, the Anvisa is going to provide certain main cybersecurity principles based on best practices implemented in other countries. In particular, the document covers the following aspects:
- legal background on cybersecurity matters,
- general cybersecurity principles for medical devices,
- recommendations for all the parties involved related to both pre- and post-market aspects,
- definitions of the most important terms related to cybersecurity for medical devices.
As it was already mentioned before, the present guidance is mostly based on the principles established by the recommendations issued by the IMDRF, as well as on the applicable Brazilian legislation on medical devices in general and medical software in particular. The Anvisa states that:
- all medical products intended to be marketed in Brazil are subject to state registration and/or surveillance,
- the definition of medical products is based on the intended purpose,
- since medical software falls within the scope of the medical intended purpose, it also should be subject to state regulation.
General Cybersecurity Principles for Medical Devices
The most important part of Anvisa guidance on cybersecurity for medical devices is dedicated to the particular principles to be implemented to ensure the highest possible level of protection against unauthorized third-party intervention in normal operations on medical devices and medical software. These principles should be considered not only by the medical device manufacturers but also by the healthcare professionals, patients, and other parties involved in operations with medical devices. The main cybersecurity principles for medical devices include, inter alia, the following ones:
- Global harmonization. Since cybersecurity-related threats and vulnerabilities could potentially impact the patines from all over the world, the measures intended to mitigate such risks should be also taken on the international level. At the same time, Anvisa emphasizes the importance of proper balance between the safety of the patients and their access to innovative medical devices incorporating novel technologies.
- Product lifecycle. According to the guidance, the risks related to cybersecurity should be considered at all stages of the medical device’s lifecycle. The authority also mentions that each time implementing new features or controls, the medical device manufacturers shall consider the aspects associated with the proper performance of the medical device and safety of the patients.
- Shared responsibility. As it was already mentioned before, the Anvisa states that all the parties manufacturing or using medical devices should be responsible for cybersecurity aspects. Thus, it is important to ensure efficient cooperation between all stakeholders related to the risk mitigation activities and dealing with the identified threats and vulnerabilities.
- Information sharing. In order to improve the effectiveness of the efforts, all parties involved in operations with medical devices and medical software should actively share the information related to cybersecurity matters including all identified threats and vulnerabilities. When being received in time, such information could be of the essence for counteracting cybersecurity threats and ensuring the safety of the patients. In particular, the Anvisa encourages participation in the Coordinated vulnerability disclosure (CVD), a special information-sharing initiative. At the same time, the Brazilian medical device regulating authority intends to share the information related to cybersecurity for medical devices with other national regulating authorities.
Summarizing the information provided here above, the Anvisa guidance on cybersecurity for medical devices describes the harmonized approach to the protection against unauthorized third-party intervention in normal operations of medical devices containing software or software as a medical device. The document covers the most important aspects to be considered at all the stages of the product lifecycle in order to ensure the safety of the patients.
At the same time, to its legal nature, the present Anvisa guidance on cybersecurity does not establish any binding obligations or mandatory requirements medical device manufacturers shall follow but only provides certain recommendations to be implemented. Hence, medical device manufacturers and other parties involved would not be subject to any sanctions for failing to comply with the principles outlined in the document providing that all mandatory requirements set forth under applicable regulations are met. The authority also mentions that all comments and suggestions submitted by industry representatives would be considered when preparing further versions of the document.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.