The Pharmaceutical and Medical Devices Agency (PMDA), the Japanese medical device regulating authority, issued a Safety Information notice dedicated to the recent trends in cybersecurity assurance of medical devices.
Regulatory Background
According to the position of the regulating authority, any and all medical devices allowed to be imported and placed on the Japanese market should meet applicable safety and quality requirements. The PMDA acknowledges that nowadays a lot of medical devices utilize novel technologies, such as wireless connections, communications with other devices through the networks, the Internet of Things (IoT). The agency expects that the number of such medical devices would continue to increase.
At the same time, the data exchange processes performed by such medical devices in the course of their normal operations result in additional risks associated with the possibility of unauthorized access through the network of the medical institution. The same connection to the network could be used to commence an attack on other medical devices.
The PMDA states that medical device manufacturers shall duly implement all reasonable measures to ensure the highest level of protection against cybersecurity risks. Such measures should be implemented at the design and development stages – the medical device should be resistant to cyberattacks. The medical device manufacturer shall also pay proper attention to such important aspects as:
- The environment medical device is intended to be used in (for example, healthcare institutions and their internal networks).
- Exchange with information related to post-market surveillance.
- Identification and mitigation of potential vulnerabilities in the sphere of cybersecurity.
- Incident reporting, as well as responding to arising issues without the undue delay.
- Clinical settings management.
The document published by the PMDA provides a general overview of the regulatory measures taken in Japan, as well as in other countries in order to ensure the highest level of protection against cybersecurity threats and vulnerabilities with regard to medical devices.
Risk Analysis on Medical Device Cyberattacks: an Overview
The PMDA states that cyberattacks on a medical device could result in certain interruptions in normal operations of the device, such as incorrect diagnosis in case of diagnostic devices, and the appropriate interruptions in operations of therapeutic devices respectively. According to the information available to the agency, there were no cases when cyberattacks against medical devices resulted in damage to the patients` health. At the same time, such cases have already taken place in foreign countries. In particular, the document provides the following examples:
- The incident with drug infusion pumps, US, July 2015. The Food and Drug Administration (FDA) has identified that drug infusion pumps manufactured by the particular medical device manufacturer could be accessed without the appropriate authorization, allowing such unauthorized third parties to intervene in normal operations of the medical device – for example, make changes to the dosages of medicines. The FDA issued recommendations to healthcare institutions stating that they should suspend the use of drug infusion pumps in question. Actually, the FDA issued a warning related to identified cybersecurity threats.
- The incident with a remote monitoring device for implantable cardiac pacemakers, US, January 2017. The US regulating authority identified that the aforementioned medical device has not passed the appropriate cybersecurity risk assessment, and the existing and potential vulnerabilities were not identified. The identified vulnerability actually allowed unauthorized parties to intervene in normal operations of the medical device – for example, to make changes to its settings. To address the issue, special measures have been taken – in particular, the firmware was updated, and the aforementioned vulnerability ceased to exist, which prevented actual damage to the patients` health.
Cybersecurity Efforts in Various Countries
The present PMDA document also briefly describes various measures taken in different countries to address cybersecurity threats.
- July 2005 – the FDA, the US regulating authority, successfully implemented special regulations on cybersecurity.
- May 2017 – the appropriate regulations on cybersecurity issued in the EU countries. Later some of the EU countries, as well as Australia and China, issued additional guidance documents on cybersecurity of medical devices.
In accordance with the Japanese regulatory framework, the assessment of cybersecurity threats associated with the use of a medical device should be performed by the marketing authorization holders (MAHs). Existing regulations and guidelines also describe in detail the cybersecurity risk measurement principles, and also the countermeasures to be taken by medical device manufacturers.
The PMDA guidance states that first of all, it is necessary to identify the particular environment the medical device in question is designed to be used in. Then, it is necessary to identify the methods used to connect to the network during the use of the medical device for its intended purpose. Such assessment should be performed separately depending on whether the device should use a wired or wireless connection, or operated independently sing an external medium. According to the guidance, the MAHs shall also provide potential users of the medical device with all necessary information related to cybersecurity issues – in particular, such information should be included in the instructions for use and additional documents supplied with the device. The agency recommends MAHs to cooperate actively with the healthcare institutions using the medical device in question.
IMDRF Guidance on Cybersecurity Aspects for Medical Devices
The PMDA also describes the approach to cybersecurity utilized by the International Medical Device Regulators Forum (IMDRF) – a voluntary association of regulating authorities collaborating to improve the existing regulatory framework. The IMDRF has already issued its own guidance on cybersecurity aspects, which was actually based on the appropriate documents issued by the national regulating authorities of the different countries. The IMDRF additionally emphasizes the importance of efficient information sharing between different countries, which is necessary to establish international collaboration in this sphere.
The guidance on cybersecurity issued by the IMDRF also contains the following concepts:
- Operating Devices in the Intended Use Environment,
- Information Sharing,
- Coordinated Vulnerability Disclosure (CVD),
- Vulnerability Remediation,
- Incident Responses.
The PMDA states that the Coordinated Vulnerability Disclosure is one of the most important principles set forth by the aforementioned IMDRF guidance on cybersecurity. In particular, the CVD improves significantly the cooperation in the sphere of addressing cybersecurity issues. According to the position of the IMDRF, the MAHs shall perform continuous monitoring during the whole lifecycle of the device in order to identify cybersecurity threats and vulnerabilities in a timely and efficient manner. Thus, the IMDRF guidance on cybersecurity of medical devices is mostly dedicated to the importance of the active collaboration between all the parties engaged in operations with medical devices at all levels to ensure the highest level of public health protection.
The PMDA states that the MAHs shall commence the actual implementation of the aforementioned IMDRF guidance and main principles set forth therein.
Summarizing the information provided here above, the new safety information issued by the PMDA describes the modern regulatory approach to cybersecurity issues and all important aspects associated thereto and also provides the general overview of the existing regulatory framework in different countries, including Japan and the United States.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.
Sources:
