Australian TGA’s Draft Guidance for the Medical Device Industry on Cyber Security

Although digitization and the Internet of Things (IoT) have together enhanced the performance of medical devices, they have also exposed those devices to cyber vulnerabilities. Malware and spyware targeting medical devices are increasing. Attackers look for weaknesses in devices and their associated software that let them tamper with the device, cause it to malfunction, or compromise user data. These threats undermine organizations’ efforts to protect user data and prevent harm.

To address cyber security threats to medical devices, member health authorities of the International Medical Device Regulators Forum (IMDRF) have released draft guidance documents setting out regulatory expectations for the pre-market stage. The Therapeutic Goods Administration (TGA) of Australia has gone further, anticipating the need for regulation in the post-market stage as well, and has released a draft guidance that spans the total product life cycle (TPLC).

Who does the guidance apply to?

The TPLC approach proposed by the TGA focuses on continuously updating quality management systems, risk management procedures and change management procedures. Because the guidance covers both pre- and post-market scenarios, it is intended for the multiple stakeholders listed below.

  • Manufacturers who develop software as a medical device (SaMD)
  • Manufacturers of devices that contain software components exposed to cyber security risk
  • Sponsors responsible for supplying devices in Australia
  • Healthcare professionals who use medical devices to diagnose and treat patients
  • Clinical and biomedical engineers responsible for managing device assets in health and medical environments
  • General and IT administrators responsible for systems, procedures and processes in health and medical service environments
  • Consumers who use a registered medical device
    • under the guidance of their health or medical professional, or
    • where the device does not require medical supervision

Guidance to the Medical Device Industry:

While helping the medical device industry prepare for cyber security, the guidance also emphasizes that devices must be included in the Australian Register of Therapeutic Goods (ARTG) before they can be supplied in Australia. Inclusion in the ARTG requires considerations that cover the complete life of a medical device, divided into the following four stages:

  • Pre-market via conformity assessment
  • Market authorization via inclusion in the ARTG
  • Post-market monitoring
  • End-of-life / withdrawal of support

The guidance also states that manufacturers are responsible for assessing and addressing the cyber security risk of the device in both the pre- and post-market stages. In doing so, they must take into account specific considerations for each stage, which include:

  • Pre-market Considerations: These cover risks arising during the design and development of medical devices and fall into general and technical categories.
    • General considerations such as the development approach, application of standards, risk management strategies, supply chain assessment and provision of information to users
    • Technical considerations such as cyber security performance testing, modularized design architecture, operating platform security, emerging software, and trusted access and content provision
  • Post-market Considerations: Under the post-market regime, manufacturers and sponsors of devices are required to assess and act on cyber security risk continuously. This means understanding the risks and threats to the device and responding to them as they arise.

Highlights of the Guidance:

While other IMDRF regulators listed pre-market cyber security principles, the TGA has gone further and mapped cyber security to the 15 ‘essential principles’ for medical devices, including a focus on long-term safety. The guidance also identifies eight further essential principles relevant to malware prevention. It highlights the Cybersecurity Framework developed by the US National Institute of Standards and Technology (NIST), and includes common examples of vulnerabilities, recognized standards that help strengthen security, and instructions for end-users, clinical trials and healthcare settings that use the devices.

The draft guidance provides a comprehensive range of information for medical device manufacturers putting the TPLC approach in place. However, the current version is open for comment, and changes are expected in later versions. To remain compliant and secure, stakeholders should take the required action well ahead of time, with the help of a medical device regulatory expert. Be compliant.