Notice: Medical Device Cybersecurity

August 15, 2018

Reference Number: 18-108099-160


In recent years, there has been a dramatic increase in the level of interconnectedness and data exchange between medical devices and their network environments. Increased connectivity in medical devices can: improve access to health care information; facilitate more timely diagnoses and treatments; and, improve access to care for patients. However, it can leave medical devices vulnerable to unauthorized access in a manner similar to computer systems. These vulnerabilities can impact the safety of the medical device by affecting clinical operations, causing diagnostic errors, or causing direct harm to patients.

Health Canada's Role in Medical Device Cybersecurity

Health Canada, as the federal regulator of medical device safety and effectiveness, will consider cybersecurity vulnerabilities in medical devices as a potential risk to patients that manufacturers of medical devices must mitigate or eliminate. Medical device cybersecurity is a shared responsibility among many parties including the manufacturer, regulator, user, and network administrator. However, manufacturers are responsible for continuously monitoring, assessing, and mitigating potential cybersecurity risks associated with their products throughout their life-cycle.

Health Canada will assess the adequacy of a manufacturer's risk control measures with respect to the cybersecurity of their medical device as part of the pre-market evaluation process. The department will publish a guidance document to provide manufacturers of medical devices with details on the pre-market cybersecurity requirements. The guidance will be based on the principles of the application of risk management to medical devices and will call upon the manufacturer to: identify the cybersecurity hazards associated with medical devices; estimate and evaluate the associated risks; control those risks; and monitor the effectiveness of their associated controls.

Upcoming Opportunities for Stakeholder Engagement

In fall 2018 Health Canada will:

Health Canada will continue to engage with key stakeholders and international partners to ensure that the submission requirements for medical device cybersecurity address safety and the emergence of innovations into the Canadian market. The department remains committed to monitoring the state of medical device cybersecurity and may adapt its submission requirements and policy to ensure the continued safety and effectiveness of medical devices.
