Scientific Advisory Committee on Digital Health Technologies - Questions

Part 1: Digital Health and Health Canada’s Regulatory Approach

Pre-amble

The Building Better Access to Digital Health Technologies project aims to improve access to and improve outcomes for patients by adapting to rapidly changing technologies in digital health, responding to fast innovation cycles, and supporting the review of digital health technologies in the pre-market review phase to facilitate their market access.  Specifically, it aims to allow the people of Canada better access to digital health technologies such as wireless medical devices, mobile medical apps, home use health monitoring devices and medical device software applications.

Key areas of focus for the Building Better Access to Digital Health Technologies project, which align with other regulators’ approaches, include:

  • Wireless Medical Devices
  • Mobile medical apps
  • Telemedicine
  • Software as a Medical Device (SaMD)
  • Artificial Intelligence
  • Cybersecurity
Question 1
What do you believe are the most pressing emerging trend(s) in Digital Health? What do you believe will be the largest challenge facing Health Canada in regulating medical devices related to Digital Health as it carries out its mandate in helping the people of Canada maintain and improve their health?
Question 2
The Digital Health landscape is evolving with technologies not easily regulated under the current regulatory framework. An example of this is machine learning algorithms which mask some of the software’s behaviour. How can Health Canada facilitate the market emergence of innovative medical device software, such as machine learning algorithms, while ensuring that it remains safe and effective for the people of Canada?

Part 2: Health Canada’s Regulatory Approach to Medical Device Cybersecurity

Pre-amble
Medical devices have evolved from largely analogue, non-networked and isolated hardware into networked devices incorporating remote access, wireless technology, and complex software. Increases in the level of interconnectedness and data exchange between medical devices have large benefits to patients and the healthcare system but can leave devices vulnerable to unauthorized access. These vulnerabilities can negatively impact safety by causing diagnostic or therapeutic errors, or by affecting clinical operations. Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality can be intentionally or unintentionally compromised.
Question 3
What cybersecurity measures are already in place in healthcare facilities and what additional steps could be taken to fill any gaps in these cybersecurity measures for medical devices? Is a hospital LAN considered safer than a home network or a direct connection to the internet?
Question 4
What level of information about identified cybersecurity issues should be provided to potentially affected users? Do the benefits of fully informing users about known issues outweigh the potential risks of malicious use of the broadly exposed issues?
Question 5
What are the best cybersecurity risk mitigation practices for various intended use environments (e.g. home use, clinic use) for medical devices? Are there fundamental differences between the different use environments that should be considered in terms of cybersecurity? If so, what are the fundamental differences?
Question 6
The FDA recommended premarket submission documentation, which includes a summary describing controls in place to ensure integrity from the point of origin to the point when the device leaves the manufacturer. Should manufacturers demonstrate controls in the cybersecurity of their own computing infrastructure at their site? Or can we assume this is captured by ISO 13485-2016 compliance?
Question 7
In Canada a recall of a medical device is defined in the Medical Devices Regulations as:
any action taken by the manufacturer, importer or distributor of the device to recall or correct the device, or to notify its owners and users of its defectiveness or potential defectiveness, after becoming aware that the device
  1. may be hazardous to health;
  2. may fail to conform to any claim made by the manufacturer or importer relating to its effectiveness, benefits, performance characteristics or safety; or
  3. may not meet the requirements of the Act or these Regulations.

Additionally, Section 34 of the Medical Devices Regulations outlines that a device licence amendment is required for any significant change to a Class III or IV device.  A “Significant Change” means a change that could reasonably be expected to affect the safety or effectiveness of a medical device including, among other things, the design of the device, including its performance characteristics, principles of operation and specifications of materials, energy source, software or accessories.

In order to balance pre-market safety with post-market agility in deploying rapid corrections, Health Canada would like to consider how to best handle recalls and licence amendment authorizations in cases of certain patches, updates, or fixes in response to cybersecurity issues.

  1. What would be the manufacturer's expected timeline to deploy a fix?
  2. Is there a delay that would be simply too long from a risk perspective?
  3. What should Health Canada consider when determining if a cybersecurity fix is a recall or a pre-market licence amendment application?
  4. Should Health Canada consider adopting the US FDA’s concept of “Controlled vs. Uncontrolled Risk of patient harm” as the basis for reporting issues to the regulator?
Question 8
Should the responsibility be put on the manufacturer to monitor post-market cybersecurity issues (e.g., built-in software to detect any abnormalities)? If so, what are the best practices that are currently in place to monitor for cybersecurity issues that manufacturers should adopt? Should Health Canada request periodic reports from manufacturers documenting information concerning cybersecurity vulnerabilities?
