Medical device cyber security guidance for industry
Guidance for manufacturers and sponsors on cyber security of medical devices that include software or electronic components.
This guidance is for manufacturers and sponsors of medical devices that include software or electronic components.
The guidance is intended for:
manufacturers that develop software for use in or as standalone medical devices, such as in Software as a Medical Device (SaMD); this includes devices that incorporate artificial intelligence in their design
- manufacturers of medical devices (including in-vitro diagnostic medical devices) where devices include components that may be vulnerable to cyber-based threats
- medical device sponsors who are responsible for the supply of medical devices in Australia, to ensure that safety and quality is demonstrated and compliance with the Essential Principles is maintained
Alongside this guidance, the TGA has also produced medical device cyber security guidance for users.
The Australian government regularly provides updates and advisories on cybersecurity for Australian organisations at cyber,gov,au. The TGA recommends that medical device sponsors and manufacturers consult cyber.gov.au for the latest advice on various cybersecurity issues and education from Australian government.
Connectivity and digitisation increase benefits and risks
Connectivity and digitisation of medical device technologies may help improve device functionality and benefit. However, the connection of medical devices to networks or the internet exposes them to increased cyber threats that can potentially lead to increased risk of harm to patients. These might include:
- denial of intended service or therapy
- alteration of device function to directly cause patient harm
- loss of privacy or alteration of personal health data
Additionally, there are fundamental security interdependencies between medical devices and the networks they connect to. Cyber security for medical devices must be considered as part of a layered, holistic security ecosystem. The cyber security landscape is constantly evolving.
Chapter 4 of the Therapeutic Goods Act 1989 (the Act) provides for the safety and satisfactory performance of medical devices, by setting out particular requirements for medical devices, establishing processes aimed at ensuring those requirements are met, and providing for enforcement of these requirements. The requirements for medical devices includes fifteen 'Essential Principles', set out in Schedule 1 of the Therapeutic Goods (Medical Devices) Regulations 2002 (the MD Regulations), which relate to the safety and performance characteristics of medical devices. Assurance that relevant medical devices are appropriately cyber-secure is required for compliance with a number of the Essential Principles.
Purpose and scope of this guidance
This guidance has been produced in order to support Australia's medical device cyber security capability, embedding improved cyber security practices across the medical device sector. This guidance on cyber security for medical devices is in line with existing regulatory requirements and will assist in supporting the implementation of risk-based regulatory approval pathways that are guided by and support the Australian Government's cyber security strategy.
The purpose of this guidance is to help manufacturers and sponsors understand how the TGA interprets regulations, and thus indicate how to comply. This is a guide only, and manufacturers and sponsors are encouraged to familiarise themselves with the legislative and regulatory requirements in Australia. If necessary, seek professional advice as it is the responsibility of each manufacturer or sponsor to understand and comply with these requirements.
This document will evolve over time and updates and clarifications will be included as required. Feedback on the guidance is always welcome.
Lifespan of a medical device
Medical devices cannot generally be supplied in Australia unless they are included on the Australian Register of Therapeutic Goods (ARTG). Inclusion on the ARTG requires considerations that span the life of a medical device, including:
- pre-market via conformity assessment
- market authorisation via inclusion in the ARTG
- post-market monitoring
- end-of-life / withdrawal of support
Adopting a total product life cycle (TPLC) approach to risk and quality management is required.
Risk assessment and management
Assessment and management of cyber security risks that could compromise the health and safety of a patient, user or any other person, as with other risks for medical devices, is the responsibility of the manufacturer.
- Pre-market: Manufacturers are required to address cyber security risks during the design and development process. This includes:
- general considerations, such as the development approach; administration protocols; application of standards; risk management strategies; infrastructure, manufacturing and supply chain management; and provision of information for users
- technical considerations, such as cyber security penetration testing; modularised design architecture; operating platform security; emerging software; and Trusted access and content provision
- environmental considerations for the device's intended use, such as connecting to networks, and uploading or downloading data
- physical considerations, such as mechanical locks on devices and interfaces, physically securing networks, waste management (preventing capture of sensitive paper-based information)
- social considerations, such as designing out or minimising social-engineering threats (e.g., phishing, impersonation, baiting, tailgating)
- Post-market: Manufacturers and sponsors are required to continually assess and take action on medical device cyber security risk
- The cyber security threat landscape changes in short periods of time, therefore a compliant risk management strategy will demonstrate how medical device cybersecurity risk is reviewed and updated.
- Cyber security events that do not appear to immediately impact a medical device are still part of the cyber security threat landscape, and will need to be considered as part of a compliant medical device cyber security risk management strategy.