Presentation: Cybersecurity considerations for medical devices - From the TGA Laboratories

14 September 2018

Disclaimer

These presentation papers are provided on the TGA's website solely for the purpose of indicating or suggesting what TGA representatives spoke about to the various conferences and seminars to which it relates. The papers are not legislative in nature and should not be taken to be statements of any law or policy in any way.

The Australian Government Department of Health (of which the TGA is a part) advises that (a) the presentation papers should not be relied upon in any way as representing a comprehensive description of regulatory requirements, and (b) cannot guarantee, and assumes no legal liability or responsibility for, the accuracy, currency or completeness of the information contained in the presentation paper.

Presentation

  • Presented by: Dr Lee Walsh
  • Presented at: 2018 ARCS Annual Conference
  • Presentation date: 22 August 2018
  • Presentation summary: The Australian regulatory framework for medical devices already captures cybersecurity. Manufacturers have been considering security in their design, and the Therapeutic Goods Administration (TGA) has been assessing and regulating the security of medical devices through the Essential Principles. However, the number of networked devices is growing, the risk profile is changing, and public awareness of cybersecurity as a risk is increasing.
  • This changing landscape has created new challenges for regulators of medical devices, including poor or unclear standardisation, sharing information, publication of vulnerabilities and exploits by users and security researchers, and poor transparency of expectations between stakeholders.
  • TGA is currently undertaking multiple projects to improve the regulation of medical device cybersecurity in Australia. These include building on the existing capabilities to assess and measure medical device security, consulting with industry and other stakeholders on their challenges and expectations, and working to improve standardisation.

Transcript

Cybersecurity considerations for medical devices - From the TGA Laboratories

Dr Lee Walsh CPEng NER
Senior Engineer, Biomaterials and Engineering Section
Laboratories Branch, Therapeutic Goods Administration

ARCS 2018, 22 August 2018

Slide 1 - Overview of the TGA Laboratories

The reason the TGA has this building

  • In Canberra
  • Seven Sections:
    • Biochemistry
    • Biomaterials and Engineering
    • Biomedicines and Influenza Vaccines
    • Chemistry
    • Immunobiology
    • Laboratory Business Operations
    • Microbiology

Slide 2 - Overview of the TGA Laboratories

What we do

  • Scientific and engineering expertise
  • Evaluate therapeutic goods
    • Market authorisation
    • Post market
    • Batch release
  • Standards development
  • Pacific Medicines Testing Program
  • WHO:
    • Collaborating Centre of Drug Quality Assurance
    • Collaborating Centre for Quality Assurance of Vaccines and Biological Medicines

Slide 3 - Overview of the TGA Laboratories

Our testing

  • Responsive testing
    • Urgent public health and safety concern
    • Supports investigations into complaints
  • Programmed testing
    • Selected goods to verify required quality and performance
  • Maintenance testing
    • Supports accreditation, harmonisation, standardisation and other obligations
  • Contract testing
    • Other regulators and government departments
    • International organisations

Slide 4 - Cybersecurity in the TGA Laboratories

  • Offensive security engineers
    • Penetration testing of medical devices
    • Threat analysis
    • Specialist advice and evaluation
    • Signal monitoring and analysis
    • External collaboration

Slide 5 - Challenges in regulating cybersecurity

Legislation

  • Essential Principles
    • 1. Use of medical devices not to compromise health and safety
    • 2. Design and construction of medical devices to conform to safety principles
    • 6. Benefits of medical devices to outweigh any undesirable effects
    • 9. Construction and environmental properties
    • 12. Medical devices with an energy source
    • 13. Information to be supplied with medical devices

Slide 6 - Challenges in regulating cybersecurity

Standards

  • No single standard
  • Many that are relevant, including:
    • ISO 15408
    • ISO 80002
    • ISO 14971
    • ISO 2700x
    • IEC 62304
    • IEC 60601
    • IEC 80001
    • IEC 82304
    • UL 2900

Slide 7 - Challenges in regulating cybersecurity

Health is different

Information security and medical device security are separate.

Slide 8 - Challenges in regulating cybersecurity

Health is different

Information security includes medical device security.

  • Patient safety
    • Changes risk profile
    • Vulnerability disclosure
  • Distributed and manual patch deployment
    • Complex
    • Uncertain patch application
  • Long device life
    • Patching might not be possible
    • Complicates risk profile

Slide 9 - Challenges in regulating cybersecurity

Health is different

Information security and medical device security overlap.

  • Tools require adaptation
    • Penetration testing and red teaming
    • Defence and blue teams
    • Network focussed
  • Risks are poorly understood by
    • Users
    • Patients
    • Public
    • InfoSec experts

Slide 10 - Progress in regulation of cybersecurity

Key TGA work areas

  • Consultation - CSIRO
  • First offensive security testing program (2017)
  • Developing and adapting tools
    • Standards
    • Signal detection, intelligence and threat assessment
    • Penetration testing
    • Red vs Blue
  • Visibility and education
    • Participation in InfoSec sector
    • Collaboration

Slide 11 - END SLIDE
