You are here

TGA Internet site archive

The content on this page and other TGA archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.

Submissions received: Medical device cyber security

18 July 2019

Between 20 December 2018 and 14 February 2019, the TGA sought comments from interested parties on proposed guidance for industry on medical device cyber security.

A total of twenty-three written responses were received, comprising of:

  • 17 submissions from industry and professionals
  • 2 submissions from peak bodies and industry organisations
  • 2 submissions from consumer representative bodies
  • 2 submissions from government agencies

We thank those individuals and organisations for their valuable feedback.

All submissions that gave permission to be published on the TGA website are now available below in PDF format.


The TGA has considered the submissions received and the feedback provided has informed the creation guidance specific to industry as well as guidance and information specific to users, including consumers and health professionals.



How to access a pdf document

*Large file warning: Attempting to open large files over the Internet within the browser window may cause problems. It is strongly recommended you download this document to your own computer and open it from there.











On 20 December 2018, the TGA published a draft guidance document for public comment on the topic of medical device cyber security. The document was developed in consultation with the Commonwealth Scientific and Industrial Research Organisation (CSIRO). The draft document contained three sections: guidance for the medical device industry, information for users of medical devices including hospitals and healthcare providers, and a fact sheet for consumers. The consultation period closed on 14 February 2019.

Twenty-three submissions were received. The majority of submissions were from industry
(17 submissions). The remaining six submissions came from Commonwealth government agencies (3 submissions), one medical college, one consumer group, and one anonymous submission.

The sections of the document that were most commented on were those relating to proposed changes to the Essential Principles and the use of Standards. The feedback raised some questions relating to the Essential Principles, and also suggested useful changes to clarify or correct wording.

In response to the feedback more detail is being provided on how the TGA considers cybersecurity risks over the total life of the medical device, whose responsibility it is to assess and communicate risk, and the expectations for manufacturers under the Essential Principles. This includes detail around ongoing risk management, and the freedom and responsibility of the manufacturer under principle based regulation. Some more detail is also added to the background information in the Appendices to clarify the frameworks and basis that the TGA currently consider good practice. Industry stakeholders raised some concerns about the wording used for software updates that pre-emptively correct vulnerabilities. Some revisions are made to the document in these areas, ensuring that the guidance remained in accordance with the Uniform Recall Procedure for Therapeutic Goods (URPTG). The intent of the guidance in this regard is to use the URPTG as a reference, and not duplicate its content.

Cybersecurity of medical devices is a shared responsibility, and the information for users was also updated in response to the feedback. More details are provided around the communication expectation for users, clinicians, and consumers as well as manufacturers.

Some comments were unable to be actioned, for example, those suggesting changes to the regulatory framework, or those reflecting an incomplete understanding of the regulatory framework. These comments are valuable and will be considered in areas of current reform work, or for the development of additional guidance material.