Canada – Health Canada Setting Pre-market Medical Device Cybersecurity Requirements

  • Health Canada has proposed more formalized cybersecurity requirements for Medical Device License applicants.
  • The Health Canada requirements align with cybersecurity approaches adopted by medical device regulators in the US and other jurisdictions.
  • Health Canada recommends adoption of testing standards such as UL 2900 to support device cybersecurity claims.

New guidance from Health Canada would establish cybersecurity requirements and considerations for pre-market reviews of devices in Canada similar to policies developed by US and South Korean regulators.

The draft guidance proposes requirements for cybersecurity-related information Medical Device License (MDL) applicants would have to submit to Health Canada in order to demonstrate security of devices “consisting of or containing software,” and recommends measures such as implementation of UL 2900 cybersecurity testing standards to mitigate against cyber risks and vulnerabilities.

Among high-level cybersecurity recommendations in the new Health Canada guidance are:

  • Incorporating cybersecurity measures into risk management processes for devices with software components;
  • Establishing frameworks for managing cybersecurity risks on an enterprise level;
  • Verification and validation of all cybersecurity risk control processes according to device design requirements and specifications.

According to Ken Pilgrim, Senior RA/QA consultant at Emergo by UL in Vancouver, the new guidance should prove valuable to medical device manufacturers obtaining market access not only in Canada but also other jurisdictions developing similar cybersecurity requirements.

“We are pleased to see Canada participating in medical device cybersecurity standard development, and this draft document consultative process should help Canadian medical device manufacturers meet Health Canada’s cybersecurity requirements as part of the licensing process,” Pilgrim says.

“The new guidance should also assist manufacturers in developing compliance with requirements globally for registration in other jurisdictions such as the US and South Korea.”

Specific cybersecurity strategy recommendations

Health Canada’s guidance lays responsibility for monitoring, assessment and mitigation of cybersecurity risks with manufacturers; broader cybersecurity responsibilities must be shared between medical device companies as well as regulators, end users and network administrators, according to the guidance.

Health Canada suggests adoption of cybersecurity risk management methodologies based on the US National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, as well as cyber strategies incorporating secure design, risk management, verification and validation testing, and planning for continued monitoring and response efforts for emerging risks and threats…