Australia – TGA Pushes for Total Product Lifecycle Approach to Medical Device Cybersecurity

New draft guidance from Australia’s Therapeutic Goods Administration (TGA) encouraged use of regulatory policies that span total product lifecycles (TPLC) to ensure medical device cybersecurity.

A “growing area of interest” for TGA relates to “a large number” of class II, class III and active implantable devices registered in Australia that contain “electronic components with embedded software, have a software accessory or are a software device,” the regulator noted in its draft guidance, issued late December 2018.

The regulation of medical device cybersecurity came under the spotlight with the ongoing digitization and connectivity of healthcare. A renewed push manifested via draft guidances certain regulators issued in 2018 to support this shift and as a response to healthcare becoming a prime target for cyber threats.

In contrast with regulators in other major markets, TGA’s 65-page draft guidance covers cybersecurity both in pre- and postmarket settings as well as consumer or patient use of medical devices. This differs from the US Food and Drug Administration (FDA) and Health Canada—both of which issued medical device cybersecurity draft guidances just last year for set policies specific to premarket settings. TGA, FDA and Health Canada are members of the International Medical Device Regulators Forum (IMDRF).

By clarifying and expanding on policies, IMDRF regulators showed support for industry’s innovation efforts around the connectivity and digitization of healthcare technologies for improved patient care and personalized medicine. An emerging theme placed greater emphasis on premarket considerations…