Guiding principles concerning the cybersecurity of connected medical devices published

China

The China Food and Drug Administration (“CFDA”) recently published the Guiding Principles on the Technical Reviews of the Cybersecurity Registration of Medical Devices (《医疗器械网络安全注册技术审查指导原则》) (“Guiding Principles”) to implement the principles of the PRC Cybersecurity Law.

The Guiding Principles apply to the registration of Type II and Type III medical devices that can be connected to networks (e.g. fixed line and mobile networks) to conduct electronic data exchanges or remote control, as well as Type II and Type III medical devices that use storage media to conduct data exchanges. Applicants who intend to file registrations for such medical devices now have clearer guidance on managing cybersecurity aspects.

Beyond the registration stage, the Guiding Principles also encourage applicants to address cybersecurity throughout the life cycle of a medical device, including design, development, manufacture, distribution, deployment and maintenance.

According to the Guiding Principles, a key aspect of medical device cybersecurity is the confidentiality, integrity and availability of the data the device generates and uses. An applicant for a medical device registration shall consider the type of data (e.g. personal data of users or device operations data) and the function of the medical device when deciding on appropriate data exchange and remote control methods. Considerations include (but are not limited to) the network interface, network bandwidth, data transfer protocol, real-time control requirements, and data storage format used. An applicant is also required to satisfy all applicable regulatory requirements concerning personal data protection.

Another aspect of the Guiding Principles concerns the technical measures used in medical devices. The main considerations are user access control mechanisms (e.g. user authentication, user authorisation, password strength, and authorisation of software updates), data encryption mechanisms (e.g. electronic signatures, standard protocols, and verification), and attack prevention and response mechanisms (e.g. firewalls, intrusion detection, and a mitigation and recovery plan). Notably, an applicant may refer to relevant national standards, technical reports and international standards when establishing its cybersecurity capabilities; the 19 security capabilities listed in IEC/TR 80001-2-2 are specifically mentioned in the Guiding Principles.

The Guiding Principles also address the potential impact of pre-installed software in medical devices. An applicant is required to demonstrate the capability of monitoring the software, providing necessary updates and patches in time, and keeping accurate logs.

An applicant shall describe the cybersecurity aspects of the medical device in its registration application materials (in the Software Research, Product Technical Requirements and Product Instructions sections). The Guiding Principles are neither mandatory nor legally binding, but the CFDA will take the requirements they set out into account when examining an application.