NMPA published the “Draft Technical Guideline on Medical Device Cybersecurity” on September 8, 2020. Feedback must be submitted to NMPA by October 19, 2020. It is the second version after the January 2017 issue.
Scope of Application & Focus of Attention
The guideline directs the registration of Class II and III medical devices (both domestic and imported) that have functions such as electronic data exchange, remote control or data storage. It applies to initial product registrations, modifications, and renewals.
Medical device cybersecurity protection operates at the product level (i.e., the medical device product itself) and at the system level (i.e., the medical information technology network). The assurance measures include management measures (such as usage specifications), physical measures (such as anti-theft measures), and technical measures (such as encryption technology). The Guideline focuses on technical measures at the product level.
Instructions for Registration
For initial registrations and modifications, software research materials and the Instruction for Use shall be submitted.
For initial registrations, registrants should submit self-developed software cybersecurity research reports and external software environment assessment reports in the software research materials. If using off-the-shelf software components, submit corresponding research materials according to their usage methods.
The Instruction for Use should provide cybersecurity instructions and clarify the user access control mechanism, electronic interfaces (including network port interfaces and electronic data exchange interfaces) and their data types and technical characteristics, cybersecurity feature configuration, data backup and disaster recovery, operating environment (including hardware configuration, external software environment, and network environment), security software compatibility, and update requirements for the external software environment and security software.
Takeaways for Manufacturers
- Registrants should consider the cybersecurity issues of medical device products based on the types, functions, uses, exchange methods and requirements of medical device-related data. Regarding health data, the registrant shall abide by the relevant laws and regulations regarding patient privacy protection. Regarding equipment data, the registrant shall ensure that it is effectively separated from health data.
- Registrants should consider the requirements of their cybersecurity capabilities based on the product characteristics of medical devices. They can refer to IEC/TR 80001-2-2 to improve their cybersecurity capabilities, ensuring that medical device products have the necessary capabilities to identify and protect against cybersecurity threats, along with appropriate detection, response, and recovery capabilities.
- The registrant shall identify the types of medical device cybersecurity updates, carry out corresponding quality assurance work according to the degree of impact of cybersecurity updates on medical devices and in combination with the requirements of the quality management system, and submit corresponding registration application materials. The software version naming rules should account for cybersecurity updates.
- Registrants shall comply with national laws and regulations related to cybersecurity and relevant departmental regulations, such as the “Cyber Security Law of the People’s Republic of China”, “National Health Information Management Measures”, “National Health and Family Planning Commission Opinions on Promotion of Telemedicine Services”, etc.
- Registrants can refer to the requirements of international standards and technical reports related to cybersecurity to ensure the cybersecurity of medical device products and to improve the quality management system requirements for cybersecurity, such as the IEC 80001 series standards and technical reports, IEC 60601-1 third edition, IEC 82304-1, the IEC 27000 series standards and ISO/DIS 27799.