Health Canada recently released two significant forward-looking documents on the regulation of medical devices:
- Action Plan on Medical Devices: Continuously Improving Safety, Effectiveness and Quality (Action Plan); and
- Draft Guidance Document: Pre-market Requirements for Medical Device Cybersecurity (Cybersecurity Guidance)
These publications are expected to inform changes to Canada's medical device regulatory regime to expand Health Canada's device licensing and monitoring oversight activities as well as to encourage manufacturers to address emerging security vulnerabilities in networked devices.
The Action Plan provides a three-part strategy to address perceived gaps in Health Canada's oversight of medical devices, with particular emphasis on (A.) investigational testing prior to device licensing and expanding scientific expertise, (B.) monitoring of licensed devices through increased reporting of device incidents, and (C.) providing more clinical and device incident data to the public. Each part of the strategy is summarized below:
A. Investigational Testing and Scientific Expertise: Currently, only device manufacturers are permitted to apply for an investigational testing authorization involving unlicensed devices. The proposed changes will allow independent researchers and health care professionals to file an application for investigational testing, with the aim of expanding the scope of Canadian research and generating more safety testing data. In this regard, Health Canada has indicated that it will be publishing a Notice of Intent (presumably to amend the Medical Devices Regulations) in June 2019 and a subsequent report of its consultation findings in September 2019.
Moreover, Health Canada will form a new scientific advisory committee of experts on women's health issues, and has formed a new division to review devices involving digital health technologies. Health Canada will also consider strengthening safety evidence requirements for higher-risk devices that seek approval on the basis of previously authorized versions.
B. Monitoring and Reporting: In an effort to address under-reporting of device incidents (which is currently mandatory for device manufacturers but optional for other health care stakeholders), amended regulations developed under the Protecting Canadians from Unsafe Drugs Act (a.k.a Vanessa's Law) will require hospitals to report incidents to Health Canada. The regulations are expected to be published in June 2019. Health Canada will also endeavour to improve reporting from other health care facilities by expanding the existing Canadian Medical Devices Sentinel Network (CMDSNet) of reporting health care organizations, and through a program to promote incident reporting by health care practitioners.
The regulations being developed under Vanessa's Law will also increase the scope of information that device manufacturers will be required to provide to Health Canada in respect of device incidents. Health Canada will be granted new powers to compel manufacturers to reassess their products in light of information issued by other regulatory agencies, and manufacturers will be required to inform Health Canada within 72 hours of warnings issued by certain foreign regulatory agencies. Health Canada is also developing a framework to expand the use of real-world evidence to monitor the safety and effectiveness of devices post-market.
Moreover, Health Canada has indicated that it will be enhancing its inspection and enforcement activities by hiring additional inspectors and increasing the number of foreign inspections and compliance promotion activities, starting in March 2019.
C. Publish Device Clinical and Incident Data: Health Canada will adopt new regulations to publicly release clinical data on devices in an effort to encourage independent analysis that could offer new safety insights. A public internet database of such information will reportedly launch after the regulations are published in June 2019.
With respect to device incident data, Health Canada has committed to publishing its approval decisions for higher risk (i.e. Class III and Class IV) devices, launching a public internet database of device incident reports in December 2019, and improving the existing device inspection database.
The draft Cybersecurity Guidance acknowledges that medical devices have evolved from analogue pieces of hardware to interconnected networked devices. This evolution has resulted in benefits for patients and health care providers, but has also created new vulnerabilities that could negatively affect device safety and effectiveness. Accordingly, the Cybersecurity Guidance provides manufacturers with advice on improving device security and outlines information that should be submitted in a device licensing application to demonstrate that it is sufficiently secure.
The Cybersecurity Guidance specifically applies to devices of all risk classes that consist of or contain software. Manufacturers of software devices of all risk classes will be required to implement a cybersecurity strategy that addresses (A.) secure design, (B.) risk management, (C.) verification and validation testing, and (D.) planning for continued monitoring of and response to threats. For manufacturers of Class III and Class IV devices, information on each of these elements will be required to be submitted in a licensing application in addition to the general data elements that are required to be submitted under the Medical Devices Regulations. Each element is summarized below:
A. Secure Design: Manufacturers should consider cybersecurity throughout product development by identifying cybersecurity risks and controls when making design decisions and developing designs that maximize security without compromising device safety. Health Canada specifically encourages manufacturers to consider design controls in the areas of secure communications, data security, user access, software maintenance, hardware design, and reliability and availability.
B. Risk Management: Manufacturers are directed to incorporate sound risk management principles into all stages of the device life cycle. Health Canada suggests adopting the safety risk management principles outlined in ISO 14971-07:2007 Medical devices - Application of risk management, and applying these principles to manage cybersecurity risks. Manufacturers are encouraged to implement device-specific cybersecurity risk management processes in parallel to their existing safety risk management processes, to address the fact that some cybersecurity risks may not be associated with a safety risk. The Cybersecurity Guidance also provides a list of recommended cybersecurity standards to be used when developing cybersecurity risk management processes.
C. Verification and Validation Testing: Cybersecurity risk control measures should be validated against and traceable to design specifications. In this regard, the Cybersecurity Guidance provides recommended standards for cybersecurity testing, and Health Canada specifically encourages manufacturers to conduct vulnerabilities and exploits testing and software weakness testing.
D. Monitoring and Response to Threats: Manufacturers should proactively monitor, identify, and address device vulnerabilities post-market, and must demonstrate their commitment to same in their license applications for Class III and Class IV devices.
Finally, the Cybersecurity Guidance outlines the specific cybersecurity information that must be provided in license applications for Class III and Class IV devices in addition to the general data elements. The data elements for which cybersecurity information must be provided are (i) device labels, package labels, and documentation, including a list of open source software components, version and build numbers, and user instructions on how to mitigate and respond to cybersecurity risks; (ii) marketing history, including a summary of reported cybersecurity problems and recalls; (iii) risk assessment, including an analysis and evaluation of cybersecurity risks and adopted risk mitigation measures; (iv) device-specific quality plan for Class IV devices, demonstrating that the quality standards for the device include a cybersecurity framework; and (v) safety and effectiveness, including details of any cybersecurity studies relied upon, a list of applied cybersecurity standards, cybersecurity testing evidence, a cybersecurity-design traceability matrix, and a device maintenance plan.
Health Canada recommends that device manufacturers use the Framework for Improving Critical Infrastructure Cybersecurity (NIST, Version 1.1, April 2018) to guide their cybersecurity activities, whether by improving existing processes or developing best practices.
The Cybersecurity Guidance is currently open for comment until February 5, 2019.
The Action Plan and Cybersecurity Guidance foreshadow significant near-term changes to Canada's medical device regulatory regime. Device manufacturers would be well advised to review their monitoring, reporting, and cybersecurity policies and procedures, as well as their product development pipeline, to identify and develop plans to address any newly anticipated compliance obligations. Fasken will continue to monitor and report on new developments as the draft regulations referenced in the Action Plan are published and the Cybersecurity Guidance is finalized.