The China Food and Drug Administration ("CFDA") has issued guidelines aimed to implement China's new Cybersecurity Law ("CSL") in the administration of medical devices in China. This development is a clear signal that Chinese regulators intend to enhance cybersecurity protection in the healthcare sector.
From 1 January 2018, medical device companies will be required to register their networked medical devices with the CFDA and be assessed for their cybersecurity protection status under the Principles on Guiding Technology Examination of Medical Device Cybersecurity Registration ("CFDA Guidelines").
Major implications for medical device companies
Cybersecurity threats represent a risk to the safe and effective operation of networked medical devices. A data breach may lead to infringement of patients' personal privacy while a network attack can cause the malfunction of a device resulting in the injury or death of patients. Medical device companies are therefore expected to pay attention to these issues throughout the product life cycle to ensure proper cybersecurity protection for their networked products.
When applying to register networked medical devices with the CFDA, the CFDA Guidelines require applicant companies to conduct a self-assessment of the relevant cybersecurity protection standards or measures. Applicants need to be aware that while the CFDA Guidelines do not express the cybersecurity protection standards as mandatory obligations, failure to meet the requirements may potentially cause delay on product registrations. In practical terms, this can have an impact on the success and timing of the rollout of new medical device products.
What are the Highlights?
By way of background, the CSL was introduced on 7 November 2016 and takes effect on 1 June 2017. The CSL imposes obligations on network operators to formulate internal security management systems for cybersecurity protection and take measures to protect important data, among other things.
Failure to comply with the CSL may result in various penalties including the imposition of fines on directly responsible personnel. The CFDA Guidelines, which were issued on 20 January 2017, aim to implement the CSL in the administration of medical devices in China. The key features of the CFDA Guidelines include:
1. Non-mandatory principles. The CFDA Guidelines do not specify mandatory requirements for registration. When registering medical device products, the applicant may conduct a self-assessment on whether some measures proposed under the CFDA Guidelines should apply. If not, the applicant may elaborate the reasons or propose alternative solutions to ensure its compliance with the CSL and other relevant regulations.
2. Application scope. The CFDA Guidelines apply to the registration of Grade II and Grade III medical devices that have electronic data exchange or remote control functions through network connection ("Qualified Devices").
3. Impact on product lifecycle. Companies that intend to register Qualified Devices in China are expected to consider cybersecurity protection issues during the entire lifecycle of the medical devices, including product design, development, production, distribution and maintenance. Specifically, cybersecurity protection of the Qualified Devices should, among others, satisfy the following requirements:
(a) Confidentiality: the data can only be accessed by authorized users within an authorized timeframe through authorized means;
(b) Integrity: the data must be accurate, comprehensive and cannot be altered without authorization; and
(c) Availability: the data must be accessible and utilized as expected.
4. Product registration documents. In order to register Qualified Devices with the CFDA, the applicant is required to submit a standalone cybersecurity description file and a cybersecurity instruction manual. When there is a major cybersecurity update affecting the safety or effectiveness of the Qualified Devices after the initial registration, the applicant is required to file a revised application with the CFDA.
5. Review factors. When reviewing the product cybersecurity registration process, the CFDA will consider:
(a) Data: the data on the Qualified Devices can be categorized as personal data and equipment data. Different protection measures should be adopted depending on the type of data and the transmission method. Personal data usually warrants enhanced protection and relevant personal privacy protection rules should be followed.
(b) Technology: different cybersecurity protection technology can be utilized. The applicant may follow various international and national standards to build up their cybersecurity protection capability.
(c) Off-the-shelf software: the applicant is expected to pay close attention to the cybersecurity risks associated with off-the-shell software and adopt relevant maintenance procedures, as well as notify users of relevant information in a timely manner.
Actions to consider
The CFDA Guidelines and CSL are good reminders for businesses to assess cybersecurity risk issues connected to the use and function of their networks and products. Similarly, companies should continue to be vigilant on the collection and protection of personal data, and ensure that they comply with the relevant data privacy laws.
To avoid delay on the registration of networked medical products, and prevent exposure to potential penalties under the CSL, we recommend that medical device companies consider the following steps:
- Seek advice and adopt cybersecurity protection measures to meet the specific standards under the CFDA Guidelines.
- Closely monitor the latest developments of the CSL and its implementing rules in relation to the cybersecurity protection requirements of medical devices.