Keeping patients safe from potential cybersecurity risks with medical devices

OTTAWA, June 26, 2019 /CNW/ - Canadians want access to the latest technologies in medical devices, while still being able to depend on them to be as safe as possible. While the idea that medical devices could be used for intentional harm may sound like science fiction, the risk is real enough to warrant precautions from medical device regulators.

To better protect Canadians from the possibility of such an event, Health Canada has published guidance on Pre-market Requirements for Medical Device Cybersecurity to help protect patient safety. The new guidance describes how and when to implement strategies to reduce potential risks associated with medical devices that contain software and technology that enable communication with outside networks.

Medical device technology is evolving quickly. Many devices and applications rely on computer programs and interfaces, and network connections to operate properly and interact with patients and caregivers. However, this ability to connect to outside networks introduces potential vulnerabilities that must be minimized to protect patient safety.

While there have been no reports or evidence to suggest that direct patient harm has occurred in real-world situations, cybersecurity experts and researchers have demonstrated that tampering would be possible if specific security precautions are not taken.

The new requirements in the guidance come into effect immediately, and will require safeguards such as passwords to protect against unauthorized tampering. In many cases, cybersecurity precautions like passwords or secure communications have been designed into certain medical devices for years, however, it will now be required that all medical device manufacturers consider cybersecurity for their products. Health Canada will update the guidance as needed to reflect changes in evolving medical device design and function.

This guidance complements work underway as part of Health Canada’s Action Plan on Medical Devices. The Action Plan lays out a three-part strategy to further improve how medical devices get on the market, strengthen monitoring and follow-up for devices already in use, and provide Canadians with more information about the medical devices they rely on.

Quotes
“Many Canadians rely on medical devices such as pacemakers or insulin pumps to keep them alive and healthy, which is why our government is committed to ensuring that those devices are as safe as possible. This includes protecting devices from cybersecurity threats, which—though remote—could become very real without the proper precautions in place.”
The Honourable Ginette Petitpas Taylor
Minister of Health

Quick Facts

• The Government consulted on the proposed guidance for 60 days—from December 7, 2018, to February 5, 2019.
• Thirteen stakeholders provided input on the guidance document, which was then revised and finalized to reflect the submitted comments.
• The revisions address questions and concerns raised during the consultation such as:
  • the incorporation of additional cybersecurity principles;
  • clarification on the scope and application of the guidance; and
  • further details on post-market requirements for medical devices.

Related Products
Health Canada Action Plan on Medical Devices
Guidance Document on Pre-market Requirements for Medical Device Cybersecurity

SOURCE Health Canada