Annex
Technical Guideline on Cybersecurity of Medical Device
This guideline is formulated to instruct registration applicants on how to prepare and submit registration documents on the cybersecurity of medical devices, and to standardize the technical review requirements for the cybersecurity of medical devices.
The guideline specifies general requirements for the cybersecurity of medical devices. The registration applicant should prepare the cybersecurity registration documents according to the characteristics of the medical device, determine whether each specific provision of the guideline is applicable, and explain in detail the reason for any provision that is not applicable. The registration applicant may also use alternative methods to meet the regulatory requirements, but should then provide detailed research information and validation documents.
The guideline has been developed on the basis of existing regulations and standards and the current state of knowledge, with reference to foreign regulations and guidelines, international standards and technical reports. As laws, standards, knowledge and technical capacity continue to develop, the relevant content will be revised in a timely manner.
The guideline is intended only to provide instruction to the registration applicant and the reviewer. It does not cover the administrative matters involved in review and approval, and it is not enforced as a rule. The guideline should be used in accordance with the relevant regulations.
As a supplement, the guideline should be used in combination with the requirements specified in the Guideline for Technical Review of Medical Device Software Registration. The guideline sets out the general provisions on the cybersecurity of medical devices and serves as the basis for the targeted adjustment, modification and improvement of other guidelines related to the cybersecurity of medical devices.
Ⅰ Scope of application
The guideline applies to the registration declaration of Class Ⅱ and Class Ⅲ medical device products with a network connection function (including wireless and wired networks) for electronic data exchange (including unidirectional and bidirectional data transmission) or remote control (including real-time and non-real-time control).
The guideline also applies to the registration declaration of Class Ⅱ and Class Ⅲ medical device products that use storage media (including but not limited to CDs, portable hard disks and USB flash drives) for electronic data exchange.
Ⅱ Basic principles
With the development of network technology, more and more medical devices have a network connection function for electronic data exchange or remote control. While this improves the quality and efficiency of medical services, it also exposes the devices to the threat of network attacks. Cybersecurity problems in medical devices may not only violate patient privacy, but also create unexpected operational risks for the medical device, resulting in injury or even death of patients or users. Cybersecurity of medical devices is therefore an important component of the safety and effectiveness of medical devices.
Cybersecurity of medical devices means maintaining the confidentiality, integrity and availability¹ of medical device-related data (adapted from GB/T 29246-2012 Information Technology. Security Techniques. Information Security Management Systems. Overview and Vocabulary):
- Confidentiality: the property that the data cannot be used or learned by unauthorized individuals or entities, namely, medical device-related data can only be accessed by authorized users within the authorized time;
- Integrity: the property that the accuracy and completeness of the data are protected, namely, medical device-related data is accurate and complete, without alteration;
- Availability: the property that the data can be used or learned on demand by authorized individuals or entities, namely, medical device-related data can be accessed in the expected manner when needed.
¹ In the field of information technology, the term "availability" is translated as "可用性" (in Chinese), but in the field of medical devices the term "usability" is also translated as "可用性" (in Chinese). To avoid ambiguity, "availability" in this guideline is translated as "可得性" (in Chinese).
In addition, the characteristics of cybersecurity of medical devices also include authenticity, accountability, non-repudiation, reliability, etc. The corresponding definitions are given in GB/T 29246-2012.
The registration applicant shall determine the cybersecurity characteristics of the medical device product in combination with its intended use, use environment, core functions and the equipment or systems to which it is expected to be connected (such as other medical devices and information technology equipment), and shall ensure the cybersecurity of the medical device product through a risk management-based approach:
- identification of assets (anything that is of value to an individual or organization), threats (a potential cause of an unwanted incident that may result in harm to an individual or organization) and vulnerabilities (weaknesses of an asset or of risk control measures that can be exploited by threats);
- assessment of the impact of the threats and vulnerabilities on the medical device product and on patients, and of the likelihood of exploitation;
- determination of the level of risk and implementation of appropriate risk control measures;
- evaluation of the residual risk against the risk acceptance criteria.
The registration applicant should pay continuous attention to cybersecurity issues throughout the life cycle of the medical device product, including design, development, production, distribution, deployment and maintenance. At the same time, the registration applicant should incorporate the pre-market and post-market cybersecurity requirements for medical device products, such as risk management, design and development, cybersecurity maintenance and user notification, into its own quality management system, in combination with the characteristics of the medical device product. In addition, the registration applicant can improve the cybersecurity management of medical device products by drawing on good engineering practice² in the field of information engineering, so as to ensure the safety and effectiveness of medical device products.
The registration applicant should keep track of the laws and regulations relating to cybersecurity (e.g., the Cybersecurity Law of the People's Republic of China) and the standards issued by the relevant authorities (such as the Ministry of Public Security, the State Network Office, the National Health and Family Planning Commission of the PRC and the Ministry of Industry and Information Technology). The cybersecurity of medical devices should comply with the requirements of the corresponding laws, regulations and departmental rules.
During use, a medical device product is often connected to equipment or systems that were not anticipated by the registration applicant, which makes it difficult for the registration applicant alone to control and ensure the cybersecurity of the medical device product. The cybersecurity of medical devices can therefore be ensured only through the joint efforts and cooperation of the registration applicant, users and information technology service providers. However, this does not exempt the registration applicant from its responsibilities for the cybersecurity of the medical device. The registration applicant shall ensure the cybersecurity of the medical device product itself and shall specify the interface requirements for the equipment or systems to which it is intended to be connected, in order to ensure the safety and effectiveness of the medical device product.
The protection of the cybersecurity of medical devices can be divided into the product level and the system level. Assurance measures include management measures, physical measures and technical measures. This guideline focuses on product-level technical assurance measures, with the security of medical device data as the core.
² In the field of information security, the ISO/IEC 27000 series of standards specifies the requirements for information security management system (ISMS) certification. Under this guideline, manufacturers are not required to obtain ISMS certification, but they are advised to refer to the requirements of the relevant standards.
Since the cybersecurity of medical devices involves many factors, has a wide scope, spreads rapidly and arises suddenly, considering the software safety level of the medical device product alone is not sufficient to ensure its cybersecurity. Therefore, the requirements for the registration declaration information related to the cybersecurity of medical devices should be specified in a uniform manner