On June 26, 2019, Health Canada published its guidance document on pre-market requirements for medical device cybersecurity (Guidance). The Guidance advises manufacturers and regulatory representatives on how to reduce cybersecurity risks associated with their medical devices.

Health Canada considers the inclusion of cybersecurity risk control measures an important consideration in issuing medical device licenses. The Guidance provides medical device manufacturers advice on practices, responses and mitigation measures that can improve the cybersecurity of their devices. The Guidance also outlines what information is to be submitted as part of a medical device licence to demonstrate that a medical device, consisting of or containing software, is sufficiently secure from cyber threats.

The Guidance applies to medical devices that consist of or contain software and are regulated as a medical device. The Guidance states that manufacturers must have a strategy to address the cybersecurity risk of a medical device (Class I to Class IV) that runs software code and the strategy must include the following elements:

  • Secure design;
  • Risk management;
  • Verification and validation testing; and
  • Planning for continued monitoring of and response to emerging risks, vulnerabilities and threats.

The elements listed above, and Health Canada's expectations with respect to each element, are outlined in the Guidance.

Summary By: Imtiaz Karamat


19 07 24

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.