March 19, 2021
Trends in Japan’s regulatory requirements for healthcare product cybersecurity
To improve safety related to medical device cybersecurity, a full-scale introduction of the International Medical Device Regulators Forum (IMDRF) guidance by Marketing Authorization Holders (MAHs) and related business operators in Japan is being implemented over a time frame of approximately three years. [6]
The Ministry of Health, Labour and Welfare (MHLW) of Japan first published a notification titled “Ensuring Cyber Security of Medical Devices” [1] on April 28, 2015. The purpose of this notification was for MAHs to appropriately evaluate the cybersecurity risks of medical devices and to address cybersecurity according to the characteristics of the medical devices.
A concrete process
The Japan Federation of Medical Devices Associations (JFMDA) has been collaborating with the Pharmaceutical Safety and Environmental Health Bureau of MHLW, the Pharmaceuticals and Medical Devices Agency (PMDA) and the Japan Agency for Medical Research and Development (AMED) cybersecurity research group to develop Japan’s local guidance for MAHs, titled “Security in Healthcare Intelligence, Electronics, Legacy system, and Digital transformation for Medical Devices (SHIELD for Medical Device).” SHIELD for Medical Device helps implement the IMDRF guidance in Japan and supports a robust medical system. This guidance will contribute to Japan’s Medical Device Cybersecurity regulation via collaborations with regulatory agencies in the future. JFMDA is also planning wider collaborations with the other governmental agencies that are related to healthcare institutions and cybersecurity. Special thanks to Mr. Nakazato (a member of the Medical Device Cybersecurity WG Japan) for information regarding the JFMDA’s cybersecurity activities.
MHLW published an additional notification titled “Guidance on Ensuring Cyber Security of Medical Devices” [2] on July 24, 2018. This guidance positions itself as a complementary document to the notification “Ensuring Cyber Security of Medical Devices.” [1] The purpose of this guidance is to provide more pragmatic instructions for MAHs to address their cybersecurity activities at both the premarket design and development phases and the post-market phase. With reference to this guidance, MAHs can confirm compliance with the safety and effectiveness standards for medical devices, which in turn reduces risks to patients. The guidance consists of the following main sections:
- Identification of the medical devices and use environments to be considered
  - Medical devices subject to this guidance
  - Identification of use environments of the medical devices
  - Network connections, etc. of the medical devices: consideration of cybersecurity risks in network functions (wired and wireless), USB ports, etc.
- Addressing cybersecurity
  - Implementation and verification in risk management by establishing baselines in consideration of the indications for use, users and use environments, etc. of the medical devices
  - Collaboration with healthcare providers when necessary, and support from MAHs via maintenance contracts, etc.
- Ensuring post-market safety
  - Cybersecurity-related information should also be handled by MAHs as part of safety information under the proper ordinances, via collaboration among distributors, service/maintenance providers, healthcare providers, etc., to ensure post-market safety.
  - MAHs are to instruct the distributors of used medical devices, according to “Enforcement regulations of Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices (Article 170),” [3] to address their cybersecurity appropriately.
- Provision of information to users
  - Notes and descriptions in package inserts
  - Technical documentation, etc.
- Other considerations (countermeasures appropriate for the post-market phase of the medical device life cycle, point of contact for cybersecurity, etc.)
To provide general principles and best practices for medical device cybersecurity and to facilitate international alignment among regulatory agencies, “Principles and Practices for Medical Device Cybersecurity” [4] (hereinafter referred to as the IMDRF guidance) was published by the IMDRF in April 2020.
Soon after publication of the IMDRF guidance, MHLW published a further notification (a request for circulation of the IMDRF guidance), “Publication of Guidance on the Principles and Practices for Medical Device Cybersecurity by the International Medical Devices Regulators forum (IMDRF),” [5] on May 13, 2020, with a complete translation into Japanese.
UL and cybersecurity
Japan’s steps to address and publish on cyber threats to healthcare systems reflect a proactive approach to connected technology safety. UL offers a suite of cybersecurity solutions to help verify requirement compliance and to validate products and systems. These services help offer protection against risks that may result in unintended or unauthorized access, change or disruption.
We can perform tests and issue solution-oriented reports, including:
- Fuzz, patch and malware testing
- Informative, summative and other testing reports
- Testing certification
- Gap assessments
- Product testing
References
1. Ministry of Health, Labour and Welfare. Ensuring Cyber Security of Medical Devices (April 28, 2015)
2. Ministry of Health, Labour and Welfare. Ensuring Cyber Security of Medical Devices (July 24, 2018)
3. Ministry of Health, Labour and Welfare. Enforcement regulations of Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices, Article 170
4. International Medical Device Regulators Forum. Principles and Practices for Medical Device Cybersecurity (posted April 20, 2020)
5. Ministry of Health, Labour and Welfare. Publication of Guidance on the Principles and Practices for Medical Device Cybersecurity by the International Medical Devices Regulators forum (IMDRF) (May 13, 2020)
6. Ministry of Health, Labour and Welfare. Pharmaceuticals and Medical Devices Safety Information No. 373 (June 16, 2020)