New cybersecurity guidelines for medical devices

The China Food and Drug Administration (CFDA) has issued guidelines aimed at implementing China’s new Cybersecurity Law (CSL) in the administration of medical devices. The development is a clear signal that Chinese regulators intend to enhance cybersecurity protection in the healthcare sector.

From 1 January 2018, medical device companies will be required to register their networked medical devices with the CFDA and be assessed for their cybersecurity protection status under the Principles on Guiding Technology Examination of Medical Device Cybersecurity Registration (CFDA guidelines).

MAJOR IMPLICATIONS

Cybersecurity threats represent a risk to the safe and effective operation of networked medical devices. A data breach may lead to infringement of patients’ personal privacy while a network attack can cause the malfunction of a device resulting in the injury or death of patients. Medical device companies are therefore expected to pay attention to these issues throughout the product life cycle to ensure proper cybersecurity protection for their networked products.

When applying to register networked medical devices with the CFDA, the CFDA guidelines require applicant companies to conduct a self-assessment of the relevant cybersecurity protection standards or measures. Applicants need to be aware that while the CFDA guidelines do not express the cybersecurity protection standards as mandatory obligations, failure to meet the requirements may delay product registrations. In practical terms, this can have an impact on the success and timing of the roll-out of new products.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at: danian.zhang@bakermckenzie.com