Cyber Security Handbook and IEC 81001-5-1
There are two regulatory requirements for cybersecurity response in Japan:
the “Guide to Implementing Cybersecurity for Medical Devices” and “IEC 81001-5-1 Safety, Effectiveness and Security of Health Software and Health IT Systems – Part 5-1: Security – Product Lifecycle Activities”.
While their content is similar, some differences exist.
They are dual standards, so to speak. What kind of response is required?
Guide to Implementing Medical Device Cybersecurity
On March 18, 2020, the IMDRF issued Principles and Practices for Medical Device Cybersecurity.
In response, in May 2020 the Ministry of Health, Labour and Welfare (MHLW) issued a public awareness request entitled “International Medical Device Regulators Forum (IMDRF) Guidance on Principles and Practices for Medical Device Cybersecurity”.
The content of that document was a translation of the IMDRF guidance. This was likely an urgent stopgap until Japan could issue its own guidance on cybersecurity.
On December 24, 2021, the Guidance on Implementing Cybersecurity for Medical Devices was issued. This added Japan-specific requirements to the IMDRF guidance. In other words, compliance with this guide also covers the IMDRF guidance.
The positioning of this guide is to “establish a system that enables confirmation of cybersecurity compliance of medical devices in licensing, etc.”.
In other words, the implication is that a company is required to establish a cybersecurity response system and procedures in accordance with this guide, and that these will be examined during inspections.
In addition, because the IMDRF subsequently issued supplemental guidance, the “Guidance on Implementing Cybersecurity for Medical Devices (Second Edition)” was issued on March 31, 2023, incorporating the contents of that supplemental guidance.
IEC 81001-5-1:2021
Separately, a third clause was added to Article 12 of the Basic Requirements Standard for Medical Devices, “Considerations for Programmed Medical Devices,” making cybersecurity measures mandatory.
Here, compliance with IEC 81001-5-1:2021 (JIS T 81001-5-1:2023) is required.
This requirement took effect on April 1, 2023, but a one-year transitional period was established.
Inclusion in the Basic Requirements Standard means that unless medical device software is developed in compliance with IEC 81001-5-1, it will not be certified or approved when a certification or approval application is filed.
In other words, IEC 81001-5-1 must be complied with in order to apply for certification or approval.
Which should it conform to?
There is currently no information available that clearly distinguishes the roles of the “Guide for the Implementation of Cyber Security for Medical Devices” and “IEC 81001-5-1”.
It is therefore necessary to create a system and written procedures that satisfy both. Doing so requires a deep understanding of both documents, a gap analysis between them, and a decision on the company’s own policies and procedures.