Cybersecurity Requirements for Medical Devices in China

Cybersecurity is a critical component of the designing, developing, and deploying medical devices. As cyberattacks can manipulate or destroy personal and sensitive patient data, Regulatory Agencies worldwide are now strengthening the Regulatory requirements to ensure medical device cybersecurity.

China has in place regulations for medical device cybersecurity that are designed to ensure the safety and privacy of patient information. The regulations apply to both domestic and foreign manufacturers of medical devices sold in China.

The main Regulatory body responsible for medical device cybersecurity in China is the National Medical Products Administration (NMPA). In addition to the NMPA, the Cybersecurity Administration of China (CAC) regulates medical device cybersecurity.

In 2018, the NMPA released new regulations requiring medical device manufacturers to comply with cybersecurity requirements when developing and registering medical devices. These include:

• Secure data storage and transmission: Medical devices must ensure the secure storage and transmission of patient data to protect it from any unauthorized access, modification, or deletion.
• Access control: Medical devices must have appropriate access controls in place to limit access to sensitive data and functions only to authorized users.
• Encryption: Medical devices must use encryption technologies to protect sensitive data from interception and unauthorized access.
• Patch management: Medical device manufacturers must implement regular patch management procedures to address known security vulnerabilities in their devices.
• Incident response: Medical device manufacturers must have incident response plans in place to respond to cybersecurity incidents, including procedures for reporting incidents to Regulatory authorities and notifying affected patients and healthcare providers.
• Compliance documentation: Medical device manufacturers must document compliance with cybersecurity requirements and provide the documentation to Regulatory authorities during the device registration process.

In 2020, the NMPA released the ‘Guidelines for the Security Assessment of Medical Devices,’ which outlines the requirements for cybersecurity assessments of medical devices before they are approved for sale in China. The guidelines require manufacturers to conduct a cybersecurity risk assessment and provide evidence that their devices are secure and comply with Chinese cybersecurity laws and regulations.

The guidelines also require manufacturers to implement appropriate security controls and provide ongoing security updates and patches to their devices. Additionally, the NMPA may conduct audits and inspections to ensure the manufacturer’s compliance with cybersecurity regulations.

Overall, the regulations with respect to medical device cybersecurity in China aimed at ensuring the safe and secure use of medical devices, also protecting the privacy and security of patient data. It’s worth noting that cybersecurity regulations for medical devices in China are still evolving; thus, manufacturers need to stay updated with any changes or new requirements. As with any country, it is crucial for manufacturers to work closely with regulators to ensure that their devices are compliant and secure.

To decode more about cybersecurity requirements for medical devices in China, reach out to our Regulatory expert now! Stay informed. Stay compliant.