Is your medical device hacker proof?

CFDA essential guidance on cybersecurity for medical devices


Following the rapid development of the ICT sector, medical devices increasingly use networks and the internet to exchange health information electronically or to allow remote control of the device.  On one hand, this raises hopes of better healthcare quality and efficiency; on the other hand it raises concerns about the cybersecurity of medical devices.  A cybersecurity compromise can in turn compromise the confidentiality, integrity and availability of the data and, ultimately, the safety and performance of the device, which may lead to patient harm.

Recognizing the importance of cybersecurity, CFDA published a technical guidance on cybersecurity in medical devices on 24 January 2017. It takes effect on 1 January 2018.  The new guidance builds on several international standards and guidance documents, such as IEC 80001-1:2010, the IEC/TR 80001-2 series and the FDA guidance on management of cybersecurity in medical devices.


This technical guidance applies to the registration of Class II and Class III medical devices that can:

  • exchange data electronically or be controlled remotely via a network medium (e.g. a wireless or hard-wired network); OR
  • exchange data electronically via a storage medium (e.g. CD or USB).

It is a supplementary document to the CFDA Technical guidance for registration of medical device software, which was published in August 2015.

Main requirement:

The manufacturer of such medical devices is required to address cybersecurity over the whole product life cycle, including design and development, production, distribution, deployment and maintenance.  Moreover, in line with the FDA guidance on cybersecurity, CFDA recommends a risk management approach to medical device cybersecurity that closely resembles the steps the FDA specified earlier:

  • Identification of assets, threats, and vulnerabilities;
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
  • Assessment of the likelihood of a threat and of a vulnerability being exploited;
  • Determination of risk levels and suitable mitigation strategies;
  • Assessment of residual risk and risk acceptance criteria*

*source: FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, October 2, 2014.

Implications for product registration:

A Cybersecurity Description document is required among the other mandated submission files for software registration. This particular documentation needs to address:

  1. descriptive information on the cybersecurity characteristics of the medical device (e.g. type of data, data transmission mode, security software etc.);
  2. a specific risk analysis report on cybersecurity management;
  3. verification and validation reports proving that the cybersecurity requirements (e.g. confidentiality, integrity, availability etc.) have been fulfilled; and
  4. the maintenance plan for providing cybersecurity updates.

Furthermore, the Instructions for Use (IFU) should also address cybersecurity-related information, such as the required software environment, the use of a firewall, user access control etc.

Want to know more about Qserve or how Qserve can help you bring your devices to the Chinese market? Contact us.

Xiaoli, Jane and Gert

More information about the writers:

Gert W. Bos, PhD, Fraps
Post date: April 01, 2017