
May 17, 2025


Software Medical Devices and Cybersecurity in Hong Kong: A Guide to TR-007

Infographic: Software Medical Devices & Cybersecurity in Hong Kong – Guide to TR-007 (MDACS). Covers TR-007 overview, types (SaMD standalone, SiMD in hardware), cybersecurity requirements (risk management, updates, monitoring), responsibilities (manufacturers/LRP), and patient safety benefits.

Safeguarding Digital Health: Software Medical Devices and Cybersecurity in Hong Kong – Our Insights

From our perspective, the rapid growth of digital health has put software at the very heart of medical innovation. In Hong Kong, the Medical Device Administrative Control System (MDACS) clearly recognizes the unique regulatory challenges and safety concerns that software brings. Technical Reference TR-007, specifically titled "Software Medical Devices and Cybersecurity," provides essential guidance for manufacturers and Local Responsible Persons (LRPs) on how to classify, develop, and secure software that acts as a medical device.

To our understanding, TR-007 aims to make sure that software medical devices are safe, work exactly as they're supposed to, and are well-protected against cyber threats. The document reflects global best practices in a constantly evolving field and is central to medical device cybersecurity in Hong Kong.


What are Software Medical Devices? Understanding SaMD and SiMD

TR-007 clearly explains the difference between two main types of software we see in the medical world. Have you ever wondered if a health app on your phone counts as a medical device? Let's clarify!

  1. Software as a Medical Device (SaMD):

    • This is software that fits the definition of a medical device and is designed to be used for one or more medical purposes without being built into a piece of hardware medical equipment.
    • According to our experience, SaMD performs its medical function all by itself. Common examples include software for analyzing medical images (like X-rays), programs that help plan treatments, or even mobile apps that give medical diagnoses based on user input. This is a growing area of digital health in Hong Kong.
  2. Software in a Medical Device (SiMD):

    • This is software that's an essential part of a hardware medical device. It's needed for that piece of equipment to do its intended medical job.
    • What's the key difference? SiMD can't work as a medical device on its own if it's separated from the hardware. Think of the operating software built inside an MRI scanner or the program that controls an infusion pump – these are prime examples.

How Are Software Medical Devices Classified?

The way SaMD and SiMD are classified under MDACS follows the same risk-based principles as other medical devices (you can find details in TR-003 for general devices and TR-006 for IVDMDs). The risk class depends on factors like what the software is intended to be used for, how important the information it provides is for diagnosis or treatment, and the potential impact on a patient's health if the information is wrong. TR-007 provides specific considerations and helpful flowcharts to guide you in correctly classifying your software, which is a critical step for software medical device regulation in Hong Kong.


Cybersecurity: Why It's Absolutely Crucial for Medical Devices

Why is cybersecurity such a big deal for software medical devices? Because they can be vulnerable to unauthorized access, tampering, or even being shut down, any of which could directly affect patient safety and the privacy of sensitive health data. TR-007 strongly emphasizes that manufacturers must build cybersecurity measures into every single stage of a software medical device's lifecycle. Key cybersecurity requirements, as we understand them, include:

  1. Risk Management:
    • Manufacturers absolutely must perform thorough cybersecurity risk assessments. This means identifying any known weaknesses and potential threats.
    • This includes making sure patient data stays intact, confidential, and always available when needed.
  2. Secure Design and Development:
    • Implementing safe coding practices and designing the software's architecture in a way that minimizes vulnerabilities.
    • Addressing threats like unwanted access, data tampering, and malicious software.
    • According to our experience, thinking about how users will log in (e.g., strong passwords, multi-factor authentication) from the start is vital.
  3. Vulnerability Management:
    • Setting up a system to manage how vulnerabilities are reported and actively keeping an eye out for new threats.
    • Developing clear procedures for applying timely software patches and updates to fix any identified weaknesses.
  4. Post-Market Surveillance and Monitoring:
    • Proactively monitoring the device's cybersecurity status once it's being used by patients or in clinics.
    • Putting in place ways to detect anything unusual or inconsistent in how the device operates or its data.
    • For software that uses Artificial Intelligence (AI) or Machine Learning (ML), it's important to address potential "concept drift" (where the real-world data or clinical patterns shift away from what the model was trained on, so its outputs degrade over time) and ensure data integrity. This is a complex but growing area for AI medical devices in Hong Kong.
  5. Documentation:
    • Providing clear, comprehensive documentation of all the cybersecurity measures you've put in place. This includes cybersecurity plans, risk analyses, and verification reports showing that the security controls actually work.
    • To our understanding, this documentation becomes part of your STED dossier (TR-002) when you submit for listing.
  6. Software Version Control and Traceability:
    • Making sure that the software versions you describe in your pre-market submissions clearly match the versions you actually sell.
    • Establishing strong processes for managing frequent software updates, including having options to revert to older versions if needed.

Manufacturer's and LRP's Responsibilities: Who Does What?

Manufacturers are ultimately responsible for making sure their software medical devices meet all the necessary basic principles and cybersecurity requirements. The Local Responsible Person (LRP) plays a crucial role in making sure this compliance is met, especially for foreign manufacturers. Based on our knowledge, the LRP must ensure that all the technical documentation accurately reflects strong cybersecurity practices, and that any cybersecurity issues that arise after the product is on the market are quickly resolved and reported to the Medical Device Division (MDD). This continuous vigilance is vital for medical device regulatory compliance.

TR-007, in our opinion, serves as an indispensable guide. It helps ensure that we can fully enjoy the benefits of exciting software innovations in healthcare without ever compromising patient safety or the security of their sensitive data in Hong Kong.


Questions & Answers (3)

Guest

We already have an older software listing number, but we plan to release a major version update (including significant algorithm changes) in February 2026. Given that the Stage C procurement milestone expires on 23 March, should we apply for a "Change Application" or re-register? If the update is not approved before the deadline, can existing Hospital Authority (HA) users continue to use the old version?

ElendiLabs

An algorithm change counts as a "significant change" and must be applied for via the GN-10 route.
    • Timing strategy: Given the MDD's processing backlog in early 2026, we recommend submitting the change application immediately. Until approval, the existing HKMD number remains valid in the system, but only for the old version.
    • Stage C risk: To take part in new tenders after March, the change to the new version must already have been recorded by the MDD and updated on the MDIS certificate; otherwise it will be treated as non-compliant.

Guest

We have a cloud-based AI imaging-assisted diagnostic software that has received US FDA 510(k) clearance. Under the 2025 revision of TR-007, since it involves AI algorithms and runs in the cloud, will its cybersecurity risk automatically raise its classification from Class II to Class III? At submission, how should we handle the compliance overlap between TR-007 and TR-008?

ElendiLabs

Classification is based primarily on clinical intended use rather than technical architecture. However, TR-007 explicitly states that if a cybersecurity vulnerability could lead to an incorrect diagnostic conclusion and endanger life, classification tends to be stricter.
    • Handling the overlap: You will need to submit a single consolidated technical file. Under the TR-008 framework, focus on the algorithm's transparency and the local relevance of the datasets (Training/Validation/Test); under TR-007, focus on the encryption of cloud data transmission (AES-256) and the authentication mechanism. The 2026 MDIS system requires both the "AI-driven" and "cybersecurity-related" flags to be ticked.

Guest

Our SaMD data is stored on AWS's Singapore node. In the 2026 registration review, does the Department of Health's Medical Device Division (MDD) require that data be physically stored within Hong Kong? For cross-border transfers of medical data, does the LRP need to file with the Office of the Privacy Commissioner for Personal Data (PCPD)?

ElendiLabs

Hong Kong currently does not mandate local data storage, but the six data protection principles of the PDPO must be strictly followed.
    • Compliance requirement: We recommend demonstrating in the technical file that "all practicable steps" have been taken to protect the data (DPP 4). This includes signing a data processing agreement (DPA) with the cloud provider that complies with Hong Kong law.
    • Filing recommendation: Although filing with the PCPD is not mandatory, the LRP is advised to hold a Privacy Impact Assessment (PIA) report, ready for spot checks during the MDD's strengthened on-site audits in 2026.
