Hong Kong MDD Issues New Technical Reference Document for SaMD, SiMD and Cybersecurity

Technical Document Requirements 

Technical document requirements are similar to non-software medical devices with the exception of more obvious documents such as biocompatibility, manufacturing process, and other items related to physical device production. 

Document requirements expected by the MDD, as part of the MDACS listing application, include: 

1. A quality management system (QMS) – ISO 13485 is considered the standard but the MDD will accept equivalent QMS such as 21 CFR Part 820 (USFDA), or Medical Device Single Audit Program (MDSAP) 
2. Essential Principles (Technical Reference TR-004) 
   1. International standards such as “Medical Device Administrative Control System Essential Principles Conformity Checklist” (MD-CCL or IVDMD-CCL) or Essential Requirements / General Safety and Performance Requirements Checklist in accordance with relevant European Union (EU) Medical Device directives or regulations are acceptable.  
3. Labeling must meet the requirements outlined in Technical Reference TR-005: Additional Medical Device Labelling Requirements and Special Listing Information (as specified in Clause 4.4.13 of Guidance Notes GN-01 Guidance Notes for Overview of the Medical Device Administrative Control System). 
4. Risk Management requirements follow the international standard ISO 14971 Medical Devices — Application of Risk Management to Medical Devices in addition to the Hong Kong specific cybersecurity requirements outlined in Clause 5.5.3 of the new TR-007 guidance. 
5. Clinical Evaluation establishes the acceptability of risks and side effects when weighed against the intended benefits of the device and should follow the international standard ISO 14155 Clinical investigation of medical devices for human subjects – Good Clinical Practice. 
6. Marketing approvals from reference countries including the US, Canada, Europe, Japan, Australia, Mainland China, and/or South Korea. Note: Products approved by 2 or more reference markets will be reviewed quicker. 
7. Software Verification and Validation. Manufacturers are encouraged to refer to the international standard IEC 62304 Medical device software – Software life cycle processes. 
8. Software Versioning and Traceability. Manufacturers should have clear processes for tracking versions of their software and will need to work with their Local Responsible Person (LRP) to submit change applications for new versions in accordance with Guidance Notes GN-10 (Guidance Notes for Changes of Listed Medical Device). 
9. Cybersecurity Management. Manufacturers will need to demonstrate that they identified potential threats and implemented appropriate measures to mitigate risks.

Cybersecurity Management

Cybersecurity management refers to manufacturers considering the potential cybersecurity threats medical devices face when connected to the internet and potential risks posed to patient data or the product’s functionality. Applicants can refer to ISO 27032 Cybersecurity – Guidelines for Internet Security and ISO/IEC 27001 Information security, cybersecurity and privacy protection. Information security management systems for best practices. Primary considerations include: 

1. General items such as administrative protocols, application of standards, provision of user data, etc. 
2. Technical aspects such as penetration testing, operating platform security, etc.  
3. Environmental functionality such as connecting to networks and uploading/downloading data. 
4. Physical considerations such as mechanical locks on devices, physically securing networks, and waste management. 
5. Social concerns such as minimizing social engineering threats (e.g. phishing, impersonation, baiting, tailgating). 

More information on the cybersecurity management requirements and guidance can be found in sections 5.5.3 to 5.5.7 of TR-007: Software Medical Devices and Cybersecurity.