North America

January 16, 2019

Life Sciences Bulletin

Health Canada recently released two significant forward-looking documents on the regulation of medical devices:

Action Plan on Medical Devices: Continuously Improving Safety, Effectiveness and Quality (Action Plan); and

Draft Guidance Document: Pre-market Requirements for Medical Device Cybersecurity (Cybersecurity Guidance)

These publications are expected to inform changes to Canada’s medical device regulatory regime to expand Health Canada’s device licensing and monitoring oversight activities as well as to encourage manufacturers to address emerging security vulnerabilities in networked devices.

Action plan

The Action Plan provides a three-part strategy to address perceived gaps in Health Canada’s oversight of medical devices, with particular emphasis on (A.) investigational testing prior to device licensing and expanding scientific expertise, (B.) monitoring of licensed devices through increased reporting of device incidents, and (C.) providing more clinical and device incident data to the public. Each part of the strategy is summarised below:

A. Investigational Testing and Scientific Expertise: Currently, only device manufacturers are permitted to apply for an investigational testing authorization involving unlicensed devices. The proposed changes will allow independent researchers and health care professionals to file an application for investigational testing, with the aim of expanding the scope of Canadian research and generating more safety testing data. In this regard, Health Canada has indicated that it will be publishing a Notice of Intent (presumably to amend the Medical Devices Regulations) in June 2019 and a subsequent report of its consultation findings in September 2019.

Moreover, Health Canada will form a new scientific advisory committee of experts on women’s health issues, and has formed a new division to review devices involving digital health technologies. Health Canada will also consider strengthening safety evidence requirements for higher-risk devices that seek approval on the basis of previously authorized versions.

B. Monitoring and Reporting: In an effort to address under-reporting of device incidents (which is currently mandatory for device manufacturers but optional for other health care stakeholders), amended regulations developed under the Protecting Canadians from Unsafe Drugs Act (aka Vanessa’s Law*) will require hospitals to report incidents to Health Canada. The regulations are expected to be published in June 2019. Health Canada will also endeavour to improve reporting from other health care facilities by expanding the existing Canadian Medical Devices Sentinel Network (CMDSNet) of reporting health care organizations, and through a program to promote incident reporting by health care practitioners.

The regulations being developed under Vanessa’s Law will also increase the scope of information that device manufacturers will be required to provide to Health Canada in respect of device incidents. Health Canada will be granted new powers to compel manufacturers to reassess their products in light of information issued by other regulatory agencies, and manufacturers will be required to inform Health Canada within 72 hours of warnings issued by certain foreign regulatory agencies. Health Canada is also developing a framework to expand the use of real-world evidence to monitor the safety and effectiveness of devices post-market.

Moreover, Health Canada has indicated that it will be enhancing its inspection and enforcement activities by hiring additional inspectors and increasing the number of foreign inspections and compliance promotion activities, starting in March 2019.

C. Publish Device Clinical and Incident Data: Health Canada will adopt new regulations to publicly release clinical data on devices in an effort to encourage independent analysis that could offer new safety insights. A public internet database of such information will reportedly launch after the regulations are published in June 2019.

With respect to device incident data, Health Canada has committed to publishing its approval decisions for higher risk (i.e. Class III and Class IV) devices, launching a public internet database of device incident reports in December 2019, and improving the existing device inspection database.

Cybersecurity Guidance

The draft Cybersecurity Guidance acknowledges that medical devices have evolved from analogue pieces of hardware to interconnected networked devices. This evolution has resulted in benefits for patients and health care providers, but has also created new vulnerabilities that could negatively affect device safety and effectiveness. Accordingly, the Cybersecurity Guidance provides manufacturers with advice on improving device security and outlines information that should be submitted in a device licensing application to demonstrate that it is sufficiently secure.

The Cybersecurity Guidance specifically applies to devices of all risk classes that consist of or contain software. Manufacturers of software devices of all risk classes will be required to implement a cybersecurity strategy that addresses (A.) secure design, (B.) risk management, (C.) verification and validation testing, and (D.) planning for continued monitoring of and response to threats. For manufacturers of Class III and Class IV devices, information on each of these elements will be required to be submitted in a licensing application in addition to the general data elements that are required to be submitted under the Medical Devices Regulations. Each element is summarized below:

A. Secure Design: Manufacturers should consider cybersecurity throughout product development by identifying cybersecurity risks and controls when making design decisions and developing designs that maximize security without compromising device safety. Health Canada specifically encourages manufacturers to consider design controls in the areas of secure communications, data security, user access, software maintenance, hardware design, and reliability and availability.

B. Risk Management: Manufacturers are directed to incorporate sound risk management principles into all stages of the device life cycle. Health Canada suggests adopting the safety risk management principles outlined in ISO 14971-07:2007 Medical devices – Application of risk management, and applying these principles to manage cybersecurity risks. Manufacturers are encouraged to implement device-specific cybersecurity risk management processes in parallel to their existing safety risk management processes, to address the fact that some cybersecurity risks may not be associated with a safety risk. The Cybersecurity Guidance also provides a list of recommended cybersecurity standards to be used when developing cybersecurity risk management processes.

C. Verification and Validation Testing: Cybersecurity risk control measures should be validated against and traceable to design specifications. In this regard, the Cybersecurity Guidance provides recommended standards for cybersecurity testing, and Health Canada specifically encourages manufacturers to conduct vulnerabilities and exploits testing and software weakness testing.

D. Monitoring and Response to Threats: Manufacturers should proactively monitor, identify, and address device vulnerabilities post- market, and must demonstrate their commitment to same in their license applications for Class III and Class IV devices.

Finally, the Cybersecurity Guidance outlines the specific cybersecurity information that must be provided in license applications for Class III and Class IV devices in addition to the general data elements. The data elements for which cybersecurity information must be provided are (i) device labels, package labels, and documentation, including a list of open source software components, version and build numbers, and user instructions on how to mitigate and respond to cybersecurity risks; (ii) marketing history, including a summary of reported cybersecurity problems and recalls; (iii) risk assessment, including an analysis and evaluation of cybersecurity risks and adopted risk mitigation measures; (iv) device-specific quality plan for Class IV devices, demonstrating that the quality standards for the device include a cybersecurity framework; and (v) safety and effectiveness, including details of any cybersecurity studies relied upon, a list of applied cybersecurity standards, cybersecurity testing evidence, a cybersecurity-design traceability matrix, and a device maintenance plan.

Health Canada recommends that device manufacturers use the Framework for Improving Critical Infrastructure Cybersecurity (NIST, Version 1.1, April 2018) to guide their cybersecurity activities, whether by improving existing processes or developing best practices.

The Cybersecurity Guidance is currently open for comment until February 5, 2019.

The Action Plan and Cybersecurity Guidance foreshadow significant near-term changes to Canada’s medical device regulatory regime. Device manufacturers would be well advised to review their monitoring, reporting, and cybersecurity policies and procedures, as well as their product development pipeline, to identify and develop plans to address any newly anticipated compliance obligations. Fasken will continue to monitor and report on new developments as the draft regulations referenced in the Action Plan are published and the Cybersecurity Guidance is finalised.

* For more information on Vanessa’s law, please see our bulletins on enactment of the statute and associated regulations, and consultations on proposed changes to the Medical Devices Regulations.

Authors

Mark Vanderveken
Associate
Toronto, ON
Timothy M Squire
Partner
Toronto, ON

© 2017 Fasken Martineau DuMoulin LLP The content of this website may contain attorney advertising under the laws of various states.

Related Articles by Firm
New transparency registry for all private BC companies in the offing
If the bill comes into force it will have far reaching compliance consequences for all private BC companies.
Privacy Commissioner of Canada reverses position on transfers of personal information for processing
The Commissioner has made a surprising reversal of its long-standing position on the transfer of personal information.
Changes are coming!
Five factors to consider when reviewing your Canadian trademark strategy in 2019.
The Canadian gig economy: Embracing the future of work
Instead of quashing models that have the potential to empower the workforce, better protections for gig workers are needed.
A closer look at Canada’s budget
Fasken’s team examines important budget 2019 measures — some which made headlines, and others that should not escape notice.
Selected tax measures in Canada's 2019 federal budget
The budget contains significant proposals to amend income and excise taxes, while also providing updates on previously announced tax measures and policies.
OSFI issues advisory on technology and cyber security incident reporting
The Advisory reflects the fact that OSFI is very focused on this increasingly significant area of risk.
USMCA impact on communications industries
How the US-Mexico-Canada Agreement affects telecommunications, broadcasting and digital trade.
Surprise changes seek to modernise Canadian trademarks law and practice
This bulletin looks at key proposed changes to trademark law in Canada.
Time limits for retaining information about employees
Retention of personal information carries various obligations, particularly in terms of access to the information and confidentiality.
Further hurdles for regulatory approval of notifiable mergers in South Africa
On July 12, the Competition Amendment Bill was introduced in Parliament, substantially revising the earlier version of the Bill.
Hitting the sweet spot: Regulation of sweetened alcoholic beverages
Health Canada issued a notice of intent to restrict the amount of alcohol in highly sweetened alcoholic beverages.
Significant changes proposed to Canada’s AML/ATF regime
The Proposed Regulations are wide ranging and include a number of substantive changes as well as technical amendments.
Canada: Privacy commissioner issues key guidelines for consent and inappropriate data practices
Important guidance documents issued in respect of activities regulated pursuant to the Personal Information Protection and Electronic Documents Act ...
Cybersecurity risks for directors and officers
The cybersecurity field is ripe for affected stakeholders to test claims that directors and officers have failed to discharge their duties.
Cybersecurity Risks for Directors and Officers
Directors and officers in Canada face increased risk of personal liability and threats to job security in relation to cybersecurity...
Proposed changes to Canada's anti-money laundering and anti-terrorist financing regime
A consultation paper released in February could potentially have broad implications for Canada's AML/ATF regime.
Bill 148 Update: Scheduling and the three-hour rule
The Fair Workplaces, Better Jobs Act, 2017 makes significant changes to the Employment Standards Act, 2000.
Does your non-competition clause really protect you?
Or does it merely offer the illusion of protection? What you need to know about the validity and enforceability of a non-competition clause.
Canada: Selected Tax Measures in the Federal Budget 2018
Canada's 2018 Federal Budget contains significant proposals to amend the Income Tax Act and the Excise Tax Act while also providing updates on previously announced tax measures and policies ...
Expect the Intersection of Privacy and AI in 2018
We must consider how to regulate, or at least control, the use of artificial intelligence at different levels ...
Energy Licences and Approvals in Canada
Update on Directive 067: Eligibility Requirements for Acquiring and Holding Energy Licences and Approvals ...
Canada to Revise Tax Voluntary Disclosures Program
Effective March 1, 2018: New Regime will Result in Limited Relief for Certain Taxpayers Disclosing Errors and Omissions ...
Canada: New CASL Ruling
CRTC Provides Guidance on B2B Messaging and the Due Diligence Defence ...
Corporate Parent Liability: Litigation Risks for Resource Companies
Traditionally, parent companies have been considered legally distinct entities and thus immune from the actions of their subsidiaries, a concept described as the “corporate veil”. This position is now being challenged ...
Canada: No Duty to Consult Triggered by Omnibus Changes to Environmental Laws
In Canada (Governor General In Council) v. Courtoreille, 2016 FCA 311, the Federal Court of Appeal found that the federal government did not owe a duty to consult when it developed and implemented changes to environmental legislation through two omnibus bills ...
The Global Reach of Canadian Privacy Law
Federal Court Issues Landmark Ruling in Globe24h ...
Temporary Foreign Workers in Canada: Employer Compliance Rules
The regulations that govern applications for work permits provide a very strict framework for employers who hire temporary foreign workers in Canada ...
Canada is Open for Business
Trump and the Changing Political Landscape in the US ...
Primer on Procurement Rules in the New Canadian FTA
Fasken Martineau Releases Primer on Procurement Rules in the New Canadian Free Trade Agreement ...
Canada: Donald Trump, Paris and the Climate Policy Two­-Step
Will the U.S. withdrawal from the Paris Agreement fundamentally alter Canada's course?
China’s Priorities for a Free Trade Agreement with Canada
Analysis of Chinese language commentary, news media and academic studies, reveal some of China's top priorities for a free trade agreement with Canada ...
Canada: New Authorities under Vanessa's Law
On June 18, 2016, the Federal Department of Health published a Notice of Intent to amend the Food and Drug Regulations and the Medical Devices Regulations to implement key authorities under Vanessa's Law...
Canada: Consultation on New Health Regs for Self-Care Products
Health Canada is seeking consultation on new standards for self-care products, over-the-counter drugs, natural health products and cosmetics ...
Private right of action under Canada’s Anti-Spam Law
As of July 1, 2017, individuals and organizations will be entitled to institute a "private right of action" before the courts against those that contravene certain provisions of Canada's Anti-Spam Law ...
New Federal Consumer Protection Regime for Bank Customers
Canada: The government has introduced a bill which proposes to create a comprehensive federal consumer code and strengthen federal jurisdiction over provincial jurisdiction with respect to products and services of banks.
Canada: Alberta's Renewable Electricity Program
Alberta released details of the Renewable Electricity Program to accelerate the development of renewable power generation through a competitive bid process.
Certainly Uncertain: Construction Trusts after Iona in Canada
A recent decision clarifies the law regarding provincial statutory trusts in the insolvency context, particularly in the construction sector.
The Fight against Climate Change and the Overhaul of Canada's Environment Quality Act
A bill allows government to require a "climate test" from a project proponent.
Health Canada Is Cracking The Whip On Advertising Violations
On January 21, 2016, various hospitals, natural health product manufacturers, physicians and pharmaceutical companies found themselves specifically named by Health Canada in a published list of health product advertising complaints ...
Canada: New Strategic Plan for the Patented Medicines Prices Review Board
The Strategic Plan comprises a fresh vision, a revised mission statement and four new strategic objectives ...
Transport Canada Promises New Drone Regulations
Increase in popularity has had a direct effect on risks involved for the safe use of regular aircraft ...
N. America: Northern Gateway Pipeline
Province must consult and decide but may impose conditions
Canada: Tinkering with Title - Don’t Get Caught by Surprise
The Mining Amendment Act 2015 proposes a new electronic mining lands administration system in Ontario.
New Lobbyists’ Code Will Restrict Dealings with Canada’s Federal Government and Agencies
Canada's new Lobbyists' Code of Conduct will significantly restrict the activities of lobbyists and others seeking to influence federal decision making.
Righting a Wrong: Canadian Regulators Improve the Rights Offering Regime
Canadian regulatory authorities recently overhauled how prospectus exempt rights offerings are to be conducted going forward.
A change of role for a legal representative under the new Clinical Trials Regulation 536/2014?
The roles and responsibilities of the legal representative set out under Clinical Trials Directive 2001/20/EC are likely to change under the new Clinical Trials Regulation 536/2014.
Historic Court of Appeal Decision in Dunkin' Brands: Three Lessons for Franchisors in Canada
The Quebec Court of Appeal has specified the intensity of the franchisor's implied obligations in what is the most significant franchise case in Québec since 1998.
New Compliance Form and Fee for Employers of Foreign Work Permit Applicants in Canada
Employers whose foreign employees must apply for a work permit or extension should be aware of a new Compliance Form and Compliance Fee that they must submit before the person applies for the work permit in Canada.
Use of Trademarks As Metadata & #Hashtags in Canada
A recent decision of the Federal Court of Canada provides guidance on the proper use of IP in this digital world that brand owners need to know now.
Claims that Involve a Fixed Dosage and Schedule Can Constitute Patentable Subject Matter
The Canadian Intellectual Property Office has issued a revised guidance which provides clear instructions on how to approach medical use claims and determine whether such claims are eligible for patent protection.
The Application of the Bhasin Principle of Good Faith in Canada: An Early Example
A recent decision from the Supreme Court of British Columbia provides an early example of how courts will apply the general principle of good faith in Canada.
The TPP Agreement: A Canadian Business Perspective
The TPP will impact goods access and other aspects of Canadian businesses.
Foreign Corruption and the Integrity Framework in Canada: A Difficult Corporate Board Dilemna
Canada's Integrity Framework raises difficult choices for corporate board directors and management regarding voluntary disclosure of prior foreign corrupt activity of an acquired company.
Canada-EU Comprehensive Economic and Trade Agreement Negotiation Completed: Additional Protection for Innovative Pharmaceutical Products
If ratified, key intellectual property provisions in the Canada-EU trade pact will provide additional protection for innovative pharmaceutical products.
An Update on the Proposed EU Revisions to the Regulation of Medical Devices
The proposed European regulatory regime will merge the directives on Medical Devices and Active Implantable Medical Devices into a single regulation and wholly replace the current regulation on In Vitro Diagnostic Medical Devices.
UK FCA consults on requirements for reports on payments to government
While Canada does not currently have a reporting regime for payments to governments, a process is underway to ensure that a regime is implemented in the near future.
Trademark Use: an Important Shift in Canada
Bill C-31, which was given royal assent on June 19, 2014, will eliminate the requirement that a trademark be used in order to be registered in Canada.
Intellectual Property Protection - Industrial Designs
Many companies will consider the availability of and merits of seeking patent and/or trade-mark registration. However, one form of IP protection that is often overlooked is an industrial design registration.
Protocol to Amend the Canada-UK Tax Treaty
The Canada-United Kingdom Tax Convention was amended with the signing of a protocol on July 21, 2014. This article will describe some highlights of the Protocol and comment on the impact of these provisions on cross-border tax issues between Canada and the ...
The end of the Canadian "iPod Tax" saga
The "Certain Televisions Remission Order" confirms that, in fact, there is not now, and never actually was, "tax" on "iPod" imports to Canada.
Updating Canadian Trademark Filing & Registration Strategies
Here are some key trademark filing strategies for avoiding or minimizing the potential impact of recent amendments to the Canadian trademark landscape.
The Canadian insurance M&A environment
There have been a significant number of insurance company M&A transactions in the Canadian market in recent years, a trend expected to continue. Fasken Martineau DuMoulin have surveyed the acquisition agreements from these transactions and analysed ...
Merger control and foreign investment review in Canada
Fasken Martineau DuMoulin’s Huy Do and Jack Yu1 write that acquisitions of, or investments in, Canadian businesses can give rise to merger control and foreign investment reviews. ...
Related Articles
Related Articles by Jurisdiction
Canada: Alberta's Renewable Electricity Program
Alberta released details of the Renewable Electricity Program to accelerate the development of renewable power generation through a competitive bid process.
Proposed changes to Canada's anti-money laundering and anti-terrorist financing regime
A consultation paper released in February could potentially have broad implications for Canada's AML/ATF regime.
Surprise changes seek to modernise Canadian trademarks law and practice
This bulletin looks at key proposed changes to trademark law in Canada.
Latest Articles