
8/22/2018 New China Cybersecurity Guidelines for Registration of Networked Medical Devices | Insight | Baker McKenzie

23 March 2017

New China Cybersecurity Guidelines for Registration of Networked Medical Devices


The China Food and Drug Administration (CFDA) has issued guidelines aimed at implementing China's new Cybersecurity Law (CSL) in the administration of medical devices in China. This development is a clear signal that Chinese regulators intend to enhance cybersecurity protection in the healthcare sector.

From 1 January 2018, medical device companies will be required to register their networked medical devices with the CFDA and be assessed for their cybersecurity protection status under the Principles on Guiding Technology Examination of Medical Device Cybersecurity Registration (CFDA Guidelines).

Contact: Mini vandePol, Registered Foreign Lawyer, Hong Kong, +852 2846 2562

Contact: Fung (Simon) Hui, Partner, Shanghai, +86 21 6105 5996

Major implications for medical device companies

Cybersecurity threats represent a risk to the safe and effective operation of networked medical devices. A data breach may lead to infringement of patients' personal privacy while a network attack can cause the malfunction of a device resulting in the injury or death of patients. Medical device companies are therefore expected to pay attention to these issues throughout the product life cycle to ensure proper cybersecurity protection for their networked products.

When applying to register networked medical devices with the CFDA, the CFDA Guidelines require applicant companies to conduct a self-assessment of the relevant cybersecurity protection standards or measures. Applicants need to be aware that while the CFDA Guidelines do not express the cybersecurity protection standards as mandatory obligations, failure to meet the requirements may potentially cause delays in product registration. In practical terms, this can have an impact on the success and timing of the rollout of new medical device products.

What are the highlights?

By way of background, the CSL was introduced on 7 November 2016 and takes effect on 1 June 2017. The CSL imposes obligations on network operators to formulate internal security management systems for cybersecurity protection and take measures to protect important data, among other things. Failure to comply with the CSL may result in various penalties including the imposition of fines on directly responsible personnel.

The CFDA Guidelines, which were issued on 20 January 2017, aim to implement the CSL in the administration of medical devices in China. The key features of the CFDA Guidelines include:

1. Non-mandatory principles. The CFDA Guidelines do not specify mandatory requirements for registration. When registering medical device products, the applicant may conduct a self-assessment on whether some measures proposed under the CFDA Guidelines should apply. If not, the applicant may elaborate the reasons or propose alternative solutions to ensure its compliance with the CSL and other relevant regulations.
2. Application scope. The CFDA Guidelines apply to the registration of Grade II and Grade III medical devices that have electronic data exchange or remote control functions through network connection (Qualified Devices).
3. Impact on product lifecycle. Companies that intend to register Qualified Devices in China are expected to consider cybersecurity protection issues during the entire lifecycle of the medical devices, including product design, development, production, distribution and maintenance. Specifically, cybersecurity protection of the Qualified Devices should, among others, satisfy the following requirements:

   a. Confidentiality: the data can only be accessed by authorized users within an authorized timeframe through authorized means;
   b. Integrity: the data must be accurate, comprehensive and cannot be altered without authorization; and
   c. Availability: the data must be accessible and utilized as expected.
4. Product registration documents. In order to register Qualified Devices with the CFDA, the applicant is required to submit a standalone cybersecurity description file and a cybersecurity instruction manual. When there is a major cybersecurity update affecting the safety or effectiveness of the Qualified Devices after the initial registration, the applicant is required to file a revised application with the CFDA.
5. Review factors. When reviewing the product cybersecurity registration process, the CFDA will consider:
   a. Data: the data on the Qualified Devices can be categorized as personal data and equipment data. Different protection measures should be adopted depending on the type of data and the transmission method. Personal data usually warrants enhanced protection and relevant personal privacy protection rules should be followed.
   b. Technology: different cybersecurity protection technology can be utilized. The applicant may follow various international and national standards to build up their cybersecurity protection capability.
   c. Off-the-shelf software: the applicant is expected to pay close attention to the cybersecurity risks associated with off-the-shelf software and adopt relevant maintenance procedures, as well as notify users of relevant information in a timely manner.

Actions to consider

The CFDA Guidelines and CSL are good reminders for businesses to
assess cybersecurity risk issues connected to the use and function
of their networks and products. Similarly, companies should
continue to be vigilant on the collection and protection of
personal data, and ensure that they comply with the relevant
data privacy laws.

To avoid delays in the registration of networked medical products, and prevent exposure to potential penalties under the CSL, we recommend that medical device companies consider the following steps:

- Seek advice and adopt cybersecurity protection measures to meet the specific standards under the CFDA Guidelines.
- Closely monitor the latest developments of the CSL and its implementing rules in relation to the cybersecurity protection requirements of medical devices.

© 2018 Baker McKenzie

https://www.bakermckenzie.com/en/insight/publications/2017/03/new-china-cybersecurity-guidelines