- The Cybersecurity Law came into effect in China’s territories on 1 June 2017.
- The new law is wide in scope, but is expected to impact the life sciences sector in two key areas: connected medical devices and ‘critical information infrastructure’ in medical institutions.
- The China Food and Drug Administration has published Guiding Principles to assist the implementation of the Cybersecurity Law in the medical device industry.
In June 2017, China introduced the Cybersecurity Law, which regulates the establishment, operation, maintenance, and use of networks within its territories, in addition to the government’s supervision and administration of network security. The new law is broad in scope, but has a particular bearing on the life sciences sector in two key areas: connected medical devices and the new concept of ‘critical information infrastructure’ (CII) used by medical institutions.
Nick Beckett, Managing Partner, Beijing Office, and Global Co-Head of Life Sciences & Healthcare at CMS, examines what the law means for China’s life sciences sector. This is an abridged extract from The Antidote – Summer 2017, published by CMS in September 2017.
Connected medical devices
The development of the Internet of Things (IoT) is transforming the medical device industry. More and more medical devices are now equipped with network connection functionalities, enabling remote monitoring and real-time information exchange among users, manufacturers and health service providers.
Connected medical devices, like all computer systems, can be vulnerable to cybersecurity breaches, which might not only impair the safety and effectiveness of the devices but also expose users to health risks. For example, a hacked insulin pump injecting incorrect dosages can seriously damage a diabetes patient’s health. Moreover, a vulnerability in a single connected device could threaten the security of an entire network. In addition, vast amounts of users’ personal data will be collected and processed through connected medical devices, and some of this data is highly sensitive. Leakage of such data through a cyber incident might expose the relevant data controller (usually the online healthcare provider) to severe legal liabilities, not to mention reputational damage.
To address these issues and assist implementation of the Cybersecurity Law in the medical device industry, the China Food and Drug Administration (CFDA) published the Guiding Principles on the Technical Reviews of the Cybersecurity Registration of Medical Devices (Guiding Principles) in January 2017. The Guiding Principles apply to the registration of Type II and Type III medical devices that can be connected to networks to conduct electronic data exchanges or remote control, as well as Type II and Type III medical devices that use storage media to conduct data exchanges.
The technology used in medical devices, pre-installed software, and data confidentiality, integrity, and availability are among the issues addressed in the Guiding Principles.
While the Guiding Principles are neither mandatory nor legislative in effect, the requirements they set out will be considered by the CFDA when examining an application for medical device registration. The Guiding Principles also encourage applicants to remain aware of cybersecurity issues throughout the design, development, manufacture, distribution, deployment, maintenance and other stages of a medical device’s life cycle. We expect more detailed standards and implementation rules to be published in the future to provide guidance on handling cybersecurity matters in this area.
Critical information infrastructure used by medical institutions
The Cybersecurity Law introduces a new concept, ‘critical information infrastructure’ (CII), which refers to information infrastructure used in public communication and information services, energy, transportation, water resources, finance, public services, electronic government systems, and other important industries and areas, where damage, loss of function or data leakage might seriously endanger national security, citizens’ wellbeing, or the public interest.
According to a draft regulation, different government departments might be granted the right to identify the CII within their respective jurisdictions. Currently, the specific scope of CII is not clear. However, in a national cybersecurity examination organised by the government before the Cybersecurity Law was published, the websites, platforms (e.g. information exchange platforms, search engines) and operation-related infrastructure (e.g. control systems, data centres) used by hospitals, disease control institutions, and emergency centres were treated as CII.
If the relevant government departments adopt the same approach, medical institutions operating their own CII will need to follow a series of requirements governing CII operators. For example, a CII operator is required to store, exclusively within the territory of China, all personal information that it collects during its operation within China, unless it has passed the relevant government authorities’ assessments.