The people of Switzerland voted to pass the free trade agreement with Indonesia. After ratification of the agreement, many products will benefit from lower trade barriers and tariffs. Do you as a manufacturer plan to take advantage of these facilitations and bring your medical devices onto the Indonesian market? Or do you want to expand your existing product range on the Indonesian market and need support? We are happy to advise and support you with our comprehensive know-how in regulatory affairs and approvals.

As it is common worldwide, also in Indonesia specific obligations towards the health authorities apply to medical and diagnostic devices in order to ensure a good medical care of the Indonesian population. For specific inquiries, please contact: This email address is being protected from spambots. You need JavaScript enabled to view it.

For a while now, cybersecurity incidents in the healthcare sector have been increasing and can no longer be dismissed as random incidents, vandalism by script kiddies or collateral damage of general malware campaigns. The healthcare sector, specifically health delivery organizations and their supply chain, have become a prime target for cybercrime and cyberwar actors. Legislators and regulators are reacting, as usual, by creating new legislation, guidelines and requirements, but focusing on health delivery organizations as operators of medical IT-networks (critical infrastructure). As security is only ever as strong as its weakest link, this also impacts medical device manufacturers. While the “what” is being defined by the regulators, figuring out the “how” remains with the operators and manufacturers.

So far, guidance and standardization have focused on (cyber)risk management in general (e.g. AAMI TIR 57) and left manufacturers with a lack of technical standards on how to actually mitigate identified risks. This lack of support on the technology side made many manufacturers turn to other industries, leading e.g. the IEC 62443 family to become a de facto standard for cybersecurity across multiple domains. While these standards have garnered widespread acceptance (e.g. some parts are listed as FDA recognized consensus standards) they don’t necessarily meet all the requirements of the healthcare sector. In recognition of this situation, the ISO and IEC started work on several new standards addressing the issue.

As part of that effort, the IEC has recently published IEC TR 60601-4-5:2021 Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications.

The technical report reinforces the idea that security is a burden shared by the manufacturer and the operator of a medical device. It defines a scheme with which this burden can be assessed, documented and communicated between parties; it defines four security levels and a list of technical capabilities that need to be implemented by a medical device to reach a specific security level. The capabilities are based on those defined by IEC 62443-4-2:2019 (and IEC TR 80001-2-2:2012) and brought into alignment with the basic tenet of medical device development: patient safety.

As a member of the IEC 60601 standards family for electrical medical devices, it defines requirements to the medical device itself (product standard). But unlike the other standards in the family, the scope explicitly mentions that it can be applied to any medical device software, including SaMD.

The technical report's stated goal is to define testable security properties for a medical device; currently, no official test report form (TRF) exists. It is likely that one will be published in the near future, and that test labs will offer relevant tests.

The technical report is planned to be harmonized for the MDR.

For medical device manufacturers, the technical report thus provides guidance on how to address the security vs safety challenge when implementing the security mechanisms defined in IEC 62443-4-2:2019. It further helps assessing/attaining security levels of a device and identify the security measures external to the device to reach a specific target security level of an operator. It thus also defines information that needs to be provided to the operator for the secure use of the device. In that, it is expected to help the manufacturers meet the general safety and performance requirements (GSPR) 17.2, 17.4, 23.4 (ab) of the MDR.

Note that the report is essentially a wrapper around the IEC 62443-4-2:2019 standard, which is required reading for anyone trying to implement the security measures listed in the report. Also neither the report nor the standard go down to the “bits and bytes” level of engineering, which is left to the relevant technical standards or state-of-the-art knowledge of the engineer.

At the moment it is still too early to tell if the health delivery organizations/operators of medical IT-networks will apply a security-level scheme, as proposed by the IEC 60601-4-5 and IEC 62443-4-2 when purchasing medical devices. But with the relevant IEC and ISO committees collaborating on the topic, and the technical report being targeted for harmonization under the MDR, it seems likely that this might happen sooner or later.

In a recently published guidance document, the MDCG aims to provide guidance to the Member States on handling certain MDR provisions applicable as of May 2021, even though Eudamed is not fully functional. To comply with the current Directives, legal manufacturers and authorised representatives of CE-marked medical devices have to register in the EU country where they have their place of business. The transitional provisions of the MDR state that if Eudamed is not fully functional on the date of application, the corresponding provisions of Directives 90/385/EEC and 93/42/EEC continue to apply. The MDR introduces a much larger Eudamed database than the one that currently exists under the Directives alongside a variety of new registration requirements regarding stakeholders and data exchange and a publicly accessible version to increase transparency. MDCG 2021-1 includes information on how to addresses cases where the exchange of information would be difficult, based on the corresponding provisions of the Directives.

Eudamed is composed of the following six interconnected modules:

• Actors registration
• UDI/Devices registration
• Notified Bodies and Certificates
• Clinical Investigations and performance studies
• Vigilance and post-market surveillance
• Market Surveillance

With the MDR fully applying on 26 May 2021, the actor registration module is the only and first of the Eudamed modules currently available. The European Commission launched the Eudamed actor registration module on a voluntary basis on 1 December 2020. This allows competent authorities to assign SRNs (single registration numbers) to each economic operator, which is a precursor to device registration (and plays a role in the documentation of a medical device under MDR). Device registration in Eudamed will not be possible until the UDI/Device Registration module goes live.

When launching the first module, the Commission made clear that it is not in the position to enforce the use of the actor registration module, but asked EU competent authorities to promote the registration process in Eudamed and avoid double registration at a national level. Owing to each country's need to maintain an oversight of the manufacturers on its market, some countries will extend national manufacturer registration to CE-marked products under the MDR and manufacturers, and authorised representatives are subject to double registration if they choose to make use of the available module.

The new MDCG guidance aims to provide a harmonised approach by outlining administrative practices and alternative technical solutions to exchange information until the database is ready. MDCG 2021-1 shows in tabular form how individual specifications in the MDR are to be implemented in the period until Eudamed is available. The document suggests that as soon as a functionality corresponding to a requirement is available in Eudamed, the system may be used even before the notice of full functionality of Eudamed has been published. It also includes relevant information on how to deal with regulatory requirements having no corresponding provision in the Directives, such as:

• Making publicly available of the summary of safety and clinical performance (SSCP):The SSCP shall be made available to the public upon request without undue delay or the manufacturer shall specify where it is made available to the public.
• Data exchange between notified bodies and expert panels during clinical evaluation consultation procedure: Notified bodies should notify the relevant parties by uploading the required information to a dedicated secure directory in CircaBC, using a pre-defined template as soon as it becomes available (organised by the Commission).
• Periodic safety update report (PSUR): For class III devices and for classes IIa, and IIb implantable devices, manufacturers should deliver the PSURs to the relevant notified bodies by appropriate means. Notified bodies should provide the PSURs evaluations to the manufacturers and make them available upon request to the competent authority.

In order to access the Brazilian market, medical devices have to be notified or registered with ANVISA, depending on their risk class. With RDC No. 423/2020, the Brazilian regulator has recently eliminated the Cadastro pathway for the registration of Class II medical devices and IVDs. This was a considerable reduction of the registration requirements for the manufacturers of these devices. The process of registration in Brazil can be very burdensome because certain products are subject to additional certification requirements, depending on their characteristics. Most electro-medical devices, independent of their risk class, have to be certified by the National Institute of Metrology, Standardization and Industrial Quality (INMETRO). Following the trend towards simplifying some regulatory hurdles in Brazil, Ordinance No. 384/2020 has introduced significant changes for manufacturers of devices that require INMETRO certification and will reduce the effort to obtain and maintain this certification.

The new ordinance was published on 18 December 2020 and took effect 10 days later. It included a transition period for certificates issued under previous ordinances. Existing certificates issued under Ordinance No. 54/2016 will have to be reviewed and revised, based on the new ordinance, during the next maintenance audit, once the transition period of six months has passed. Existing certificates issued under the repealed Ordinance No. 350/2010 (and issued before 30 April 2018) may be audited and renewed until the certificate expires.

Depending on when your INMETRO certificate was issued and based on the specific ordinance, the next maintenance audit will already use the new, eased requirements. Ordinance No. 384/2020 has introduced the following changes to the INMETRO certification process:

• On-site inspections: The new ordinance changes the requirement for on-site inspections, which will no longer be required for all certification procedures. Whether an on-site audit will be required will be based on previous audits, including under MDSAP or ISO 13485. Should the auditing entity decide that an on-site audit is unnecessary, the certification will be based on a desktop audit.
• Test reports: The new ordinance changes how recent test reports must be: for small and medium-sized equipment, test reports may be older than two years, while for large equipment, test reports may be older than four years. Test reports must reflect the current version of the device to be certified/under review. Changes to the device lead to new testing unless the manufacturer can provide a rationale as to why changes to the device do not justify further testing.
• Duration of validity: The new ordinance changes the expiration of certificates, since they no longer expire. Maintenance audits have to be performed regularly (every 15 months or annually).

The changes reduce the burden on medical device manufacturers, particularly regarding the requirements for the actuality of test reports. To avoid unnecessary testing, we recommend checking the current certificates and using the applicable transition period to plan and adapt your renewal processes.

PORTARIA Nº 384, DE 18 DE DEZEMBRO DE 2020 (DIÁRIO OFICIAL DA UNIÃO, 18.12.2020).