Japan Outlines New Medical Device Cybersecurity Regulation

On March 9, 2023, a new cybersecurity regulation was added to Japan's Essential Requirements Criteria. Article 12 of the Essential Requirements Criteria already had 2 clauses, and clause 3 on cybersecurity has now been added. In short, medical devices that use programs are now required to ensure safety and basic performance by implementing risk management throughout the medical device software life cycle, in accordance with JIS T 2304 (IEC 62304). The new Japanese regulation stipulates that, in addition to conformity to JIS T 2304 (IEC 62304), medical devices connected to other IT devices and medical devices connected to the Internet require cybersecurity measures based on JIS T 81001-5-1 (IEC 81001-5-1) to reduce cybersecurity risks to acceptable levels.

This new regulation was put into practice on April 1, 2023, with a one-year transitional period until March 31, 2024. When applying for device approval after the end of the transitional period, device manufacturers are required to demonstrate conformity to the above cybersecurity regulation. This provision and transition period also apply to already approved products. Hence, device manufacturers will need to update their registrations accordingly.


Written by: Ames Gross – President and Founder, Pacific Bridge Medical (PBM)
Mr. Gross founded PBM in 1988 and has helped hundreds of medical companies with regulatory and business development issues in Asia. He is recognized nationally and internationally as a leader in the Asian medical markets. Mr. Gross has a BA degree, Phi Beta Kappa, from the University of Pennsylvania and an MBA from Columbia University.

Source used in the article: https://www.pmda.go.jp/english/safety/info-services/devices/0007.html