Hong Kong, 3 February 2026 – The Department of Health’s Medical Device Division (MDD) has officially updated two critical Technical References under the Medical Device Administrative Control System (MDACS). These documents, TR-007 (Software Medical Devices and Cybersecurity) and TR-008 (Artificial Intelligence Medical Devices), have been revised to address the rapid advancement of digital health technologies and global regulatory trends. The updates aim to strike a balance between facilitating innovation in Software as a Medical Device and ensuring robust patient protection through a Total Product Life Cycle (TPLC) approach.
As part of the Hong Kong medical device regulation updates, manufacturers of Software as a Medical Device must now comply with enhanced cybersecurity and AI/ML requirements to ensure patient safety and regulatory alignment.
HONG KONG MEDICAL DEVICE REGULATION TIMELINE FOR MANUFACTURERS
The publication of these updated Technical References triggers the following effective date:
3 February 2026: The updated versions of TR-007 and TR-008 officially come into force. Manufacturers submitting new listing applications or managing existing listed devices must adhere to these revised requirements from this date forward.
MEDICAL DEVICE CYBERSECURITY STANDARDS: KEY REGULATORY CHANGES
1. Cybersecurity Enhancements (TR-007)
The revised TR-007 introduces stricter “basic cybersecurity requirements” that manufacturers must document in their technical submissions, in line with Hong Kong medical device regulation and medical device cybersecurity standards.
- Password Security: Manufacturers must avoid universal default passwords. Devices must use unique passwords per device or require a user-initiated change.
- Attack Mitigation: Systems must include mechanisms to make brute-force authentication attacks impractical, adhering to medical device cybersecurity standards.
- Lifecycle Monitoring: A formal patching and updates plan is now required to maintain safety in response to newly discovered vulnerabilities, aligning with Hong Kong medical device regulation.
- Incident Recovery: Manufacturers must provide a recovery plan to restore devices to normal operating conditions following a cybersecurity incident, ensuring compliance with both AI medical device regulation and medical device cybersecurity standards.
2. AI and Machine Learning Requirements (TR-008)
The updated TR-008 provides a more detailed framework for AI-MD (Artificial Intelligence Medical Devices) and ML-MD (Machine Learning Medical Devices):
- Dataset Transparency: Manufacturers must define the source, size, and attribution of training, validation, and test datasets. To prevent bias, training and validation sets should not overlap.
- Continuous Learning Capability (CLC): For devices that learn after deployment, manufacturers must present complete information on process controls and verification measures.
- Safety Mechanisms: Systems must include the ability to “roll back” to a previous stable algorithm version if anomalies are detected during real-world use.
- User Labelling: Labels should now include specific warnings to avoid user over-reliance on the AI output.
RESOURCES
To assist with compliance, the following documents and contacts are available:
- Full Technical References: TR-007:2026(E) and TR-008:2026(E).
- Change Management: For version updates, refer to Guidance Notes GN-10.
- MDD Enquiries: Contact the Medical Device Division at 3107 8484 or via email at [email protected].