The new article addresses the aspects related to establishing efficient communication between medical device manufacturers and healthcare providers with respect to medical devices used and also provides definitions of the most important terms and concepts.

The International Medical Device Regulators Forum (IMDRF), a voluntary association of national regulating authorities cooperating for further improvement of the regulatory framework for medical devices, has published a guidance document dedicated to cybersecurity matters with respect to medical devices that are no longer supported by their initial manufacturers (legacy devices). The purpose of the document is to highlight the key points to be taken into consideration in order to address the cybersecurity risks arising when the medical device is still in use, but no longer receives software updates and security patches from its manufacturer, addressing the newly identified security issues and vulnerabilities. The document describes the approach to be applied in order to ensure the safety of patients, as well as the proper performance of medical devices after their manufacturers cease supporting them. 

 

First of all, the IMDRF explicitly states that cybersecurity is actually a shared responsibility among all the parties involved in operations with medical devices.

Terms and Definitions

In order to assist medical device manufacturers and other parties dealing with medical devices in interpreting provisions of the existing legislation and following the requirements set forth therein, the document provides definitions of the most important terms and concepts used including, inter alia, the following ones:

  • Application software stands for (1) software designed to help users perform particular tasks or handle particular types of problems, as distinct from software that controls the computer itself, (2) software or a program that is specific to the solution of an application problem;
  • Compensating Risk Control Measure – a specific type of risk control measure deployed in lieu of, or in the absence of, risk control measures implemented as part of the device’s design;
  • Configuration – the manner in which the hardware and software of an information processing system are organized and interconnected;
  • Coordinated Vulnerability Disclosure (CVD) is a process through which researchers and other interested parties work cooperatively with a manufacturer in finding solutions that reduce the risks associated with disclosure of vulnerabilities;
  • Essential Performance stands for the performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk; 

Software Bill of Materials (SBOM) stands for a list of one or more identified components, their relationships, and other associated information.

Total Product Life Cycle Framework

The document further provides an overview of the general principles to be followed with respect to cybersecurity matters related to legacy medical devices by all the parties involved. These principles are intended to serve as a basis for further improvement of the existing regulatory framework. 

Under the general rule, risks associated with cybersecurity threats and vulnerabilities should be considered throughout all stages in the life of a medical device, from its initial development to the end of service. The IMDRF acknowledges that in certain cases medical devices could still be in use after the expiration of the projected use period – in other words, in such cases, the clinical utility of a device exceeds its supportability. Thus, related matters should be taken into consideration by medical device manufacturers from the very beginning. 

In this respect, the IMDRF distinguishes limited support, defined as a transitional period during which medical device manufacturers and healthcare providers should coordinate their activities related to the upcoming end of support or upgrade/replacement of the product. As explained by the IMDRF, end of support stands for the time when a healthcare provider becomes the party mostly responsible for cybersecurity-related matters. However, the manufacturer will still be responsible for certain aspects in accordance with the applicable national legislation and requirements set forth therein. The said transition process includes various activities related to communications and risk management before the responsibility would actually be transferred from the manufacturer to the healthcare provider using the device. The document further describes each of these activities in detail and provides recommendations associated thereto.

Communication

According to the document, in order to ensure the effectiveness of cybersecurity measures, as well as the proper level of protection against cybersecurity threats, it is vitally important to establish open and transparent communication between all the parties involved in operations with medical devices. For instance, medical device manufacturers are the ones responsible for planning the end of support and actions to be taken in this respect for the devices that are still in service after that date. In particular, manufacturers are expected to communicate the estimated end-of-support dates so the healthcare providers will be able to plan their activities accordingly. Based on the information about the end of support date, as well as other information when making a decision on whether to put the device in question out of service or continue using it and assume additional responsibility due to the device no longer being supported by its manufacturer. 

The IMDRF encourages the parties involved to take all the steps necessary to ensure that important information related to medical devices is duly communicated. In particular, it is stated that information that is provided or communicated should be proactively sent to the other party, or the other party should be actively made aware that such information is available for retrieval; while communication policies and procedures that make information passively available, without active notification, are not recommended and should be avoided where possible. 

In summary, the present IMDRF guidance provides an overview of the approach to be applied with respect to medical devices that are no longer supported by their manufacturers. The document pays special attention to the matters associated with communication between the parties involved and its importance for ensuring the continuous safety of medical devices after the end of support.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.