The document highlights the key points regarding the regulatory approach to be applied with respect to cybersecurity-related matters associated with legacy medical devices.

The International Medical Device Regulators Forum (IMDRF), a voluntary association of national medical device regulatory agencies that collaborate to improve the existing regulatory framework and to ensure the safety and effectiveness of medical devices made available to healthcare professionals and patients, has published a guidance document dedicated to principles and practices for the cybersecurity of legacy devices. The document provides non-binding recommendations to be taken into consideration by medical device manufacturers and other parties involved in order to ensure compliance with the applicable regulatory requirements, as well as the safety and proper performance of the products they are responsible for. The document itself neither establishes new rules nor introduces new obligations, but rather provides additional clarification and guidance. Furthermore, the IMDRF reserves the right to make changes to the guidance and the recommendations provided therein, should such changes be reasonably necessary to reflect recent regulatory developments and new information becoming available to the IMDRF.

Regulatory Background 

The purpose of the present guidelines is to establish the core principles and outline best practices in terms of security to be followed throughout the entire lifecycle of the product. In particular, the document addresses cybersecurity-related issues associated with medical devices used beyond the life cycle initially intended by their manufacturers. The authority acknowledges that medical devices are sometimes used even when they are no longer supported (in terms of patches or updates) by their manufacturers. Such use creates additional risks that must be properly addressed in order to ensure the safety of patients. For instance, such products are based on the technology level of the time they were created, and due to rapid technological development the special measures and controls implemented at that time could become outdated and, consequently, ineffective. When describing such products, the IMDRF applies the term “legacy medical devices”. It is also explicitly stated that device age is not the sole determinant of whether a device is legacy; in other words, a newer device that cannot be reasonably protected against current cybersecurity threats, irrespective of its age, would still be considered legacy in the context of cybersecurity. For instance, this could happen in organizations facing a lack of staff and personnel.

Legacy medical devices could still be used to provide health care, resulting in patients being exposed to additional risks associated with potentially ineffective controls and other factors. Thus, the IMDRF finds it necessary to offer certain recommendations to be taken into consideration by the parties involved in operations with legacy medical devices, including manufacturers and healthcare providers. In particular, the guidance describes the approach to be applied when identifying legacy medical devices, as well as the particular steps to be taken in order to address the cybersecurity risks associated with such products.

Applicability Scope 

According to the guidance, the recommendations provided therein are intended to describe the way the Total Product Life Cycle (TPLC) approach should be applied with respect to legacy medical devices. These recommendations are applicable to any and all medical devices subject to regulation under the existing legal framework, including both general and in vitro diagnostic medical devices. The document is mostly focused on products that either contain software or exist as software themselves.

It is also important to mention that the scope of the present guidance and the recommendations provided therein is limited to aspects related to safety in terms of potential harm to patients. This includes the risks associated with potentially erroneous results of assessments conducted using a medical device, and similar matters. At the same time, aspects related to data protection fall outside the scope of the guidance. Furthermore, the “legacy” status of a medical device is considered only in the context of cybersecurity, while all other aspects associated with this status are not taken into account.

The IMDRF further acknowledges that, based on the definition of a legacy medical device as set forth herein, numerous products could be considered “legacy” and thus require special attention in order to ensure the effectiveness of the respective controls. It is also stated that a key characteristic of a TPLC framework for legacy devices is effective communication between medical device manufacturers and healthcare providers, allowing for the timely and planned introduction and decommissioning of devices so as to minimize the number of legacy devices remaining in use. The IMDRF also emphasizes the importance of ensuring that information about the legacy status of a medical device and the potential risks associated with it is duly communicated to patients when necessary. It is also stated that the recommendations provided herein do not apply to resellers, due to the different obligations they have in comparison to medical device manufacturers.

As explained by the IMDRF, the present guidance is intended to:

  • Explain legacy medical device cybersecurity within the context of the TPLC Framework with clearly defined responsibilities for medical device manufacturers and healthcare providers;
  • Provide recommendations for medical device manufacturers and healthcare providers in communication, risk management, and transfer of responsibility to the healthcare providers;
  • Provide recommendations regarding compensating controls after the End of Support; and
  • Provide implementation considerations for medical device manufacturers and healthcare providers in addressing existing legacy devices that were developed prior to the TPLC Framework for medical device cybersecurity and are still in use.

In addition to the above, the document confirms that cybersecurity-related matters constitute a shared responsibility for all the parties involved in operations with medical devices. 

In summary, the present IMDRF guidance describes the concept of legacy medical devices in terms of cybersecurity, outlines the risks associated with them, and explains how such risks could be mitigated. The document also highlights the most important aspects to be considered in this respect in order to ensure the protection of public health and the safety of patients.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.