The International Medical Device Regulators Forum, a voluntary association of medical device regulating authorities focused on the improvement of the regulatory framework, issued guidance dedicated to the principles and practices for cybersecurity for medical devices.
Purpose of the Guidance
The need in addressing cybersecurity threats arises from the wide use of wireless technologies and medical devices connected to the network, providing that vitally important data is being transmitted, which sometimes exposes patients to the risks related to interventions or errors. The document is intended to assist all the parties involved in operations with medical devices to implement the security measures sufficient to mitigate the aforementioned risks to the lowest extent possible. According to the position expressed by the IMDRF, it is important to deal with the disparities in regulatory approaches used by national regulating authorities to develop generally accepted principles.
The document provides specific recommendations to be implemented by the stakeholders (including the manufacturers of medical devices, as well as healthcare institutions, regulating authorities and patients) intended to mitigate risks associated with cybersecurity aspects of using medical devices for medical purposes. The scope of the IMDRF guidance on cybersecurity covers both medical devices containing software and ones existing in the form of software themselves, usually referred to as a Software as a Medical Device (SaMD). It is also important to mention that the scope of the document covers only the aspects related to the potential harm to the patients` health, while other cybersecurity aspects, such as personal data protection, are actually falling outside of the scope of the present guidance. Another important point is that the document describes only device-specific measures and not the ones to be implemented to ensure the security on the enterprise level.
In particular, the present IMDRF guidance on cybersecurity is intended to:
- Provide recommendations on cybersecurity measures to be implemented on the stages of design and development in accordance with the risk-based approach,
- Describe the way the responsibility should be spread proportionally among all the parties involved in operations with medical devices,
- Provide device-specific recommendations that could be implemented on all stages of the lifecycle of a medical device,
- Encourage the further harmonization of regulatory approaches, including the unification of terms and best practices,
- Establish the exchange with information related to identified threats and vulnerabilities, as well as on the incidents that occurred.
At the same time, the IMDRF emphasizes that actual implementation of the cybersecurity principles described in the present guidance should be performed in line with the current national legislation on medical devices and cybersecurity.
General Cybersecurity Principles for Medical Devices
The guidance outlines the general principles the approach to cybersecurity for medical devices should be based on. These principles are applicable for all the parties involved in operations with medical devices, and for all processes and operations. The IMDRF states that it is important to facilitate further implementation of these principles by national medical device regulating authorities to improve the general level of security and protection.
- Global Harmonization. The national regulating authorities should coordinate their efforts in the cybersecurity sphere to ensure the highest level of patient safety, that could be achieved through harmonization of approaches in the most important spheres, e.g. medical device development and design or risk management.
- Total Product Life Cycle. It is stated that cybersecurity threats should be properly assessed on all stages of the total product life cycle (TPLC), including design, manufacturing, and testing, as well as post-market surveillance. At the same time, the proper balance between cybersecurity protection and the safety and performance of the device should be maintained when implementing new measures.
- Shared Responsibility. Medical device manufacturer shall not be the only party responsible for cybersecurity issues – the responsibility shall be shared between all the parties involved, including the patients (users), healthcare institutions and professionals, regulating authorities. It is important for all parties to collaborate to ensure the highest level of protection and the effectiveness of the implemented measures.
- Information Sharing. According to the IMDRF guidance on cybersecurity, information sharing is one of the most important principles listed therein. It is vitally important to make the information related to the identified threats and vulnerabilities available to other parties. For this purpose, the Information Sharing Analysis Organizations (ISAOs) have been introduced. In accordance with this principle, each party shall maintain transparency and duly disclose the information on any vulnerabilities identified.
Cybersecurity Measures on the Pre-Market Stage
As it was already stated before, cybersecurity measures should be implemented on all stages of the total product life cycle. At the same time, most of them should be implemented by the manufacturer during the pre-market stage. In particular, the measures to be implemented by the manufacturer at this stage include the following ones:
- Implementation of the security features when developing and designing the device,
- Utilization of the appropriate risk management strategies,
- Performing security testing,
- Providing potential users of the device with the information necessary and sufficient to use the device in a safe and effective way,
- Developing a plan of post-market activities in the context of cybersecurity.
The IMDRF emphasizes that the manufacturers shall act proactively and implement measures necessary to mitigate both identified and foreseeable risks.
The document also provides a list of security principles to be implemented on the design stage, namely:
- Security of communications,
- Data protection,
- The integrity of the device,
- User authentication,
- Maintenance of the software,
- Physical access security,
- Availability and reliability.
All these principles should be incorporated when developing medical device software.
Labeling and Security Documentation
The IMDRF guidance on cybersecurity also describes the information to be provided by the manufacturers with the device to ensure the users are properly informed on all security measures to be taken when using the device for the intended purpose.
According to the guidance, the labeling should include the following information:
- Instructions for use and specifications related to the cybersecurity measures,
- Information regarding backup features,
- Description of all ports and connections, including the information on their intended purpose,
- Diagrams describing the system.
The medical device should be also accompanied by customer security documentation describing the most important aspects related to cybersecurity issues. This documentation shall include the following information:
- Details on the supporting infrastructure requirements,
- Recommendations on security configurations, including the indications of the particular parameters to be used,
- Recommendations on the secured network deployment, if it is applicable due to the type of the device, and also the information about the actions to be taken in case of any vulnerabilities identified or cybersecurity incidents occurred,
- Details about the way the system informs the user about anomalous conditions and errors,
- Guidelines on backup and recovery, and also on installing updates,
- Description of components in the form of a Software Bill of Materials (SBOM) – an exhaustive list of components the software is composed of.
Besides the information described hereabove, the IMDRF guidance on cybersecurity measures for medical devices also provides an overview of the documentation required for the regulatory submission, recommendations on information sharing, incident reporting, and vulnerability remediations.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.