The new article describes in detail additional controls to be implemented with respect to medical devices that are no longer supported by their manufacturers.

The International Medical Device Regulators Forum (IMDRF), a voluntary association of national regulating authorities in the sphere of medical devices, has published a guidance document dedicated to the principles and practices for cybersecurity for legacy medical devices—the ones that are still in use despite being no longer supported by their original manufacturers. The document provides additional recommendations to be followed by medical device manufacturers and healthcare providers in order to ensure the continued safety of medical devices and their proper performance when used for their intended purpose. The IMDRF acknowledges that medical devices are often used even after the expiration of their intended use period. Since such devices no longer receive security patches and updates, they become vulnerable to new cybersecurity threats. Thus, it is vitally important to ensure additional controls are implemented and additional measures are taken in order to address the respective risks. The IMDRF explicitly states that cybersecurity is a shared responsibility of all the parties involved and explains this approach further in detail in the present guidance. 

At the same time, it is important to mention that the provisions of the guidance are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations on the parties involved, but rather to provide additional clarifications and assist medical device manufacturers and healthcare professionals in complying with the applicable regulatory requirements. 

The document describes in detail the responsibilities of the aforementioned parties at each specific stage of a total product life cycle, namely development, support, limited support, and end of support. In particular, the guidance covers aspects related to communication, risk management, and the transfer of responsibility.

Compensating Controls: Key Points

The scope of the guidance also covers matters related to compensating controls to be applied after the end of support for a medical device. According to the document, a compensating risk control measure (“compensating controls”) stands for a specific type of risk control measure deployed in lieu of, or in the absence of, risk control measures implemented as part of the device’s design. As further explained by the IMDRF, in the event of an identified health and safety risk or other non-compliance, the MDM shall implement further correction, corrective actions, and, where applicable, preventive actions to bring the device into compliance. 

As it was mentioned before, healthcare providers may decide to keep using the device even when the end of support date communicated by its original manufacturer is reached. This could take place, for instance, in cases where there is no proper alternative or when the limited budget of a healthcare institution impacts its ability to replace the device. Should it be decided to keep using the device that is no longer supported by its original manufacturer, a healthcare provider should consider the recommendations provided in the relevant documentation addressing the minimum compensating risk control measures the device should be subject to.

Compensating Risk Control Measures

The IMDRF acknowledges that the actual implementation of compensating risk control measures could be associated with additional expenses that could be significant for a healthcare provider. Thus, it is important to consider whether keeping the device in service after the end of support is viable and beneficial in comparison to its replacement with a new device. 

The guidance further provides a table outlining the general recommendations for compensating controls. At the same time, the IMDRF additionally emphasizes that the actual implementation of the said controls and their feasibility should be determined on a case-by-case basis, taking into consideration the operating environment and intended use of the device. Furthermore, the control measures described in the table are not exhaustive and could be applied in combination. Moreover, it is also important to take into consideration the general technological development in the relevant sphere. 

According to the guidance, potential controls include, inter alia, the following ones:

  • Physical access: restricting physical access to the device to authorized personnel only by placing the device in a restricted area with the appropriate physical entry controls in place and using tamper-evident seals as appropriate;
  • Removable media: restricting the use of removable media such as USB drives by policies in the systems Basic Input Output System/Unified Extended Firmware Interface Forum (BIOS/UEFI), though operating system policies or by physical means;
  • Network isolation:: ensuring the internal network of a healthcare facility is duly isolated and is not accessible from outside;
  • Network segregation: establishing a virtual local area network; 
  • Monitoring: conducting continuous monitoring in order to ensure timely identification of suspicious activity; 
  • Remote access: ensuring the remote access functionality of the device is no longer available;
  • Firewall, establishing a firewall in order to limit access to the device;
  • Anti-malware: installing and configuring anti-malware software compatible with the device and network against the data its used;

Backup and restore: implementing backup and restore procedures to protect against data loss in case of calamities


Another important aspect related to controls that the IMDRF pays attention to is education. In particular, the document emphasizes the importance of ensuring the staff using a medical device that is no longer supported by its original manufacturer is properly trained and is able to address potential cybersecurity threats. As further explained by the IMDRF, this includes training on operating the device in a secure manner as well as incident reporting. 

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.