The new article addresses the initial design development stage, in terms of the design and controls intended to ensure a medical device’s continued safety and proper performance. In particular, the article outlines the main responsibilities of the parties involved and highlights the key points to be taken into consideration with respect to communications between medical device manufacturers and healthcare providers, risk management, and transfer of responsibility as three main categories applicable to specific stages of the total product life cycle.

The International Medical Device Regulators Forum (IMDRF), a voluntary association of national regulating authorities collaborating to improve the existing legal framework, has published a guidance document dedicated to the principles and practices for the cybersecurity of legacy medical devices. The IMDRF acknowledges that medical devices are sometimes used even after the end of the intended use period. The document describes in detail the approach to be applied to mitigate the risks associated with the continued use of such products, especially when they are no longer supported by their manufacturers. The absence of updates and security patches could result in new vulnerabilities and risk factors that must be addressed properly to ensure the proper performance of such devices, as well as the safety of patients.

The provisions of the guidance are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations. Rather, they provide additional clarifications regarding the approach to be applied with respect to the cybersecurity of legacy medical devices, as well as recommendations to be followed by all the parties involved. The IMDRF additionally emphasizes that ensuring cybersecurity is a shared responsibility of all the parties, including medical device manufacturers and the healthcare providers actually using the devices.

The document outlines, inter alia, specific aspects to be considered at each stage of the total product life cycle (TPLC). The present article provides an overview of recommendations and clarifications regarding the Development Life Cycle Stage, including the matters related to communications, risk management, and the transfer of responsibility.


First of all, the document states that the lack of information is one of the main challenges when it comes to legacy medical devices. This relates to information regarding technical failures of the device (e.g., security controls) or certain organizational challenges (a question about responsible persons within the internal structures of the parties involved). At the same time, since cybersecurity matters for medical devices are within the shared responsibility of the parties involved, ensuring efficient communications among them is vitally important. To address this, all the parties involved in operations with medical devices should develop and implement appropriate communication strategies corresponding to particular stages of the product’s life cycle.

When it comes to communications, the IMDRF emphasizes two important aspects, namely:

  • Feedback from healthcare providers in various life cycle stages may inform the medical device manufacturer’s design of future devices and device upgrades. Additional communication sections tied to subsequent TPLC stages provide recommendations that address considerations after the healthcare provider has procured and deployed medical devices.
  • Healthcare providers may provide feedback in this TPLC stage regarding their clinical and cybersecurity needs and expectations, informing the medical device manufacturers’ development.

Risk Management and Transfer of Responsibility

Another important aspect to be taken into consideration at the initial design development stage is risk management. In order to assist the parties involved, the IMDRF provides recommendations to be followed by each medical device manufacturer and healthcare provider. 

Recommendations for medical device manufacturers include, inter alia, the following:

  • Medical devices should be designed to ensure that important security-related controls are incorporated from the beginning. This includes a secure development framework. When deciding on specific controls to be applied, the medical device manufacturer should consider the device’s intended use, as well as capabilities for post-market monitoring of cybersecurity vulnerabilities. This includes, but is not limited to, security risk assessment, threat modeling, and identification of vulnerabilities. The medical device manufacturer is also responsible for ensuring the availability of security patches.
  • Should third-party providers be involved, medical device manufacturers should consider the situations when such providers will end support of the components supplied. 

In terms of risk management, there are no recommendations to be followed by healthcare providers since they are not involved in operations with medical devices at this stage. 

The same applies to the transfer of responsibility: since the medical device in question has not been provided to a healthcare provider yet, there are no recommendations related to the transfer of responsibility. As mentioned by the IMDRF, the transfer of knowledge and support begins during procurement discussions.

In summary, the present IMDRF guidance describes the approach to be followed by medical device manufacturers during the initial design development stage in order to ensure the continued safety and proper performance of a medical device. The document outlines special considerations to be taken into account, such as additional controls to be implemented to ensure safety by design.
