The new article highlights the aspects related to the “End of Support” stage of the total product life cycle and outlines the key points to be taken into consideration at this stage in order to ensure the proper performance of medical devices as well as the safety of patients.

The International Medical Devices Regulators Forum (IMDRF), a voluntary association of national regulating authorities collaborating for further improvement of the existing regulatory framework, has published a guidance document dedicated to principles and practices for the cybersecurity of legacy medical devices—the ones that are no longer supported by their initial manufacturers. Sometimes medical devices are used even upon expiration of their intended use period as initially set forth by the manufacturer, resulting in patients being exposed to additional risks, including, inter alia, those related to cybersecurity matters, due to such devices no longer receiving safety patches and updates. 

The document describes in detail the approach to be followed in order to improve protection against new cybersecurity risks and vulnerabilities arising and also outlines the responsibilities of all the parties involved in operations with medical devices. As it is explicitly stated by the IMDRF, cybersecurity is a shared responsibility and requires efficient cooperation between all stakeholders, including medical device manufacturers and healthcare providers. 

The document provides an overview of the most important principles and practices, as well as recommendations to be followed by all parties involved. At the same time, provisions of the guidance are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations. Moreover, recommendations provided in the guidance could be subject to changes, should such changes be reasonably necessary to reflect new information becoming available to the IMDRF. 

For each of the stages, the document outlines the main responsibilities of the parties involved in terms of communications, risk management, and the transfer of risk.

Communications

Under the general rule, by the time a device enters the End of Support (EOS) stage, the medical device manufacturer should have informed the healthcare provider of the EOS date and when the device will reach the EOS stage. As further explained by the IMDRF, at this stage, additional cybersecurity support responsibilities may transfer to the healthcare provider (should the latter be reasonably unable to assume some of them, the transfer could be conducted gradually). 

According to the guidance, at this stage, medical device manufacturers should:

  • Provide Product Security Information for Security Maintenance. In particular, medical device manufacturers are obliged to provide important information related to the medical device in question; healthcare providers would reasonably need to manage cybersecurity risks associated with the product without having the manufacturer involved. In particular, this information could include: 
    • Any additional responsibilities healthcare providers will assume to ensure the device remains secure, which may include site-specific controls;
    • Support available beyond the cybersecurity EOS date;
    • Available upgrade path for the device;
    • Decommissioning information.
  • Releasing public information (by virtue of the appropriate notification) in order to ensure the interested parties (e.g., resellers or the ones considering the purchase of the device) are duly notified of the change to the support status of the product in question and are aware of potential risks associated with the continued use. 
  • Communicate patient risks received as part of post-market expectations via reactive vulnerability management, as appropriate. 

According to the guidance, the responsibilities of healthcare providers at this stage include requesting additional information from medical device manufacturers reasonably needed to ensure the safety and proper performance of medical devices. At this stage, healthcare providers may also check the availability of additional support to be provided either by the original manufacturer (under the extended contract) or by a third party capable of providing such support.

Risk Management

The scope of the guidance also covers aspects related to risk management. For instance, the IMDRF mentions that even after the end of support, medical device manufacturers are still responsible for certain activities related to the post-market stage as set forth by the applicable national regulations. It is also important to mention that in the case of a significant risk to patient safety, additional action could be required in order to ensure the said risk is properly managed. 

At this stage, healthcare providers should:

  • Take into account the risks associated with the end of support when considering the purchase of second-hand medical devices.
  • Focus on the following considerations:
    1. Ensure the implementation of a strong, qualified, appropriately resourced cybersecurity program that has endorsement from senior leadership;
    2. Ensure the implementation of a robust inventory management system, with automation if possible;
    3. Include the legacy device in on-going organizational risk management activities;
    4. Proactively monitor trusted sources of information;
    5. Enhance countermeasures, including, but not limited to, network segmentation, user access roles, security testing, network monitoring, and disconnection from the network.

Apart from the above, healthcare providers should also conduct a periodic evaluation of the alternatives available.

Transfer of Responsibility

As it was mentioned before, the final transfer of responsibilities from a medical device manufacturer to a healthcare provider takes place at this stage. Thus, healthcare providers should complete the acceptance of responsibilities and risks or commence the transition to a new medical device (replacement). According to the guidance, sometimes it is evident to users that a device fails or does not operate as intended, triggering internal service or decommissioning; in others, support for protection against threats may also become nonexistent. Anyway, in both scenarios, there is a potential for harm to be caused to a patient. Thus, healthcare providers are responsible for the development and implementation of a strong inventory management system and also for a rigorous assessment of the risks associated with the use of medical devices after the end of support. 

In summary, the present IMDRF guidance outlines the spheres of responsibility of medical device manufacturers and healthcare providers at the end of the support stage. The document highlights the key points to be taken into consideration in order to ensure continued safety and proper performance, as well as protection against cybersecurity risks.  

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.