The new article highlights the aspects related to the limited support stage of the total product life cycle and provides recommendations to be followed by the parties involved.
The International Medical Device Regulators Forum (IMDRF), a voluntary association of national regulatory authorities collaborating to improve the medical device regulatory framework, has published a guidance document dedicated to the principles and practices for the cybersecurity of legacy medical devices, meaning devices that are still in use by healthcare providers but are no longer supported by their manufacturers. The association acknowledges that medical devices are often used beyond their initially intended use period, which exposes patients to additional risk because such devices no longer receive the security patches and updates that address newly arising cybersecurity threats and vulnerabilities. The document describes in detail the cybersecurity considerations corresponding to each stage of the total product life cycle and outlines the key points associated with each. It is also important to mention that the provisions of the document are non-binding in nature and are not intended to introduce new rules or impose new obligations, but rather to provide additional clarifications and recommendations to be considered. Moreover, the approach described in the guidance could be subject to change, should such changes be reasonably necessary in light of new information becoming available.
The scope of the guidance covers, inter alia, the aspects related to the limited support life cycle stage. In particular, the document outlines the key responsibilities of all the parties involved in terms of communications, risk management, and transfer of responsibility.
Limited Support Life Cycle Stage: Communications
According to the guidance, communication between the parties involved should intensify during this stage. In particular, information about risks should be duly communicated to healthcare providers so that they can take it into account when deciding whether to continue using the device. It is equally important to communicate the actions needed to mitigate those risks, as well as potential replacement options.
In particular, medical device manufacturers should:
- Release Customer Notifications Indicating a Move to Limited Support, by which affected healthcare providers are notified of the upcoming end-of-support date, after which the device will no longer be supported by the manufacturer. This information allows healthcare providers to plan their activities properly and make informed decisions regarding further use of the device.
- Release Public Information Indicating a Move to Limited Support. In the same way, information about the change in the product’s status should be communicated to all the parties affected, including resellers or other parties intended to purchase and use the device.
- Continue to provide services and documentation to the extent it is practical, including communications related to the vulnerabilities identified.
- Provide Life Cycle Planning Information, including:
  - Alerts indicating that some maintenance has stopped when parts of the medical device (i.e., device software) are no longer supported;
  - Security notifications and advisories;
  - Device-specific information advisories about compensating controls; and
  - Any intended use restrictions which result from life cycle stage changes.
- Provide Product Security Documentation. Apart from providing the vitally important security-related information outlined above, the manufacturer should also provide the relevant documentation. The latter should address compensating controls including, inter alia, firewalls, VPNs, and network isolation.
The document further describes the recommendations on communications to be considered by healthcare providers using the affected device. In this regard, the guidance states that the communications applicable to the support stage should continue, with the healthcare provider requesting additional information from medical device manufacturers when needed. It also states that healthcare providers evaluating whether to purchase resold or second-hand devices may want to ask whether additional support is available, for example through extended contracts or third-party support.
The scope of the guidance also covers the responsibilities of the parties in the context of risk management. For instance, according to the document, medical device manufacturers should ensure continued compliance with their post-market obligations. At the same time, it is important to mention that the frequency and level of effort associated with proactive vulnerability management, as part of risk management activities, may decrease.
At this stage, most of the responsibilities are with the healthcare provider. According to the document, healthcare providers should:
- Consider EOL/EOS Risks When Evaluating Whether to Purchase Resold or Second-hand Devices. As further explained in the document, this includes additional research on the status of the product, the risks associated with it, and the availability of support.
- Consider specific aspects when approaching EOS, based on the information provided by the manufacturer. In particular, should the healthcare provider decide to continue using the device, it should consider the following questions in order to properly identify the associated risks:
  - What time frame beyond the expected service life is the device projected to be used for clinical care?
  - Will there be maintenance costs over the time the device is projected to be used for clinical care?
  - How do the maintenance costs compare to upgrading the device?
  - How could a new or upgraded device improve clinical care while also improving cyber resilience?
  - Does the healthcare provider have the tools to maintain the security of this device?
  - Does the healthcare provider have the financial resources to maintain the security of this device?
  - Does the healthcare provider have the expertise to maintain the security of this device?
It is also important to mention that the above list is not exhaustive, and only provides examples illustrating the approach to be applied.
Transfer of Responsibility
According to the guidance, the limited support stage is a transition from the support stage to either the end of support or the replacement of the product itself. As explained in the document, a decision should be taken during this stage with respect to the future course of action.
In summary, the present IMDRF guidance describes in detail the approach to be applied during the limited support stage of the total product life cycle. The document outlines the main aspects to be taken into consideration by the parties involved in terms of communications and risk management.
How Can RegDesk Help?
RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.