The new article describes in detail the approach to be applied with respect to communication-related matters during the support stage of the total product life cycle.

The International Medical Device Regulators Forum (IMDRF), an association of national regulating authorities collaborating for further improvement of the existing regulatory framework, has published a guidance document dedicated to the principles and practices for the cybersecurity of legacy medical devices – the ones that are no longer supported by their initial manufacturers – as such products could be especially vulnerable to cybersecurity threats due to not receiving updates and patches while still being in use. The document highlights the key points to be taken into consideration by medical device manufacturers, as well as healthcare professionals, in order to ensure the proper performance of legacy medical devices and the safety of patients. At the same time, provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations. The IMDRF also reserves the right to amend the guidance and recommendations provided therein, should such changes be reasonably necessary to reflect amendments introduced to the underlying regulations or new information that becomes available.

It is also important to mention that cybersecurity matters are within the shared responsibility of all the parties involved in operations with medical devices, so their efficient cooperation is vitally important. 

The document describes in detail the key considerations related to each specific stage of the total product life cycle (TPLC). The present article is dedicated to the ones related to the Support Life Cycle Stage and outlines the main responsibilities of the parties involved, as well as the relevant expectations.

Communications: General

First of all, the document describes the approach to be applied with respect to communications. As it was mentioned before, communications are vitally important to ensure cybersecurity and withstand the relevant threats. The document additionally emphasises the importance of ensuring that all the communications during the Support stage are comprehensive. According to the guidance, as the very first step, each party involved in operations with medical devices should begin with determining the scope of documentation and information it requires, as well as the proper timing for it to be obtained. Once determined, these requirements should be communicated to and agreed with other parties involved. The guidance provides general recommendations to be considered, while the specific approach to be applied should be determined on a case-by-case basis.

Recommendations: Medical Device Manufacturers

The IMDRF starts with outlining the recommendations to be followed by medical device manufacturers. According to the guidance, the latter should:

  1. Provide product security documentation reasonably needed by other parties to ensure the safety and proper performance of the medical device in question when used for its intended purpose, covering also the risk-related matters. According to the guidance, appropriate documentation may include:
    1. Manufacturer Disclosure Statement for Medical Device Security (MDS2);
    2. Software Bill of Materials (SBOM);
    3. Security test report summaries, third-party security certifications, or similar;
    4. Customer Security documentation (e.g., technical instructions to ensure secure deployment, operation & servicing including information on the interfaces, communication protocols, and networking, Cloud, or communication dependencies for the system).  
  2. Provide Product Life Cycle Documentation – the documentation related to key milestones impacting the status of the device (e.g., the date when current support will cease), as well as the details on installation procedures. The guidance additionally emphasizes the importance of providing information as far in advance as possible – a period of 2 years is provided as a reference based on current practices. In particular, medical device manufacturers are expected to provide information related to:
  • Affected device,
  • The device’s operating system(s),
  • The version of device deployed,
  • Identification of software components,
  • Expected date of service changes,
  • The extent of any available maintenance after those changes,
  • Additional compensating controls. 
  3. Provide relevant updated Product Security and Life Cycle Documentation. The IMDRF acknowledges that security-related documentation could be subject to changes throughout the life cycle of the product. In order to ensure that important changes are duly communicated to all the parties involved, the medical device manufacturer is responsible for issuing and distributing the updates (which could be in electronic form) describing the approach to be applied to address the newly identified risks.
  4. Provide Vulnerability and Patching Information. According to the guidance, once a new vulnerability is discovered, a medical device manufacturer is responsible for providing the relevant information, as well as the details on the way the said vulnerability could be successfully mitigated. As further explained by the IMDRF, high priority should be placed on high-risk vulnerabilities where timely communication is required to prevent patient harm or device disruption; in addition, the mitigation method (e.g., over-the-air update, deployment of service personnel to install) and implementation instruments should be provided to the device operators.
  5. Provide Proactive Communications for Third-Party Components. Sometimes the components used in the device will reach the end of support before the overall device, creating additional risks due to the lack of support for such components. In order to address such risks, medical device manufacturers should:
  • Track the support status of the third-party components used within their device;
  • Assess the risks that may exist if and when those third-party components become unsupported;
  • Communicate new risks and any available mitigations to healthcare providers. 
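The three steps above (track support status, assess the resulting risk, communicate it together with available mitigations) can be put into a small, repeatable check over the device's SBOM. The script below is an added illustration and is not part of the IMDRF guidance or any manufacturer's tooling: the component records, device details and supplier names are constructed sample data, the triage rule in `risk_level` is an assumed one, and the 2-year horizon is the reference figure the guidance cites for advance notice. It emits a notice record carrying the fields the guidance lists for life cycle communications (affected device, operating system, deployed version, software components, expected date of service changes, extent of maintenance afterwards, compensating controls).

```python
"""Track third-party component support status against a simplified SBOM.

Added example, not IMDRF text. All component, supplier and device values
below are constructed sample data; the triage rule is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Guidance reference figure: communicate service changes ~2 years ahead.
ADVANCE_NOTICE = timedelta(days=2 * 365)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    support_end: Optional[date]   # None = supplier has published no date
    network_exposed: bool         # reachable through a device interface
    compensating_control: str = ""


def support_status(c: Component, today: date) -> str:
    """Classify one component as unsupported, ending-soon, supported or unknown."""
    if c.support_end is None:
        return "unknown"
    if c.support_end <= today:
        return "unsupported"
    if c.support_end - today <= ADVANCE_NOTICE:
        return "ending-soon"
    return "supported"


def risk_level(c: Component, status: str) -> str:
    """Assumed triage rule: loss of support on an exposed, uncontrolled
    component is high; unknown dates are medium because nothing can be planned."""
    if status == "supported":
        return "low"
    if status == "unknown":
        return "medium"
    if c.network_exposed and not c.compensating_control:
        return "high"
    return "medium"


def assess(components, today: date):
    """Step 1 and 2: track status and assess risk for every SBOM component."""
    findings = []
    for c in components:
        status = support_status(c, today)
        findings.append({
            "component": f"{c.name} {c.version}",
            "supplier": c.supplier,
            "status": status,
            "risk": risk_level(c, status),
            "support_end": c.support_end.isoformat() if c.support_end else "not published",
            "compensating_control": c.compensating_control or "none",
        })
    return findings


def lifecycle_notice(device, os_name, device_version, maintenance_after, findings):
    """Step 3: build the communication record with the fields the guidance lists."""
    ending = [f for f in findings if f["status"] == "ending-soon"]
    return {
        "affected_device": device,
        "operating_system": os_name,
        "device_version": device_version,
        "software_components": [f["component"] for f in findings],
        "already_unsupported": [f["component"] for f in findings if f["status"] == "unsupported"],
        "expected_date_of_service_change": min((f["support_end"] for f in ending), default="none scheduled"),
        "maintenance_after_change": maintenance_after,
        "compensating_controls": {f["component"]: f["compensating_control"]
                                  for f in findings if f["compensating_control"] != "none"},
        "action_required": [f["component"] for f in findings if f["risk"] == "high"],
    }


# Constructed sample data (not a real device or real suppliers).
TODAY = date(2024, 6, 1)
SAMPLE_COMPONENTS = [
    Component("example-tls-lib", "1.0.2", "Example Crypto Supplier", date(2019, 12, 31), True),
    Component("example-rtos-kernel", "4.2", "Example RTOS Co", date(2025, 9, 30), False),
    Component("example-image-codec", "2.1", "Example Codec Ltd", date(2030, 1, 1), True),
    Component("example-bluetooth-stack", "7.0", "Example Radio Inc", None, True, "interface disabled in configuration"),
]

if __name__ == "__main__":
    findings = assess(SAMPLE_COMPONENTS, TODAY)
    notice = lifecycle_notice("Example Infusion Pump", "Example RTOS 4.2", "3.1.0",
                              "security patches only for components still under supplier support",
                              findings)
    for key, value in notice.items():
        print(f"{key}: {value}")
```

Run periodically (for example whenever the SBOM or a supplier's end-of-support date changes) and diff the resulting notice against the last one sent; any new entry in `action_required` or `already_unsupported` is exactly the kind of change the guidance expects to be communicated to healthcare providers without waiting for the next scheduled update.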

Apart from the abovementioned aspects, medical device manufacturers are also responsible for communicating important information about product life cycle stages to patients. 

Recommendations: Healthcare Providers

The document also outlines the recommendations to be followed by healthcare providers using medical devices during and after the expiration of their intended use period. According to the guidance, with respect to the support stage, healthcare providers should:

  1. Identify Information Needs for all the products they are using.
  2. Pre-Procurement Communications – requesting important information from medical device manufacturers in advance, before procuring the device.

In summary, the present IMDRF guidance outlines the key considerations related to the support stage of the total product life cycle. The document highlights the most important aspects and also describes the responsibilities of all the parties involved.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.