The new article highlights the aspects related to the support stage – a period when healthcare providers use a medical device while being fully supported by its manufacturer.

The International Medical Device Regulators Forum (IMDRF), a voluntary association of national medical device regulatory authorities collaborating to improve the existing regulatory framework, has published a guidance document dedicated to principles and practices for the cybersecurity of legacy medical devices. The IMDRF acknowledges that some medical devices allowed for marketing and use could still be used after the expiration of the intended use life while not being supported by their initial manufacturers. This raises additional cybersecurity risks, as these products do not receive important safety patches and updates addressing the new vulnerabilities identified during this period. Thus, to ensure the proper performance of legacy medical devices and the safety of patients and other persons using them, special principles and practices should be followed.

The document describes in detail the approach to be applied at each stage of the total product life cycle. For each stage, the guidance highlights the specific aspects and outlines the spheres of responsibility of the main parties involved, including medical device manufacturers and healthcare providers. It is also important to mention that cybersecurity should be a shared responsibility of all the parties to the process, so their efficient cooperation is vitally important to ensure the newly identified risks are duly addressed and mitigated.

The scope of the guidance covers, inter alia, the aspects related to risk management during the support stage of the total product life cycle. In particular, the guidance provides recommendations to be considered by each of the parties involved.

Recommendations: Medical Device Manufacturers

First, the IMDRF mentions that a medical device could contain third-party components, and the total product life cycle stages for them could be different from the ones for the product in general. The risk assessment to be carried out by the medical device manufacturer should cover the matters related to the potential impact this could have on the safety and effectiveness of the medical device. 

As further explained by the IMDRF, even when an unsupported component has exploitable vulnerabilities, there can be other compensating controls within or external to the medical device that could significantly reduce the likelihood of exploitation – for example, a network firewall could block or provide controlled limited access to a network port on a medical device which exposes a network vulnerability. At the same time, the manufacturers should not rely solely on firewalls. 

As mentioned before, communications play an important role in ensuring cybersecurity-related risks are properly addressed. In particular, medical device manufacturers should duly communicate important information related to potential risks and corresponding safety controls and precautions to all the parties involved. This includes, inter alia, communicating the date from which the original manufacturer will no longer support the product. 

According to the document, medical device manufacturers are also expected to carry out certain activities during the post-market stage, such as:

  • Collecting, documenting, and responding to customer complaints (including servicing);
  • Reporting adverse events/incidents as required by regulators;
  • Performing field safety corrective actions if necessary;
  • Engaging in proactive risk management, including vulnerability management;
  • Engaging in reactive risk management, including vulnerability management. 

Under the general rule, a medical device manufacturer should continue monitoring the product’s risk profile changes until the end of the support date. This includes notifying other parties involved of the most important changes that could potentially affect the performance of the product or the safety of patients. 

In certain cases, the period during which the device is supported by its manufacturer could be extended based on the agreement between the medical device manufacturer and the healthcare provider.

Recommendations: Healthcare Providers

Apart from recommendations to be considered by medical device manufacturers, the document also provides recommendations to be followed by healthcare providers using the device. According to the document, the risks associated with a medical device could evolve over time. Consequently, the approach to be applied to mitigate such risks should evolve as well to ensure the risks are properly addressed. The IMDRF additionally emphasizes that a healthcare provider’s responsibility increases as the device is being used. 

In this respect, the document highlights the following key points:

  1. Baseline Security Considerations:
      • Applying network security controls to devices by assessing the importance and criticality of devices through a risk assessment process;
      • Performing a risk assessment to identify critical devices, which may also require additional network and physical controls and regular monitoring;
      • Maintaining active communication with medical device manufacturers for support and patching recommendations;
      • Employing configuration management to identify all current assets, data flows and track future configuration changes;
      • Maintaining IT security monitoring and patching processes that support cyber hygiene and vulnerability remediation.

Apart from the above, the document also outlines considerations related to the operating environment, access controls, network segmentation, multifactor authentication, monitoring, and inventory.

In summary, the present IMDRF guidance describes in detail the support stage of the total product life cycle. The document highlights the key aspects related to the responsibilities of the parties involved and emphasizes the ones that may impact the safety of patients.
