IMDRF guidance covers principles and practices for cybersecurity of legacy medical devices

The International Medical Device Regulators Forum (IMDRF) published last week a document that sets forth foundational security principles and best practices that span the total product life cycle (TPLC) of medical devices. Global adoption of the guidance is predicated on consistent implementation of the recommendations contained within it. Focused attention on some specific challenges in the guidance is important for such implementation and is a natural progression towards further advancing the resilience of medical device cybersecurity throughout the TPLC.

Titled ‘Principles and Practices for Medical Device Cybersecurity’ and also referred to as ‘IMDRF N60 guidance,’ the document considers cybersecurity in the context of legacy medical devices that either contain software, including firmware and programmable logic controllers (such as pacemakers and infusion pumps), or exist as software only, such as software as a medical device (SaMD).

It is important to note that due to most regulators’ authority over medical device safety and performance, the scope of this guidance is limited to consideration of the potential for patient harm. For example, threats that could impact performance, negatively affect clinical operations, or result in diagnostic or therapeutic errors are considered in the scope of this document. While other types of harm, such as those associated with breaches of data privacy, are important, they are not considered within the scope of this document. 

To transition from this current state into a more ideal future state, the IMDRF N60 guidance proposed a TPLC framework for legacy devices. A key characteristic of this framework is effective communication between MDMs (medical device manufacturers) and HCPs (Healthcare professionals) to allow for the timely and planned introduction and decommission of devices to minimize the number of legacy devices remaining in use. While beyond the scope of this guidance, MDMs and HCPs should communicate life cycle stage information to patients where relevant. 

Specifically, the IMDRF document is intended to explain legacy medical device cybersecurity within the context of the TPLC framework comprising development, support, limited support, and end of support (EOS), with clearly defined responsibilities for MDMs and HCPs at each stage. It also looks at providing recommendations for MDMs and HCPs in communication including vulnerability management, risk management, and transfer of responsibility to the HCP, and delivering recommendations regarding compensating controls after EOS. It also offers implementation considerations for MDMs and HCPs in addressing existing legacy devices that were developed prior to the TPLC Framework for medical device cybersecurity and are still in use.

Echoing the preceding IMDRF N60 guidance, the document states that it “continues to recognize that cybersecurity is a shared responsibility among all stakeholders, including, but not limited to, MDMs and distributors, HCPs, users, regulators, and software vendors. It is important to note that differences across medical device types and regulatory jurisdictions may give rise to specific circumstances where additional considerations are required.”

The current IMDRF guidance provides a list of general principles for legacy devices for all stakeholders to consider when developing, regulating, using, and monitoring medical devices. These general principles are foundational to the improvement of the cybersecurity posture of health systems around the world that include legacy devices. 

The guidance lays down that risks associated with cybersecurity threats and vulnerabilities should be considered throughout all stages in the life of a medical device, from development to EOS, particularly when it comes to risk management, communication, and transfer of responsibility. In practice, clinical life may extend beyond EOS: decommissioning could occur some time after EOS if an HCP decides to continue using the device, and in many cases the clinical utility of a device exceeds its supportability.

It should be acknowledged by all stakeholders that a medical device should have a planned life cycle for cybersecurity that includes the TPLC stages of development, support, limited support, and EOS, the IMDRF guidance said. Limited support is a transitional period for the MDM and HCP to coordinate and prepare for the eventual transition to EOS or product upgrade/replacement. EOS is considered the time point where the responsibility for the cybersecurity of a medical device is primarily transferred to the HCP.

After EOS, the MDM may still be responsible for certain post-market activities dependent upon jurisdictional regulations, the guidance added. There will be numerous activities related to communications, risk management, and transfer of responsibility that occur over time in the lead-up to the medical device EOS to ensure that MDMs and HCPs can adequately prepare for each life cycle stage.

The IMDRF guidance lays down that effective protection against threats requires open and transparent communication between stakeholders. MDMs are expected to plan for EOL (End of Life) and EOS. MDMs should strive to communicate when to expect EOL and EOS as soon as possible, even as a part of device procurement and installation. Early awareness enables users to appropriately plan for EOL and EOS dates by obtaining information from the MDM to inform the next steps regarding device maintenance.

Using this information, the HCP would either decommission the device or assume additional responsibility for maintaining its security. Throughout the document, recommendations related to communications either from the MDM or the HCP should be understood to involve active outreach and/or engagement between these parties or other stakeholders.

The IMDRF guidance outlines that medical device cybersecurity is a shared responsibility between stakeholders, notably between MDMs and HCPs. This shared responsibility is particularly important when it comes to legacy devices. “To appropriately manage risk for legacy devices, MDMs should design their devices in a way that optimizes cybersecurity in the Support Stage and minimizes security risk after EOS in the future.” 

Furthermore, it added that HCPs should actively engage with MDMs to obtain an SBOM (Software Bill of Materials), ensure that the device operates with appropriate cybersecurity safeguards as recommended by the MDM (including associated IT infrastructure), ensure that those cybersecurity safeguards are maintained, and plan for the device’s EOS date. 

Last month, the U.S. Food and Drug Administration (FDA), an agency of the Department of Health & Human Services (HHS), published final guidance establishing new cybersecurity requirements for cyber devices, including the information that a sponsor of a premarket submission for a cyber device must provide in its submission.

Ahead of the FDA release, the U.S. Healthcare and Public Health Sector Coordinating Council (HSCC) released ‘Model Contract Language,’ which provides a reference for shared cooperation and coordination between healthcare delivery organizations (HDOs) and MDMs. The template addresses the security, compliance, management, operation, and services of MDM-managed medical devices, solutions, and connections.
