IMDRF Offers New Guidance on Cybersecurity

In its first guidance document to deal exclusively with the cybersecurity of medical devices, the International Medical Device Regulators Forum (IMDRF) this week released new general principles and best practices to facilitate better international regulatory convergence on the topic.

The 45-page guidance document, developed by a working group led by officials from the US Food and Drug Administration (FDA) and Health Canada, includes both pre-market and post-market cybersecurity considerations for manufacturers, regulators, health providers and other stakeholders.

On the pre-market end, IMDRF includes recommendations on risk management, security testing and regulatory submission requirements where manufacturers can document their cybersecurity activities.

“Should the regulator require cybersecurity documentation for pre-market authorization, the manufacturer is encouraged to submit clear documentation describing, in relation to cybersecurity, the device’s design features, risk management activities, testing, labelling, and evidence of a post-market plan to monitor and respond to emerging threats,” IMDRF explains.

On the post-market end, the draft discusses measures to enhance transparency for different stakeholders, such as via coordinated vulnerability disclosure. The draft also features discussions on vulnerability remediation and incident response, among other topics.

“As vulnerabilities change over time, pre-market controls designed and implemented may be inadequate to maintain an acceptable risk profile; therefore, a post-market approach is necessary in which multiple stakeholders play a role. This post-market approach includes various elements and include: the operation of the device in the intended environment, information sharing, coordinated vulnerability disclosure, vulnerability remediation, incident response, and legacy devices,” IMDRF explains.

Stakeholders have until 2 December to comment on the IMDRF draft guidance.

And the release of the draft coincides with a warning issued Tuesday by FDA regarding various cybersecurity vulnerabilities that may allow for remote control of a range of medical devices and/or changes that may prevent devices from functioning properly.

IMDRF Principles and Practices for Medical Device Cybersecurity