IMDRF proposes legacy device cybersecurity guidance after stakeholder feedback

Regulatory News | 06 May 2022

[Photo: Kevin Fu (left) and Aftin Ross of the FDA.]

Communication between manufacturers and healthcare providers is key to keeping patients with legacy medical devices safe, according to proposed cybersecurity guidance from the International Medical Device Regulators Forum (IMDRF). The draft is the result of feedback on a 2020 guidance that stakeholders said did not sufficiently address legacy products.
The draft guidance, published 4 May, outlines what is considered a legacy device, and how stakeholders can keep them safe from cybersecurity threats. The guidance follows the 2020 IMDRF document, which included a framework for legacy devices, but was intended to broadly outline how medical devices in general can be designed and maintained.
Aftin Ross, senior special advisor for emerging initiatives at the US Food and Drug Administration (FDA), told Regulatory Focus that, after the 2020 guidance was published, stakeholders asked for more details on legacy products.
“We were getting a lot of questions about the legacy framework, how it would actually be implemented and looking for more granularity,” said Ross, who also serves on the IMDRF’s cybersecurity work group. As a result, IMDRF decided legacy devices needed their own guidance.
Legacy devices have been a major headache for regulators and other stakeholders because they often come from a time when cybersecurity was not a consideration or because threats have evolved to a point where their countermeasures are no longer effective. As a result, IMDRF acknowledges that legacy devices need further considerations compared to newer products to ensure cybersecurity over their total product lifecycle (TPLC).
“It is important to note, however, that device age is not a sole determinant of whether a device is legacy,” the guidance states. “In other words, a newer device that cannot be reasonably protected against current cybersecurity threats, irrespective of its age, would still be considered legacy. In organizations lacking the staff and resources to adequately execute TPLC plans, which is not uncommon, these legacy devices and their associated risks can persist indefinitely.”
The guidance lists the various stages of a legacy device’s TPLC, from development through end of support. At every stage, the guidance outlines how manufacturers and healthcare providers should communicate to ensure they understand each other’s responsibilities.
“We know that medical technologies can stay in the field much longer than have been intended… in some parts it's because those devices still function,” said Ross.
She said part of the reason IMDRF decided to publish the document was to provide recommendations to healthcare organizations on what they may want to consider if they decide to continue using connected devices beyond their expected lifecycles.
“It's [also] really just to get people thinking about, even at the time that they're buying, what that life cycle of support might look like, because every device that comes out today at some point is going to be a legacy device,” Ross added.
Kevin Fu, acting cybersecurity director at the FDA Center for Devices and Radiological Health, echoed the importance of the proposed IMDRF guidance.
"I just think it's so good to have this proposed document out there because a lot of these topics need to come out in the open rather than sort of pretend there aren't issues with legacy devices,” he told Regulatory Focus. “I like how this document becomes much more specific on that for both the health care delivery stakeholders and the medical device manufacturer stakeholders."
In the past, manufacturers have often stated that they can’t reasonably be expected to provide cybersecurity support to legacy devices indefinitely and have instead said customers should buy newer versions of their devices to get better cybersecurity protections.
Fu notes that the guidance parses the cybersecurity TPLC of medical devices into four stages, which he hopes will become normal vernacular for manufacturers and healthcare providers when thinking about the life of a product. In the guidance, regulators say the ideal time to discuss when a manufacturer will no longer provide support for a product is during the procurement phase.
The main takeaway for manufacturers, according to Ross, is that they need to think about the cybersecurity of their products through a TPLC lens and communicate to customers what services they plan to provide during that timeframe. Ultimately, she says, the process is meant to be a partnership between manufacturers and providers so they can help each other keep their products safe. Manufacturers “can’t just wash their hands” without providing risk information so the end user can make the most informed decision, she added.
“So communicate, communicate, communicate and provide what documentation you have to support that risk management,” she said.
Fu echoed those sentiments.
“With the communications, I think of the words transparency and responsibility, and understanding who's responsible and risk management,” he added.
Ross noted that the IMDRF cybersecurity work group is accepting stakeholder feedback on the guidance through the end of the summer and plans on submitting a final draft to IMDRF’s management committee in the beginning of 2023. If it’s approved by the committee, stakeholders may expect the final draft to be publicly published as early as next spring.
While IMDRF works on finalizing its legacy medical device cybersecurity guidance, the US Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is also developing legacy medical device cybersecurity guidance that is meant to be complementary to the IMDRF document and to provide even more granularity, according to Ross.
“We do have stakeholders who are participating in the [HSCC] effort who are participating in the [IMDRF] effort as well,” she said, “And my understanding is that effort will go into additional granularity with regard to some of these best practices and will also seek to address… already existing legacy devices.”
Ross noted that, unlike with other IMDRF documents, the group realized it needed healthcare provider input in developing the guidance.
“I think that was really helpful in the development [of the document] and I think it was also really helpful for manufacturers to hear directly what some of the concerns were from the healthcare providers,” she said. “And I think that helped to make this a richer, balanced document.” 
Ross also noted that the IMDRF cybersecurity working group is drafting a document to address the software bill of materials (SBOM), another major topic in medical device cybersecurity.
© 2023 Regulatory Affairs Professionals Society.