IMDRF finalizes guidances on cybersecurity, personalized devices and conformity assessment bodies
The International Medical Device Regulators Forum (IMDRF) this week finalized four technical documents covering cybersecurity, personalized devices and conformity assessment bodies.(RELATED: IMDRF Offers New Guidance on Cybersecurity, Regulatory Focus 2 October 2019; IMDRF Seeks Input on Regulatory Pathways for Personalized Medical Devices, Regulatory Focus, 28 May 2019; IMDRF Drafts Requirements for Recognition of Conformity Assessment Bodies, Regulatory Focus 8 August 2019).
Cybersecurity
In its 46-page guide for medical device cybersecurity, IMDRF discusses general principles and practices for device cybersecurity, as well as pre- and postmarket issues for device makers, regulators and other stakeholders to consider.
“Convergence of global healthcare cybersecurity principles and practices is necessary to ensure that patient safety and medical device performance is maintained. To date, however, current disparate regulations across governments lack the global alignment needed to ensure medical device cybersecurity,” IMDRF writes.
The document explains that medical device cybersecurity should follow a total product lifecycle (TPLC) approach with different principles and elements considered at different stages.
On the premarket end, the document discusses security requirements and design, risk management principles, security testing, labeling and considerations for regulatory submissions.
For the postmarket side, the document provides insights on devices in their intended use environment, information sharing, vulnerability disclosures and legacy devices. The document also provides specific postmarket advice factors for device makers, regulators and security researchers.
Personalized medical devices
For personalized medical devices, IMDRF presents a harmonized approach to applying existing regulatory pathways to personalized medical devices and discusses special considerations for regulating different types of personalized devices.
In light of advances in additive and subtractive manufacturing and 3D modeling, which have allowed for the proliferation of more complex personalized devices, IMDRF says a harmonized regulatory approach is needed to ensure adequate regulatory oversight while reducing compliance costs and improving patient access.
With the current myriad approach across jurisdictions, IMDRF says that, “Growing numbers of patients are receiving these medical devices, to meet their particular needs, without there being adequate regulatory oversight in place.”
The document defines three categories of personalized devices: custom-made devices, patient-matched devices and adaptable devices. The document also provides a decision tree for determining which category a device falls under and provides specific recommendations for the regulatory requirements for each type.
Conformity assessment bodies
IMDRF’s 26-page technical document provides recommendations for the requirements regulators should have for recognizing conformity assessment bodies that conduct regulatory reviews for medical devices.
The document is meant to be read alongside another IMDRF document, Competence, Training, and Conduct Requirements for Regulatory Reviewers, and IMDRF says it plans to develop additional documents addressing assessment and recognition for medical device marketing reviews in the future.
“This collection of IMDRF GRRP documents will provide the fundamental building blocks by providing a common set of requirements to be utilized by the regulatory authorities for the recognition and monitoring of entities that perform regulatory reviews and other related functions,” IMDRF writes.
Within the document, IMDRF explains the structural, resource, process, management system and information requirements necessary for recognizing conformity assessment bodies to conduct regulatory reviews for medical devices.
IMDRF