
April 13, 2023
by Ferdous Al-Faruque

IMDRF guidances address cybersecurity, personalized devices and surveillance

The International Medical Device Regulators Forum (IMDRF) released four final guidances this week that address cybersecurity best practices, verification and validation for personalized medical devices and post-market surveillance communication between regulators.
 
In 2020, IMDRF published a guidance entitled Principles and Practices for Medical Device Cybersecurity (N60), which addresses basic expectations for medical device cybersecurity practices. The organization has now published two new cybersecurity guidances that build on N60: one on the software bill of materials (SBOM) and one on how to mitigate risks for legacy devices.
 
In 2018, the US National Telecommunications and Information Administration (NTIA) held a meeting with stakeholders to discuss software transparency, which led it to recommend the use of SBOMs. An SBOM is a list of the software components in a device that may affect the cybersecurity of the product.
 
The SBOM guidance, published on 13 April, describes what an SBOM is on a “high-level” and includes best practices for medical device manufacturers when developing products.
 
“The SBOM is a resource which can be leveraged to improve cybersecurity risk management processes in both pre-market and post-market activities (i.e., the Total Product Lifecycle or TPLC),” IMDRF said in the guidance. “In the post-market, [medical device manufacturers] can use SBOM as a resource to supplement their vulnerability monitoring processes to identify at-risk devices released in the market.”
 
The organization said the guidance is meant to provide greater detail on how SBOMs can be implemented and how to ensure there is software transparency for stakeholders such as regulators.
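The post-market use the guidance describes, matching a fielded device's SBOM against vulnerability advisories to find at-risk devices, can be demonstrated with a small script. The following is an added example, not code from IMDRF or from the article; the device records, component names, version numbers and advisory identifiers are all constructed placeholders, and the SBOM structure is a simplified stand-in for a real SBOM format rather than any particular standard.

```python
"""Added example: use per-device SBOMs to identify fielded devices whose
components fall in a vulnerability advisory's affected version range.
All data below is constructed sample data, not real devices or advisories."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    version: str  # assumption: dotted numeric versions only, e.g. "1.2.0"


@dataclass
class DeviceSbom:
    device_id: str
    model: str
    components: list[Component] = field(default_factory=list)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" means no fix yet


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True if the component name matches and its version lies in
    [introduced, fixed), or at/after introduced when no fix exists."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def find_at_risk_devices(devices: list[DeviceSbom], advisories: list[Advisory]) -> dict[str, list[tuple[str, str]]]:
    """Return {device_id: [("component@version", advisory_id), ...]} for every
    device whose SBOM lists a component in an advisory's affected range.
    Devices with no findings are omitted."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for dev in devices:
        for comp in dev.components:
            for adv in advisories:
                if is_affected(comp, adv):
                    hits.setdefault(dev.device_id, []).append(
                        (f"{comp.name}@{comp.version}", adv.advisory_id)
                    )
    return hits


# Constructed sample: three fielded devices with simplified SBOMs.
DEVICES = [
    DeviceSbom("INFUSION-0001", "Pump-A", [Component("libtls", "1.1.5"), Component("xmlparse", "2.9.10")]),
    DeviceSbom("INFUSION-0002", "Pump-A", [Component("libtls", "1.2.0"), Component("xmlparse", "2.8.4")]),
    DeviceSbom("MONITOR-0003", "Monitor-B", [Component("busybox", "1.35.0"), Component("xmlparse", "2.10.1")]),
]

# Constructed sample advisories (placeholder ids, not real CVEs).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "libtls", introduced="1.0.0", fixed="1.2.0"),
    Advisory("ADV-EXAMPLE-002", "xmlparse", introduced="2.9.0", fixed=""),  # no fix available yet
]

if __name__ == "__main__":
    for device_id, findings in find_at_risk_devices(DEVICES, ADVISORIES).items():
        print(device_id, findings)
```

Note that INFUSION-0002 is not flagged even though it runs the same model as INFUSION-0001: its libtls is exactly the first fixed version and its xmlparse predates the affected range, which is the per-device precision an SBOM adds over a model-level inventory.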
 
IMDRF noted that the guidance does not address other SBOM-related issues or those related to use of cloud computing.
 
“Cloud services that are a component of the regulated medical device system may also present a risk to safety and effectiveness,” the organization said. “Manufacturers of regulated medical devices should be aware that cloud services and cloud software must also be reviewed in risk evaluations.”
 
The legacy devices cybersecurity guidance, published on 11 April, focuses on how to apply a TPLC approach to legacy devices. Such devices may present risks to patients because those risks cannot be sufficiently mitigated through steps such as software updates, and the devices may contain insufficient or no security controls.
 
IMDRF noted that while modern medical devices often have better cybersecurity than older ones, there are many modern devices that were not designed with adequate cybersecurity considerations and with measures to ensure their security during their useful lifespan.
 
“It is important to note, however, that device age is not a sole determinant of whether a device is legacy,” said IMDRF. “In other words, a newer device that cannot be reasonably protected against current cybersecurity threats, irrespective of its age, would still be considered legacy in the context of cybersecurity.”
 
“In organizations lacking the staff and resources to adequately execute TPLC plans, which is not uncommon, these legacy devices and their associated risks can persist indefinitely,” the organization added.
 
With that in mind, the guidance discusses how stakeholders can identify potential legacy devices, and different ways to address their cybersecurity shortcomings. IMDRF said it is meant to provide a variety of options without “distorting each jurisdiction’s regulatory system.”
 
IMDRF also published a guidance on verification and validation of personalized medical devices on 11 April, as well as a guidance on procedures and forms for exchanging post-market surveillance reports between IMDRF members.
 
The personalized devices guidance is meant to harmonize verification and validation aspects of patient-matched medical devices and medical device production systems (MDPS) across regulatory regimes. IMDRF said that having consistent and harmonized requirements can help reduce costs and resource use, not just for manufacturers trying to get their product on shelves across several markets but also for the regulatory authorities (RAs) and conformity assessment bodies (CABs) that oversee such products.
 
This latest guidance grew out of IMDRF’s guidance entitled Definitions for Personalized Medical Devices (N49), which created harmonized definitions for various categories of personalized medical devices (PMDs), and its Personalized Medical Devices – Regulatory Pathways (N58) document, which provides recommendations on regulatory pathways for different categories of PMDs.
 
“The present guidance is a continuation of these two documents (N49 and N58) and is intended for use by industry, RAs, CABs, and others,” said IMDRF. “[It] further provides considerations for near or at point-of-care (defined as POC throughout this document) manufacturing and different models of regulatory oversight (manufacturing under special arrangements, MDPSs, fully regulated manufacturing) that may be implemented to ensure the quality, safety and performance of the medical devices produced.”
 
The guidance is laid out in two parts. The first half of the guidance provides technical considerations for verifying and validating different aspects of the design of PMDs while the second half does the same for MDPS.
 
The post-market surveillance reports guidance addresses two-way communication of confidential information about serious public health issues between certain regulatory agencies.
 
It details the criteria to be used for deciding when to exchange information, the procedures to follow when exchanging information, the forms to use for exchanging information and the requirements for participating in the National Competent Authority Report (NCAR) Exchange Program.
 
“The NCAR Exchange Program will be used to exchange information relating to significant concerns or potential trends that individual authorities have observed in their jurisdictions but have not yet resulted in recalls or Field Safety Corrective Actions (FSCAs),” the guidance states.
 
Currently, the program is limited to the IMDRF Management Committee (MC) regulators from Australia, Brazil, Canada, China, Europe, Japan, Russia, Singapore, South Korea and the US. However, the guidance outlines a process for other IMDRF members to ask to participate in the NCAR Exchange Program.