October 2, 2019
by Zachary Brennan

IMDRF Offers New Guidance on Cybersecurity

In its first guidance document to deal exclusively with the cybersecurity of medical devices, the International Medical Device Regulators Forum (IMDRF) this week released new general principles and best practices to facilitate better international regulatory convergence on the topic.

The 45-page guidance document, developed by a working group led by officials from the US Food and Drug Administration (FDA) and Health Canada, includes both pre-market and post-market cybersecurity considerations for manufacturers, regulators, health providers and other stakeholders.

On the pre-market end, IMDRF includes recommendations on risk management, security testing and regulatory submission requirements where manufacturers can document their cybersecurity activities.

“Should the regulator require cybersecurity documentation for pre-market authorization, the manufacturer is encouraged to submit clear documentation describing, in relation to cybersecurity, the device’s design features, risk management activities, testing, labelling, and evidence of a post-market plan to monitor and respond to emerging threats,” IMDRF explains.

On the post-market end, the draft discusses measures to enhance transparency for different stakeholders, such as via coordinated vulnerability disclosure. The draft also features discussions on vulnerability remediation and incident response, among other topics.

“As vulnerabilities change over time, pre-market controls designed and implemented may be inadequate to maintain an acceptable risk profile; therefore, a post-market approach is necessary in which multiple stakeholders play a role. This post-market approach includes various elements and include: the operation of the device in the intended environment, information sharing, coordinated vulnerability disclosure, vulnerability remediation, incident response, and legacy devices,” IMDRF explains.

Stakeholders have until 2 December to comment on the IMDRF draft guidance.

The release of the draft coincides with a warning issued Tuesday by FDA regarding various cybersecurity vulnerabilities that may allow for remote control of a range of medical devices and/or changes that may prevent devices from functioning properly.

IMDRF Principles and Practices for Medical Device Cybersecurity
 