New IMDRF cybersecurity guidance: Crystal ball on regulator expectations

June 04, 2020
By Robert Kerwin

In the wake of the enormous increase in cybersecurity incidents, medical device regulators worldwide have been engaged in the development of premarket and postmarket guidance outlining cybersecurity expectations. In March, the International Medical Device Regulators Forum (“IMDRF”) released the guidance, “Principles and Practices for Medical Device Cybersecurity”.

It is the first IMDRF guidance document to focus exclusively on medical device cybersecurity. Because it is a consensus document produced by an IMDRF Working Group, it is expected to contribute greatly to much of the ongoing industry cyber standards work.

In 2011, following the cessation of the Global Harmonization Task Force, the IMDRF was conceived as a forum to discuss future directions of regulatory harmonization and convergence. It is a voluntary group composed of regulators, who are committed to strategically accelerating the international harmonization of medical device regulations. The IMDRF members include the United States, Europe, China, Japan, Russia, Canada, Brazil, and Australia. Official Observers include the World Health Organization.

The March IMDRF Guidance now provides recommendations to stakeholders on the general principles and best practices for medical device cybersecurity. The IMDRF Working Group chairs for the project were Suzanne Schwartz of the FDA and Marc Lamoureux of Health Canada. The Guidance includes recommendations to minimize cybersecurity risks and to ensure maintenance and continuity of device safety and performance. Note: with respect to safe and effective design/manufacture of medical devices, the March IMDRF Guidance acknowledges that this guidance should be considered in conjunction with the IMDRF Essential Principles Guidance.

The March IMDRF Guidance addresses cybersecurity in the context of devices that either contain software or exist as software only. The scope of the guidance is expressly limited to consideration of the “potential for patient harm.” While recognizing the importance of cybersecurity for a manufacturer’s enterprise and for harms associated with breaches of data privacy, these are not considered in its scope. Among the key takeaways:

Total product lifecycle risks. Risks associated with cybersecurity threats and vulnerabilities should be considered throughout all phases of the total product lifecycle (TPLC), from initial conception to end of support;