By Robert Kerwin
In the wake of the enormous increase in cybersecurity incidents, medical device regulators worldwide have been engaged in the development of premarket and postmarket guidance outlining cybersecurity expectations.
In March, the International Medical Device Regulators Forum (“IMDRF”) released the guidance, “Principles and Practices for Medical Device Cybersecurity.”
It is the first IMDRF guidance document to focus exclusively on medical device cybersecurity. Because it is a consensus document produced by an IMDRF Working Group, it is expected to contribute greatly to much of the ongoing industry cyber standards work.
In 2011, following the cessation of the Global Harmonization Task Force, the IMDRF was conceived as a forum to discuss future directions of regulatory harmonization and convergence. It is a voluntary group composed of regulators. The regulators are committed to accelerating strategically the international harmonization of medical device regulations. The IMDRF members include the United States, Europe, China, Japan, Russia, Canada, Brazil, and Australia. Official Observers include the World Health Organization.
The March IMDRF Guidance now provides recommendations to stakeholders on the general principles and best practices for medical device cybersecurity. The IMDRF Working Group chairs for the project were Suzanne Schwartz of the FDA and Marc Lamoureux of Health Canada. The Guidance includes recommendations to minimize cybersecurity risks and to ensure maintenance and continuity of device safety and performance. Note: with respect to safe and effective design/manufacture of medical devices, the March IMDRF Guidance acknowledges that this guidance should be considered in conjunction with the IMDRF Essential Principles Guidance.
The March IMDRF Guidance addresses cybersecurity in the context of devices that either contain software or exist as software only. The scope of the guidance is expressly limited to consideration of the “potential for patient harm.” While recognizing the importance of cybersecurity for a manufacturer’s enterprise and for harms associated with breaches of data privacy, these are not considered in its scope. Among the key takeaways:
• Total product lifecycle risks.
Risks associated with cybersecurity threats and vulnerabilities should be considered throughout all phases in the TPLC (initial conception to end of support).
• Shared responsibility.
Device cybersecurity is a shared responsibility between the manufacturer, healthcare provider, users, regulator, and vulnerability finders. All stakeholders are expected to “understand their responsibilities to work with other stakeholders to continuously monitor, assess, mitigate, communicate and respond to potential cybersecurity risks and threats throughout the life cycle of the medical device.”
• Information sharing.
The guidance notes: “[c]ybersecurity information sharing is a foundational principle in the TPLC approach to safe and secure medical devices”. The guidance specifically encourages stakeholders to participate in Information Sharing Analysis Organizations to foster collaboration and communication as to cybersecurity incidents and threats.
Of particular interest and concern, the guidance addresses a conceptual framework where legacy medical devices that cannot be protected are decommissioned/phased out of existence. The guidance provides that no cyber support should be expected for a medical device past the established cybersecurity "End of Support" date.
The Guidance does acknowledge, importantly, that “compensating controls may be able to provide some level of protection. In the presence of available and successfully deployed compensating controls the medical device would not be considered legacy per this framework.” This is an important clarification, as there are reportedly available nano-segmentation and other solutions which may prevent health data security risks.
Several other important takeaways are provided in the guidance including the recommendation to establish clear points of contact with device manufacturers on vulnerabilities. This 46-page IMDRF guidance is an important read for those searching for a crystal ball to better understand regulator cybersecurity expectations.
About the author: Robert Kerwin is general counsel to IAMERS, the International Association of Medical Equipment Remarketers and Servicers, Inc.