By Robert Kerwin
In the wake of the enormous increase in cybersecurity incidents, medical device regulators worldwide have been engaged in the development of premarket and postmarket guidance outlining cybersecurity expectations.
In March, the International Medical Device Regulators Forum (“IMDRF”) released the guidance, “Principles and Practices for Medical Device Cybersecurity.”
It is the first IMDRF guidance document to focus exclusively on medical device cybersecurity. Because it is a consensus document produced by an IMDRF Working Group, it is expected to contribute greatly to much of the ongoing industry cyber standards work.
In 2011, following the cessation of the Global Harmonization Task Force, the IMDRF was conceived as a forum to discuss future directions of regulatory harmonization and convergence. It is a voluntary group of regulators committed to strategically accelerating the international harmonization of medical device regulations. The IMDRF members include the United States, Europe, China, Japan, Russia, Canada, Brazil, and Australia. Official Observers include the World Health Organization.
The March IMDRF Guidance now provides recommendations to stakeholders on the general principles and best practices for medical device cybersecurity. The IMDRF Working Group chairs for the project were Suzanne Schwartz of the FDA and Marc Lamoureux of Health Canada. The Guidance includes recommendations to minimize cybersecurity risks and to ensure maintenance and continuity of device safety and performance. Note: with respect to safe and effective design/manufacture of medical devices, the March IMDRF Guidance acknowledges that this guidance should be considered in conjunction with the IMDRF Essential Principles Guidance.
The March IMDRF Guidance addresses cybersecurity in the context of devices that either contain software or exist as software only. The scope of the guidance is expressly limited to consideration of the “potential for patient harm.” While recognizing the importance of cybersecurity for a manufacturer’s enterprise and for harms associated with breaches of data privacy, these are not considered in its scope. Among the key takeaways:
• Total product lifecycle (TPLC) risks.
Risks associated with cybersecurity threats and vulnerabilities should be considered throughout all phases in the TPLC (initial conception to end of support);