New IMDRF cybersecurity guidance: Crystal ball on regulator expectations

New IMDRF cybersecurity guidance: Crystal ball on regulator expectations

June 04, 2020
Business Affairs Parts And Service
Shared responsibility. Device cybersecurity is a shared responsibility between the manufacturer, healthcare provider, users, regulator, and vulnerability finders. All stakeholders are expected to “understand their responsibilities to work with other stakeholders to continuously monitor, assess, mitigate, communicate and respond to potential cybersecurity risks and threats throughout the life cycle of the medical device.”
Information sharing. The guidance notes: “[c]ybersecurity information sharing is a foundational principle in the TPLC approach to safe and secure medical devices”. The guidance specifically encourages stakeholders to participate in Information Sharing Analysis Organizations to foster collaboration and communication as to cybersecurity incidents and threats.

Of particular interest and concern, the guidance addresses a conceptual framework where legacy medical devices that cannot be protected are decommissioned/phased out of existence. The guidance provides that no cyber support should be expected for medical device past the established cybersecurity "End of Support" date.

Servicing GE/Siemens Nuclear Medicine equipment with OEM trained engineers

Numed, a well established company in business since 1975 provides a wide range of service options including time & material service, PM only contracts, full service contracts, labor only contracts & system relocation. Call 800 96 Numed for more info.


The Guidance does acknowledge, importantly, that “compensating controls may be able to provide some level of protection. In the presence of available and successfully deployed compensating controls the medical device would not be considered legacy per this framework.” This is an important clarification, as there are reportedly available nano-segmentation and other solutions which may prevent health data security risks.

Robert Kerwin
Several other important takeaways are provided in the guidance including the recommendation to establish clear points of contact with device manufacturers on vulnerabilities. This 46-page IMDRF guidance is an important read for those searching for a crystal ball to better understand regulator cybersecurity expectations.

About the author: Robert Kerwin is general counsel to IAMERS, the International Association of Medical Equipment Remarketers and Servicers, Inc.

Back to HCB News

You Must Be Logged In To Post A Comment