• Shared responsibility.
Device cybersecurity is a shared responsibility between the manufacturer, healthcare provider, users, regulator, and vulnerability finders. All stakeholders are expected to “understand their responsibilities to work with other stakeholders to continuously monitor, assess, mitigate, communicate and respond to potential cybersecurity risks and threats throughout the life cycle of the medical device.”
• Information sharing.
The guidance notes: “[c]ybersecurity information sharing is a foundational principle in the TPLC approach to safe and secure medical devices”. The guidance specifically encourages stakeholders to participate in Information Sharing Analysis Organizations to foster collaboration and communication as to cybersecurity incidents and threats.
Of particular interest and concern, the guidance addresses a conceptual framework where legacy medical devices that cannot be protected are decommissioned/phased out of existence. The guidance provides that no cyber support should be expected for medical device past the established cybersecurity "End of Support" date.
Special-Pricing Available on Medical Displays, Patient Monitors, Recorders, Printers, Media, Ultrasound Machines, and Cameras.This includes Top Brands such as SONY, BARCO, NDS, NEC, LG, EDAN, EIZO, ELO, FSN, PANASONIC, MITSUBISHI, OLYMPUS, & WIDE.
The Guidance does acknowledge, importantly, that “compensating controls may be able to provide some level of protection. In the presence of available and successfully deployed compensating controls the medical device would not be considered legacy per this framework.” This is an important clarification, as there are reportedly available nano-segmentation and other solutions which may prevent health data security risks.
Several other important takeaways are provided in the guidance including the recommendation to establish clear points of contact with device manufacturers on vulnerabilities. This 46-page IMDRF guidance is an important read for those searching for a crystal ball to better understand regulator cybersecurity expectations.
About the author: Robert Kerwin is general counsel to IAMERS, the International Association of Medical Equipment Remarketers and Servicers, Inc.
Back to HCB News