IMDRF Guidance on Cybersecurity for Legacy Devices: Limited Support, End of Service and Risk Assessment | RegDesk


The new article describes in detail the approach to be applied with respect to the third and fourth stages of the total product life cycle, as well as to the risk assessment in the context of transition between the stages.


The International Medical Device Regulators Forum (IMDRF), a voluntary association of national medical device regulators that collaborate on improving the existing regulatory framework, has published a guidance document dedicated to cybersecurity in the context of legacy devices. The document gives an overview of the most important aspects to be taken into consideration by all parties involved, and provides additional recommendations to be followed in order to ensure the continued effectiveness of medical devices as well as the safety of patients. At the same time, the document is non-binding in nature and is not intended to introduce new rules or impose new obligations. Moreover, the recommendations provided therein could be subject to change should new information become available to the authorities and the IMDRF.

The IMDRF acknowledges that some medical devices that are lawfully marketed and in use may remain in service longer than their expected useful life, even after their original manufacturers have stopped supporting them. Such devices no longer receive the updates and security patches intended to address newly emerging cybersecurity threats, which exposes the persons using them to additional cybersecurity risk. The present guidance describes the approach to be followed by all parties involved in operating medical devices, including both medical device manufacturers and healthcare institutions, since cybersecurity is the shared responsibility of all parties.

In particular, the document describes in detail specific stages of the Total Product Life Cycle (TPLC) and highlights the most important matters to be considered at each stage from a cybersecurity perspective.

Limited Support

According to the guidance, devices within Limited Support Stage, which is the third stage, are the products that:

  1. Are used for providing patient care, and 
  2. Have been declared EOL by the medical device manufacturer and are not currently marketed or sold by their respective medical device manufacturer, or
  3. Contain software, firmware, or programmable hardware components (e.g., CPU) which (a) are not supported by their developers and (b) whose risks to device safety and effectiveness are mitigated resulting in a device that can be reasonably protected against current cybersecurity threats. 

As further explained by the IMDRF, at this stage medical device manufacturers remain responsible for addressing cybersecurity threats wherever possible. For instance, where it is not feasible for the original manufacturer to develop updates itself, compatible third-party products could be used.

During this stage, the device relies heavily on the security measures and controls incorporated by design. At the same time, the original manufacturer should duly inform users about any limitations or threats that may still exist, and communicate what additional protective measures should be taken. Compared with products in the second stage, devices in the third stage quite often require additional compensating controls.

End of Service

The fourth – End of Service (EOS) – stage applies to medical devices that:

  • Are in use for providing patient care, and
  • Have been declared EOS by the medical device manufacturer and are not currently marketed or sold by their respective medical device manufacturer, or
  • Contain software, firmware, or programmable hardware components (e.g., CPU) which (a) are not supported by their developers and (b) whose risks to device safety and effectiveness are not mitigated resulting in a device that cannot be reasonably protected against current cybersecurity threats. 

It is also stated that medical device manufacturers should inform the users that the device in question will no longer be supported, and also communicate information about potential risks and ways they can be mitigated.

Risk Assessment

The document also describes the approach to be applied when assessing risk in order to trigger a transition between life cycle stages. In particular, the IMDRF notes that the date at which a medical device reaches EOS and the dates at which its software components do so may differ: a third-party software component may be known, at the time the device is sold, to have a shorter supported lifetime than the device, or it may suddenly be declared unsupported years before the manufacturer's announced End of Service date for the device. Thus, where the end of support of a third-party software component is known in advance, the manufacturer should develop plans covering the risks that will arise. The IMDRF additionally emphasizes the importance of managing the risks associated with a sudden EOS declaration for a component that is not synchronized with the EOS of the device itself. In this respect, the following approach should be considered:

  • If a single component within a device becomes EOL/EOS, this serves as a trigger for the medical device manufacturer (MDM) to perform a risk assessment to determine whether patient safety risks arise and, if so, of what kind. 
  • If there are patient safety impacts and the device is in the Support Stage, MDMs should attempt to mitigate the risk of the unsupported component via an update or other design change. 
  • If there are patient safety impacts and the device is in the Limited Support Stage, MDMs should attempt to mitigate the risk of the unsupported component (e.g., via a design change or compensating control). 
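The trigger rules above lend themselves to a mechanical check over a device's component inventory: compare each component's published support end date with the device's announced EOS date to find the gaps that can be planned for in advance, and, when a component becomes unsupported, map the device's current stage to the action the guidance recommends. The script below is an added illustration of that check, not IMDRF text and not RegDesk code; the component names, versions, dates, the `patient_safety_impact` flag (which stands in for the outcome of the MDM's own risk assessment) and the wording of the action strings are all constructed for the example.

```python
"""Support-horizon check for a medical device's software component inventory.

Added example (not from the IMDRF guidance or RegDesk). All components,
dates and flags below are constructed; the stage names follow the guidance,
the numeric stage order is only used for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

# Life cycle stages named in the guidance (second, third and fourth stages).
SUPPORT = "Support"
LIMITED_SUPPORT = "Limited Support"
END_OF_SERVICE = "End of Service"


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    support_end: Optional[date]    # None: the developer has published no end date
    patient_safety_impact: bool    # assumed result of the MDM's risk assessment


@dataclass(frozen=True)
class Device:
    model: str
    stage: str
    eos_date: date                 # EOS date announced by the MDM for the device
    components: Tuple[Component, ...]


def components_ending_before_device_eos(device: Device) -> List[Component]:
    """Components known in advance to lose support before the device's EOS.

    These are the gaps the guidance says the MDM should plan for up front,
    because the device will still be in Support or Limited Support when the
    component is no longer maintained."""
    return [c for c in device.components
            if c.support_end is not None and c.support_end < device.eos_date]


def components_without_support_date(device: Device) -> List[Component]:
    """Components whose support end is unknown: they can only be handled
    reactively, i.e. via the sudden-EOS trigger, so they deserve monitoring."""
    return [c for c in device.components if c.support_end is None]


def recommended_action(device: Device, component: Component) -> str:
    """Map the guidance's trigger rules (stage x patient safety impact) to an action."""
    if not component.patient_safety_impact:
        return "record the assessment; no patient safety impact identified"
    if device.stage == SUPPORT:
        return "mitigate via an update or other design change"
    if device.stage == LIMITED_SUPPORT:
        return "mitigate via a design change or compensating control"
    # Assumption for the example: at End of Service the guidance only
    # requires communicating residual risk and mitigations to users.
    return "inform users of the residual risk and available mitigations"


def assess(device: Device, today: date) -> List[Tuple[str, int, str]]:
    """Run the trigger: every component unsupported as of `today` yields
    (component name, days between component EOS and device EOS, action)."""
    findings = []
    for c in device.components:
        if c.support_end is not None and c.support_end <= today:
            gap_days = (device.eos_date - c.support_end).days
            findings.append((c.name, gap_days, recommended_action(device, c)))
    return findings


# Constructed sample inventory for a hypothetical infusion pump.
TODAY = date(2024, 3, 1)
DEVICE = Device(
    model="example-pump-100",
    stage=SUPPORT,
    eos_date=date(2028, 12, 31),
    components=(
        Component("embedded-os", "3.1", date(2023, 6, 30), patient_safety_impact=False),
        Component("tls-library", "1.0", date(2024, 1, 1), patient_safety_impact=True),
        Component("motor-controller-fw", "2.4", None, patient_safety_impact=True),
        Component("database-engine", "5.2", date(2026, 9, 30), patient_safety_impact=True),
    ),
)
# Same device after the MDM declares it EOL and moves it to Limited Support.
DEVICE_LIMITED = replace(DEVICE, stage=LIMITED_SUPPORT)


if __name__ == "__main__":
    print("plan ahead for:", [c.name for c in components_ending_before_device_eos(DEVICE)])
    print("monitor (no end date):", [c.name for c in components_without_support_date(DEVICE)])
    for name, gap, action in assess(DEVICE, TODAY):
        print(f"{name}: unsupported {gap} days before device EOS -> {action}")
```

Run against the constructed inventory, the script reports the operating system, TLS library and database engine as components that will outlive their support before the device does (the first two already have), flags the motor controller firmware as unmonitorable by date alone, and recommends an update or design change for the TLS library while the device is still in the Support stage; re-running `assess` on `DEVICE_LIMITED` switches that recommendation to a design change or compensating control.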

In summary, the present IMDRF guidance document describes in detail the approach to be applied in the context of risk assessment and also provides additional clarifications regarding the “Limited Support” and “End of Service” stages of the total product life cycle. The document emphasizes the importance of introducing additional measures necessary to ensure the safety and proper performance of a medical device when it is no longer supported by the manufacturer.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.
