The International Medical Device Regulators Forum (IMDRF) has released its draft guidance document dealing with the cybersecurity of medical devices. The draft, titled ‘Principles and Practices for Medical Device Cybersecurity’, is intended to facilitate better international regulatory convergence on the topic.
The 45-page guidance document, developed by a working group led by officials from the US Food and Drug Administration (FDA) and Health Canada, includes both pre-market and post-market cybersecurity considerations for manufacturers, regulators, health providers and other stakeholders.
“Should the regulator require cybersecurity documentation for pre-market authorization, the manufacturer is encouraged to submit clear documentation describing, in relation to cybersecurity, the device’s design features, risk management activities, testing, labelling, and evidence of a post-market plan to monitor and respond to emerging threats”, the document explains.
The draft also discusses vulnerability remediation and incident response, explaining: “As vulnerabilities change over time, pre-market controls designed and implemented may be inadequate to maintain an acceptable risk profile; therefore, a post-market approach is necessary in which multiple stakeholders play a role. This post-market approach includes various elements and include: the operation of the device in the intended environment, information sharing, coordinated vulnerability disclosure, vulnerability remediation, incident response, and legacy devices”.
Public comments are welcomed until 2 December.
The release of the draft happens to coincide with a warning issued by the FDA regarding various cybersecurity vulnerabilities that may allow for remote control of a range of medical devices and/or changes that may prevent devices from functioning properly.