Skip to main content
close search
site logo
Dive Brief

IMDRF cybersecurity guidance favors total product life cycle approach

Published Oct. 3, 2019
By
Contributor
Adobe Stock

Dive Brief:

  • The International Medical Device Regulators Forum shared draft principles and practices Tuesday for pre- and postmarket medical device cybersecurity.

  • The document is intended to facilitate regulatory convergence in an area that has been the focus of a series of publications from FDA and other agencies in recent years.

  • Like FDA, IMDRF supports a total product life cycle approach to the cybersecurity of medical devices, and described a security risk management process designed to identify, evaluate and control risks at each step from initial conception to end of support. 

Dive Insight:

Rising concern about the risks posed by vulnerabilities in medtech software has made cybersecurity a focus for regulators around the world in recent years. FDA has published two documents, covering pre- and postmarket cybersecurity, and regulatory agencies, including Australia’s Therapeutic Goods Administration (TGA), have also put forward proposals.

IMDRF, a consortium of medical device regulators from countries including the U.S. and Australia, set out to more closely align the different approaches adopted around the world by creating its own global document.

"Convergence of global healthcare cybersecurity efforts is necessary to ensure that patient safety is maintained while encouraging innovation and allowing timely patient access to safe and effective medical devices," IMDRF wrote. "All stakeholders are encouraged to harmonize their approaches to cybersecurity across the entire life cycle of the medical device."

That thinking led to a draft document that overlaps with those released by FDA and TGA, reflecting the role national agencies played in its creation. The IMDRF working group was led by employees of FDA and Health Canada.

The document discusses how companies should approach cybersecurity before and after their devices come to market. Pre-market, IMDRF wants companies to factor in design principles such as secure communications and data confidentiality in the development process. The goal is to cut the risk of problems post-market by considering how a device will interface with other technologies and store data.

Absent from the IMDRF draft is FDA’s controversial tiered approach to cybersecurity, described in draft guidance last year as aiming to differentiate between standard and higher risks, based in part on potential for patient harm.

IMDRF’s post-market advice addresses healthcare providers and manufacturers separately. The draft states healthcare providers have a shared responsibility for cybersecurity and should consider adopting a risk-management process for devices connected to their IT infrastructure. The section aimed at manufacturers recommends information sharing and transparency.   

The draft is open for comment until Dec. 2.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in Digital Health
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell