The International Medical Device Regulators Forum shared draft principles and practices Tuesday for pre- and postmarket medical device cybersecurity.
The document is intended to facilitate regulatory convergence in an area that has been the focus of a series of publications from FDA and other agencies in recent years.
Like FDA, IMDRF supports a total product life cycle approach to the cybersecurity of medical devices, and described a security risk management process designed to identify, evaluate and control risks at each step from initial conception to end of support.
Rising concern about the risks posed by vulnerabilities in medtech software has made cybersecurity a focus for regulators around the world in recent years. FDA has published two documents, covering pre- and postmarket cybersecurity, and regulatory agencies, including Australia’s Therapeutic Goods Administration (TGA), have also put forward proposals.
IMDRF, a consortium of medical device regulators from countries including the U.S. and Australia, set out to more closely align the different approaches adopted around the world by creating its own global document.
"Convergence of global healthcare cybersecurity efforts is necessary to ensure that patient safety is maintained while encouraging innovation and allowing timely patient access to safe and effective medical devices," IMDRF wrote. "All stakeholders are encouraged to harmonize their approaches to cybersecurity across the entire life cycle of the medical device."
That thinking led to a draft document that overlaps with those released by FDA and TGA, reflecting the role national agencies played in its creation. The IMDRF working group was led by employees of FDA and Health Canada.
The document discusses how companies should approach cybersecurity before and after their devices come to market. Premarket, IMDRF wants companies to factor design principles such as secure communications and data confidentiality into the development process. The goal is to cut the risk of problems postmarket by considering how a device will interface with other technologies and store data.
Absent from the IMDRF draft is FDA's controversial tiered approach to cybersecurity. FDA's draft guidance last year proposed sorting devices into standard and higher cybersecurity risk tiers, based in part on their potential to cause patient harm.
IMDRF’s postmarket advice addresses healthcare providers and manufacturers separately. The draft states healthcare providers have a shared responsibility for cybersecurity and should consider adopting a risk-management process for devices connected to their IT infrastructure. The section aimed at manufacturers recommends information sharing and transparency.
The draft is open for comment until Dec. 2.