Summary of the IMDRF Guidance on Principles and Practices for Legacy Devices Cybersecurity

The world of healthcare has experienced rapid digitization and technological advancement in recent years. While modern medical devices benefit from designs that build in cybersecurity considerations, many devices still in use lack the robust cybersecurity measures found in current technology. Such “legacy medical devices” may have insufficient or no security controls today, even though their controls may have been state of the art when they were developed. Additionally, because they are indispensable to healthcare delivery, legacy devices are often used well beyond the manufacturer’s End of Support period. The cybersecurity threats that these devices were never designed to anticipate translate into potentially serious risks to patients, including unauthorized access, data breaches, and even the alteration of treatment parameters.

To address this growing concern, the International Medical Device Regulators Forum (IMDRF) has released a comprehensive guidance that operationalizes the legacy device conceptual framework articulated in the IMDRF N60 guidance and provides detailed recommendations to the stakeholders involved, namely medical device manufacturers (MDMs) and healthcare providers (HCPs).

The IMDRF document advises that, to manage the dynamic nature of cybersecurity risk effectively, this risk should be assessed and mitigated throughout the total product life cycle (TPLC) of the device. Such an ongoing risk assessment identifies the vulnerabilities and threats associated with legacy medical devices and helps prioritize mitigation strategies and allocate appropriate resources. The cybersecurity controls and mitigations adopted must not, however, adversely affect the safety of the device, and its essential performance must be maintained.

The guidance, which is complementary to the IMDRF N60 guidance, focuses on the relationship between medical device manufacturers (MDMs) and healthcare providers (HCPs) throughout the product life cycle and closes with a list of compensating controls for legacy devices. Additionally, the document describes in detail a framework for assessing the risks that would trigger the transition of a legacy device between life cycle stages (e.g. from Support to Limited Support).

Specifically, the IMDRF guidance addresses the responsibilities and expectations of MDMs and HCPs during the four main TPLC stages for cybersecurity, namely Development, Support, Limited Support, and End of Support (EOS), with respect to communication, risk management, and transfer of responsibility.

During the Support stage, devices should receive full cybersecurity support from the MDM, such as software patches, software and hardware updates, security monitoring, and backup and recovery; not all of these practices, however, carry over into the later stages of legacy progression. During the Limited Support stage, MDMs are expected to continue providing all cybersecurity support that can reasonably be achieved. Before a device enters the End of Support stage, MDMs should communicate to users that they can no longer assure support for it. For devices used beyond the End of Support stage communicated by the MDM, cybersecurity responsibility resides entirely with the HCP. Where feasible, the parties may agree on a stepwise transfer of this responsibility.

It is thus crucial to have strategies for collaboration and information sharing in place, and to establish and enforce legacy communication strategies at multiple stages of a device’s TPLC. Specifically, during the Support stage, the organizations involved (MDMs, HCPs) should identify the types of information they might require and agree on a framework for communicating it. Communication between MDMs and HCPs should intensify during the Limited Support stage, especially regarding information about inherited risks and about mitigation and device replacement options.

In conclusion, as the healthcare industry continues to advance, addressing the cybersecurity risks of legacy devices is crucial. The IMDRF's principles and practices provide a valuable framework for manufacturers, regulators, and healthcare providers to strengthen the security of these devices and safeguard patient safety. By following these guidelines and implementing robust cybersecurity measures, the industry can mitigate risks and ensure the continued delivery of safe and effective healthcare services.

If you need help with strengthening your legacy devices' cybersecurity, please contact us at: We have 20 years of experience with medical device software in all its facets.

Last updated 2023-05-16