IMDRF Guidance on Cybersecurity for Legacy Medical Devices

Introduction

The International Medical Device Regulators Forum (IMDRF) has issued important guidance on cybersecurity measures for medical devices through a phased approach. In 2020, the IMDRF published comprehensive cybersecurity guidance titled “Principles and Practices for a Risk-based Approach to Cybersecurity of Medical Devices.” However, stakeholders noted that this document did not adequately address legacy devices—older medical devices already in use in clinical settings. In response to these concerns, the IMDRF released a draft guidance specifically focused on legacy devices on May 4, 2022, titled “Principles and Practices for the Cybersecurity of Legacy Medical Devices,” and initiated a public consultation period for stakeholder comments.

Challenges Associated with Legacy Devices

Legacy devices are medical devices designed and manufactured during an era when cybersecurity was not as critically emphasized as it is today. These devices currently face emerging security risks due to the expansion of networked environments and the escalation of cyber threats. For many legacy devices approaching the end of their commercial lifecycle, manufacturers often do not implement proactive cybersecurity responses. This situation presents significant challenges for healthcare facilities and providers in implementing adequate cybersecurity measures.

Structure and Purpose of the Guidance

The draft guidance aims to clarify the roles and responsibilities of device manufacturers and healthcare providers throughout the entire total product lifecycle (TPLC) of legacy devices. The guidance presents practical approaches for implementing cybersecurity measures at each phase, from product development through end-of-life support.

Specifically, the guidance provides practices that encompass each stage of the legacy device lifecycle—including development, manufacturing, distribution, use, and disposal. These practices offer clear guidance on the types of security support device manufacturers can provide for older devices and the measures healthcare facilities should independently implement to manage cybersecurity risks associated with legacy devices.

Responsibility Allocation and Communication Between Stakeholders

A key feature of this guidance is its emphasis on clarifying responsibilities between manufacturers and healthcare providers, as well as providing methods for communication that foster mutual understanding and cooperation. In the case of legacy devices, manufacturers often have limited ability to provide ongoing support. Therefore, when both parties accurately understand their respective responsibilities and limitations, more appropriate cybersecurity measures can be implemented. The guidance suggests practical communication strategies to promote this mutual understanding.

While previous cybersecurity guidance focused primarily on measures during the development phase of new devices, this guidance shifts focus to legacy devices already in circulation. This approach attempts to present more realistic and implementable security strategies.

Availability and Application

The draft guidance released on May 4, 2022, accepted feedback from stakeholders through July 3, 2022. Following this consultation period, the IMDRF was expected to review the received comments and issue a finalized version of the guidance. This document serves as an important reference for numerous stakeholders, including medical device regulatory authorities, device manufacturers, healthcare facilities, and cybersecurity professionals.

Addressing cybersecurity for legacy devices is expected to become an increasingly important topic in medical device regulation going forward. Regulatory authorities in multiple countries share this concern, and as international harmonization of regulatory requirements progresses, this guidance is anticipated to contribute to the development of industry-wide best practices. In particular, regulatory frameworks and bodies such as the EU Medical Device Regulation (EU MDR) and Japan’s Pharmaceuticals and Medical Devices Agency (PMDA) have shown similar interest in security measures for devices already in use. Consequently, the content of this guidance is likely to be reflected in regulatory frameworks across multiple jurisdictions.
