International Medical Device Regulators Forum (IMDRF) Principles and Practices for Medical Device Cybersecurity

The International Medical Device Regulators Forum (IMDRF) has produced guidance, Principles and Practices for Medical Device Cybersecurity, for all stakeholders involved in the cybersecurity of medical devices, including in vitro medical devices.

This document focuses exclusively on medical device cybersecurity with regard to the potential for patient harm; it does not consider other types of harm such as data privacy breaches. The document emphasizes the importance of cybersecurity as a shared responsibility among all stakeholders: medical device manufacturers, healthcare providers, users, regulators, and vulnerability finders. It encourages all stakeholders to "harmonize their approaches to cybersecurity across the entire life cycle of the medical device". On the one hand, the guideline gives pre-market considerations for manufacturers to address cybersecurity during the design and development of a medical device prior to market entry. It gives examples referring to international standards bodies such as ISO, AAMI, IEC, NIST, OWASP and JSP. On the other hand, the document provides post-market considerations for all stakeholders, including healthcare providers, patients, and manufacturers. The guideline offers a series of processes that healthcare providers should apply, covering IT considerations as well as training for all users to prevent cybersecurity incidents. Moreover, the guideline emphasizes the importance of information sharing between regulators, medical device manufacturers, healthcare providers and users. It especially encourages manufacturers to adopt coordinated vulnerability disclosure procedures.

Guidelines:

  • IMDRF considers that risks associated with cybersecurity threats and vulnerabilities should be considered throughout all phases in the life of a medical device, from initial conception to end of support (EOS). This should be applied throughout the total product life cycle (TPLC), where cybersecurity risk is evaluated and mitigated in the various phases of the TPLC, including but not limited to design, manufacturing, testing, and post-market monitoring activities.
  • Manufacturers should address some pre-market elements during the design and development of a medical device prior to market entry:
      • Designing security features into the product
      • The application of accepted risk management strategies
      • Security testing
      • Provision of useful information for users to operate the device securely
      • Having a plan in place for post-market activities
  • Manufacturers have to consider the intended use environment as well as reasonably foreseeable misuse scenarios.
  • Security requirements should also be identified during the requirements capture stage of the life cycle design process.
  • The manufacturer should consider how the device would interface with other devices or networks.
  • The manufacturer should consider design features that validate all inputs (not just external) and take into account communication with devices and environments that only support less secure communication.
  • The manufacturer should consider how data transfer to and from the device is secured to prevent unauthorized access, modification, or replay.
  • The manufacturer should consider if safety-related data that is stored on or transferred to/from the device requires some level of protection such as encryption.
  • The manufacturer should consider if confidentiality risk control measures are required to protect message control/sequencing fields in communication protocols or to prevent the compromise of cryptographic keying materials.
  • The manufacturer should evaluate the system-level architecture to determine if design features are necessary to ensure data non-repudiation.
  • The manufacturer should consider risks to the integrity of the device such as unauthorized modifications to the device software.
  • The manufacturer should consider controls such as anti-malware to prevent viruses, spyware, ransomware, and other forms of malicious code from being executed on the device.
  • The manufacturer should consider user access controls that validate who can use the device, allow granting of privileges to different user roles, or allow users access in an emergency. Additionally, the same credentials should not be shared across devices and customers.

Tags: cybersecurity, patient safety