On 1 October 2019 the International Medical Device Regulators Forum (IMDRF) Medical Device Cybersecurity Working Group released a draft document titled "Principles and Practices for Medical Device Cybersecurity" (IMDRF draft). The document reflects the increasing concern evinced by cybersecurity events that have touched medical devices, hospitals, and healthcare networks. Recognizing the need for global convergence to address these threats, the IMDRF draft proposes a broad risk-based framework, with recommendations for harmonized standards and approaches.
Addressing cybersecurity vulnerabilities is a tricky business, because many stakeholders, including industry, government, and health care providers, must work together. In many instances this involves complex retrofitting of existing systems and careful communication of complex situations. Tackling these challenges simultaneously around the world, while staying consistent with the concerns and requirements of a global set of regulators, underscores the need for harmonization. The IMDRF guidance provides recommendations for premarket considerations, for managing postmarket risk (including for legacy devices), and for shared responsibility across the health care ecosystem. It is expected that working group member countries will adopt the approaches described in the IMDRF draft.