International – IMDRF proposes legacy device cybersecurity guidance after stakeholder feedback

Communication between manufacturers and healthcare providers is key to ensuring patients with legacy medical devices are kept safe according to proposed cybersecurity guidance from the International Medical Device Regulators Forum (IMDRF). The draft is the result of feedback from a 2020 guidance that stakeholders said did not sufficiently address legacy products.

The draft guidance, published 4 May, outlines what is considered a legacy device, and how stakeholders can keep them safe from cybersecurity threats. The guidance follows the 2020 IMDRF document, which included a framework for legacy devices, but was intended to broadly outline how medical devices in general can be designed and maintained.

Aftin Ross, senior special advisor for emerging initiatives at the US Food and Drug Administration (FDA), told Regulatory Focus, after the 2020 guidance was published, stakeholders asked for more details on legacy products.

“We were getting a lot of questions about the legacy framework, how it would actually be implemented and looking for more granularity,” said Ross, who also serves on the IMDRF’s cybersecurity work group. As a result, IMDRF decided legacy devices needed their own guidance…