The International Medical Device Regulators Forum (IMDRF) Medical Device Cybersecurity Guide (MDCG) Working Group has issued the proposed guidance document "Principles and Practices for the Cybersecurity of Legacy Medical Devices" for public comment.
This guidance document is intended to provide stakeholders with clear ways of identifying potential legacy devices and with practical, feasible approaches for implementing cybersecurity of legacy medical devices. It is intended to give stakeholders a variety of options to implement without distorting each jurisdiction's regulatory systems, and this work is intended to be complementary to the IMDRF N60 guidance.
Specifically, this document is intended to:
• Explain legacy medical device cybersecurity within the context of the TPLC Framework (Development, Support, Limited Support, and End of Support) with clearly defined responsibilities for MDMs and HCPs at each phase;
• Provide recommendations for MDMs and HCPs in communication (including vulnerability management), risk management, and transfer of responsibility to the HCP;
• Provide recommendations regarding compensating controls after End of Support;
• Provide implementation considerations for MDMs and HCPs in addressing existing legacy devices that were developed prior to the TPLC Framework for medical device cybersecurity and are still in use.
This document is designed to provide concrete recommendations on how to apply the TPLC to legacy devices, to aid in implementing the framework put forward in the preceding IMDRF N60 guidance, to which it is complementary.