This document is designed to provide concrete recommendations on how to apply the TPLC to legacy devices to aid in the implementation of the framework put forward in the preceding IMDRF N60 guidance. This document is complementary to the IMDRF N60 guidance, and the scope of relevant medical devices (including in vitro diagnostic (IVD) medical devices), as well as the focus on potential for patient harm remain unchanged.
It considers cybersecurity in the context of legacy medical devices that either contain software, including firmware and programmable logic controllers (e.g., pacemakers, infusion pumps) or exist as software only (e.g., Software as a Medical device (SaMD)). It is important to note that due to most regulators’ authority over medical device safety and performance, the scope of this guidance is limited to consideration of the potential for patient harm. For example, threats that could impact performance, negatively affect clinical operations, or result in diagnostic or therapeutic errors are considered in scope of this document. While other types of harm, such as those associated with breaches of data privacy, are important, they are not considered within the scope of this document.
Legacy devices were previously defined in IMDRF N60 guidance as medical devices that cannot be reasonably protected against current cybersecurity threats. This document therefore only addresses legacy devices within the context of cybersecurity, and not all other situations in which a device may be considered “legacy” (e.g., an older model of a medical device).
Given the above definition of legacy, many devices currently in use would be considered legacy devices.
To transition from this current state into a more ideal future state, the IMDRF N60 guidance proposed a TPLC Framework for legacy devices, which is further elaborated in this document. A key characteristic of this framework is effective communication between MDMs and HCPs to allow for timely and planned introduction and decommission of devices to minimize the number of legacy devices remaining in use.
While beyond the scope of this guidance, MDMs and HCPs should communicate life cycle stage information to patients where relevant. Resellers (e.g., re-labellers) are also outside the scope of this guidance as they often do not have the same regulatory obligations as MDMs.
Specifically, this document is intended to:
• Explain legacy medical device cybersecurity within the context of the TPLC Framework (Development, Support, Limited Support, and End of Support) with clearly defined responsibilities for MDMs and HCPs at each stage;
• Provide recommendations for MDMs and HCPs in communication (including vulnerability management), risk management, and transfer of responsibility to the HCP;
• Provide recommendations regarding compensating controls after End of Support; • Provide implementation considerations for MDMs and HCPs in addressing existing legacy devices that were developed prior to the TPLC Framework for medical device cybersecurity and are still in use.
As was emphasized in the preceding IMDRF N60 guidance, this document continues to recognize that cybersecurity is a shared responsibility among all stakeholders, including, but not limited to, MDMs and distributors, HCPs, users, regulators, and software vendors.
It is important to note that differences across medical device types and regulatory jurisdictions may give rise to specific circumstances where additional considerations are required.