New IMDRF committee to tackle cybersecurity threats

Dive Brief:

The International Medical Device Regulators Forum will add a new cybersecurity working group chaired by the U.S. and Canada, FDA devices chief Jeff Shuren said on Wednesday, outlining takeaways from the group's management committee in Beijing last week.
IMDRF final documents will also be issued within days or weeks on definitions for personalized medical devices, essential principles of safety and performance and optimizing standards, Shuren said at The MedTech Conference in Philadelphia.
Shuren also outlined work in progress by the regulatory standards working group of the body, including work on acceptance criteria and validated methodology, noting that several standards organizations are “not taking the voice of regulators into account.”

Dive Insight:

The IMDRF was established in 2011 to harmonize regulatory standards across different countries, and now includes the U.S., European Union, China, Japan, South Korea, Russia, Singapore, Australia and Brazil.

The rise of fast-moving new technology in the space is making harmonization across jurisdictions even more key, three regulators involved in the voluntary group told a panel. Cyber threats in the medical device space are seen as on the rise.

The House Energy and Commerce Committee in April issued a request for information on how to improve cybersecurity in the medical device sector. Congress is concerned that older "legacy" technologies may be more vulnerable to security threats than their modern counterparts.

The effort is part of a response to the 2017 global ransomware attack dubbed WannaCry that underscored the cybersecurity risks facing device makers, hospitals and healthcare facilities. The massive cyberattack froze computers at hospitals across the United Kingdom and disrupted businesses in more than 100 countries. Hundreds of thousands of devices were infected, according to the House committee.

Shuren, a member of the IMDRF's management committee, said the new working group will first seek to write guidance to define cybersecurity and related terms, including information security, privacy, vulnerability and other clinical terms.

It will also "clarify that cybersecurity is a shared responsibility" he said, with a goal of a proposed document by September.

The personalized medical devices document will spell out common definitions related to the burgeoning field, with Shuren noting it is now possible to mass produce individualized devices. Three categories include custom made, patient match medical device and adaptable medical device.

On regulatory standards, Shuren said IMDRF members are coming together, saying to standards groups in some cases are not listening to regulators. IMDRF members are "saying with one voice, you need to take our issues into account or we're not going to recognize" your work.

The FDA device center chief called on industry for help in getting the word out. "This is incredibly important to the IMDRF members," Shuren said.

Speaking more broadly on the need for harmonizing standards in the medical device realm, U.K. regulator John Wilkinson noted rising demand for innovation, evidence and the speed of new technology in recent years, including the advent of machine learning and software as a medical device.

"Software and machine learning – every regulator worldwide is challenged by how it works," said Wilkinson, director of devices for the U.K.'s MHRA. "I'm looking to my colleagues in the international community to help me" figure out these issues, he added.