IMDRF to launch new cybersecurity harmonization working group, criteria for accepting standards

The International Medical Device Regulators Forum—the global congregation of agencies aimed at harmonizing medtech principles, known as the IMDRF—is launching a new working group focused on device cybersecurity.

At AdvaMed’s annual Medtech Conference in Philadelphia, the FDA’s Jeff Shuren, director of the agency’s Center for Devices and Radiological Health and leader of the U.S. delegation, provided the first public debriefing from the IMDRF’s most recent meeting in Beijing, held Sept. 19-20.

The new working group, co-chaired by the U.S. and Canada, aims to produce an international guidance document that provides regulatory definitions of the critical terms of cybersecurity—such as privacy, exploit, theft, threat, vulnerability, harm and others.

It will also outline the cybersecurity responsibilities shared between all stakeholders, Shuren said, as well as explore the adoption of coordinated policies for the public disclosure of device vulnerabilities.

The guidance document is due to be completed by the forum’s September 2019 meeting in Russia.

In addition, the IMDRF’s standards working group will aim to help ensure that international standards development organizations (SDOs) produce regulatory-grade work that can be used in agency decision-making.

A critical aspect is that standards must include validated methodologies and measurements for success, Shuren said. To address that, the forum plans to publish a document on optimizing standards for regulatory use, and will liaise more closely with SDOs.

“One of the reasons that we do not recognize standards is because there’s not an objective basis for determining conformance with the standards,” he said. “We've been finding that a number of these standard development organizations are not taking the voice of regulators into account.”

“What you're going to see is IMDRF coming together as an organization, with all of the participating countries saying, with one voice, that you need to take our issues into account or we're not going to recognize your standards,” Shuren said.