Christopher Gates, Director of Product Security, Velentium, 09.06.23
Recently, I was attending the Health Sector Coordinating Council’s (HSCC) cybersecurity working group on Model Contract Language for MedTech Cybersecurity (or MC2), Version 2,1 and the term “End of Life” as it applies to medical devices came up while we were revising one of the recommended contract clauses.
Everyone in the working group is a medical device cybersecurity expert, yet we all had conflicting opinions about:
- What this topic should really be called
- When the various “End of…” phases really occur
- What the time period for each phase should really be
One of our fundamental issues was that this working group was composed of experts from medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). These two groups have different ways of referring to the same “End of…” phases.
First, it should be noted that everyone has a different opinion of what “End of Life” for a device means; so much so that to avoid confusion, we should probably not even use this term in favor of more descriptive options. Or maybe we should only use “End of Life” to refer to the entire collective process?
At this point, I know some readers are saying, “But the device is at its End of Life when we stop making it. What is all this talk about phases?” Well, it isn’t quite that simple.
After a quick review of the usual consensus and regulatory standards, we were left with four standards that mention these “End of…” activities. They are:
- September 2019: Association for the Advancement of Medical Instrumentation (AAMI) - AAMI TIR97:2019 Principles for medical device security—Postmarket risk management for device manufacturers
- April 2022: FDA - Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff
- April 2022: International Medical Device Regulators Forum (IMDRF) - Principles and Practices for the Cybersecurity of Legacy Medical Devices
- March 2023: HSCC - Health Industry Cybersecurity - Managing Legacy Technology Security (HIC-MaLTS)
The IMDRF standard goes into much more detail and includes time periods and the topic of software components that have already reached a retirement phase. This standard introduces some new terminology for these retirement phases such as:
- Development
- Support
- Limited Support
- End of Support
- Decommission
- Decommission: To remove from active service
- End of Life (EOL): The life cycle stage of a product starting when the manufacturer no longer sells the product beyond its useful life as defined by the manufacturer and the product has gone through a formal EOL process including notification to users.
- End of Support (EOS): The life cycle stage of a product starting when the manufacturer terminates all service support activities and service support does not extend beyond this point.
However, TIR97:2019 was published three years before the FDA or IMDRF standards, and it describes the retirement process in a very approachable fashion, addressing all of the topics in the other two and bringing in some of its own. (Not the least of which is a timeline graphic that does an excellent job of conveying the process.) It is the TIR97:2019 graphic that serves as the basis for the remainder of this article.
After completing our review, we of the HSCC’s cybersecurity working group then combined these four standards and applied our collective experience to describe some typical timelines for each “End of…” phase, which resulted in the Figure 1 graphic.
- End of Production: This term signifies the point at which the manufacturer ceases production of a particular medical device. It indicates the company will no longer manufacture or produce new units of that device. This may be due to various reasons such as the introduction of a newer version, the unavailability of components, market forces, or the decision to focus on different product lines. However, devices that have already been manufactured may still be in warehouses, distribution, circulation, and available for use. A period of 24 months should exist between notifying HDOs and the end of production.
- End of Marketing: The end of marketing indicates the manufacturer will no longer actively promote or advertise the medical device. The device may still be available for purchase and support, but the manufacturer will not actively promote it to customers. This is what is called “End of Life” by the HSCC’s HIC-MaLTS standard.
- End of Guaranteed Support: When a manufacturer declares the end of guaranteed support, it means they will no longer provide specific commitments or warranties for the device. This typically includes services such as technical assistance, user training, maintenance training, repairs, spare parts availability, and software updates. After this point, the manufacturer may still offer support on a case-by-case basis, but it may come with limitations or additional costs. A period of 24 months should exist between notifying HDOs and the end of guaranteed support.
- End of Support: This term refers to the discontinuation of ongoing assistance or maintenance for a medical device. It encompasses a broader range of services beyond just “guaranteed support.” End of Support may include technical support, repairs, access to documentation or manuals, and other forms of assistance. This is also a time of “risk transference,” where all risk associated with further use of the device after End of Support is formally transferred from the MDM to the HDO. Part of this transference includes the transfer of all cybersecurity knowledge, such as known vulnerabilities, unsupported software components, software bill of material(s), etc. Once support ends, the manufacturer may no longer provide any assistance related to the device's operation or maintenance. A period of 36 months should exist between notifying HDOs and the end of support.
- Decommission: This phase defined by the IMDRF is not represented on the graphic as this is a process determined and performed solely by the HDO at some point following the End of Support phase. Since this activity is based on an HDO’s appetite for risk in the continued use of a retired medical device and may vary widely between different HDOs, we provide no recommended time period between these two life cycle phases.
Hopefully, this article and accompanying graphic can help serve as a reference for our industry on terminology to use and further normalize best practices to follow when retiring medical devices.
Reference
Christopher Gates is the director of Product Security at Velentium. He has more than 50 years of experience developing and securing medical devices and works with numerous industry-leading device manufacturers. He frequently collaborates with regulatory and standard bodies, including the CSIA, Health Sector Coordinating Council, H-ISAC, Bluetooth SIG, and FDA to present, define, and codify tools, techniques, and processes that enable the creation of secure medical devices.