Author: Brandon Miller

The International Medical Device Regulation Forum (IMDRF) recently published updated cybersecurity guidance for the medical device industry. The medical device cybersecurity working groups at IMDRF have been busy lately, publishing multiple final documents about medical devices & software as medical device (SaMD). 

 

Regulatory Compliance

 

IMDRF’s medical device guidance provides guiding principles for both regulatory compliance & medical device cybersecurity that are appropriate for sponsors developing medical devices. Further, a primary objective of the guidance is to simultaneously increase patient safety & reduce external threats for providers and HCPs.

 

Global Harmonization

 

The guidance begins with harmonization concepts that could affect multiple departments inside a medical device manufacturer. Additionally, key areas for harmonization programs highlighted by the cybersecurity guidance include:

 

  • Product design
  • Risk management activities
  • Device labelling
  • Regulatory submission
  • Information sharing
  • Post-market activities

 

Product Life Cycle (PLC)

 

IMDRF’s cybersecurity guidance continues with a deeper evaluation of the risks that arise across the product life cycle. It recommends that potential vulnerabilities be considered at every product life cycle stage, especially for legacy devices that may be vulnerable to strategic risk.

 

 

Product Design

 

Product design considerations begin with the initial phases of medical device development and continue until end of support (EOS) once a product is discontinued. The cybersecurity guidance refers to four stages of the total product life cycle:

 

  • Development Stage
  • Support Stage
  • Limited Support Stage
  • End of Support Stage

 

Development Stage (Stage 1)

 

The Development Stage occurs during the pre-commercialization phase before a medical device is approved by a regulatory body. This is when medical device manufacturers begin to incorporate security into the product concepts being designed. Design controls are critical in this stage for medical device manufacturers to leverage when considering how to mitigate risks.

 

Finally, an important deliverable of the Development Stage is product-related security documentation. The documentation is designed to help unfamiliar users to understand how to securely operate the medical device. 

 

Support Stage (Stage 2)

 

The Support stage begins with the initial post-launch phase and may continue for many years. Medical devices in this stage:

 

  • Are currently used for providing patient care
  • Are available for purchase on the open market
  • Contain major software, firmware, or programmable hardware components
  • Receive support for that software, firmware or those components from the medical device manufacturer

 

Additionally, medical devices in the Support stage should receive full cybersecurity support. This support often includes software patches, software updates, hardware updates, and incremental support the manufacturer considers appropriate.

 

Limited Support Stage (Stage 3)

 

Medical device manufacturers continue to provide cybersecurity support during Stage 3. However, as product development transitions to a more current medical device design, the transition brings different constraints. Compared with Stage 2, medical devices in Stage 3 often require additional network controls, and the following characteristics apply:

 

  • Third-party components or software may be used more frequently than internally developed updates or patches
  • Integration of cybersecurity best practices is often governed by how easily the support practices outlined in Stage 2 can still be followed
  • Medical device manufacturers must explain to users the limitations now recognized in the affected devices and services
  • Healthcare providers using the medical device should begin to take a more active role in compensating for security gaps the manufacturer no longer mitigates

 

End of Support Stage (Stage 4)

 

Medical devices in Stage 4 are considered more vulnerable than those in any other stage. They may still be in use for providing patient care, but they have been publicly identified as no longer being supported by the medical device manufacturer. Each of these scenarios results in a medical device that cannot be consistently defended against modern cybersecurity dangers.

 

Critical facets healthcare information technology departments should look for include:

 

  • Medical devices that have been declared EOS by the medical device manufacturer
  • Medical devices that are not actively marketed or sold by the medical device manufacturer
  • Medical devices that contain software, firmware, or programmable hardware components no longer supported by software developers
  • Medical devices with known risks to device safety and effectiveness that are unmitigated

 

Risk Management

 

Further, the guidance calls for a risk management approach to product life cycle management featuring:

 

  • Security risk analysis
  • Security risk evaluation
  • Security risk control
  • Security risk acceptability

 

The cybersecurity guidance expands on product design and how security is incorporated and maintained through the product life cycle. This can be accomplished through using risk control and a secure development framework.

 

Risk mitigation recommendations for medical device manufacturers include:

 

  • Security design and controls based on intended use of the medical device
  • Security risk assessments across the risk management process
  • Threat modelling to help determine operational risk

 

Security testing and communication for medical device manufacturers include:

 

  • Customer facing product security documentation & communication
  • Post-market monitoring of cybersecurity vulnerabilities
  • Identification of vulnerabilities in third party risk management
  • Vulnerability risk identification based on the device security design, controls, and mitigations

 

Ensuring availability of security patches & mitigations based on device risk:

 

  • Coordinated and clear communication to all affected users
  • Description related to the vulnerability and its corresponding mitigations
  • Identification of other mitigation options when a security patch is unavailable

 

Data Integrity

 

One of the core principles the guidance stresses is cybersecurity information, data integrity and the importance of information sharing. IMDRF encourages medical device industry stakeholders to implement a proactive pre- and post-market approach to cybersecurity information sharing.

 

Moreover, timely information can help the industry recognize threats, evaluate associated risks, and react quickly as needed. An increase in industry transparency could directly benefit healthcare providers, medical device users and medical device companies.

 

Security Updates

 

An important section of the medical device cybersecurity guidance details stakeholder responsibilities related to communications, risk management, and transfer of responsibility. Specifically, it is important that medical device manufacturer communications are comprehensive & identify the types of documentation needed and when the medical device user may need them.

 

Product Security Documentation

 

Medical device manufacturers should ideally provide PLC documentation about security or support changes early in the Support stage. This helps HCP risk management during both the procurement & deployment of medical devices. Types of life cycle support for product security documentation include:

 

  • Manufacturer disclosure statement for medical device security
  • Software Bill of Materials (SBOM)
  • Security test report summaries
  • Third-party security certifications
  • Customer security documentation

 

Product Life Cycle Documentation

 

Medical device companies should communicate the strategic life cycle milestones to their customers. Further, these interactions would include cybersecurity EOL and EOS dates if available. This helps to support HCPs during both the procurement & installation process.

 

Additionally, medical device manufacturers should provide this information as far in advance as possible. The goal is at least 2 years in advance to best support healthcare professionals with the following information:

 

  • Affected medical devices
  • Medical device operating system(s)
  • Version of medical device deployed
  • Medical device software components
  • Expected date of medical device service changes
  • Extent of medical device maintenance after a service change occurs
  • Additional design controls that help all involved parties

 

Vulnerability & Patching Information

 

If a vulnerability is uncovered, medical device companies should provide the related vulnerability information. Further, the guidance specifically mentions the importance of providing either the appropriate mitigation or an available software patch. Additionally, the guidance stresses that an elevated priority be placed on high-risk vulnerabilities, where timely communication is required. This communication is designed to help prevent both patient injury and device interruption.

 

Finally, the mitigation method and implementation instructions should be provided to the medical device operators. These security updates may be delivered either as an over-the-air update or by deploying service personnel to help install the remedy.

 

Proactive Communications for Third-Party Components

 

Medical device software and other digital components within a medical device will reach EOL/EOS before the product itself does. In these cases, risk can increase based on the lack of support for these elements. To help compensate for these security risks, the cybersecurity guidance suggests medical device companies should:

 

  • Validate the list of third-party components used in medical devices
  • Track support status updates of third-party components used within their device
  • Assess the risks that exist when third-party components become unsupported
  • Communicate new risks and available risk mitigations to healthcare providers
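As an added illustration (not code from the IMDRF guidance or from RCA), the following Python check applies the steps above and the earlier SBOM and two-year advance-notice points: it reads a constructed SBOM, flags third-party components whose support ends before the device's own EOS, and reports which ones already need customer communication. The component names, versions, support dates and the DEVICE_EOS value are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample SBOM entries (hypothetical component names, versions and
# vendor end-of-support dates); not taken from any real device or guidance.
SBOM = [
    {"name": "embedded-os",     "version": "4.2", "eos": date(2025, 6, 30)},
    {"name": "tls-lib",         "version": "1.1", "eos": date(2024, 12, 31)},
    {"name": "bluetooth-stack", "version": "2.0", "eos": date(2030, 1, 1)},
    {"name": "dicom-toolkit",   "version": "3.6", "eos": None},  # vendor publishes no date
]

DEVICE_EOS = date(2029, 12, 31)          # hypothetical manufacturer-declared device EOS
NOTICE_WINDOW = timedelta(days=2 * 365)  # the "at least 2 years in advance" goal
REVIEW_DATE = date(2025, 1, 15)          # hypothetical date of this SBOM review


@dataclass
class Finding:
    component: str
    status: str   # "unsupported", "unknown", "notice_due" or "ok"
    detail: str


def classify(component, today, device_eos=DEVICE_EOS, window=NOTICE_WINDOW):
    """Classify one SBOM entry by its support status relative to the device's own EOS."""
    eos = component["eos"]
    label = f"{component['name']} {component['version']}"
    if eos is None:
        # No vendor commitment: the risk assessment cannot assume ongoing patches.
        return Finding(label, "unknown",
                       "no published support date; assess as if unsupported")
    if eos <= today:
        # Component is already unsupported while the device is still in service.
        return Finding(label, "unsupported",
                       f"component EOS {eos} has passed; device EOS is {device_eos}")
    if eos < device_eos and eos - today <= window:
        # Component loses support before the device does, and the two-year
        # customer notice window has already opened.
        return Finding(label, "notice_due",
                       f"component EOS {eos} precedes device EOS; notify customers now")
    return Finding(label, "ok", f"supported until {eos}")


def review_sbom(sbom, today, device_eos=DEVICE_EOS):
    """Return a finding for every component, most urgent first."""
    order = {"unsupported": 0, "unknown": 1, "notice_due": 2, "ok": 3}
    findings = [classify(c, today, device_eos) for c in sbom]
    return sorted(findings, key=lambda f: order[f.status])


def needs_customer_communication(sbom, today, device_eos=DEVICE_EOS):
    """True when any component is unsupported, unknown, or due for advance notice."""
    return any(f.status != "ok" for f in review_sbom(sbom, today, device_eos))


if __name__ == "__main__":
    for f in review_sbom(SBOM, REVIEW_DATE):
        print(f"{f.status:12} {f.component:22} {f.detail}")
```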

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. You may also email us at [email protected].

 


The global pandemic and continued supply chain disruptions have prompted many U.S. pharmaceutical and medical device manufacturers to reassess their reliance on offshore production. As organizations place greater emphasis on quality assurance, regulatory compliance, and supply chain resilience, onshoring manufacturing has become a strategic priority. Bringing operations back to the United States allows companies to strengthen oversight, enhance manufacturing reliability, and establish greater control over GMP processes.

 

One of the most important early decisions in this process is choosing between a brownfield facility or a greenfield manufacturing site. This choice influences implementation timelines, operational efficiency, regulatory readiness, and long-term scalability.

 

What Is a Brownfield Facility?

 

A brownfield manufacturing facility is an existing structure that can be repurposed to support new or expanded operations. Companies may lease or purchase the facility and complete the modifications required to support production. In many cases, the site already includes established utilities, cleanroom environments, operational workflows, and experienced personnel.

 

Some organizations may even have suitable brownfield options within their own corporate network. During evaluation, many rely on GMP facility design review to ensure the site meets modern standards.

 

Advantages of Brownfield Sites

 

Brownfield facilities are often preferred for their speed and efficiency. Since construction is not required, manufacturers can begin operations much sooner. This shortens transition timelines, reduces downtime, and supports faster technology transfer. Existing quality systems such as QMS, ERP platforms, CAPA management systems, and electronic documentation tools can also be integrated into the new operational framework. Organizations often turn to quality management system optimization to ensure alignment.

 

Challenges of Brownfield Sites

 

Older buildings may have structural or layout limitations that restrict scalability. Aging equipment may introduce inefficiencies or require significant upgrades to meet current expectations under FDA and EU guidance. Before transitioning, manufacturers should assess the site’s validation status and consider FDA inspection readiness services to identify potential compliance gaps.

 

What Is a Greenfield Facility?

 

A greenfield manufacturing site involves constructing a new facility from the ground up. This approach gives pharmaceutical and medical device companies complete freedom to design a building aligned with modern GMP compliance standards and advanced technologies.

 

Greenfield sites also allow companies to incorporate optimized cleanroom layouts and contamination control strategies that support sterile manufacturing and are consistent with EU Annex 1–style risk management.

 

Advantages of Greenfield Sites

 

A new build allows manufacturers to design workflows that reduce contamination risk, integrate advanced utilities, and install state-of-the-art equipment. A greenfield project also enables scalable infrastructure planning for future growth and long-term efficiency. Many companies leverage regulatory compliance support early in the design phase to ensure alignment with FDA and global expectations.

 

Challenges of Greenfield Sites

 

Greenfield facilities have longer timelines, higher upfront costs, and expanded staffing requirements. Construction delays, permitting schedules, and supply chain challenges can further extend project timelines. Organizations frequently use process validation support and technology transfer services to ensure smooth startup once the facility becomes operational.

 

Choosing the Right Onshoring Strategy

 

Selecting between a brownfield and a greenfield strategy requires a comprehensive assessment of:

  • The complexity of your manufacturing process
  • Speed-to-market requirements and timelines
  • Long-term capacity and scalability needs
  • Regulatory risk and inspection risk (FDA, global)
  • Maturity of your quality system and digital infrastructure
  • Total cost of ownership (capex, opex, validation)

 

Get Expert Support From Regulatory Compliance Associates®

 

Whether you are planning a brownfield retrofit or building a greenfield facility, establishing a strong compliance foundation from the very beginning is essential. Regulatory Compliance Associates® (RCA) delivers full-lifecycle support for life science companies, including:

  • GMP facility design reviews
  • Quality system implementation and remediation (QMS)
  • Inspection readiness and training, including mock FDA inspections, pre-inspection coaching, and audit preparation
  • Regulatory consulting for FDA submissions, global strategy, and agency communications
  • Process validation, technology transfer, and risk management to ensure robust, compliant operations
  • Supplier quality assurance to support stable raw materials and component sourcing

 

Partnering with RCA helps you align your onshoring strategy with regulatory needs, reduce compliance risk, and accelerate operational readiness. Our deep bench of industry and former-FDA experts will translate complex requirements into practical, actionable plans tailored to your organization.

 

Contact Regulatory Compliance Associates® today to connect with a subject matter expert and begin building a compliant, efficient, and future-ready manufacturing operation.

Why has product launch become more complex after the pandemic & how have the “roots of compliance” changed the EU regulatory environment?

 

 

In this sound bite from RCA Radio, host Brandon Miller is joined by Kinga Demetriou, an Expert Certifier at BSI, as they discuss how the pandemic changed the “roots of compliance” in the EU regulatory environment.

 

  • Since the pandemic, quick routes to market such as EUAs have been stopped, leading market surveillance companies to put more scrutiny on products (e.g. PPE masks)
  • Manufacturers have found that offering products in different markets takes a lot of resources to understand the roots of compliance, depending on the location
  • Different market access requirements have been introduced depending on geography
  • New rules and certifications are in place, making it more complex to launch products in multiple markets

 


Listen to the full Podcast on Global Regulatory Trends –> Click Here


 


What should you do if you are having trouble executing your design protocols? 

Listen to this highlight from RCA Radio where Walter Mason explains what needs to be done if you have troubles executing your design protocols even after training.

 

 

Listen to the entire episode where we take an in-depth look at protocols for biologics and their importance. RCA Radio Episode 13.

 

What can you do?

  • Go to the developer and let them know that it is not working for you
  • Talk through the design protocols in general
  • Proceed step-by-step through the design protocols process
  • Look back at the FDA guidance documents
  • Get feedback on your design protocols
  • Implement changes in your training or to the protocol itself

 


For medical device manufacturers, technology can be a double-edged sword. The innovative technologies that elevate the quality of life for patients can also be used to potentially undermine the organization using the device. The consequences can affect the device itself if we do not implement good IoT cybersecurity and FDA cybersecurity protocols. At Regulatory Compliance Associates®, we offer a wide variety of services for medical device security to help ensure that your product is protected from cyber-attacks.

 

With a well-planned design, along with full visibility of product development and the supply chain, RCA can help strengthen your device’s cybersecurity posture throughout. We partner with medical device companies for the entire life cycle, from the development of your product to the regulatory submission to your notified body.

 

Cybersecurity Medical Device Services

 

  • Supporting cybersecurity aspects of design control using secure design principles for the entire Product Lifecycle.
  • Performing Gap analyses on your device’s current cyber resilience.
  • Utilizing threat risk modeling to identify potential vulnerabilities or the absence of appropriate safeguards for future threats. 
  • Generation of regulatory submission documentation per the FDA’s cybersecurity guidance, as well as the EU MDR MDCG 2019-16 cybersecurity guidance.
  • Perform a cyber risk analysis to manage confidentiality, integrity, and availability and reduce attack surface area.
  • Create a software bill of material for purchased components of the product to better manage vulnerabilities.
  • Independent 3rd party validation of cybersecurity requirements.
  • Analysis and evaluation of current ISO 14971 risk management procedures.

 

Trustworthy Medical Device Cybersecurity

 

  • Contains hardware, software, and/or programmable logic that is based on FDA cybersecurity guidance and regulatory standards.
  • Provides a reasonable level of availability, reliability, and correct operation.
  • Is reasonably suited to performing its intended functions.
  • Adheres to generally accepted security procedures.

 

Cybersecurity Medical Device Best Practices

 

  • Identify assets, threats, and vulnerabilities.
  • Assess the impact of threats and vulnerabilities on the device’s safety and performance.
  • Assess the likelihood of a threat as well as the likelihood of a vulnerability being exploited.
  • Determine security risk levels and suitable mitigation strategies.
  • Evaluate residual security risk and risk acceptance criteria.

 


Medical Device Regulations Changes coming with Brexit.

Listen to this highlight from RCA Radio where Seyed Khorashahi breaks down the UK’s Medical Device Regulations resulting from Brexit and choosing not to join the EU MDR.

 

 

Listen to the entire episode where we go over Brexit and all of the important things happening in the Medical Device industry here.


Looking for help adhering to the New Brexit Regulations? Contact Us Now →


Changes with Brexit

The UK will not be transitioning to the EU MDR or IVDR and will be staying with MDD, AIMD, and IVDD. They plan on making changes in the future as necessary for the UK market.

 

CE Marking

The MHRA will recognize the CE Mark for devices until June 30th, 2023. This applies to products CE marked under the MDD, IVDD, and AIMDD, as well as the MDR and IVDR.

  • Class I and General IVD manufacturers can continue to self-declare.

 

Conformity Assessment Marking (UK CA)

  • UK Notified Bodies will become UK approved bodies starting January 1st, 2021
  • Device manufacturers can use UK approved bodies for UK CA marking starting on January 1st, 2021
  • UK CA marking will be mandatory on July 1st, 2023

 

MHRA Registration Requirement Dates

 

  • May 1st, 2021
    • Class III medical devices & IVD list A devices
    • Class II b implantable devices
  • September 1st, 2021
    • Class II b non-implantable and II a & IVD list b products
  • September 1st, 2022
    • Class I medical devices and general IVDs

 

UK Responsible Person

Manufacturers without a presence in the UK will need a UK responsible person, which can be an individual or a company, similar to an EU authorized representative.

 

 
