NB Position Papers on Cybersecurity and “Off-Label” Use

Team-NB recently published various position papers. Two of the latest publications concern Cybersecurity and “Off-Label” use of medical devices under MDR.

Team-NB is the European Association for Medical devices of Notified Bodies.

Cybersecurity: connected medical devices and digitisation

Together with new opportunities and improvements, the rising use of connected medical devices and ongoing digitisation in healthcare bring different types of risks to the safety and security of medical devices. To ensure safe use of medical devices, it is crucial to define a regulatory framework for such products.

In this context, the NB position paper on cybersecurity lists the following recommendations:

  • ensure the harmonised adoption of standards (e.g., IEC 81001-5-1 and IEC TR 60601-4-5)
  • harmonise the approach to security risk assessment, for instance, by using a systematic threat modelling technique to minimise threats
  • harmonise the high-level penetration test requirement, by producing appropriate penetration test reports throughout the life cycle of the device
  • adopt a secure development life cycle (SDL), e.g., by following IEC 81001-5-1
  • address the importance of Cybersecurity Post Market Surveillance (Cybersecurity PMS), by auditing this aspect in the MDR/IVDR conformity assessment

Data generated from ‘Off-Label’ Use of a device

The second position paper focuses on data generated from “Off-label” use of a medical device. There are various definitions and interpretations of the term “Off-Label”. Generally, it can be stated that “any information that comes with a product is considered labelling and when the product is used for a clinical indication that is not approved, it is regarded as off-label use”.

Even if manufacturers must not promote the misuse of a medical device, it is sometimes difficult to predict areas of future misuse. Nonetheless, manufacturers must eliminate or control risks related to any misuse once identified. Indeed, the MDR requires that the manufacturer’s post-market clinical follow-up (PMCF) plan identify “systematic misuse or off-label use of the device with a view to verifying that the intended purpose of the device is correct”. According to Article 2 of the MDR, data included in the PMCF deriving from off-label use of the device can also be considered clinical data.

Can off-label data be used to expand the intended purpose/indications?

To demonstrate conformity with the general safety and performance requirements, the clinical data provided should be sufficient. In particular, this refers to the quality and quantity of the data. Generally, “off-label” data fail to meet certain key requirements. Typically, “off-label” use presents the following aspects:

  • data are not sufficient, especially in quality
  • the collection of data does not take place according to formal protocols
  • manufacturers should take measures to reduce the misuse but also identify if there is a genuine need for the newly identified use. If there is a need, the manufacturer should formalise the process of collecting such data

Therefore, the use of data derived from “off-label” use of medical devices presents limitations and lacks sufficient quality and quantity. Nevertheless, when collected in a formal manner with appropriate plans and protocols, “off-label” data can support a conformity assessment.

Find all the most recent position papers in our Library of Documents.
