Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly connected to the Internet, hospital networks, and to other medical devices.
All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase the ability of health care providers to treat patients.
Addressing cybersecurity threats, and thus reducing information security risks, is especially challenging. Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. There is a need to balance protecting patient safety and promoting the development of innovative technologies and improved device performance.
FDA recommendations for mitigating and managing cybersecurity threats include:
- Medical device manufacturers and health care facilities should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
- Hospitals and health care facilities should evaluate their network security and protect their hospital systems.
We look for and encourage reports of cybersecurity issues through our surveillance of devices already on the market.
The FDA’s ongoing efforts to protect the public health from cybersecurity vulnerabilities include:
- On January 12, 2017, the FDA held a webinar on the guidance: Postmarket Management of Cybersecurity in Medical Devices. Stakeholders were invited to learn more about the guidance and ask questions.
  The final guidance, released on December 27, 2016, informed manufacturers of the Agency’s recommendations for structured and comprehensive management of postmarket cybersecurity vulnerabilities for marketed and distributed medical devices throughout the product lifecycle.
- In October 2016, the FDA entered into a new Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS). The NH-ISAC is a nonprofit health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. The MDISS is a nonprofit organization that develops best practices in public health, safety science, and physical cyber system security to address the complex challenges associated with healthcare technology cybersecurity risks. This MOU expands upon the collaboration previously established between the FDA and NH-ISAC in August 2014, and will enable an operational framework for medical device vulnerability information-sharing, as described in the final guidance for the Postmarket Management of Cybersecurity in Medical Devices.
  The goals of this new collaboration and MOU are:
  - To establish mechanisms by which information regarding medical device cybersecurity vulnerabilities and threats can be shared with the NH-ISAC, MDISS, and FDA in a trusted space; and
  - To foster the development of a shared risk assessment framework to enable stakeholders to consistently and efficiently assess patient safety and public health risks associated with identified cybersecurity vulnerabilities, and take timely and appropriate action to mitigate the risks.
- The FDA issued three product-specific safety communications discussing cybersecurity vulnerabilities:
  - On January 9, 2017, the FDA issued a Safety Communication confirming vulnerabilities in St. Jude Medical’s implantable cardiac devices and Merlin@home Transmitter. The FDA became aware of cybersecurity vulnerabilities in these devices after an independent research firm released information about these vulnerabilities.
  - On July 31, 2015, Hospira and an independent researcher confirmed that it is possible to access the Symbiq Infusion System remotely through a hospital’s network.
  - On May 13, 2015, the FDA issued a Safety Communication on vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. The FDA and Hospira became aware of cybersecurity vulnerabilities in these infusion systems after an independent researcher released information about these vulnerabilities.
  In each of the above cases, the FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted. However, these vulnerabilities could allow unauthorized users to remotely access, control, and issue commands to compromised devices, potentially leading to severe patient harm. Health care facilities can reduce the risk of unauthorized access by implementing the recommendations in the safety communications.
- On October 29, 2014, the FDA held a webinar on the guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Stakeholders were invited to learn more about the guidance and ask questions.
  The final guidance, issued on October 2, 2014, contains recommendations for medical device manufacturers on cybersecurity management and information that should be included in a pre-market submission. The recommendations are intended to supplement the following FDA guidance documents:
- On October 21-22, 2014, the FDA held a public workshop, Collaborative Approaches for Medical Device and Healthcare Cybersecurity, to seek input from the health care and public health sector on medical device and health care cybersecurity. The goals of the workshop were to encourage collaboration among stakeholders, identify challenges and discuss strategies and best practices for promoting medical device cybersecurity.
- On June 13, 2013, the FDA issued a safety communication, Cybersecurity for Medical Devices and Hospital Networks, in which the FDA recommends that medical device manufacturers and health care facilities take steps to ensure that appropriate safeguards are in place to reduce the risk of device failure due to cyber attack.
- Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication
- Federal Register notice of availability: Postmarket Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and FDA
- Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff (PDF - 1.2MB)
- FDA Voice - Managing Medical Device Cybersecurity in the Postmarket: At the Crossroads of Cyber-safety and Advancing Technology (December 27, 2016)
- Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication
- Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communication
- FDA Voice - National Cyber Security Awareness Month: Understanding the Interdependencies of Medical Devices and Cybersecurity (October 27, 2016)
- FDA outlines cybersecurity recommendations for medical device manufacturers: FDA Press Release (January 15, 2016)
- FDA Voice - FDA and the Cybersecurity Community: Working Together to Protect the Public Health (October 8, 2014)
- Information for Health care Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”
- National Institute of Standards and Technology’s Preliminary Cybersecurity Framework