Medical Devices


Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly connected to the Internet, hospital networks, and other medical devices.

All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase the ability of health care providers to treat patients.

Addressing cybersecurity threats, and thus reducing information security risks, is especially challenging. Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. There is a need to balance protecting patient safety and promoting the development of innovative technologies and improved device performance.

FDA recommendations for mitigating and managing cybersecurity threats include:

  • Medical device manufacturers and health care facilities should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
  • Hospitals and health care facilities should evaluate their network security and protect their hospital systems.

We look for and encourage reports of cybersecurity issues through our surveillance of devices already on the market.

FDA Activities:

The FDA’s ongoing efforts to protect the public health from cybersecurity vulnerabilities include:

  • On January 22, 2016, the FDA released the Postmarket Management of Cybersecurity in Medical Devices Draft Guidance to outline steps manufacturers should take to continually address cybersecurity risks with their devices in order to better protect the public health. The draft guidance outlines the agency’s expectations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market.
  • The FDA issued two safety communications discussing cybersecurity vulnerabilities of two Hospira Infusion Pump Systems:
    • On May 13, 2015, the FDA issued a Safety Communication on vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. The FDA and Hospira became aware of security vulnerabilities in these infusion systems after an independent researcher released information about these vulnerabilities.
    • On July 13, 2015, Hospira and an independent researcher confirmed that it is possible to access the Symbiq Infusion System remotely through a hospital’s network.

In both cases, the FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted. However, these vulnerabilities could allow unauthorized users to control the infusion pump and modify the dosage it delivers, potentially leading to over- or under-infusion of critical patient therapies. Health care facilities can reduce the risk of unauthorized access by implementing recommendations in the safety communications.


Page Last Updated: 11/01/2016