Medical Devices


Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly “connected” to the Internet, hospital networks, and to other medical devices.

To mitigate and manage cybersecurity threats, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, which could be caused by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.

Hospitals and health care facilities should evaluate their network security and protect the hospital system.

All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when the probable benefits to patients outweigh the probable risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase health care providers’ ability to treat patients. Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. Addressing cybersecurity threats and reducing information security risks is especially challenging because of the need to balance the protection of patient safety with promoting the development of innovative technologies and improved device performance.

The FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted at this time.

We look for and encourage reports of cybersecurity issues through our surveillance of devices already on the market.

FDA Activities:

FDA’s ongoing efforts to protect the public health from cybersecurity vulnerabilities include:

  • On October 29, 2014, the FDA is holding a webinar on the Final Guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”   The webinar will explain the guidance and provide a forum for asking questions stakeholders may have.  Registration is not necessary.   

Page Last Updated: 10/23/2014
Note: If you need help accessing information in different file formats, see Instructions for Downloading Viewers and Players.