Medical Devices

Cybersecurity

Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly “connected” to the Internet, to hospital networks, and to other medical devices.

To mitigate and manage cybersecurity threats, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, which could be caused by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.

Hospitals and health care facilities should evaluate their network security and protect the hospital system.

All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when the probable benefits to patients outweigh the probable risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase health care providers’ ability to treat patients. Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. Addressing cybersecurity threats and reducing information security risks is especially challenging because of the need to balance the protection of patient safety with promoting the development of innovative technologies and improved device performance.

The FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted at this time.

FDA Activities:

By issuing draft guidance that contains recommendations to medical device manufacturers on cybersecurity management, the FDA is taking steps to strengthen the cybersecurity related to medical devices. In addition, we look for and encourage reports of cybersecurity issues through our surveillance of devices already on the market.

In a June 13, 2013, Safety Communication, “Cybersecurity for Medical Devices and Hospital Networks,” the FDA recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of device failure due to cyber attack.

The FDA’s Draft Guidance for Industry and FDA Staff: “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” released on June 14, 2013, identifies issues related to cybersecurity for manufacturers to consider in preparing premarket submissions for medical devices. This draft guidance is not final and is not in effect at this time. FDA will carefully consider comments received on this draft before issuing a final guidance. The final guidance will represent FDA’s policy concerning the content of Premarket Submissions for Management of Cybersecurity in Medical Devices.
 

Page Last Updated: 06/04/2014