
March 13, 2024 - The FDA issued the draft guidance Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act. This draft guidance proposes updated recommendations to industry on cybersecurity considerations for cyber devices and provides recommendations for documentation in device premarket submissions.

November 15, 2023 - The FDA contracted with MITRE to develop the report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks. Legacy medical devices are those that cannot be reasonably protected against current cybersecurity threats, and these devices can pose significant risks to the health care sector. Legacy devices were legally put on the market and may still be broadly in use. However, cybersecurity controls that may have been effective at their point of purchase may no longer be adequate now. Addressing this issue is complex and must be done in a way that minimizes negative impacts to patient care and safety. This publication outlines practical approaches and recommendations that build on previous work and can further drive sector-wide legacy device cyber risk management efforts.

On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") was signed into law. Section 3305 of the Omnibus -- "Ensuring Cybersecurity of Medical Devices" -- amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices (section 3305). The Omnibus states that the amendments to the FD&C Act shall take effect 90 days after the enactment of this Act, on March 29, 2023.

To mark the FDA cyber team's 10-year anniversary, here is an infographic showing some of the ways they have contributed to patient safety over the past decade.


September 26, 2023 - The FDA issued the final guidance Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This guidance provides recommendations on medical device cybersecurity considerations and what information to include in premarket submissions.

May 1, 2023 - The FDA has launched its third video: Tips for Health Care Facilities: Cybersecurity Incident Preparedness and Response. The video focuses on how to prepare for a cybersecurity event and help ensure patient safety during a prolonged cybersecurity event. 

For more information about cybersecurity in medical devices, we recommend you consult our guidance documents and read Cybersecurity in Medical Devices Frequently Asked Questions (FAQs).

All legally-marketed medical devices have benefits and risks. The FDA clears, authorizes, and approves devices to be marketed when there is a reasonable assurance that the devices are safe and effective for their intended use.

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

Threats and vulnerabilities cannot be eliminated and reducing cybersecurity risks is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.

Cybersecurity News and Updates

Legacy Medical Device Report: Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks is a MITRE report that outlines practical approaches and recommendations that build on previous work and can further drive sector-wide legacy device cyber risk management efforts.

Incident Response Playbook: Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook is a playbook that describes the types of readiness activities that will enable health delivery organizations (HDOs) to be better prepared for a cybersecurity incident involving their medical devices and gives product developers more opportunity to address the potential for large scale, multi-patient impacts that may raise patient safety concerns.

Threat Modeling Playbook: Playbook for Threat Modeling Medical Devices is an educational resource that discusses best practices for understanding basic threat modeling concepts and processes, and how to apply them to medical devices.

Speaker series: The joint FDA and University of California San Francisco-Stanford Center of Excellence in Regulatory Science and Innovation (CERSI) speaker series consists of virtual one-hour lectures to promote regulatory science, including innovative research, education, and scientific exchange. It takes place monthly, on the third Thursday of each month from noon to 1:00 p.m. EST.

Paper: Best Practices for Communicating Cybersecurity Vulnerabilities for Patients outlines information for the FDA, federal partners, and industry stakeholders to help thoughtfully inform patients and the public about cybersecurity vulnerabilities.

Mitigating Cybersecurity Risks

Medical device manufacturers (MDMs) and health care delivery organizations (HDOs) should take steps to ensure appropriate safeguards are in place.

  • Medical device manufacturers (MDMs) are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.
  • Health care delivery organizations (HDOs) should evaluate their network security and protect their hospital systems.
  • Both MDMs and HDOs are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.

FDA Fact Sheet:
THE FDA'S ROLE IN MEDICAL DEVICE CYBERSECURITY
Dispelling Myths and Understanding



Cybersecurity Reports and White Papers

Date | Title | Description
11/30/2021 | Playbook for Threat Modeling Medical Devices | The Playbook for Threat Modeling is an educational resource for the medical device sector to learn how to effectively threat model. Many private and public sector organizations recommend threat modeling to help manage and respond to cyber threats and risks.
10/01/2021 | Best Practices for Communicating Cybersecurity Vulnerabilities to Patients | This paper outlines information for the FDA, federal partners, and industry stakeholders to help thoughtfully inform patients and the public about cybersecurity vulnerabilities.
05/10/2021 | NIST Request on Presidential Executive Order: Comments Submitted by the FDA (PDF - 4MB) | This paper provides relevant responses to the National Institute of Standards and Technology (NIST) call for position papers to fulfill the President's Executive Order (EO) on Improving the Cybersecurity of the Federal Government (EO 14028), issued on May 12, 2021. It highlights existing FDA guidance documents and international standards on the science of cybersecurity for the premarket review of medical devices and post-market surveillance of cybersecurity incidents and vulnerabilities.
06/17/2021 | Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities | The FDA released this discussion paper to consider cybersecurity issues that are unique to the servicing of medical devices and to seek input on these topics.

Cybersecurity Guidances

Date | Title | Description
03/13/2024 | Draft Guidance: Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act | This draft guidance proposes updated recommendations to industry on cybersecurity considerations for cyber devices and for documentation in device premarket submissions.
09/27/2023 | Final Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices

In addition to the specific recommendations contained in this guidance, manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.

The recommendations are intended to supplement these guidance documents:

12/27/2016 | Final Guidance: Postmarket Management of Cybersecurity in Medical Devices | Provides recommendations to industry for structured and comprehensive management of postmarket cybersecurity vulnerabilities for marketed and distributed medical devices throughout the product lifecycle.
01/14/2005 | Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software | A growing number of medical devices are designed to be connected to computer networks. Many of these networked medical devices incorporate off-the-shelf software that is vulnerable to cybersecurity threats such as viruses and worms. These vulnerabilities may represent a risk to the safe and effective operation of networked medical devices and typically require an ongoing maintenance effort throughout the product life cycle to assure an adequate degree of protection. The FDA issued guidance to clarify how existing regulations, including the Quality System (QS) Regulation, apply to such cybersecurity maintenance activities.

Cybersecurity Safety Communications and Other Alerts 

In each of the following cases, the FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted. However, if left unpatched or otherwise unmitigated, these vulnerabilities could allow unauthorized users to access, control, and issue commands to compromised devices, potentially leading to patient harm. Health care facilities can reduce the risk of unauthorized access by implementing the recommendations in the safety communications and alerts listed below.

Date | Safety Communication or Alert | Description
09/20/2022 | Medtronic MiniMed 600 Series Insulin Pump System Potential Cybersecurity Risk

The FDA is alerting medical device users about a cybersecurity risk for the Medtronic MiniMed 600 Series Insulin Pump System (for example: MiniMed 630G and MiniMed 670G). There is a potential issue associated with the communication protocol for the pump system that could allow unauthorized access to the pump system. If unauthorized access occurs, the pump's communication protocol could be compromised, which may cause the pump to deliver too much or too little insulin.

The MiniMed 600 series pump system has components that communicate wirelessly (such as the insulin pump, continuous glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device). For unauthorized access to occur, a nearby unauthorized person (person other than you or your care partner) would need to gain access to your pump while the pump is being paired with other system components.
The FDA is not aware of any reports related to this cybersecurity vulnerability.

Medtronic issued an Urgent Medical Device Correction to inform medical device users of this cybersecurity risk and included actions and recommendations for users to take.

The FDA is working with Medtronic to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability. The FDA will keep the public informed if significant new information becomes available. 

For additional questions about this cybersecurity risk, medical device users should reach out to Medtronic at 1-800-646-4633, option 1.

06/02/2022 | Illumina Cybersecurity Vulnerability May Present Risks for Patient Results and Customer Networks: Letter to Health Care Providers | The U.S. Food and Drug Administration (FDA) is informing laboratory personnel and health care providers about a cybersecurity vulnerability affecting software in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next generation sequencing instruments.
03/08/2022 | Cybersecurity Alert: Vulnerabilities identified in medical device software components: PTC Axeda agent and Axeda Desktop Server

The FDA is alerting medical device users and manufacturers about a cybersecurity vulnerability identified for the Axeda agent and Axeda Desktop Server. The agent and desktop server are used in numerous medical devices across several medical device manufacturers, and all versions of Axeda agent and Axeda Desktop Server are affected. On March 8, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory, ICSA-22-067-01, on these vulnerabilities.

The Axeda agent and Axeda Desktop Server are web-based technologies that allow one or more people to securely view and operate the same remote desktop, through the Internet. The Axeda agent and desktop server are owned and supported by the computer software company, PTC.

Successful exploitation of this vulnerability could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition. Depending on its use in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality.

To mitigate the cybersecurity vulnerability, PTC recommends that affected manufacturers:

  • Upgrade to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
  • Configure Axeda agent and Axeda Desktop Server to only listen on the local host interface 127.0.0.1.
  • Provide a unique password in the AxedaDesktop.ini file for each unit.
  • Never use ERemoteServer in production.
  • Make sure to delete ERemoteServer file from host device.
  • Remove the installation file.
  • When running in Windows or Linux, only allow connections to ERemoteServer from trusted hosts and block all others.
  • When running the Windows operating system, configure Localhost communications (127.0.0.1) between ERemoteServer and Axeda Builder.
  • Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.

Upgrade the Axeda Desktop Server to Version 6.9 build 215. The Axeda agent loopback-only configuration is only available in Version 6.9.1 and above. Upgrading to Axeda agent 6.9.1 or above is required.

For additional questions about this vulnerability, medical device manufacturers should reach out to PTC.
Users of affected medical devices should contact the associated medical device manufacturer(s) to understand the potential impacts of these vulnerabilities to specific medical devices and follow the associated medical device manufacturer's suggested mitigations.

12/22/2021 | Cybersecurity Alert: Fresenius Kabi Agilia Connect Infusion System

On Tuesday, December 21, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) published medical advisory ICSMA-21-355-01 on vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System. Successful remote exploitation of these vulnerabilities could allow an attacker to gain access to sensitive information, modify settings, or perform arbitrary actions as an unauthorized user.

Affected components requiring a software security patch include:

  • Agilia Connect WiFi module of the pumps vD25 and prior;
  • Agilia Link+ v3.0 D15 and prior;
  • Vigilant Software Suite v1.0: Vigilant Centerium, Vigilant MasterMed and Vigilant Insight; and
  • Agilia Partner maintenance software v3.3.0 and prior.

Fresenius Kabi has created new versions to address these vulnerabilities. Fresenius Kabi also identified that approximately 1,200 infusion pumps would need hardware changes. Until replacements can be made in customers' installations, Fresenius Kabi recommends users rely on CISA's recommendations for temporary alternatives. Health care delivery organizations are advised to follow the recommendations published by CISA and Fresenius Kabi to avoid cybersecurity risks that could affect the safety and essential performance of the Fresenius Kabi Agilia Connect Infusion System.

12/17/2021 | Cybersecurity Vulnerability with Apache Log4j

The FDA is raising awareness of a cybersecurity vulnerability in Apache's Log4j software library, versions 2.0-beta9 to 2.14.1.

Log4j is broadly used in a variety of consumer and enterprise services, websites, and applications—as well as medical devices and supporting systems—to log security and performance information. There is active, widespread exploitation of the vulnerability across various industries. These vulnerabilities may introduce risks for certain medical devices where the device could be made unavailable, or an unauthorized user could remotely impact the safety and effectiveness of device functionality. At this time, the FDA is not aware of any confirmed adverse events affecting medical devices related to these vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has established a website with additional information; the FDA encourages medical device manufacturers to review it and follow the identified recommendations to address the vulnerability.

Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions. As Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may use the affected software and follow the above process to assess the device impact. Manufacturers who may be affected by this most recent issue should communicate with their customers and coordinate with CISA. As this is an ongoing and still evolving issue, we also recommend continued vigilance and response to ensure medical devices are appropriately secured.

Report any adverse events or suspected events through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. For more information, please see the guidance for manufacturers on medical device reporting.

08/17/2021 | CISA Alert: Cybersecurity Vulnerabilities with BlackBerry QNX

The FDA is working closely with federal partners, medical device manufacturers, and the private sector to address cybersecurity vulnerabilities with BlackBerry's QNX Real Time Operating System (RTOS) version 6.5 Service Pack 1 and earlier. These vulnerabilities may introduce risks for certain medical devices, as well as pharmaceutical or medical device manufacturing equipment. The FDA is not aware of any confirmed adverse events related to these vulnerabilities.

The FDA has provided information to medical device and pharmaceutical manufacturers on steps they should take to mitigate cybersecurity issues and actions to take when they believe a cybersecurity incident has occurred. Manufacturers are already assessing whether they are affected by these vulnerabilities, evaluating the risk, and developing remediation actions. Manufacturers who may be affected by this most recent issue should communicate with their customers and coordinate with the Cybersecurity and Infrastructure Security Agency (CISA).

03/03/2020 | SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices | The FDA is informing patients, health care providers, and manufacturers about the SweynTooth family of cybersecurity vulnerabilities, which may introduce risks for certain medical devices.
01/23/2020 | Cybersecurity Vulnerabilities in Certain GE Healthcare Clinical Information Central Stations and Telemetry Servers | The FDA is raising awareness among health care providers and facility staff that cybersecurity vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers may introduce risks to patients while they are being monitored.
10/01/2019 | Urgent/11 Cybersecurity Vulnerabilities May Introduce Risks During Use of Certain Medical Devices | The FDA is informing patients, health care providers and facility staff, and manufacturers about cybersecurity vulnerabilities for connected medical devices and health care networks that use certain communication software.
06/27/2019 | Certain Medtronic MiniMed Insulin Pumps Have Potential Cybersecurity Risks: FDA Safety Communication | The FDA has become aware of potential cybersecurity risks in certain Medtronic MiniMed Paradigm insulin pumps. The FDA recommends patients replace affected pumps with models that are better equipped to protect them from these potential risks.
03/21/2019 | Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication | The FDA became aware of cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic's implantable cardiac devices, clinic programmers, and home monitors. The FDA recommends that health care providers and patients continue to use these devices as intended and follow device labeling.
10/11/2018 | Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers | Medtronic released a software update to address the cybersecurity vulnerabilities associated with Medtronic's implantable cardiac device programmers.
04/17/2018 | Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices | Abbott released an additional firmware update to address premature battery depletion and confirmed cybersecurity vulnerabilities identified in Abbott's (formerly St. Jude Medical) implantable cardiac devices.
08/29/2017 | Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers | Abbott released a firmware update to address cybersecurity vulnerabilities identified in Abbott's (formerly St. Jude Medical) implantable cardiac pacemakers. The firmware update continues Abbott's efforts to mitigate confirmed vulnerabilities discovered by an independent research firm in 2016.
01/09/2017 | Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter | The FDA became aware of cybersecurity vulnerabilities in these devices after an independent research firm released information about these vulnerabilities.
05/13/2015 | LifeCare PCA3 and PCA5 Infusion Pump Systems by Hospira - Security Vulnerabilities | The FDA and Hospira became aware of cybersecurity vulnerabilities in these infusion systems after an independent researcher released information about these vulnerabilities. On July 31, 2015, Hospira and an independent researcher confirmed that it is possible to access the Symbiq Infusion System remotely through a hospital's network.
06/13/2013 | Cybersecurity for Medical Devices and Hospital Networks | The FDA recommends that medical device manufacturers and health care facilities take steps to ensure that appropriate safeguards are in place to reduce the risk of device failure due to cyberattack.

To receive safety communications on medical devices, including cybersecurity-related safety communications, subscribe to our Medical Devices Safety and Recalls emails.

Reporting Cybersecurity Issues to the FDA

As a part of our surveillance of medical devices on the market, the FDA monitors reports of cybersecurity issues with devices.

Memoranda of Understanding on Cybersecurity in Medical Devices

The table below provides an overview of the cybersecurity information sharing agreements that the FDA has with various stakeholders to help us further protect and promote the public health.

MOU/MOA | Parties | Description
MOU 225-18-028 | National Health Information Sharing & Analysis Center, Inc. (NHISAC) and MediSAO (information sharing analysis organization) | The goal of these Information Sharing and Analysis Organizations (ISAOs) is to provide manufacturers with the opportunity to share information about potential vulnerabilities and emerging threats with the FDA and to help manufacturers protect patients by addressing those issues earlier.
MOU 225-18-030 | Health Information Sharing & Analysis Center, Inc. (H-ISAC), formerly known as the National Health Information Sharing & Analysis Center, Inc. (NH-ISAC), and Sensato Critical Infrastructure ISAO | The goal of these ISAOs is to provide manufacturers with the opportunity to share information about potential vulnerabilities and emerging threats with the FDA and to help manufacturers protect patients by addressing those issues earlier.
MOA: DHS-FDA Medical Device Cybersecurity Collaboration | Department of Homeland Security (DHS) | The agreement implements a framework for greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. This collaboration between the two agencies is intended to lead to better and more timely responses to potential threats to patient safety.

Workshops and Webinars on Cybersecurity

Date | Topic | Purpose
11/02/2023 | Webinar: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions | Provided background on this final guidance, which provides recommendations on medical device cybersecurity considerations and what information to include in premarket submissions.
09/10/2019 | Patient Engagement Advisory Committee Meeting: Cybersecurity in Medical Devices - Communication That Empowers Patients

Provided background to the committee regarding the complexity of integrating medical device cybersecurity risk into health risk communications so that they can provide recommendations to the FDA on this topic.

Committee provided recommendations that:

  • address which factors should be considered by the FDA and industry when communicating cybersecurity risks to patients and to the public, including but not limited to the content, phrasing, the methods used to disseminate the message, and the timing of that communication.
  • address concerns patients have about changes to their devices to reduce cybersecurity risks, as well as the role of other stakeholders such as health care providers in communicating cybersecurity risks to patients.
01/29-30/2019 | Public Workshop: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices | Brought together diverse stakeholders to discuss, in depth, the draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and the sub-topic of the draft guidance regarding a Cybersecurity Bill of Materials (CBOM), which can be a critical element in identifying assets, threats, and vulnerabilities.
05/18-19/2017 | Public Workshop: Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis | Examined opportunities for FDA engagement with new and ongoing research; catalyzed collaboration among stakeholders to identify regulatory science challenges; discussed innovative strategies to address those challenges; and encouraged proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity.
01/12/2017 | Webinar: Postmarket Management of Cybersecurity in Medical Devices | Provided information about the guidance and an opportunity to ask questions.
01/20-21/2016 | Public Workshop, Moving Forward: Collaborative Approaches to Medical Device Cybersecurity | Highlighted past collaborative efforts and increased awareness of existing maturity models, which are used to evaluate cybersecurity status, standards, and tools in development.
10/29/2014 | Webinar: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices | Provided information about the guidance and an opportunity to ask questions.
10/21-22/2014 | Public Workshop: Collaborative Approaches for Medical Device and Healthcare Cybersecurity | Encouraged collaboration among stakeholders, identified challenges, and discussed strategies and best practices for promoting medical device cybersecurity.

Other Collaborations on Cybersecurity in Medical Devices

International Medical Device Regulators Forum (IMDRF): The FDA serves as a co-chair of the IMDRF working group tasked with drafting a global medical device cybersecurity guide. The purpose of the guide is to promote a globally harmonized approach to medical device cybersecurity that at a fundamental level ensures the safety and performance of medical devices while encouraging innovation. The guide is thus intended to provide medical device cybersecurity advice for stakeholders across the device lifecycle on topics including but not limited to medical device cybersecurity terminology, stakeholders' shared responsibility, and information sharing. The finalized guide was published on March 18, 2020.

Healthcare and Public Health Sector Coordinating Council (HSCC): The FDA serves as a co-chair of the Government Coordinating Council (GCC) for the HPH HSCC. Specifically, this is a public-private partnership among healthcare industry leaders and the government to address the most pressing security and resiliency challenges to the healthcare sector as a whole including cybersecurity. As a co-chair of a task group within the HSCC cybersecurity working group, the FDA participated in the development of the Medical Device and Health IT Joint Security Plan (JSP). The JSP is a total product lifecycle reference guide to developing, deploying and supporting cybersecure technology solutions in the health care environment.

MITRE and MDIC Threat Modeling Bootcamps: In 2020, the FDA funded a series of threat modeling bootcamps, developed and hosted by MDIC and MITRE in partnership, to highlight the importance of threat modeling during the development, deployment, and maintenance of connected medical devices, and to provide training to industry representatives on threat modeling best practices and strategies. In addition to the bootcamps, the FDA has funded MDIC and MITRE to produce the Playbook for Threat Modeling Medical Devices, a threat modeling playbook that stakeholders throughout the sector may use to learn more about threat modeling best practices, and how to incorporate them into their own organizations and processes.

MITRE Corporation: On November 15, 2022, in collaboration with MITRE, the FDA updated the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, a resource to help health care organizations prepare for cybersecurity incidents. The playbook focuses on preparedness and response for medical device cybersecurity issues that impact device functions.

Updates to the playbook include:

  • Emphasizing the need to have a diverse team participating in cybersecurity preparedness and response exercises – including clinicians, health care technology management professionals, IT, emergency response, and risk management and facilities staff.
  • Highlighting considerations for widespread impacts and extended downtimes during cybersecurity incidents which benefit from the use of regional response models and partners.
  • Adding a resource appendix making it easier to find tools, references, and other resources to help health care organizations prepare for and respond to medical device cybersecurity incidents (including ransomware).

A Playbook Quick Start Companion Guide is also available. The guide is a shorter version of the playbook that discusses preparedness and response activities health care organizations might want to start with as they are developing their medical device incident response program.

Medical Device Innovation Consortium (MDIC): In September 2018, as a member of an MDIC Steering Committee, the FDA supported the development of an MDIC's report Medical Device Cybersecurity Report: Advancing Coordinated Vulnerability Disclosure. The report encourages the adoption of coordinated vulnerability disclosure (CVD) policies by medical device manufacturers (MDMs) in an effort to promote medical device cybersecurity and patient safety. CVD policies establish formalized processes for obtaining cybersecurity vulnerability information, assessing vulnerabilities, developing remediation strategies, and disclosing the existence of vulnerabilities and remediation approaches to various stakeholders—often including peer companies, customers, government regulators, cybersecurity information sharing organizations, and the public. This report addresses the importance of CVD policies for MDMs and stakeholders across the medical device ecosystem.
