Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. This vulnerability increases as medical devices are increasingly “connected” to the Internet, hospital networks, and to other medical devices.
To mitigate and manage cybersecurity threats, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, which could be caused by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.
Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.
Hospitals and health care facilities should evaluate their network security and protect the hospital system.
All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when the probable benefits to patients outweigh the probable risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase health care providers’ ability to treat patients. Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. Addressing cybersecurity threats and reducing information security risks is especially challenging because of the need to balance the protection of patient safety with promoting the development of innovative technologies and improved device performance.
The FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted at this time.
We look for and encourage reports of cybersecurity issues through our surveillance of devices already on the market.
FDA’s ongoing efforts to protect the public health from cybersecurity vulnerabilities include:
- On October 29, 2014, the FDA is holding a webinar on the Final Guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The webinar will explain the guidance and provide a forum for asking questions stakeholders may have. Registration is not necessary.
- On October 21-22, 2014, the FDA is holding a public workshop “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” to seek input from the healthcare and public health sector on medical device and healthcare cybersecurity. The goals of the workshop are to encourage collaboration among stakeholders, identify challenges and discuss strategies and best practices for promoting medical device cybersecurity.
- On October 2, 2014 the FDA issued final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” that contains recommendations to medical device manufacturers on cybersecurity management and information that should be included in a pre-market submission.
  The recommendations contained in “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” are intended to supplement the following FDA guidance documents:
- On August 26, 2014, the FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC). NH-ISAC is a non-profit, health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. The goals of the FDA’s collaboration with NH-ISAC include:
  - fostering stakeholder collaboration and communication;
  - creating awareness about the National Institute of Standards and Technology voluntary cybersecurity framework;
  - encouraging healthcare and public health stakeholders to develop innovative strategies to assess and mitigate cybersecurity vulnerabilities; and
  - building a foundation of trust within the healthcare and public health sector that encourages the timely sharing of cybersecurity vulnerabilities that can have a negative effect on patient safety.
- In a June 13, 2013, Safety Communication, Cybersecurity for Medical Devices and Hospital Networks, the FDA recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of device failure due to cyber attack.
- Reminder from FDA: Cybersecurity for Networked Medical Devices is a Shared Responsibility [ARCHIVED]
- FDA Guidance to Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
- Information for Health care Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”
- National Institute of Standards and Technology’s Preliminary Cybersecurity Framework
- FDA Voice – FDA and the Cybersecurity Community: Working Together to Protect the Public Health