Cybersecurity

October is National Cybersecurity Awareness Month. The FDA believes this is a good time to reinforce the importance of medical device cybersecurity and the role we all play in medical device safety. For general tips and information about cybersecurity and cyber safety, visit the Department of Homeland Security's Stop.Think.Connect.™ Campaign website.

You can also find more information about FDA’s medical device cybersecurity activities on this page, including a fact sheet that separates myths from facts and links to the latest guidances for industry regarding the premarket and postmarket management of medical device cybersecurity.

All medical devices carry a certain amount of benefit and risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase exposure to cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

Threats and vulnerabilities cannot be eliminated, so the goal is to reduce security risk to an acceptable level rather than to remove it, and that is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage security risks.

The FDA’s recommendations for mitigating and managing cybersecurity threats include:

  • Medical device manufacturers (MDMs) and health care delivery organizations (HDOs) should take steps to ensure appropriate safeguards are in place. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. These organizations are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
  • Health care delivery organizations should evaluate their network security and protect their hospital systems.

We look for and encourage reports of cybersecurity issues through our surveillance of devices already on the market.

FDA Activities:

The FDA’s ongoing efforts to protect the public health from cybersecurity vulnerabilities include:

  • On October 18, 2018, the FDA published the draft guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The draft guidance provides recommendations to industry regarding cybersecurity device design, labeling, and the documentation that the FDA recommends be included in premarket submissions for devices with cybersecurity risk.

    The FDA will hold a public workshop on January 29-30, 2019 to bring together diverse stakeholders to discuss, in-depth, the draft guidance, and the sub-topic of the draft guidance regarding a Cybersecurity Bill of Materials (CBOM), which can be a critical element in identifying assets, threats, and vulnerabilities.

  • In October 2018, the FDA supported the development of the MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The playbook describes the types of readiness activities that will enable health care delivery organizations (HDOs) to be better prepared for a cybersecurity incident involving their medical devices, and gives product developers more opportunity to address the potential for large-scale, multi-patient impacts that may raise patient safety concerns.

    In addition, the FDA entered into two new Memoranda of Understanding with multiple stakeholder groups to create information sharing and analysis organizations (ISAOs): MedISAO and Sensato-ISAO. The goal of these ISAOs is to provide manufacturers with the opportunity to share information about potential vulnerabilities and emerging threats with the FDA, and to help manufacturers protect patients by addressing those issues earlier.

    The FDA also entered a Memorandum of Agreement (MOA) with the Department of Homeland Security (DHS). The agreement implements a framework for greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. This collaboration between the two agencies is intended to lead to better and more timely responses to potential threats to patient safety.

  • On May 18-19, 2017, the FDA partnered with the National Science Foundation (NSF) and Department of Homeland Security, Science and Technology (DHS, S&T) to hold a public workshop, Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis. The goals of the workshop were to: examine opportunities for FDA engagement with new and ongoing research; catalyze collaboration among stakeholders to identify regulatory science challenges; discuss innovative strategies to address those challenges; and to encourage proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity.
     
  • On January 12, 2017, the FDA held a webinar on the guidance: Postmarket Management of Cybersecurity in Medical Devices. Stakeholders were invited to learn more about the guidance and ask questions.
     
    The final guidance, released on December 27, 2016, informed manufacturers of the Agency’s recommendations for structured and comprehensive management of postmarket cybersecurity vulnerabilities for marketed and distributed medical devices throughout the product lifecycle.
  • In October 2016, the FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS). The NH-ISAC is a nonprofit health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. The MDISS is a nonprofit organization that develops best practices in public health, safety science, and cyber-physical system security to address the complex challenges associated with health care technology cybersecurity risks. The MOU expanded upon the collaboration previously established between the FDA and NH-ISAC in August 2014, and will enable an operational framework for medical device vulnerability information sharing, as described in the final guidance for the Postmarket Management of Cybersecurity in Medical Devices.
     
    The goals of this collaboration and MOU are:
     
    • To establish mechanisms by which information regarding medical device cybersecurity vulnerabilities and threats can be shared with the NH-ISAC, MDISS, and FDA in a trusted space; and
    • To foster the development of a shared risk assessment framework to enable stakeholders to consistently and efficiently assess patient safety and public health risks associated with identified cybersecurity vulnerabilities, and take timely and appropriate action to mitigate the risks.
       
  • The FDA issued six product-specific safety communications discussing cybersecurity vulnerabilities:
     
    • On October 11, 2018, the FDA issued a Safety Communication informing patients and health care providers about the release of a software update to address the cybersecurity vulnerabilities associated with Medtronic’s implantable cardiac device programmers.
    • On April 17, 2018, the FDA issued a Safety Communication informing patients and health care providers about the release of an additional firmware update to address premature battery depletion and confirmed cybersecurity vulnerabilities identified in Abbott’s (formerly St. Jude Medical) implantable cardiac devices.
    • On August 29, 2017, the FDA issued a Safety Communication informing patients and health care providers about the release of a firmware update to address cybersecurity vulnerabilities identified in Abbott’s (formerly St. Jude Medical) implantable cardiac pacemakers. The firmware update continues Abbott’s efforts to mitigate confirmed vulnerabilities discovered by an independent research firm in 2016.
    • On January 9, 2017, the FDA issued a Safety Communication confirming vulnerabilities in St. Jude Medical’s implantable cardiac devices and Merlin@home Transmitter. The FDA became aware of cybersecurity vulnerabilities in these devices after an independent research firm released information about these vulnerabilities.
    • On July 31, 2015, Hospira and an independent researcher confirmed that it is possible to access the Symbiq Infusion System remotely through a hospital’s network.
    • On May 13, 2015, the FDA issued a Safety Communication on vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. The FDA and Hospira became aware of cybersecurity vulnerabilities in these infusion systems after an independent researcher released information about these vulnerabilities.

In each of the above cases, the FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted. However, these vulnerabilities could allow unauthorized users to remotely access, control, and issue commands to compromised devices, potentially leading to severe patient harm. Health care facilities can reduce the risk of unauthorized access by implementing recommendations in the safety communications.
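The Cybersecurity Bill of Materials (CBOM) mentioned under the January 2019 workshop and the product-specific safety communications above both come down to one operational question for a health care delivery organization: does a given device contain a component with a disclosed vulnerability, and is the installed version inside the affected range? The following Python is an added example of that check and is not code from the FDA, MITRE, or any device manufacturer. It assumes a CBOM laid out as a JSON document of component name/version pairs (the FDA draft guidance does not prescribe this layout); the device name, component names, versions, and advisory identifiers are all constructed here for illustration and do not refer to any real product or advisory.

```python
"""Added example (not FDA, MITRE, or manufacturer code): match a device's
Cybersecurity Bill of Materials (CBOM) against known-vulnerable components.

Assumptions not taken from the FDA page: the CBOM is JSON listing components
by name and version string, and each advisory names one component plus an
affected version range. Every device, component, version, and advisory ID
below is constructed for illustration only.
"""
import json
from dataclasses import dataclass
from typing import List, Tuple

# Constructed CBOM for a hypothetical infusion pump (illustrative only).
SAMPLE_CBOM = json.dumps({
    "device": "ExamplePump 3000",
    "firmware": "4.2.1",
    "components": [
        {"name": "embedded-tls", "version": "1.0.2"},
        {"name": "rtos-net", "version": "3.7"},
        {"name": "webconfig", "version": "2.1.5"},
    ],
})


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    min_affected: str   # inclusive lower bound of affected versions
    fixed_in: str       # exclusive upper bound; "" means no fix is known
    summary: str


# Constructed advisories (hypothetical identifiers, not real CVEs or ICS advisories).
SAMPLE_ADVISORIES = [
    Advisory("EX-2018-001", "embedded-tls", "1.0.0", "1.0.3", "constructed: weak cipher negotiation"),
    Advisory("EX-2018-002", "webconfig", "2.0", "2.1.5", "constructed: authentication bypass"),
    Advisory("EX-2018-003", "rtos-net", "3.5", "", "constructed: unauthenticated command port"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not as strings.
    Non-numeric fragments (e.g. '2b') count as 0 for the numeric part."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [min_affected, fixed_in); open-ended if no fix is known."""
    v = parse_version(version)
    if v < parse_version(adv.min_affected):
        return False
    if adv.fixed_in and v >= parse_version(adv.fixed_in):
        return False  # already at or past the fixed release
    return True


def match_cbom(cbom_json: str, advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (component, installed version, advisory id) for every affected component."""
    cbom = json.loads(cbom_json)
    hits = []
    for comp in cbom["components"]:
        for adv in advisories:
            if adv.component == comp["name"] and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv.advisory_id))
    return hits


if __name__ == "__main__":
    device = json.loads(SAMPLE_CBOM)["device"]
    for name, version, adv_id in match_cbom(SAMPLE_CBOM, SAMPLE_ADVISORIES):
        print(f"{device}: {name} {version} is affected by {adv_id}")
```

In the constructed data, webconfig 2.1.5 is not reported because the fixed-in bound is exclusive and the installed version is exactly the fixed release, while rtos-net 3.7 is reported because the advisory has no known fix, so the affected range is open-ended. Comparing versions as integer tuples rather than strings is the part most often got wrong in ad hoc scripts ("1.10" must sort after "1.9"), and it is the reason a machine-readable CBOM, rather than a PDF of release notes, is what makes this kind of check tractable across a fleet of devices.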

Page Last Updated: 10/17/2018