Pacemakers, insulin pumps and other medical devices are becoming more advanced. Most contain software and connect to the internet, hospital networks, your mobile phone, or other devices to share information. Because of this, it is important to make sure medical devices are cyber secure.
New technologies are being applied to all different types of devices—those that are implantable or wearable or used at home or in health care settings. The advances can offer care that is safer, more timely and more convenient. For example, patients with an implanted heart device can be monitored remotely, potentially reducing the number of visits to the doctor’s office. People with diabetes have new options for managing their blood-sugar levels because some glucose meters and insulin pumps can essentially talk to each other. Hospitals aiming to improve care and efficiency are using more devices that are networked together to share data.
Anytime a medical device has software and relies on a wireless or wired connection, it’s critical to pay close attention for any problems. The software behind these products, like all technologies, can become vulnerable to cyber threats, especially if the device is older and was not built with cybersecurity in mind.
FDA’s Role in Keeping Medical Devices Cyber Secure
The U.S. Food and Drug Administration regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. The FDA shares this responsibility with device manufacturers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Department of Commerce.
The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them.
If a vulnerability or weakness in software, hardware or other factor that could pose a risk is identified, the FDA may issue what is called a “safety communication.” These messages contain information about the vulnerability and recommended actions patients, providers and manufacturers can take. The FDA has issued multiple cyber safety communications. The FDA wants to make these messages as helpful as possible without causing unnecessary worry or burden on patients.
Keep Your Cybersecurity Vitals in Check to Maintain the Health of Your Medical Device
Medical devices are intended to improve health and help people live longer, healthier lives. The FDA is dedicated to help ensuring that connected medical devices are protected from cybersecurity threats. We are proactively working with manufacturers throughout the entire lifecycle of a product to protect patients.
Patients and caregivers can also play a critical role. Consider the following tips.
Protect your device and personal information:
- Use good password practices for your device. Create a unique password and do not share it with others.
- Keep your device within your physical control.
- Only connect your device to other devices and software if the device manufacturer or your health care provider indicate it is okay to do so.
- Keep your device updated. Updates may have useful things to protect you like patches or fixes for new cybersecurity risks. Stay up-to-date so your device has the best protection available.
- Check in with your device manufacturer or health care provider about other best practices specific to your device.
Devices can also show signs that something is wrong. Pay attention to symptoms that may need to be checked by your health care provider or the device manufacturer:
- Call your health care provider or device manufacturer if you see any inconsistencies, or strange behavior from your device.
- While you should ensure you keep your device up-to-date with any manufacturer-supplied patches, don’t try to apply other fixes to the device yourself—especially ones you may find on the internet. You could end up making a bad situation worse.
- Follow up on any alerts from your device.
- Make the most of your regularly scheduled check-ups with your health care provider. Have a list of questions about your device health ready to bring to your appointment. For example: What are the specific risks for my connected medical device? What (or what else) can I do to keep my device safe?
- Register your device with the manufacturer. It is an extra step, but it may help the manufacturer reach you more quickly to send you important information.
- Involve your family or caregivers. Educate them about your device or enlist their help if you are not tech savvy.
- If you experience a problem or injury that you think may be related to your medical device, seek appropriate medical attention.
- You can voluntarily report problems or injuries associated with devices through MedWatch, the FDA’s safety information and adverse event reporting program.
For more tips from the FDA’s medical device cybersecurity team, check out our video, Cybersecurity Awareness for Connected Medical Devices.