All medical devices carry a certain amount of benefit and risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks.
Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.
Threats and vulnerabilities cannot be eliminated; therefore, reducing security risks is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage security risks.
Medical device manufacturers (MDMs) and health care delivery organizations (HDOs) should take steps to ensure appropriate safeguards are in place.
- Medical device manufacturers (MDMs) are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.
- Health care delivery organizations (HDOs) should evaluate their network security and protect their hospital systems.
- Both MDMs and HDOs are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
FDA Fact Sheet: The FDA's Role in Medical Device Cybersecurity, Dispelling Myths and Understanding (Download the Fact Sheet, PDF - 175kb)

| Date | Guidance | Description |
|---|---|---|
| 10/18/2018 | Draft Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (PDF - 603kb) | Provides recommendations to industry regarding cybersecurity device design, labeling, and documentation to be included in premarket submissions for devices with cybersecurity risk. The recommendations are intended to supplement these guidance documents: |
| 12/27/2016 | Final Guidance: Postmarket Management of Cybersecurity in Medical Devices (PDF - 1.2MB) | Provides recommendations to industry for structured and comprehensive management of postmarket cybersecurity vulnerabilities for marketed and distributed medical devices throughout the product lifecycle. |
| 10/02/2014 | Final Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices | Provides recommendations to industry about identifying cybersecurity issues to consider in the design and development of medical devices as well as in preparing premarket submissions for those devices. The recommendations are intended to supplement these guidance documents: |
| 1/14/2005 | Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (PDF - 148kb) | Outlines general principles that the FDA considers to be applicable to software maintenance actions required to address cybersecurity vulnerabilities for networked medical devices, specifically those that incorporate off-the-shelf (OTS) software. |

In each of the following cases, the FDA is not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted. However, these vulnerabilities could allow unauthorized users to remotely access, control, and issue commands to compromised devices, potentially leading to severe patient harm. Health care facilities can reduce the risk of unauthorized access by implementing recommendations in the safety communications.

| Date | Safety Communication | Description |
|---|---|---|
| 06/27/2019 | Certain Medtronic MiniMed Insulin Pumps Have Potential Cybersecurity Risks: FDA Safety Communication | The FDA has become aware of potential cybersecurity risks in certain Medtronic MiniMed Paradigm insulin pumps. The FDA recommends patients replace affected pumps with models that are better equipped to protect them from these potential risks. |
| 03/21/2019 | Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication | The FDA became aware of cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic's implantable cardiac devices, clinic programmers, and home monitors. The FDA recommends that health care providers and patients continue to use these devices as intended and follow device labeling. |
| 10/11/2018 | Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers | Medtronic released a software update to address the cybersecurity vulnerabilities associated with Medtronic's implantable cardiac device programmers. |
| 04/17/2018 | Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices | Abbott released an additional firmware update to address premature battery depletion and confirmed cybersecurity vulnerabilities identified in Abbott's (formerly St. Jude Medical) implantable cardiac devices. |
| 08/29/2017 | Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers | Abbott released a firmware update to address cybersecurity vulnerabilities identified in Abbott's (formerly St. Jude Medical) implantable cardiac pacemakers. The firmware update continues Abbott's efforts to mitigate confirmed vulnerabilities discovered by an independent research firm in 2016. |
| 01/09/2017 | Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter | The FDA became aware of cybersecurity vulnerabilities in these devices after an independent research firm released information about these vulnerabilities. |
| 05/13/2015 | LifeCare PCA3 and PCA5 Infusion Pump Systems by Hospira - Security Vulnerabilities | The FDA and Hospira became aware of cybersecurity vulnerabilities in these infusion systems after an independent researcher released information about these vulnerabilities. On July 31, 2015, Hospira and an independent researcher confirmed that it is possible to access the Symbiq Infusion System remotely through a hospital's network. |
| 06/13/2013 | Cybersecurity for Medical Devices and Hospital Networks | The FDA recommends that medical device manufacturers and health care facilities take steps to ensure that appropriate safeguards are in place to reduce the risk of device failure due to cyber attack. |

To receive safety communications on medical devices, including cybersecurity-related safety communications, subscribe to our Medical Devices Safety and Recalls emails.
As a part of our surveillance of medical devices on the market, the FDA encourages reports of cybersecurity issues with devices.
- Manufacturers, Importers, and Device User Facilities: See Medical Device Reporting (MDR) for details on mandatory reporting requirements.
- Health care providers: Use the MedWatch voluntary report form for health professionals (Form 3500) to report a cybersecurity issue with a medical device.
- Patients and caregivers: Use the MedWatch voluntary report form for consumers/patients (Form 3500B) to report a cybersecurity issue with a medical device.

| Agreement | Parties | Description |
|---|---|---|
| MOU 225-18-028 | National Health Information Sharing & Analysis Center, Inc. (NH-ISAC) and MediSAO (information sharing analysis organization) | The goal of these ISAOs is to provide manufacturers with the opportunity to share information about potential vulnerabilities and emerging threats with the FDA and to help manufacturers protect patients by addressing those issues earlier. |
| MOU 225-18-030 | Health Information Sharing & Analysis Center, Inc. (H-ISAC), formerly known as the National Health Information Sharing & Analysis Center, Inc. (NH-ISAC), and Sensato Critical Infrastructure ISAO | The goal of these ISAOs is to provide manufacturers with the opportunity to share information about potential vulnerabilities and emerging threats with the FDA and to help manufacturers protect patients by addressing those issues earlier. |
| MOA: DHS-FDA Medical Device Cybersecurity Collaboration | Department of Homeland Security (DHS) | The agreement implements a framework for greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. This collaboration between the two agencies is intended to lead to better and more timely responses to potential threats to patient safety. |
| MOU 225-16-024 | National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS) | Expands upon the collaboration previously established in MOU 224-14-0019 and enables an operational framework for medical device vulnerability information-sharing, as described in the final guidance for the Postmarket Management of Cybersecurity in Medical Devices (PDF - 1.2MB). |
| MOU 225-14-0019 | National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS) | NH-ISAC is a nonprofit health sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. MDISS is a nonprofit organization that develops best practices in public health, safety science, and physical cyber system security to address the complex challenges associated with healthcare technology cybersecurity risks. |

The goals of FDA's collaboration and MOUs with NH-ISAC and MDISS are to:
- Establish mechanisms by which information regarding medical device cybersecurity vulnerabilities and threats can be shared with the NH-ISAC, MDISS, and FDA in a trusted space.
- Foster the development of a shared risk assessment framework to enable stakeholders to consistently and efficiently assess patient safety and public health risks associated with identified cybersecurity vulnerabilities and take timely and appropriate action to mitigate the risks.

| Date | Event | Description |
|---|---|---|
| 01/29-30/2019 | Public Workshop: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices | Bring together diverse stakeholders to discuss, in-depth, the draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (PDF - 604kb) and the sub-topic of the draft guidance regarding a Cybersecurity Bill of Materials (CBOM), which can be a critical element in identifying assets, threats, and vulnerabilities. |
| 05/18-19/2017 | Public Workshop: Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis | Examine opportunities for FDA engagement with new and ongoing research; catalyze collaboration among stakeholders to identify regulatory science challenges; discuss innovative strategies to address those challenges; and encourage proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity. |
| 01/12/2017 | Webinar: Postmarket Management of Cybersecurity in Medical Devices | Learn more about the guidance (PDF - 1.2MB) and ask questions. |
| 01/20-21/2016 | Public Workshop, Moving Forward: Collaborative Approaches to Medical Device Cybersecurity | Highlight past collaborative efforts and increase awareness of existing maturity models which are used to evaluate cybersecurity status, standards, and tools in development. |
| 10/29/2014 | Webinar: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices | Learn more about the guidance (PDF - 324kb) and ask questions. |
| 10/21-22/2014 | Public Workshop: Collaborative Approaches for Medical Device and Healthcare Cybersecurity | Encourage collaboration among stakeholders, identify challenges and discuss strategies and best practices for promoting medical device cybersecurity. |

MITRE Corporation: In October 2018, the FDA supported the development of the MITRE Corporation's Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The playbook describes the types of readiness activities that will enable health care delivery organizations (HDOs) to be better prepared for a cybersecurity incident involving their medical devices and gives product developers more opportunity to address the potential for large-scale, multi-patient impacts that may raise patient safety concerns.
- FDA News Release: FDA warns patients and health care providers about potential cybersecurity concerns with certain Medtronic insulin pumps (June 27, 2019)
- FDA In Brief: FDA issues alert on potential premature battery depletion of certain Medtronic implantable pacemakers, approves related enhancements to device (May 7, 2019)
- FDA In Brief: FDA proposes updated cybersecurity recommendations to help ensure device manufacturers are adequately addressing evolving cybersecurity threats (October 17, 2018)
- FDA News Release: FDA and DHS increase coordination of responses to medical device cybersecurity threats under new partnership; a part of the two agencies' broader effort to protect patient safety (October 16, 2018)
- FDA In Brief: FDA warns patients, providers about cybersecurity concerns with certain Medtronic implantable cardiac devices (October 11, 2018)
- FDA Statement: FDA's efforts to strengthen the agency's medical device cybersecurity program as part of its mission to protect patients (October 1, 2018)
- FDA News Release: FDA outlines cybersecurity recommendations for medical device manufacturers (January 15, 2016)