Medical Device Cybersecurity: What You Need to Know

Collage of six photos of patients with caregivers at home, at the doctor's office, and in the hospital with various medical devices.

Pacemakers, insulin pumps and other medical devices are becoming more advanced. Most contain software and connect to the internet, hospital networks, your mobile phone, or other devices to share information. So, it is important to make sure medical devices are cyber secure.

New technologies are being applied to all different types of devices—those that are implantable or wearable, or used at home or in health care settings. The advances can offer care that is safer, timelier and more convenient. For example, patients with an implanted heart device can be monitored remotely and possibly spared a visit to the doctor’s office. People with diabetes have new options for managing their blood-sugar levels because some glucose meters and insulin pumps can essentially talk to each other. And hospitals aiming to improve care and efficiency are using more pieces of equipment that are networked together to share data.

Anytime a medical device has software and relies on a wireless or wired connection, vigilance is required. The software behind these products, like all technologies, can become vulnerable to cyber threats, especially if the device is older and was not built with cybersecurity in mind.

FDA’s Role in Keeping Medical Devices Cyber Secure

The U.S. Food and Administration (FDA) regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. It is a responsibility the Agency shares with device makers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security and U.S. Department of Commerce.

The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them.

If a weakness in software that could pose a risk is identified, the FDA may issue what is called a “safety communication.” These messages contain information about the vulnerability and recommended actions patients, providers and manufacturers can take. Nine cyber safety communications have been issued since 2013. The FDA wants to make these messages as helpful as possible without causing unnecessary worry or burden on patients.

Patients Can be Active Participants in Keeping Their Devices Safe

Medical devices are intended to improve health and help people live longer, healthier lives. Patients should feel assured about the safety and security of their medical devices, knowing the FDA is being proactive and working with manufacturers throughout the entire lifecycle of a product. Patients and caregivers can also play a critical role. Consider the following tips:

Technology evolves over time, so software will need to be updated. Recognize the value of applying those updates and talk with your health care provider if you have any questions about them.
Register your device with the manufacturer. It is an extra step, but it may help the manufacturer reach you more quickly to send you important information.
Be observant and vigilant. If you think your device is not functioning as it should, do not ignore it. Discuss it with your health care provider. Notify the device manufacturer and report it to the FDA's MedWatch.
Involve your family or caregivers. Educate them about your device or enlist their help if you are not tech savvy.
If there is a serious event, seek medical attention.

For more resources about medical device cybersecurity visit FDA.gov. Or contact the Division of Industry and Consumer Education or CyberMed@fda.hhs.gov.