The Risks for Medical Devices

All legally marketed medical devices have benefits and risks. The FDA allows devices to be marketed when there’s reasonable assurance that the benefits to patients outweigh the risks.

Medical devices are increasingly connected to the Internet, hospital networks and other medical devices to provide features that improve healthcare and increase the ability of healthcare providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

How Should These Risks be Handled?

Threats and vulnerabilities cannot be eliminated, so reducing cybersecurity risks is especially challenging. The healthcare environment is complex; manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.

Medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) should take steps to ensure that appropriate safeguards are in place.

• Medical device manufacturers (MDMs) are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.
• Healthcare delivery organizations (HDOs) should evaluate their network security and protect their hospital systems.
• Both MDMs and HDOs are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.

Medical Devices for Example

Pacemakers, insulin pumps and other medical devices are becoming more advanced. Most contain software and connect to the internet, hospital networks, your mobile phone or other devices to share information. Therefore, it is important to make sure medical devices are cyber secure.

New technologies are being applied to all different types of devices—those that are implantable or wearable, used at home or in healthcare settings. 
These advances can offer care that is safer, timelier and more convenient. For example, patients with an implanted heart device can be monitored remotely and possibly spared a visit to the doctor’s office. 

People with diabetes have new options for managing their blood-sugar levels because some glucose meters and insulin pumps can essentially talk to each other. In addition, hospitals aiming to improve care and efficiency are using more pieces of equipment that are networked together to share data.

Anytime a medical device has software and relies on a wireless or wired connection, vigilance is required. The software behind these products, like all technologies, can become vulnerable to cyber threats, especially if the device is older and was not built with cybersecurity in mind.

The FDA’s Role in Keeping Medical Devices Cyber Secure

The U.S. Food and Drug Administration (FDA) regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. It is a responsibility the agency shares with device manufacturers, hospitals, healthcare providers, patients, security researchers and other government agencies, including the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Department of Commerce.

The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. On behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them.

If a weakness or any other factor that could pose a risk is identified in software or hardware, the FDA may issue what’s called a “safety communication.” These messages contain information about the vulnerability and recommend actions that patients, providers and manufacturers can take. The FDA has issued multiple cyber safety communications; they want to make these messages as helpful as possible without causing unnecessary worry or burden on patients.

Patients Can be Active Participants in Keeping Their Devices Safe

Medical devices are intended to improve health and help people live longer, healthier lives. Patients should feel assured about the safety and security of their medical devices, knowing the FDA is being proactive and working with manufacturers throughout the entire lifecycle of a product. Patients and caregivers can also play a critical role. Consider the following tips:

• Technology evolves over time so software will need to be updated. Recognize the value of applying those updates and talk with your healthcare provider if you have any questions regarding them.
• Register your device with the manufacturer. It is an extra step, but it may help the manufacturer reach you faster to send you important information.
• Be observant and vigilant. If you think your device is not functioning as it should, do not ignore it. Discuss it with your healthcare provider. Notify the device manufacturer and report it to the FDA’s MedWatch.
• Involve your family or caregivers. Educate them about your device or get their help if you’re not tech savvy.
• If there’s a serious event, seek medical attention.

MedDev is also here to Help!