Medical Device Cybersecurity: The Right Approach

It seems every week we hear news of a new cybersecurity breach. Whether it’s a credit card, bank account, or even a car, the unfortunate fact of life is that everything connected to the internet is vulnerable. Medical devices are no exception. But despite sensationalized accounts in TV shows and news articles suggesting that anyone with a keyboard can easily hack into a medical device, the reality is that while the risks are real, the threat remains quite remote. Even so, significant efforts have been and continue to be made to reduce the likelihood of a breach.

Medical technologies provide immense benefits to patients, and these benefits must be weighed when considering the potential implications of a cybersecurity threat. As health care consumers, we are already familiar with making these risk-benefit decisions. For example, you may take an ibuprofen to relieve a headache or muscle pain (benefit) in light of the potential side effects (risk), which include nausea, vomiting, dizziness, and nervousness.

Patient safety is the No. 1 priority for the medical technology industry, and manufacturers vigorously manage all product risks, whether real or perceived, minor or significant. The U.S. Food and Drug Administration has in place comprehensive regulations prescribing these risk management programs, and manufacturers are well aware of the severe penalties for running afoul of these rules.

But the industry’s commitment to cybersecurity goes beyond an individual company’s simply meeting regulatory requirements. Our strategy is to work in collaboration with all stakeholders – regulatory agencies, industry partners, health care providers and others – to close security loopholes to raise the bar for security for all players.

In this regard, FDA should be commended for its proactive leadership role over medical device cybersecurity. Over the past several years, the Agency has worked collaboratively with the medical technology industry and broader health care community to ensure medical device cybersecurity is considered and addressed throughout all stages of product design and use. The Agency has issued detailed guidance for manufacturers laying out its current requirements for cybersecurity before and after a product comes to market. In addition, FDA has effectively worked to engage other federal agencies with responsibilities for medical device cybersecurity – including DOJ, FBI, DHS and NIST – and establish open lines of communication.

Outside of the federal government, the medical technology industry has worked closely with public-private organizations to establish a medical device information sharing and analysis organization. This program – encouraged by FDA – provides a streamlined mechanism for companies to submit and share information concerning cybersecurity-related issues. Similar information sharing systems are successfully used by other sectors, such as energy and finance.

The medical technology industry recognizes that it must constantly evolve to address the changing nature of cybersecurity threats. That is why we collectively have developed our own set of medical device cybersecurity principles. These principles help all device manufacturers build a cybersecurity program based on the best available information, such as FDA guidance, NIST publications, and consensus-based standards.

Despite manufacturers’ best efforts, many cybersecurity threats remain outside their control. The majority of connected devices are connected to third-party networks, such as a hospital’s IT system or a patient’s home Wi-Fi network. Just as a chain is only as strong as its weakest link, so too are the medical devices that are connected to these networks. It is, then, imperative that medical device cybersecurity be viewed as a shared responsibility, a position shared by FDA. While device manufacturers play an important role, all stakeholders within the system must work to ensure its integrity.

The next waves of innovation depend on reliable, secure protections. The medical technology industry is committed to the safety of our patients while transforming health care through earlier disease detection, less invasive procedures, and more effective treatment. We will continue to work with FDA, health care providers, the academic community, security experts and other stakeholders to ensure the continued security, safety and effectiveness of medical devices.


Scott Whitaker is the president and CEO of the Advanced Medical Technology Association.

Morning Consult