The FDA issued a warning about vulnerabilities of medical devices to cybersecurity threats in a press release on Oct. 1, 2018 and is taking steps to help organizations improve cybersecurity of their medical devices.

While the agency said it has received no reports of incidents of unauthorized exploitation of medical device vulnerabilities, it is taking action to increase awareness among health IT executives and has launched a cybersecurity “playbook” in collaboration with MITRE for organizations focusing on cybersecurity readiness.

The FDA previously issued premarket guidance that identifies issues manufacturers should consider in the design and development of their medical devices to ensure their products adequately address cybersecurity vulnerabilities. FDA Commissioner Dr. Scott Gottlieb said the agency would update its 2014 premarket guidance for devices in the coming weeks.

Its postmarket guidance issued in 2016 outlines a risk-based framework manufacturers should use to ensure they can quickly and adequately respond to new cybersecurity threats once a device is in use. 

In a related report, KLAS Research, in collaboration with the College of Healthcare Information Management Executives (CHIME), released results of a benchmark survey of 148 chief information officers, chief information security officers (CISOs), chief technology officers (CTOs) and other healthcare information professionals about medical device security programs.

The survey revealed that 18 percent of provider organizations had medical devices affected by malware or ransomware in the past 18 months, and only 39 percent of respondents felt very confident or confident that their current strategy protects patient safety and prevents disruptions in care.

The survey results suggested that organizations are making progress in developing and hardening their overall security programs, but that progress has been slow.

“Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers,” Adam Gale, president of KLAS, told Health Data Management, an online trade publication.

That view echoes the FDA’s, which emphasized the shared responsibility for cybersecurity, stating that “Securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder – manufacturers, hospitals, health care providers, cybersecurity researchers and government entities – all have a unique role to play in addressing these modern challenges.”

Despite the “we’re all in this together” view, the KLAS survey revealed some serious cracks in the collaborative approach to security. Overall, 96 percent of the executives identified manufacturer-related factors as a root cause of medical device security issues. At the same time, 76 percent of them said they didn’t have the internal resources to adequately secure medical devices.

As medical devices become more interconnected, the risk to patient safety increases exponentially. While cooperation between manufacturers, provider organizations and regulatory agencies is generally recognized as necessary to adequately address the issue of medical device cybersecurity, it appears that such a concerted effort on the part of all stakeholders is still in the early stages.

Kapstone Medical has the experience and expertise to assist you through all phases of medical device development and regulatory compliance. For more information, contact us today at (704) 843-7852 – or by email at

Sources: FDA press release, Health Data Management and KLAS research

