As cyberattacks on healthcare persist, can the FDA’s new device regs hold up?

Medical device cybersecurity was an afterthought for the industry and regulators for years, even as hackers continually targeted the healthcare sector.

That changed last year when Congress codified stricter medical device cybersecurity requirements and the Food and Drug Administration finalized souped-up guidance for manufacturers. The new actions prioritized security at a time when cyberattacks and incidents were not just compromising data but crippling hospitals’ operations and threatening patient safety.

“I view last year as the beginning of time … a new world. Because the community has spent, I would say, a good 15 years thoughtfully working together and debating, ‘What does it even mean to have secure healthcare delivery or cybersecurity in a medical device?’” said Kevin Fu, the FDA’s former acting director of medical device cybersecurity.

Several steps were implemented in 2023 to increase oversight of cybersecurity risks in medical devices. First, new FDA regulations that Congress passed in December 2022 as part of an omnibus spending bill took effect in March of last year. The legislation, which added a new section to the Federal Food, Drug and Cosmetic Act, defined what a “cyber device” is and implemented stricter cybersecurity requirements for device makers to adhere to when submitting premarket applications, such as a plan to monitor for and identify potential vulnerabilities.

Second, the FDA’s Center for Devices and Radiological Health issued a final premarket guidance for device manufacturers in September. At over 50 pages, the document was a significant step up from the previous guidance, which was only a handful of pages long.

Fu, who is now a professor of electrical and computer engineering at Northeastern University, said the device community has some “really good consensus on where we need to be, and what are some of the better ways to get there.”

While multiple experts see last year as a high-water mark for device cybersecurity oversight, there are still challenges to overcome. For example, plenty of devices go to market with operating systems that may soon be outdated, and hospitals are filled with an unknown number of unsupported older devices, known as legacy devices, that are vulnerable to attacks.

Furthermore, attackers are unlikely to stop targeting the healthcare sector any time soon, and threats have evolved. Fu said threats have shifted from a “bored kid in their basement to nation-state actors” who are trying to cause harm to hospitals.

“This is no longer child’s play. This is no longer just fun and games,” he added. “These are economically motivated adversaries who will cause harm if a medical device leaves any door open, either in its manufacture or in its use.”

How are devices at risk?

While medical devices themselves are vulnerable to cyber threats, an attacker’s goal is rarely to break into a single device like a pacemaker or an insulin pump and take control of it. Instead, a device can serve as an entry point to a larger target, such as a hospital’s network.

Axel Wirth, chief security strategist for the cybersecurity firm Medcrypt, explained that some attackers may not even know at first that they are targeting a medical device or even the healthcare system.

“It’s more the incidental event, where a device gets compromised not because the device itself is targeted, but because the device fits the profile of the attack,” Wirth said. “The attacker is looking for an unpatched old Windows XP computer. While that happens to be a piece of medical equipment, rather than a desktop computer, the attacker may not even know.”

Medical devices may not typically be the target of attacks, but they can still be affected. Chad Waters, a senior cybersecurity engineer with the safety watchdog ECRI, said devices can be in the “blast radius” of a cyberattack on a hospital network, such as an MRI machine being shut down. Patient care is then delayed, even though the machine was not the direct target.

Part of understanding how devices are at risk is also understanding what the full impact of an attack may be. Fu and Wirth both stressed that attackers are not merely looking to steal patient data — hospital and health facility operations and patient safety are at risk, as seen recently with the Change Healthcare attack and others over the past few years.

The interconnectedness of the health system with online devices, hospital networks and electronic health records can compound vulnerabilities and effects of cyber incidents.