Medical Affairs Professional Society
Cybersecurity Risks in MedTech

This short article is meant to establish a background for the discussion of safety and regulatory concerns of internet-connected medical devices. In the future, the MAPS MedTech Focus Area Working Group (FAWG) will offer additional resources and guidance. (Please see recent MedTech resources listed at the bottom of this post.)

Authors:

John Giantsidis, JD, MEng, President of CyberActa, Inc.

Ajit Patwardhan, MD, MS, MBA, Medical Safety Officer at Olympus Surgical Technologies of America

Disclaimer: 

The article represents independent views / opinions of the authors and does not necessarily reflect the opinions of their employers

Article:

Connectivity and digitization of medical device technologies can improve device functionality and patient benefit. However, connecting medical devices to networks or the internet exposes them to cyber threats that can increase the risk of harm to patients. Threats include:

  • denial of intended service or therapy
  • alteration of device function to directly cause patient harm
  • alteration of personal health data
  • loss of privacy

Additionally, there are fundamental security interdependencies between medical devices and the networks they connect to, so cybersecurity for medical devices must be considered as part of a layered, holistic security ecosystem. The cybersecurity landscape is constantly evolving. As with other risks for medical devices, the assessment and management of cybersecurity risks that could compromise the health and safety of a patient, user, or any other person is the responsibility of the manufacturer.

Users, consumers, and patients using connected medical devices should be fully informed about the potential cybersecurity risks these devices may expose them to, so that they can take proactive action to protect their devices and networks and act responsibly online. Alongside the information supplied with the device, consumers are encouraged to ask their health professional questions to build their understanding of how to use the device safely and securely.

The FDA is slowly transitioning from a voluntary to a mandatory regulatory framework and in October 2020 issued another request for information. In Europe, medical device cybersecurity is already the norm under the EU MDR, so any company selling in Europe must treat these regulations as part of its overall safety schema. Manufacturers are required to address cybersecurity risks during the design and development process, including:

  • general considerations, such as the development approach; administration protocols; application of standards; risk management strategies; infrastructure, manufacturing, and supply chain management; and provision of information for users;
  • technical considerations, such as cybersecurity penetration testing; design architecture; operating platform security; emerging software; and trusted access and content provision;
  • environmental considerations for the device's intended use, such as connecting to networks and uploading or downloading data;
  • physical considerations, such as mechanical locks on devices and interfaces, physically securing networks, and waste management (preventing the capture of sensitive paper-based information);
  • social considerations, such as designing out or minimizing social-engineering threats (e.g., phishing, impersonation, baiting, tailgating).

Manufacturers and sponsors are required to continually assess and act on medical device cybersecurity risk. Because the cybersecurity threat landscape changes rapidly, a compliant risk management strategy must demonstrate how medical device cybersecurity risk is reviewed and updated over time. Cybersecurity events that do not appear to immediately impact a medical device are still part of the threat landscape and must be considered as part of a compliant medical device cybersecurity risk management strategy.

Medical device cybersecurity is expected to be handled like any other device risk: failure to effectively minimize or manage cybersecurity risk can result in compromised device functionality, loss of availability or integrity of medical or personal data, or exposure of other connected devices or networks to security threats. Any of these may in turn result in patient illness, injury, or death.

Recent Resources from the MAPS MedTech FAWG

MAPS LinkedIn

Elevate Podcast Channel

602 Park Point Drive, Suite 225, Golden, CO 80401 – +1 303.495.2073

© 2025 Medical Affairs Professional Society (MAPS). All Rights Reserved Worldwide.