The Food and Drug Administration (FDA) recently issued new requirements mandating that medical devices be secured against cyberattacks. The move follows long-standing concern that these devices could be hacked and used to harm patients. It is a significant step for a class of devices that has become steadily more connected, and therefore more exposed: insulin pumps, pacemakers and other implantable devices can be attacked in ways that cause direct physical harm.

Connectivity Is a Double-Edged Sword

Wireless connectivity makes implanted medical devices far easier to monitor and adjust. Unfortunately, as with every technology, whatever makes life easier for you also makes it easier for an attacker and exposes you to risk. Security researcher Barnaby Jack demonstrated more than a decade ago that he could remotely take control of an insulin pump and make it deliver a fatal dose of insulin. Using custom software and a special antenna, Jack could locate and hijack pumps within a 300-foot radius. The demonstration made the seriousness of the problem, and the physical harm an attacker could cause, impossible to dismiss.

Securing Medical Devices

Securing medical devices against cyberattacks is essential because these devices directly affect human lives. A single exploitable flaw can have severe consequences for a patient: an attacker could deliver a fatal dose from an insulin pump, as in the demonstration above, or alter the settings on a pacemaker so that it malfunctions. That is why these devices must be designed to be secure and kept free of vulnerabilities that an attacker could exploit.

Connectivity is what makes these devices attackable in the first place. In the past, medical devices were standalone and not attached to any network; with the rise of the internet of things (IoT), they are now connected to the internet or to hospital and home networks, which exposes them to remote attackers. Patient and consumer trust depends on that exposure being managed. Patients must have confidence that the devices they depend on are secure, and any vulnerability that comes to light erodes that trust and can lead to negative outcomes well beyond the individual device.

FDA Guidance

The FDA’s new requirement puts application security (AppSec) at the center of medical device development. Manufacturers must take concrete steps to ensure that the software in their devices is secure and free of vulnerabilities that an attacker could exploit, and must be able to show their work. This is an important step towards ensuring that medical devices are safe for patients to use.

The new requirements apply to medical devices that contain software and can connect to the internet or other networks, including devices with wireless interfaces such as Bluetooth or Wi-Fi. Going forward, manufacturers must include in their submissions a software bill of materials (SBOM) listing the commercial, open-source and off-the-shelf software components in the device, along with documentation of the cybersecurity measures built into it and a plan for monitoring and addressing vulnerabilities once the device is on the market. The FDA reviews this documentation to ensure that the device meets the required standard.
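A submitted SBOM is only useful if every entry carries enough detail to match it against known vulnerabilities. The following Python is an added example, not code from the article, the FDA or ShiftLeft: it builds a small CycloneDX-style SBOM for a hypothetical insulin pump firmware image and checks it against the NTIA "minimum elements" for an SBOM (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The device, component names, versions and supplier names are invented for illustration, and the choice of CycloneDX 1.4 JSON layout and of the NTIA elements as the completeness baseline is an assumption of this example, not something the article specifies. One component is deliberately left incomplete so that the check has something to report.

```python
"""Build and check a minimal CycloneDX-style SBOM for a hypothetical
insulin pump firmware image.

Added example; not code from the article, the FDA or any device
manufacturer. Device, components, versions and suppliers are invented.
The completeness check uses the NTIA minimum elements for an SBOM as
its baseline, which is an assumption of this example.
"""

# Constructed sample SBOM in CycloneDX 1.4 JSON layout. The second
# component is deliberately incomplete: no version, supplier, purl, or
# dependency entry, which is exactly what makes an SBOM useless for
# matching against vulnerability databases.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2023-04-01T12:00:00Z",
        "authors": [{"name": "Example Devices Inc. AppSec"}],
        "component": {
            "type": "firmware",
            "bom-ref": "pump-fw",
            "name": "example-pump-firmware",
            "version": "3.2.0",
            "supplier": {"name": "Example Devices Inc."},
        },
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:generic/rtos-net@1.8.2",
            "name": "rtos-net",
            "version": "1.8.2",
            "supplier": {"name": "Example RTOS Vendor"},
            "purl": "pkg:generic/rtos-net@1.8.2",
        },
        {
            "type": "library",
            "bom-ref": "ble-stack",
            "name": "ble-stack",
        },
    ],
    "dependencies": [
        {"ref": "pump-fw", "dependsOn": ["pkg:generic/rtos-net@1.8.2", "ble-stack"]},
        {"ref": "pkg:generic/rtos-net@1.8.2", "dependsOn": []},
    ],
}

# Per-component fields every entry must carry (NTIA minimum elements).
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier")


def check_minimum_elements(sbom):
    """Return a list of human-readable findings; an empty list means the
    SBOM carries every minimum element for every component."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")
    if not meta.get("component", {}).get("bom-ref"):
        findings.append("metadata: top-level component has no bom-ref")

    # Every component should appear as a "ref" in the dependency graph,
    # even with an empty dependsOn list, so its relationship is explicit.
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}

    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        # A purl or CPE is the unique identifier that lets the SBOM be
        # matched against vulnerability databases.
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl/cpe)")
        ref = comp.get("bom-ref")
        if ref and ref not in declared:
            findings.append(f"{label}: no dependency relationship declared")
    return findings


def is_complete(sbom):
    """True when check_minimum_elements() reports nothing."""
    return not check_minimum_elements(sbom)


if __name__ == "__main__":
    for finding in check_minimum_elements(SAMPLE_SBOM):
        print(finding)
```

Run against the sample, the check reports four findings, all for the `ble-stack` component; the `rtos-net` entry, which has a version, supplier, purl and dependency record, passes. A check like this belongs in the build pipeline that produces the firmware image, so an incomplete SBOM fails the build rather than surfacing during regulatory review.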

AppSec Is Crucial

The FDA’s new requirements are a significant step towards securing medical devices against cyberattacks. They underscore the importance of AppSec in the development of medical devices and acknowledge the real harm a successful attack on one can cause. Manufacturers must now demonstrate that their devices are secure and free of exploitable vulnerabilities, which is essential for patient safety and for patients' trust and confidence in the devices they depend on.

With any IoT device, patching vulnerabilities can be a painstaking process; with a medical device that is implanted in a human being and cannot simply be taken offline for an update, it is harder still. That is why it is even more important to have a strong AppSec program that finds vulnerabilities in code before the device ever reaches the market. An ounce of prevention is worth a pound of cure.

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining the results of the company’s own code analysis with Intelligent Software Composition Analysis (SCA). Using its unique graph database, which combines code attributes and analyzes actual attack paths based on the real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit:


See for yourself – run a scan on your code right now