The Journal of ExtraCorporeal Technology No 58-1 | Page 14

8 K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18
Table 2. Technical definitions.

A medical device is defined in the Federal Food, Drug, and Cosmetic Act (FFDCA) of 1938 as an [3]:
  Instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or similarly related article. Includes any component, part, or accessory intended for use in the diagnosis of disease or other condition, or in the cure, mitigation, or prevention of disease. In man or animals.

According to the FDA, a device is considered a cyber-device if it meets all three of the following [35]:
  – Includes software validated, installed, or authorized by the [manufacturer] as a device or in a device.
  – Has the ability to connect to the Internet.
  – Has any such technological characteristics validated, installed, or authorized by the [manufacturer] that could be vulnerable to cybersecurity threats.

“Connected to the Internet” can be defined as having any of the following, regardless of whether the connection is disabled [36]:
  – Wi-Fi or cellular.
  – Network, server, or cloud service provider connections.
  – Bluetooth or Bluetooth Low Energy.
  – Radiofrequency communications.
  – Inductive communications.
  – Hardware connectors capable of connecting to the Internet (USB, Ethernet, serial port, etc.).

Three types of software related to medical devices are [37]:
  – Software which is its own medical device, defined as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device”.
  – Software related to and integral to a medical device.
  – Software used in the manufacture or maintenance of a medical device.
  Any of these types that are “necessary for safe and effective use of a device” are termed “critical software” [38].
Table 3. Targeted data and goals.

Targeted data                                                  Goal
PII and PHI targets
  Name, date of birth, address, phone, social security number  Sale on the dark web
  Bank account information                                     Identity theft
  Insurance information                                        Insurance fraud
  Health history                                               Blackmail
Non-PHI targets
  Intellectual property (IP), research                         IP theft
can be catastrophic, and it is the job of all healthcare workers to do their best to protect their patients’ data.
Getting to know the players

Government
Government legislation is a powerful motivator for cybersecurity improvements, as avoiding regulatory, financial, and legal trouble through compliance can help motivate institutions to keep up with current cybersecurity trends [1]. While it is the government’s role to enforce legislation, it is also responsible for investigating, stopping, and prosecuting cybercriminals, across borders if necessary [10], as well as for setting criteria and defining boundaries within which the law applies. This is particularly critical given the complexity of medical devices and of new artificial intelligence (AI) software applications in the medical field. Table 2 lists several relevant definitions for medical devices. With the increasing dependence of all industries on technology and the associated risks of cyberattacks or cyberterrorism, proactive public policies are a necessity [17].
Third-party vendors
Third-party vendors such as business associates, supply chain vendors, and medical device manufacturers (MDMs) are a major source of cybersecurity risk for healthcare institutions. Hospitals use many suppliers and often exchange information with them over years of working together [2]. Third-party vendors may or may not have access to protected health information (PHI) or personally identifiable information (PII), but because of their relationship with healthcare employees, any data breach on their end could result in malicious code being sent along legitimate channels to affect a hospital. They also may not have stringent cybersecurity, as the legislation surrounding their business practice does not necessarily fall within the same regulatory pool as healthcare facilities, making them a potential liability to their partner healthcare systems.
According to the American Hospital Association (AHA), third-party breaches can be some of the most disruptive, because a vendor can be a common link between many hospitals or hospital systems and can affect each of those partners simultaneously [39]. This type of strategy, when performed specifically to access a secondary target or targets, is called a