Medical device cyber security information for users
This guidance is intended for groups or individuals who represent users of medical devices including in-vitro diagnostic medical devices (IVDs), such as:
- consumers who use a medical device that does not require medical supervision
- consumers who use a medical device in the ARTG under the guidance of a health or medical professional
- health professionals who use medical devices to diagnose and treat patients
- clinical and biomedical engineers who are responsible for managing medical device assets in a health and medical environment
- healthcare and IT administrators responsible for systems, procedures and processes in a health and medical service environment
Alongside this guidance, the TGA has also produced medical device cyber security guidance for industry.
Connectivity and digitisation increase benefits and risks
Connectivity and digitisation of medical device technologies may help improve or increase device functionality and provide therapeutic benefit. However, the connection of medical devices to networks or the internet exposes them to increased cyber threats that can potentially lead to increased risk of harm to patients. These might include:
- denial of intended service or therapy
- alteration of device function so that it can cause patient harm
- loss of privacy or alteration of personal health data
Cyber security for medical devices must be considered as part of a layered, holistic security ecosystem. The cyber security landscape is constantly evolving.
Software in particular is becoming increasingly important and pervasive in healthcare. As the complexity and interconnectedness of devices increase, so does the potential for cyber security risk through hardware and software vulnerabilities and increased exposure to external threats, including via the internet.
Purpose and scope of this guidance
The TGA does not regulate users of medical devices; however, having cyber secure medical devices relies on device users as well as manufacturers and sponsors.
Generally, medical device operating environments are highly variable and cyber security risks are dependent on the knowledge and approach of those who use medical devices. Users of medical devices have a shared responsibility for providing a cyber secure environment for these devices to operate in. While supplying a compliant medical device is the responsibility of the manufacturer and sponsor, a compliant medical device will only be as secure as the most vulnerable aspect of the system it is expected to operate in.
In order to support Australia's medical device cyber security capability, the TGA has produced this guidance to highlight cyber security practices and protocols for the medical device sector. This guidance will assist medical device users in managing cyber security risk, and helps to support the Australian Government's cyber security strategy.