Over the last few decades, digital connectivity has made patient care more efficient, data-driven, and effective. However, the connectivity that delivers many of these benefits may also introduce cybersecurity risks to internet-connected medical imaging devices, which could impact patient safety, data privacy, and device integrity, especially as devices age.

Policymakers, equipment manufacturers, and health care providers all share responsibility to implement successful medical device cybersecurity strategies within integrated medical systems in hospitals, physician offices, and community health centers. 


As part of the Consolidated Appropriations Act of 2022, Congress authorized the Food and Drug Administration (FDA) to establish cybersecurity requirements for new internet-connected medical devices. The Medical Imaging and Technology Alliance (MITA) supports the new FDA authority to strengthen the cybersecurity of America’s healthcare system.


Given the importance of shared responsibility with the healthcare ecosystem, MITA members concur with the report by the HHS Office of Inspector General, which shows that hospitals need additional support and incentives to implement cybersecurity solutions, including funding to train staff. It is important that stakeholders across the care continuum work together to share the responsibility of cybersecurity to ensure patient safety, privacy, and security.


As part of a shared responsibility commitment, MITA supports hospitals' work to strengthen their resistance to ransomware attacks through the “3-2-1 backup approach” recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It entails saving three copies of critical patient or other health care-related data in a minimum of two different formats and storing one copy offline where it cannot be affected by ransomware or other malicious attempts by hackers.


In healthcare, secure design practices have seen significant improvement since the FDA released its 2014 final guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Now, best practices are better understood by all participants. This improvement is reflected in devices designed with security in mind across the total product lifecycle.

Today, plans are developed along with devices and implemented to ensure software remains updated. Security controls are also easier to deploy and use, and more security-related information is provided to users. To fully realize these benefits, healthcare providers need resources to transition legacy products out of use and replace them with newer devices that were designed and developed to be secure from inception across the expected life of the device.