Skip to main content
  • Guide

What Is a Medical Cyber Device?

How do we define a “medical cyber device,” and how to confirm medical cyber devices are safe, secure and resilient?

A personal analyzing the results of a glucose monitor

What is a cyber device?

Section 524B(c) of the U.S. Food and Drug Administration’s (FDA’s) Food, Drug, and Cosmetic (FD&C) Act defines "cyber device" as a device that:

  • Includes software validated, installed, or authorized by the sponsor as a device or in a device
  • Has the ability to connect to the internet
  • Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats1

Figure 1.

Ubiquity of the IoT image showing various paths
A diagram of internet of things

So, cyber devices are physical systems made of hardware, software and data that connect to the Internet of Things (IoT). Nowadays, just about anything can be a cyber device thanks to the various types of sensors and software available and the ubiquity of the IoT (Figure 1). 

What is a medical device?

According to the World Health Organization (WHO) a medical device can be any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination for a medical purpose.2 

What is a medical cyber device?

When a medical device has software and relies on a wireless or wired connection to the internet and/or networks that facilitate information sharing and treatment delivery at home or in a healthcare setting, it is considered a medical cyber device.

Why cyber?

Just because you can make a device cyber, should you? Many examples of the benefits of doing so exist, so let’s look at one that became critically useful during the COVID-19 pandemic: a ventilator.

A ventilator is a device that helps a person breathe when their body is too weak or infirm to do so on its own. On the mechanical side, the device works like healthy lungs to pull air in and push air out. It also has sensors that measure carbon dioxide levels in the body and the pH level of the blood, as well as proprioceptors that give detailed and continuous information about the position of the limbs and other body parts in space.

The ventilator becomes a medical cyber device when it sends information gathered by these sensors to a central processing center that makes decisions about strength, oxygenation level, etc., and responds with commands that alter the ventilator's operation. The ability to control ventilators remotely was critical during the pandemic because infected patients needed to be kept in strict isolation to stop the spread of the disease. A health practitioner could not have safely entered the room to adjust a traditional ventilator, so cyber ventilators played a crucial role.

Cyber-safe, -secure and -resilient

Medical cyber devices have made impressive contributions to medical care, but they have also introduced new vulnerabilities. If a medical cyber device is hacked by an unscrupulous third party, a patient could die. If a cyber device doesn’t correctly perform its intended function, a patient could worsen or die. If a cyber device stops working, a patient could die. So, maintaining the integrity of both the device and its network to protect from unintended or unauthorized access, change or disruption becomes a matter of life or death.

Figure 2.

Tools for addressing disturbances flowchart

A robust medical cyber device has the ability to:

  • Guard against threats
  • Eliminate threats when they occur
  • Warn health practitioners in case of a threat
  • Reduce patients’ susceptibility to harm from threats

How can this be achieved? Through threat modeling, developers can try to raise a device's sophistication by understanding the device and its connected systems’ susceptibilities to attack and how somebody might try to attack them. Anticipating threats to the physical device, its data and its network, and designing responses to the threats is a crucial step in the development of cyber devices.

If you’re thinking that the gamut of possible threats to any device is daunting, you are not wrong. Fortunately, that is why we have medical cyber device standards in place.

 Figure 3.

Slide - standards can help improve patient safety and security
A diagram of a patient safety

Because products must meet stringent certification standards to gain access to global markets, manufacturers must continuously address those standards starting in the earliest stages of design and development. Standards are developed and updated by groups of experts using the combined input of decades of technical expertise from scientists around the world. They outline the processes in which products are tested to help mitigate risk, injury or danger. Products that have been certified against standards can instill confidence in consumers, manufacturers and retailers that they will operate safely, correctly and effectively.

Testing to medical cyber device security standards

Working with a trusted third party like UL Solutions can help confirm that your cyber medical devices and systems offer reasonable protection against risks from unintended or unauthorized access, change or disruption. We can help you meet the regulatory requirements of the U.S. FDA, European Medicines Agency, Japan Ministry of Health and Welfare, and China FDA (CFDA) by outlining the activities manufacturers should take with their cyber medical devices.

Our Cybersecurity Assurance Program brings transparency to your product and system security, especially as it relates to cyber medical devices and network-connected device cybersecurity. With years of cybersecurity science behind us, we have the expertise to help you understand industry regulations, standards and best practices. Our experience has enabled us to bring those elements together to create a reliable testing and certification program. Once your products and systems are certified, they will be well positioned to thwart attempts to change their functionality, access their data or gain entry through one of their connections, all of which will help increase end users’ confidence in your products and your system security.

To learn more, visit us at


  1. U.S. FDA. Guidance for Industry and Drug and Food Administration Staff. 2023. Accessed May 17, 2024.

  2. World Health Organization. 2024. Medical Devices. Accessed May 17, 2024.


Get connected with our sales team

Thanks for your interest in UL's products and services. Let's collect some information so we can connect you with the right person.

Please wait…