Medical device control system cyber incidents have injured and killed people
Cyber incidents involve electronic communication among systems, or between systems and people (when users interact with displays), that can affect the traditional IT triad of confidentiality, integrity or availability. Cyber incidents can be unintentional or malicious. A cyber incident response plan is not initiated if the incident is not identified as being cyber. In the medical industry, like others, the cybersecurity focus is on IT, not control systems. The following are control system cyber incidents, yet none were identified as cyber-related. Cybersecurity and manufacturing organizations are not adequately talking to each other.
FDA cybersecurity requirements
The Food and Drug Administration (FDA) has established medical device cybersecurity requirements in “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Guidance for Industry and Food and Drug Administration Staff,” issued on Sept. 27, 2023. Section 524B(c) of the FD&C Act defines "cyber device" as a:
“device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device, (2) has the ability to connect to the internet, and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats.”
The requirements include interoperability considerations:
“Cybersecurity Controls should be used as a means to allow for the safe and effective exchange and use of information.”
While this language acknowledges safety of network communications, it does not explicitly address many control system failure modes that arise from hardware issues, software logic, timing, command queuing, sensor trust or unintended interactions among interconnected components.
IEEE Spectrum December 2025 – “The Data”
A pie chart in the IEEE Spectrum article shows the breakdown of the five biggest problem categories found among the 56,000 entries in the FDA medical recall database since 2002. 15% involved process control, which meant errors in the devices’ manufacturing process. Often these process control incidents are control system cyber incidents. Software issues were broken down into six root causes. Software in the “use environment” includes cybersecurity issues or problems with supporting software such as smartphone apps. This was the only place in the article where cybersecurity was mentioned.
Example medical device control system cyber incidents
Therac-25 was a radiation therapy machine produced by AECL in 1982. It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. Because of concurrent programming errors, the Therac-25 sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in the possibility of death or serious injury. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics and software engineering.
Abbott Diabetes Care stated that certain Abbott glucose sensors provide incorrect low glucose readings. If undetected, incorrect low glucose readings over an extended period can lead to wrong treatment decisions for people living with diabetes, such as excessive carbohydrate intake or skipping or delaying insulin doses. As of Nov. 14, 2025, Abbott has reported 736 serious injuries and seven deaths.
Tandem Diabetes Care recalled insulin pumps with Control-IQ technology due to an issue with the software that could cause the mobile app to crash and be automatically relaunched by the iOS operating system. This cycle intermittently repeats, which leads to excessive Bluetooth communication that could result in pump battery drain, and that could in turn lead to the pump shutting down sooner than typically expected. (The cellphone app was software, but draining the pump was hardware.) Pump shutdown could cause insulin delivery to be suspended, which could lead to an under-delivery of insulin that might result in hyperglycemia or even diabetic ketoacidosis, which can be a life-threatening condition due to high blood sugars and lack of insulin. As of April 2024, there were 224 injuries from the pump shutting down.
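The pump cannot repair a phone app that keeps crashing, but it can bound how much radio work a misbehaving peer is allowed to impose on it and turn the condition into an alarm instead of a silent battery drain. The following is an added illustration, not code from Tandem, from the recall notice or from any pump firmware: a pump-side link governor that accepts a limited number of connections per sliding window, backs off with doubling delays, and latches an alarm after repeated deferrals. The window, limits and the 2-second crash-relaunch cadence are constructed values for the example.

```c
/* Added example (not from the recall notice or any vendor code): a pump-side
 * link governor that bounds how often a peer may (re)connect over the radio.
 * All thresholds and timings below are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_MS         60000u  /* sliding window: 60 s */
#define MAX_PER_WINDOW    5u      /* accept at most 5 connects per window */
#define BACKOFF_BASE_MS   1000u   /* first deferral waits 1 s, then doubles */
#define MAX_BACKOFF_SHIFT 6u      /* cap the wait at 64 s */
#define ALARM_AFTER       3u      /* 3 consecutive deferrals => latched alarm */

typedef enum { LINK_ACCEPT, LINK_DEFER, LINK_ALARM } link_decision_t;

typedef struct {
    uint32_t stamps[MAX_PER_WINDOW]; /* ring of accepted connect times */
    uint32_t head, count;
    uint32_t deferrals;              /* consecutive deferrals so far */
    uint32_t next_allowed_ms;        /* earliest time the next attempt is considered */
    bool alarm;                      /* latched until acknowledged by the user */
} link_governor_t;

void governor_init(link_governor_t *g) { memset(g, 0, sizeof *g); }

/* Refuse this attempt, lengthen the wait, and latch the alarm if this keeps happening. */
static link_decision_t defer(link_governor_t *g, uint32_t now_ms) {
    uint32_t shift = g->deferrals < MAX_BACKOFF_SHIFT ? g->deferrals : MAX_BACKOFF_SHIFT;
    g->deferrals++;
    g->next_allowed_ms = now_ms + (BACKOFF_BASE_MS << shift);
    if (g->deferrals >= ALARM_AFTER) g->alarm = true;
    return g->alarm ? LINK_ALARM : LINK_DEFER;
}

link_decision_t governor_on_connect(link_governor_t *g, uint32_t now_ms) {
    if (now_ms < g->next_allowed_ms) return defer(g, now_ms);   /* still backing off */
    if (g->count == MAX_PER_WINDOW &&
        now_ms - g->stamps[g->head] < WINDOW_MS)               /* window still full */
        return defer(g, now_ms);
    if (g->count < MAX_PER_WINDOW) {
        g->stamps[(g->head + g->count) % MAX_PER_WINDOW] = now_ms;
        g->count++;
    } else {                                                   /* overwrite the oldest entry */
        g->stamps[g->head] = now_ms;
        g->head = (g->head + 1) % MAX_PER_WINDOW;
    }
    g->deferrals = 0;
    return LINK_ACCEPT;
}

bool governor_alarm_active(const link_governor_t *g) { return g->alarm; }

/* Constructed scenario: an app that crashes and relaunches every 2 s, each
 * relaunch reconnecting to the pump.  Returns the time (ms) at which the
 * governor first raised the alarm, or 0 if it never did. */
uint32_t demo_crash_loop(void) {
    link_governor_t g; governor_init(&g);
    for (uint32_t t = 0; t <= 120000u; t += 2000u)
        if (governor_on_connect(&g, t) == LINK_ALARM) return t;
    return 0;
}

/* Constructed scenario: a healthy app reconnecting every 30 s is never refused.
 * Returns the time of the first refusal, or 0 if every attempt was accepted. */
uint32_t demo_healthy(void) {
    link_governor_t g; governor_init(&g);
    for (uint32_t t = 0; t <= 600000u; t += 30000u)
        if (governor_on_connect(&g, t) != LINK_ACCEPT) return t;
    return 0;
}

int main(void) {
    printf("crash loop alarmed at %u ms; healthy app first refused at %u ms\n",
           demo_crash_loop(), demo_healthy());
    return 0;
}
```

In the constructed crash loop the fifth accepted connect fills the window at 8 s, the attempts at 10 s and 12 s are deferred with growing waits, and the third deferral at 14 s latches the alarm; the healthy cadence is never refused. The alarm is latched rather than cleared on the next successful connect because, on a safety device, the user needs to learn that something was draining the battery even if the peer later behaves.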
Abbott recalled a device that was connected to the left side of the heart to move oxygenated blood from the left ventricle to the rest of the body. There was a risk of an unexpected pump stop or start. When the device was reconnected to the same or a new controller, depending on the status of the pump at connection, the pump either stopped or started. If the pump was stopped at reconnection, the pump would restart. If the pump was running at reconnection, a pump stop would occur. There were no alarms or indications to warn the user that the “pump stop” command was still in the command queue. Two injuries were reported.
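The failure mode here is a command queue that outlives the link it was filled under. The following is an added illustration, not code from Abbott, from the recall notice or from any controller firmware: a controller-side queue drained two ways on link-up. The unsafe drain delivers whatever is still queued, so a “stop” issued before the link dropped fires on reconnection with no indication to the user. The hardened drain stamps each command with the link session in which the user issued it, starts a new session on every link-up, refuses anything from an older session or older than a time-to-live, and latches an alarm so the user re-issues the command deliberately. Queue depth, the TTL and the 5-second reconnection delay are constructed values.

```c
/* Added example (not from Abbott, the recall notice or any controller firmware):
 * a command queue that is, and then is not, allowed to survive a reconnection.
 * Names, timings and the TTL are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define QUEUE_DEPTH 4
#define CMD_TTL_MS  2000u   /* a command older than this is no longer trusted */

typedef enum { CMD_STOP = 1, CMD_START = 2 } cmd_t;

typedef struct {
    cmd_t    cmd;
    uint32_t session;     /* link session during which the user issued it */
    uint32_t issued_ms;
} queued_cmd_t;

typedef struct {          /* controller side */
    queued_cmd_t q[QUEUE_DEPTH];
    int len;
    uint32_t session;     /* bumped on every link-up */
} controller_t;

typedef struct {          /* pump side */
    bool running;
    bool stale_cmd_alarm; /* latched: a queued command was refused */
} pump_t;

void controller_init(controller_t *c) { c->len = 0; c->session = 1; }
void pump_init(pump_t *p, bool running) { p->running = running; p->stale_cmd_alarm = false; }

/* The user presses STOP/START; the link may or may not be up at that moment. */
bool controller_enqueue(controller_t *c, cmd_t cmd, uint32_t now_ms) {
    if (c->len == QUEUE_DEPTH) return false;
    c->q[c->len++] = (queued_cmd_t){ cmd, c->session, now_ms };
    return true;
}

static void pump_apply(pump_t *p, cmd_t cmd) { p->running = (cmd == CMD_START); }

/* Failure mode from the recall: on link-up everything still queued is
 * delivered, so a STOP issued before the link dropped fires on reconnection
 * with no indication to the user.  Returns the number of commands executed. */
int link_up_unsafe(controller_t *c, pump_t *p) {
    int executed = 0;
    for (int i = 0; i < c->len; i++) { pump_apply(p, c->q[i].cmd); executed++; }
    c->len = 0;
    return executed;
}

/* Hardened delivery: a command is executed only if it was issued in the current
 * link session and is younger than CMD_TTL_MS; anything else is discarded and
 * surfaced as a latched alarm rather than acted on. */
int controller_deliver(controller_t *c, pump_t *p, uint32_t now_ms) {
    int executed = 0;
    for (int i = 0; i < c->len; i++) {
        const queued_cmd_t *qc = &c->q[i];
        bool stale = qc->session != c->session ||
                     now_ms - qc->issued_ms > CMD_TTL_MS;
        if (stale) p->stale_cmd_alarm = true;
        else { pump_apply(p, qc->cmd); executed++; }
    }
    c->len = 0;
    return executed;
}

int link_up_safe(controller_t *c, pump_t *p, uint32_t now_ms) {
    c->session++;              /* new link: everything queued under the old one is stale */
    return controller_deliver(c, p, now_ms);
}

/* Constructed scenario reproducing the recall: pump running, user queues STOP,
 * link drops before delivery, controller reconnects 5 s later.
 * Returns bit 0 = pump still running afterwards, bit 1 = alarm latched. */
unsigned demo_reconnect(bool hardened) {
    controller_t c; pump_t p;
    controller_init(&c); pump_init(&p, true);
    controller_enqueue(&c, CMD_STOP, 0);          /* issued at t = 0, never delivered */
    if (hardened) link_up_safe(&c, &p, 5000);
    else          link_up_unsafe(&c, &p);
    return (p.running ? 1u : 0u) | (p.stale_cmd_alarm ? 2u : 0u);
}

/* Same session, link never dropped, but delivery slips past the TTL. */
unsigned demo_expired(void) {
    controller_t c; pump_t p;
    controller_init(&c); pump_init(&p, true);
    controller_enqueue(&c, CMD_STOP, 0);
    controller_deliver(&c, &p, CMD_TTL_MS + 1);
    return (p.running ? 1u : 0u) | (p.stale_cmd_alarm ? 2u : 0u);
}

/* Same session, prompt delivery: the hardened path still honours a fresh STOP. */
unsigned demo_fresh(void) {
    controller_t c; pump_t p;
    controller_init(&c); pump_init(&p, true);
    controller_enqueue(&c, CMD_STOP, 100);
    controller_deliver(&c, &p, 500);
    return (p.running ? 1u : 0u) | (p.stale_cmd_alarm ? 2u : 0u);
}

int main(void) {
    printf("unsafe reconnect: %u  hardened reconnect: %u  expired: %u  fresh: %u\n",
           demo_reconnect(false), demo_reconnect(true), demo_expired(), demo_fresh());
    return 0;
}
```

In the unsafe path the pump ends up stopped with no alarm (result 0); in the hardened path it keeps running and the alarm is latched (result 3), and the same happens when a command from the current session is delivered too late. Binding commands to a link session is what prevents the recall's "stop still in the queue" case; the TTL is a second, independent check for a link that stalls without dropping.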
Globus Medical, Inc. recalled a registration fixture due to a calibration error. The platform was designed for precise alignment in spine surgery. This device was recalled because a calibration process error could cause a loss of navigation integrity, which could result in device misplacement and patient harm. The root cause was associated with a calibration algorithm error that may affect the accuracy of implant placement. The calibration error was not detected prior to device distribution. Eight injuries were reported.
Summary
Medical device control system cyber incidents are more prevalent than has been thought. For control system cyber incidents, the FDA’s cybersecurity requirements are not adequate, and appropriate control system cybersecurity training is not available to the manufacturers and end-users. For health and safety, these control system cybersecurity gaps need to be addressed.
About the Author
Joe Weiss
Cybersecurity Contributor
Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]