Frequently Asked Questions
What are the tiers for cybersecurity risk?
Tier 1 “Higher Cybersecurity Risk”
A device is a Tier 1 device if the following criteria are met:
- The device is capable of connecting (wired or wirelessly) to another medical or non-medical product, or to a network, or to the Internet; AND
- A cybersecurity incident affecting the device could directly result in patient harm to multiple patients.
Examples include:
- Implantable cardioverter defibrillators (ICDs)
- Pacemakers
- Left ventricular assist devices (LVADs)
- Brain stimulators and neurostimulators
- Dialysis devices
- Infusion and insulin pumps, and the supporting connected systems that interact with these devices, such as home monitors and systems with command-and-control functionality such as programmers.
Tier 2 “Standard Cybersecurity Risk”
A medical device for which the criteria for a Tier 1 device are not met.
This cybersecurity risk tiering may not track to FDA’s existing statutory device classifications. For example, based on the manufacturer’s assessment and device design, a class II device such as an infusion pump may meet the criteria for Tier 1 higher cybersecurity risk, while a class III device such as a coronary atherectomy device with no connectivity may meet the criteria for Tier 2 standard cybersecurity risk. The principles and approaches described are broadly applicable to all medical devices and are intended to be consistent with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity-related risks by focusing on core functions of identify, protect, detect, respond, and recover.