Skip to main content
All playbooks
Playbook

A connected medical device was flagged in a CISA or FDA alert

The device may be vulnerable, exploitable, or already compromised. This is a clinical safety event before it is a security event — and the manufacturer's FDA-cleared status constrains what you can do.

Last reviewed: May 2026

The first hour

  1. 1Confirm the advisory applies to your device. Match CISA / FDA bulletins against your asset list by manufacturer, model, firmware version, and serial number range.
  2. 2If the device is actively delivering care (infusion pump, vitals monitor, imaging during a procedure), do not take it offline without the prescriber's involvement. The clinical safety call belongs to the clinician.
  3. 3Isolate the device on a segregated VLAN if it does not need broad network access. Your MSP or IT contractor can do this — call them.
  4. 4Contact the manufacturer for written guidance on the specific advisory: is a patch available, is downtime required, does it need an on-site service visit, what is recommended if a patch is not yet available.
  5. 5Decide whether the device is vulnerable or actively compromised — they are different. Vulnerable = remediation event. Compromised = incident with PHI implications and likely network-wide concern.
  6. 6If compromise is suspected: pull the device offline, preserve logs and locally stored data, engage a forensic firm (your cyber insurer's panel first), and treat the rest of the network as potentially affected.

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • Asset-inventory entry: manufacturer, model, serial, firmware, network address, EHR integration status.
  • The original CISA / FDA / vendor advisory text and version applicability.
  • Manufacturer's written guidance and patch/mitigation plan.
  • Device-side logs and any locally stored data, exported before remediation.
  • Documentation of compensating controls (segmentation, monitoring, access restrictions) if a patch is not yet available.

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

Can we just install the patch ourselves?+

Often no. Applying an unauthorized patch to an FDA-cleared device can void clearance. The manufacturer's guidance is not optional — many patches require a service technician visit, and the patch process is part of the device's cleared configuration.

Vulnerable vs compromised — how do we tell?+

Compromise signals include outbound network connections to addresses the device does not normally talk to, unexpected auth events on the management interface, configuration changes nobody made, abnormal CPU/memory on the diagnostic display, and (for imaging) unexpected delays between acquisition and PACS posting. The manufacturer's remote-service connection often sees these and will share if asked directly.

Is our MSP supposed to patch the device?+

Usually no. Most MSPs are not authorized to patch medical devices — the line is the manufacturer's clearance scope. Note in your asset inventory which devices are MSP-managed vs manufacturer-managed, and which are end-of-life and need replacement at the next budget cycle.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.