February 10, 2026
The article argues that medical device “cyber” problems aren’t limited to hackers and malware—they also include any electronic/logic/communication failure that harms confidentiality, integrity, or availability, whether accidental or malicious. The author says many serious incidents in medical devices are effectively control-system cyber incidents, but they often aren’t labeled that way, so organizations don’t trigger the right incident response. He criticizes current FDA cybersecurity guidance (issued September 27, 2023) as being oriented toward classic IT-style cybersecurity and interoperability, while not explicitly addressing control-system failure modes like timing issues, command queuing, sensor trust, and unsafe interactions between interconnected components.
To show the real-world impact, the post points to recall data (citing an IEEE Spectrum breakdown) where a significant portion of recalls relate to “process control” errors—often rooted in how devices are manufactured or controlled. It then lists concrete examples where software/control issues translated into patient harm: the Therac-25 radiation overdoses; Abbott glucose sensors reporting incorrect low readings (with hundreds of serious injuries and multiple deaths reported); insulin pump software/app behavior leading to battery drain and potential insulin under-delivery; a heart pump/controller scenario where queued commands could stop/start the pump without adequate warning; and a surgical navigation registration fixture with a calibration algorithm error that could cause misplacement and injury. The author’s bottom line is that FDA requirements and industry training don’t yet match the control-system reality, and closing that gap is necessary to prevent injuries and deaths.