
By Phil Englert
Medical device owners are increasingly frustrated by how little manufacturers share about known but undisclosed vulnerabilities in medical technologies, and by how slowly they patch the vulnerabilities they do acknowledge. Using the Food and Drug Administration’s MAUDE database may be one way to create urgency.
The FDA’s MAUDE database – short for Manufacturer and User Facility Device Experience – is a public repository of adverse event reports involving medical devices and part of the FDA’s postmarket surveillance strategy. Its purpose is to help the FDA monitor device performance, detect safety issues, and support benefit-risk assessments once devices are on the market. Mandatory reporters (manufacturers, importers, and user facilities such as hospitals) must submit reports when a device may have caused or contributed to a death or serious injury; manufacturers and importers must also report malfunctions that could cause such harm if they recurred. Voluntary reporters (healthcare professionals, patients, caregivers) can submit reports whenever they observe or experience a device-related problem.
MAUDE is a passive surveillance system: it reflects what reporters choose to send, not a measured rate. Reports may be incomplete or unverified, the database does not yield incidence rates, and a report does not establish causality. Its value lies in the patterns it exposes, such as recurring malfunctions or emerging risks across many facilities, that premarket testing would not have revealed and that warrant further investigation.
The FDA’s MAUDE database can include cybersecurity-related reports, but it does not categorize them as such. If a cybersecurity issue, such as a ransomware attack that disables a device or a vulnerability that allows unauthorized access, results in a malfunction or safety concern, it can be reported through MAUDE. The database has no dedicated “cybersecurity” tag or filter, however; cyber incidents are described in the free-text narrative fields, so finding them requires keyword searches of those narratives or manual review.
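The keyword search just described is simple to automate. The script below is an added example written for this page, not FDA or openFDA tooling: it triages MAUDE-style records by searching the narrative text for cybersecurity indicators. The records are constructed; their field names (mdr_report_key, event_type, device[].brand_name, mdr_text[].text) follow the openFDA device/event JSON as assumed here and should be verified against the openFDA documentation before the script is run over a real export. It also handles the caveat a practitioner hits immediately: words like “patch” and “virus” are common in non-cyber reports (transdermal patches, infections), so they only count when two distinct weak indicators co-occur or a strong one is present.

```python
"""Keyword triage of MAUDE-style narratives for cybersecurity relevance.

Added example for this page, not FDA or openFDA tooling. MAUDE has no
cybersecurity field, so cyber-related reports must be found by searching the
free-text narrative. The records at the bottom are constructed; their field
names (mdr_report_key, event_type, device[].brand_name, mdr_text[].text) follow
the openFDA device/event JSON as assumed here and should be verified against
the openFDA documentation before running this over a real export.
"""
import re
from typing import Dict, Iterable, List

# Strong indicators: one hit is enough to flag a report for review.
STRONG_TERMS = [
    r"\bcyber ?security\b", r"\bcyber ?attacks?\b", r"\bransomware\b", r"\bmalware\b",
    r"\bunauthori[sz]ed (?:remote )?access\b", r"\btelnet\b", r"\bCVE-\d{4}-\d{4,}\b",
    r"\bsecurity (?:vulnerabilit(?:y|ies)|bulletin|advisory|misconfiguration)\b",
    r"\bsoftware (?:weakness|vulnerabilit(?:y|ies))\b",
]
# Weak indicators: routinely appear in non-cyber reports (a transdermal "patch",
# a "virus" culture), so two distinct weak hits are required before a report
# is flagged on weak terms alone.
WEAK_TERMS = [
    r"\bvulnerabilit(?:y|ies)\b", r"\bfirmware\b", r"\bpatch(?:ed|es|ing)?\b",
    r"\bexploit(?:ed|s)?\b", r"\bencrypt(?:ed|ion)\b", r"\bpasswords?\b",
    r"\bnetwork(?:ed)?\b", r"\bremote access\b", r"\bvirus(?:es)?\b",
]
# Phrases that contain a weak term but never mean a software fix; blanked out
# before matching so drug-delivery and wound-care reports are not counted.
NON_CYBER_PHRASES = [
    r"\b(?:transdermal|nicotine|fentanyl|skin|wound|hernia) patch(?:es)?\b",
]

_STRONG = [re.compile(p, re.IGNORECASE) for p in STRONG_TERMS]
_WEAK = [re.compile(p, re.IGNORECASE) for p in WEAK_TERMS]
_NON_CYBER = [re.compile(p, re.IGNORECASE) for p in NON_CYBER_PHRASES]


def narrative_text(record: Dict) -> str:
    """Join every narrative block of a report into one searchable string."""
    return " ".join(block.get("text", "") for block in record.get("mdr_text", []))


def _hits(text: str, patterns: List[re.Pattern]) -> List[str]:
    """One lowercase sample match per pattern that matched (distinct indicators, not raw counts)."""
    hits = []
    for pat in patterns:
        m = pat.search(text)
        if m:
            hits.append(m.group(0).lower())
    return hits


def classify(record: Dict) -> Dict:
    """Decide whether a single report looks cybersecurity-related and say why."""
    text = narrative_text(record)
    for pat in _NON_CYBER:
        text = pat.sub(" ", text)
    strong, weak = _hits(text, _STRONG), _hits(text, _WEAK)
    return {
        "report_key": record.get("mdr_report_key"),
        "device": (record.get("device") or [{}])[0].get("brand_name", ""),
        "flagged": bool(strong) or len(weak) >= 2,
        "strong": strong,
        "weak": weak,
    }


def triage(records: Iterable[Dict]) -> List[Dict]:
    """Return the classification of every report that deserves a human look."""
    return [result for result in map(classify, records) if result["flagged"]]


def _report(key: str, brand: str, event_type: str, text: str) -> Dict:
    """Build a constructed record in the assumed openFDA device/event shape."""
    return {
        "mdr_report_key": key,
        "event_type": event_type,
        "device": [{"brand_name": brand}],
        "mdr_text": [{"text_type_code": "Description of Event or Problem", "text": text}],
    }


# Constructed sample reports (not real MAUDE entries).
SAMPLE_REPORTS = [
    _report("1001", "IPX-3000 INFUSION PUMP", "Malfunction",
            "During a routine vulnerability assessment, hospital IT found that the pump "
            "accepts Telnet connections for vendor remote service and sends credentials in "
            "cleartext. No patient harm occurred; devices were isolated on a dedicated VLAN "
            "pending a manufacturer patch."),
    _report("1002", "TRANSDERMAL PATCH", "Malfunction",
            "Transdermal patch detached from the patient's skin after eight hours. Two "
            "replacement patches were applied. Patient reported skin irritation; no other injury."),
    _report("1003", "VENTILATOR CENTRAL STATION", "Malfunction",
            "Central monitoring station became unavailable after ransomware encrypted its hard "
            "drive. Bedside ventilators continued to operate locally."),
    _report("1004", "PORTABLE ULTRASOUND", "Malfunction",
            "Firmware update to version 4.2 failed midway; the system rebooted repeatedly and "
            "required a service password reset before returning to use. Exam was delayed."),
    _report("1005", "IMPLANTABLE PACEMAKER", "Injury",
            "Patient developed fever two days after implant. Virus culture was negative; "
            "wound infection was treated with antibiotics."),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_REPORTS):
        print(result["report_key"], result["device"],
              "strong:", result["strong"], "weak:", result["weak"])
```

Run against the constructed records, the Telnet pump and the ransomware station are flagged on strong terms, the failed firmware update is flagged because two weak indicators co-occur, and the transdermal patch and post-implant infection reports are left alone. Tune the term lists on a sample of real narratives before trusting the output; MAUDE text is uppercase, abbreviated and inconsistent, which is exactly why the matching is case-insensitive and why the weak list needs a co-occurrence rule.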
The FDA has sharpened its focus on cybersecurity in recent years. Since March 2023, when section 524B of the FD&C Act took effect, it can require manufacturers of “cyber devices” to include cybersecurity information in premarket submissions, including a plan for monitoring and addressing postmarket vulnerabilities and a software bill of materials, and it encourages manufacturers to report vulnerabilities and incidents that could affect patient safety even when no harm has occurred.
Here’s how to use the FDA’s MAUDE reporting system to document cybersecurity-related concerns with medical devices in your hospital or healthcare facility. MAUDE is not cyber-specific, but it accepts any adverse event or device malfunction that could affect patient safety, including cyber issues. Below is an example of how a MAUDE report might document a known vulnerability in a medical device before any patient harm has occurred, formatted as the kind of narrative entry you would find in the database.
Example of a cyber-related MAUDE Report Narrative
Device Name: Infusion Pump
Manufacturer: Acme MedTech
Model Number: IPX-3000
Event Date: 2025-05-14
Report Date: 2025-05-17
Event Type: Malfunction
Reporter: User Facility (Hospital Biomedical Engineering Department)
Narrative:
During a routine vulnerability assessment conducted by hospital IT and Biomedical Engineering, we identified that the Acme IPX-3000 infusion pump exposes Telnet (TCP port 23) for remote access by vendor service technicians. Telnet transmits credentials and session data in cleartext and provides no cryptographic authentication of either party.
The weakness is documented in the manufacturer’s security bulletins and in independent cybersecurity audits. An attacker with access to the hospital network could intercept or alter pump programming commands.
Although no adverse patient events have occurred, the absence of vendor firmware updates or of a configuration option to disable the insecure protocol is a persistent security risk. As an interim mitigation we have moved the affected pumps to a dedicated VLAN and restricted inbound Telnet to the vendor’s documented service hosts until a patch or mitigation guidance is released.
This report is submitted to raise awareness of systemic cybersecurity design issues and potential future patient safety implications. The manufacturer has been notified.
End Narrative
Other cyber-related situations that can be submitted through MAUDE include: a vulnerability that leads to device malfunction or unavailability (for example, ransomware disabling a ventilator); unauthorized access to a network-connected medical device (for example, remote tampering with infusion pump settings); an attempted breach that exposes patient data or puts device configuration at risk; patch failures or delayed firmware updates that cause system instability or raise concerns about device safety, device availability, or data privacy; and unusual device behavior suspected to be malware-related.
To submit a report, use FDA’s MedWatch voluntary reporting page (http://tinyurl.com/47yv22f8) or, where your facility is a mandatory reporter, MedWatch Form 3500A. Write a thorough narrative even though “cybersecurity” is not a checklist item; use descriptor words such as “cybersecurity,” “vulnerability,” “software weakness,” or “security misconfiguration” so the report can later be found by keyword search; cite the manufacturer bulletin or CVE identifier where one exists; and consider attaching logs or communication summaries to support the narrative. Remember that MAUDE narratives are public: leave out patient identifiers, credentials, internal addresses, and exploit detail an attacker could use, and describe the weakness and its clinical impact instead.
To protect patients’ safety and help drive meaningful changes, medical device owners must move beyond frustration and toward action. By proactively reporting cybersecurity-related vulnerabilities, whether or not harm has occurred, through the FDA’s MAUDE database, hospitals and biomedical teams can spotlight systemic design flaws, pressure manufacturers to expedite patches, and contribute to a growing body of evidence that shapes smarter regulation.
In an era where connected care is critical and cyber threats are rising, leveraging MAUDE is not just compliance – it’s advocacy. Every report is a signal that cybersecurity is patient safety, and silence is no longer an option. Start by documenting vulnerabilities, collaborating with IT, and making your voice heard – because the pulse of future-ready healthcare depends on it.