Medhacking
Umbrella term for hacking activity directed at medical devices, ranging from criminal attack to coordinated security research and patient-led modification.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.
Definition
Medhacking is an informal umbrella term for hacking activity directed at medical devices and clinical systems. It covers three overlapping populations: (1) malicious actors attacking devices to harm patients, extort hospitals, or pivot into healthcare networks (overlapping with medjacking); (2) security researchers performing coordinated vulnerability disclosure under programs aligned with the FDA-recognized ISO/IEC 29147 and 30111 standards; and (3) patient and DIY communities modifying their own devices for clinical benefit - most visibly the #WeAreNotWaiting movement that built open-source automated insulin delivery systems (OpenAPS, Loop, AndroidAPS) on top of commercial insulin pumps and CGMs. The term is not a regulatory category; it is a shorthand the press, conference circuit (DEF CON Biohacking Village), and patient communities use to describe the broader phenomenon of technical intervention into medical devices outside the manufacturer's intended pathway.
What the regulation says
Regulators do not use 'medhacking' as a formal term, but they address its three branches separately. Malicious activity is handled through FDA safety communications, CISA medical-device advisories, and FBI/HHS cyber notifications. Coordinated security research is encouraged: FDA's 2023 cybersecurity guidance and the HSCC Medical Device and Health IT Joint Security Plan call for manufacturers to operate a coordinated vulnerability disclosure program aligned with ISO/IEC 29147 and 30111, and the DEF CON Biohacking Village Device Lab is run with explicit FDA participation. Patient self-modification (e.g., open-source AID) is unapproved use; FDA's 2019 safety communication on unauthorized AID systems sets the regulator's position.
What this means in practice
For manufacturers, the practical implication is to plan for all three populations: a hardened device, a published coordinated vulnerability disclosure policy and security.txt, an active relationship with the security research community (Biohacking Village, ICS-CERT, MDIC), and clear labeling and human-factors design that anticipate motivated patient modification - especially in chronic-disease devices like insulin pumps and CGMs.
Common pitfalls
- Treating all medhackers as adversaries and lacking a coordinated vulnerability disclosure channel.
- Threatening security researchers with legal action instead of triaging their findings - a known reputational disaster in MedTech.
- Ignoring patient-driven modification trends until they become a safety communication.
- Conflating medhacking, medjacking, and brainjacking in internal risk documentation - regulators expect precise language.
Frequently asked questions
It depends on which branch. Malicious attacks on devices are crimes under the Computer Fraud and Abuse Act and equivalents abroad. Coordinated security research under a published disclosure policy is legal and increasingly safe-harbored. Patients modifying their own devices occupy a gray zone - it is unapproved use under FDA's framework but is not, in itself, criminally prosecuted.
Primary references
1. FDA Cybersecurity Guidance (Sept 2023). FDA, fda.gov
2. ISO/IEC 29147:2018 Vulnerability Disclosure. ISO/IEC, iso.org
3. ISO/IEC 30111:2019 Vulnerability Handling Processes. ISO/IEC, iso.org
4. DEF CON Biohacking Village Device Lab. Biohacking Village, villageb.io
5. FDA Safety Communication on Unauthorized Automated Insulin Dosing Systems (2019). FDA, fda.gov
6. HSCC Medical Device and Health IT Joint Security Plan. HSCC, healthsectorcouncil.org