How to Cut Medical Device Security Risks

One area within health care that continues to be a challenge for the industry is securing medical devices. As more of these devices connect to the Internet and hospital networks, the more the security risk to the organization increases. Medical devices, just like any network-connected device, are susceptible to security breaches, which can affect patient safety and the devices’ effectiveness within the health care network.

While security risks cannot be completely mitigated, there are steps organizations can take to lower their inherent risks, including:

  1. Working to understand what, if any, security safeguards are currently enabled on the medical device.
  2. Having pre-procurement security requirements in place that are provided to the medical device manufacturer (MDM) to help make sure that the MDM is meeting the organization’s existing security requirements and implementing the required safeguards in their devices.
  3. Assessing their network for security risks and vulnerabilities as well as having a remediation strategy to reduce those risks to their environment.

Leverage Technology

In October 2018, the Food and Drug Administration (FDA) released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, developed in conjunction with The MITRE Corporation, to assist health care organizations in securing medical devices. While this playbook is a great supplement to an organization’s existing incident response plan and preparedness, organizations should also look at leveraging technologies, such as network access control, to segment these devices on their networks and block potential rogue devices or bad actors from gaining access to these devices.

It is also essential that security awareness training is in place and occurs at least annually, and that clinical staff are included in this training.

Partner with MDMs

As more medical Internet of things (IoT) devices become Internet and network connected, health care organizations need to continue partnering with MDMs to create a strong medical device security program utilizing access control technologies such as network access control. These technologies can provide organizations with threat protection and identification, help lock down medical devices, and provide the ability to audit these devices to reduce the risks not only to the organization but also, and more importantly, to the patient’s safety.

If you are looking to address medical device security risks, Sikich is here to help.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author