The Top 9 Criteria Organizations Should Consider When Evaluating Medical Device Security


Written by Cory Blacketer, Medical Device Security Consultant at CynergisTek

Network-connected medical devices are transforming how healthcare organizations deliver patient care. The benefits of network-connected medical devices are great, but so are the potential security risks. Every year an increasing number of medical devices are designed to function on an organization's network, yet they are rarely manufactured with security in mind, leaving these assets an easy target for attack. As members of the healthcare industry and regulators such as the FDA continue to pressure medical equipment manufacturers to build more robust security features into their devices, healthcare delivery organizations must turn their focus to the medical devices already deployed within their environment of care and address the inherent vulnerabilities of the outdated, unsecure software run by most clinical equipment.

Near the end of 2018, CHIME released a benchmarking report, "Medical Device Security 2018" [1], in which nearly all respondents cited patient safety as their top concern with unsecured medical devices. However, organizations that responded with confidence about their medical device security program cited solid security policies and procedures as the leading reason for that confidence, followed by strong technology.

The following are criteria every healthcare delivery organization should consider when evaluating its medical device security program, both for effectiveness in mitigating risks to connected medical devices and for its capability to support strong technology moving forward.

Support Structure

Medical devices are managed within a healthcare organization in a number of different ways. Originally, these devices were designed as appliances that simply required basic upkeep and preventative maintenance procedures. The support structure for these processes varies across organizations; it may be managed by an in-house clinical engineering team, outsourced third-party contractors, consultants, or the medical device vendors themselves. In some instances, the support structure is a mixture of all of the above. This may create inconsistencies or gaps in policies and procedures, as well as general difficulty in governing ongoing maintenance processes. Explicitly understanding the roles and responsibilities at each level of support for medical devices will help an organization operate more efficiently in an incident response scenario and provide overall oversight and assurance of consistent, compliant medical device security practices.

Acquisition/Procurement Process

Most organizations have a well-defined procurement process for clinical equipment and applications. However, medical devices tend to sneak through non-traditional purchase methods, especially those procured at the request of a physician. Organizations should consider all of the methods currently in place for acquiring new medical equipment and determine whether an opportunity exists to standardize this process across the organization.

Also, as part of the strategic procurement process for the organization as a whole, risk assessments should be performed on medical devices prior to making purchase decisions. Capital equipment planning should include the review, evaluation, and documentation of all applicable medical device risks and the consideration of additional device security support agreements as required. All of the information gathered during this process will help inform each stage of managing the medical equipment, consistent with organizational security standards, after purchase and deployment.
