Medical devices improve health, quality of life, and even save lives. As such, medical device use must be appropriate for the context and setting in which it is intended. They must be safe for the patient to use and abide by all federal, state, and local regulations.
Medical devices should be secure in their use and when connected to the organization’s internal network, should not introduce any vulnerabilities or weaknesses to the device itself or any other devices that may also be available on the network.
Security Considerations and Best Practices
Here are some medical device security considerations and best practices:
- All vendor supplied default settings such as credentials should be changed, if possible
- All transmission protocols should be secured, if possible
- All medical devices should utilize secure configurations to include disabling/blocking unnecessary ports and disabling unnecessary services
- Any data stored on a medical device should be encrypted, if possible
- Any data transmitted by the device should utilize approved secure transmission protocols, if possible
- All medical devices should authenticate with approved credentials on the network, where applicable
- Medical devices should only connect to other approved devices or monitoring stations
- Medical devices should be segmented or isolated from other network resources, if possible
- For any security standard that is not able to be implemented, an exception should be documented and approved by the senior management.
Security functions to consider for the protection of medical devices include, but not limited to:
- Limit access to devices and require authentication of users (i.e. user ID/passwords)
- Implement a predefined inactivity session time-out, where appropriate
- Employ a layered authorization model based on roles of users or device
- Use appropriate authentication method (i.e. multi-factor authentication)
- Avoid hard-coded passwords or common words for passwords; limit public access to passwords used for privileged device access
- Provide physical locks on devices and communication ports
- Require authentication before permitting software/firmware updates
- Restrict software/firmware updates to authenticated code (i.e. code signature verification)
- Use approved procedure for authorized users to download version identifiable software/firmware from manufacturer
- Ensure secure data transfer capabilities to and from device are in place; use encryption where applicable
- Ensure security compromises can be detected, recognized, logged, timed, and acted upon during normal use
- Ensure end users are provided information concerning appropriate actions to take upon detection of a cyber security event; also, notify Security Official appropriately
- Ensure critical functionality is implemented even during a device compromise
- Ensure retention and recovery methods of device configurations can be implemented by an authenticated privileged user
FDA Cybersecurity Guidance on Medical Devices
Medical device use is primarily governed by federal regulations mandated by the FDA. Only approved medical devices should be authorized for use. Final authority and approval of any medical device is determined by the Chief Medical Officer.
There should be a management process in place for the implementation of the device to include oversight authority, reporting, monitoring, and evaluation of the device.
All medical devices should be assigned a medical device owner. The medical device owner is responsible for the proper use, maintenance, and management of their assigned devices. All medical device should be assigned a unique asset tag. All medical devices should be accounted for and inventoried. Medical devices should be appropriately tracked and follow asset tracking policies.
Any medical device that is not working properly should be reported to the medical device owner. Any misuse of a medical device should be reported to the Chief Medical Officer. Any suspicious security related issues should be reported to the Security Team.
In most cases, medical device maintenance is restricted to the medical device vendor. The appropriate vendor should be notified by the medical device owner of any maintenance issues related to their medical devices. Medical devices should be maintained in accordance to vendor specifications. If the device is connected to the network, the IT department should be notified prior to the vendor working on the device.
End of Life
Medical devices may be rendered no longer usable by the age of the device, replacement of the device, or other reasons approved by the Chief Medical Officer. Once a device is determined not to be usable, the device should be disposed of in accordance to the manufacturer’s suggested specifications. This could include, but not limited to: wiping any memory of the device, physical destruction of the device, return of the device to the manufacturer in accordance with approved agreement, or other method that renders any information stored on the device (or the device itself) as unusable.
Medical devices will be evaluated and monitored for appropriate usage/effectiveness. Any discrepancies with expected results should be reported to the Chief Medical Officer for additional review.
Workforce members utilizing medical devices should be appropriately trained. Medical device owners or designees should train appropriate workforce members on the use of the medical device to include any issues/concerns related to its use.
All appropriate medical device reports for calibration and/or regulatory requirements should be maintained.
In some cases, medical devices may store electronic protected health information. These devices should follow policies and safeguards in place for other mobile/media devices that contain electronic protected health information (ePHI). This could include, but not limited to:
- Encrypting data-at-rest on the device, if possible.
- Sanitizing media that stores ePHI on the device prior to being taken off-site for repair or replacement.
- Disposing of media that stores ePHI on the medical device when no longer needed or if the device becomes obsolete.
- Contact the Security Official if there is any questions/concerns on proper handling of the medical device.
Contracts with manufacturers of devices purchased by the organization will ensure that the vendor will provide additional information, onsite maintenance, and/or other support to ensure that newly discovered security weaknesses are mitigated in a timely manner. Any failure of the vendor to maintain the product after sale and implementation, as applicable, should be considered a breach of contract.
We can help you perform a medical device security assessment or developing a security program for your medical devices. Contact us today!