Medical device inventory is a challenge for most organizations.  Just as with computers and mobile devices, though, you can’t understand your risks and security requirements if you don’t know what you have out there.  A medical device treasure hunt is what it turns out to be when you make a dedicated effort to find them all in your organization.  How do you find them all and how do you worry about protecting them all?

In this episode:

Managing Medical Devices – 4 steps plus a bonus

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Next HIPAA Boot Camp

Live in Tucker, GA

July 19 and 20th

Want to be part of Help Me With HIPAA? Donate to the cause at

HMWH App now has more features.  You can now access a PDF with the show notes ready for your HIPAA training documentation!  Find it under the bonus feature in the app for both the Apple and Android versions.  It is a little gift box on the app bar.

Like us and leave a review on our Facebook page:


Managing Medical Devices – 4 steps plus a bonus

medical devicesWhen accounting for all medical devices in your office it can be surprising what you find.  Most important is that you make a specific effort to do it.  There are so many types of devices it can be hard to figure it all out.  An article from Security Intelligence pointed out medical devices may contribute to why many healthcare organizations feel vulnerable.

Part of this vulnerability stems from the 190,000 different devices produced by 18,000 firms across 21,000 manufacturing facilities regulated by the FDA.

Step 1 is to find them in your organization.  As we always say: You don’t know what you don’t know.  So, get everyone involved.  Clinicians use them, IT staff support them, and at some point, you paid for them.  Make it a group project to do the inventory.  These projects also help with security awareness.  Don’t worry about security issues when making the list.  Just get a list.  You can always remove things from the list and document how thoroughly your search covered everything.

Step 2 is to expand your list with details.  Inventory what you know about each device.  It is almost like the first foundation of a risk analysis for the device.

  • Vendor details to document include:
    • Purchase date and party
    • Support Agreement
    • Annual inspections
    • Leased or owned
  • Connectivity
    • Is it connected to the network directly via wired or wireless?
    • Does it maintain a connection at all times?
    • Does it plug into another device or workstation that is connected to the network?
    • Does the vendor access it remotely?  How?
  • Software
    • What OS does it run?
    • Does the vendor keep it up to date remotely?
    • When was it last updated?
    • What about firmware?
    • Can it be monitored like workstations?
  • Data
    • What data is stored on it?
    • What has access to it?
    • Are there interfaces to get data to it or from it into other systems?
    • How do you handle end-of-life for the device?
  • Access
    • Does it have passwords?
    • How are passwords managed?
    • What staff members have access to the device and the information?
    • Who manages the device for service and updates?  Who owns it?

Step 3 is to get the details of any plans from the vendors.  The FDA has released updated information explaining how vendors can plan for postmarket cybersecurity management.  That had been a roadblock for some time.  Plus, more on patient safety: Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health.

For device premarket submission for FDA product approval, they ask for information about the medical device cybersecurity. The guidance includes:

  • Hazard analysis, risks, and design considerations connected to the medical devices.
  • Traceability matrix that links the actual cybersecurity controls to the risks that were considered.
  • A summary that mentions which controls are in place to make sure the medical device software will maintain its integrity from the point of origin to the point at which device leaves the control of the manufacturer.
  • Instructions for use of various cybersecurity controls like firewalls or anti-virus software.
  • A summary containing the plan to provide validated software patches and updates through the medical device lifecycle to assure its effectiveness and safety continually.

Step 4 is to build your plan for addressing security issues you may have now or could have in the future with the devices.  In step three you found plenty of areas to worry about, I am sure.  Now you do the assessment of the threats you already worry about and any more you should worry about based on what you have learned.  Include managing these devices in your overall risk management plan.

A good list for working out that plan comes from the FDA and other security experts in this article.

For each device:

  • Authentications must be used to limit the access for medical devices to trusted users. The various authentication methods such as username and password, biometrics, and smart card or multi-layered authentication can be used.
  • Make sure the data is transferred securely to and from the medical device using encryption wherever appropriate.
  • Implement functionalities that allow analysts to detect, recognize, log, time, and act upon any security compromises.
  • Provide end users with the information regarding appropriate actions to be taken when a cybersecurity event is detected.

ECRI Institute studies patient safety issues.  They have worked with the FDA on several things surrounding medical device security.  They published this list.

10 Challenges Facing Medical Device Cybersecurity

  1. Inadequate Medical Device Software Inventory
  2. Impractical Medical Device Patch Installation
  3. Hard-to-Secure Legacy Devices
  4. Unsecured Medical Device Design
  5. Vulnerability Scanning Disrupting Medical Devices
  6. Medical Device Server Management
  7. Remote Server Access Control
  8. Vendor Reluctance to Share Information
  9. IT and Clinical Engineering Collaboration
  10.  Cloud Services for Medical Devices

Bonus step 5 is to work with the powers that be in the organization to update the purchasing workflow to include evaluating how you will manage the cybersecurity requirements of a device.

There are our 4 steps and the bonus that would really help.  Medical devices will be increasingly targeted as we deploy more of them.  Take the time to start tracking them in some way if you can’t do all of these things.  Get started is the first step… just get started.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care. TM

Share This
HIPAA Boot Camp