Medical Device Security Best Practices
Posted by Superadmin on September 16 2022 07:16:50

Published date: January 6, 2019

Medical devices improve health, quality of life, and even save lives. As such, medical device use must be appropriate for the context and setting in which it is intended. They must be safe for the patient to use and abide by all federal, state, and local regulations.

Medical devices should be secure in use and, when connected to the organization’s internal network, should not introduce vulnerabilities or weaknesses into the device itself or into any other device on that network.

Security Considerations and Best Practices

Here are some medical device security considerations and best practices:

Security functions to consider for the protection of medical devices include, but are not limited to:

FDA Cybersecurity Guidance on Medical Devices

Medical device use is primarily governed by federal regulations mandated by the FDA. Only approved medical devices should be authorized for use. Final authority and approval of any medical device is determined by the Chief Medical Officer.

Management

There should be a management process in place for the implementation of the device to include oversight authority, reporting, monitoring, and evaluation of the device.

All medical devices should be assigned a medical device owner. The medical device owner is responsible for the proper use, maintenance, and management of their assigned devices. All medical devices should be assigned a unique asset tag. All medical devices should be accounted for and inventoried. Medical devices should be appropriately tracked and should follow the organization’s asset tracking policies.
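The ownership, unique-asset-tag and inventory requirements above are the kind of rules an auditor can check mechanically. The following is an added example, not code from the original post or from any device vendor: it reads a hypothetical inventory (constructed sample records, with one deliberately defective entry) and a constructed list of MAC addresses observed on the internal network, then reports devices without an owner, duplicated asset tags, networked devices in the inventory that were not seen on the network, and network addresses that belong to no inventoried device. The record layout, field names and sample values are assumptions for the example.

```python
"""Added example: audit a medical device inventory against the policy
requirements (owner assigned, unique asset tag, inventory reconciled with
what is actually seen on the network). Hypothetical data format."""

from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class DeviceRecord:
    asset_tag: str      # unique asset tag required by policy
    description: str
    owner: str          # medical device owner responsible for use/maintenance
    networked: bool     # connected to the organization's internal network
    mac: str = ""       # MAC address if networked (constructed sample values)


# Constructed sample inventory (not real devices). The third record has a
# duplicated asset tag and no owner on purpose, to exercise the checks.
INVENTORY: List[DeviceRecord] = [
    DeviceRecord("MD-0001", "Infusion pump", "nurse.manager", True, "00:11:22:33:44:01"),
    DeviceRecord("MD-0002", "Patient monitor", "biomed.lead", True, "00:11:22:33:44:02"),
    DeviceRecord("MD-0002", "Ultrasound cart", "", True, "00:11:22:33:44:03"),
    DeviceRecord("MD-0004", "Otoscope", "clinic.lead", False),
]

# Constructed sample of MAC addresses reported by a network scan or NAC.
OBSERVED_MACS: Set[str] = {"00:11:22:33:44:01", "00:11:22:33:44:03", "00:11:22:33:44:99"}


def audit_inventory(inventory: Iterable[DeviceRecord],
                    observed_macs: Iterable[str]) -> Dict[str, List[str]]:
    """Return policy findings keyed by finding type (lists are sorted/ordered)."""
    inventory = list(inventory)
    observed = {m.lower() for m in observed_macs}
    findings: Dict[str, List[str]] = {
        "missing_owner": [],          # device has no assigned owner
        "duplicate_tag": [],          # asset tag used by more than one device
        "unknown_on_network": [],     # seen on the network, not in inventory
        "not_seen_on_network": [],    # inventoried as networked, but not seen
    }

    tag_counts = Counter(d.asset_tag for d in inventory)
    for d in inventory:
        if not d.owner.strip():
            findings["missing_owner"].append(d.asset_tag)
        if tag_counts[d.asset_tag] > 1 and d.asset_tag not in findings["duplicate_tag"]:
            findings["duplicate_tag"].append(d.asset_tag)

    known_macs = {d.mac.lower() for d in inventory if d.networked and d.mac}
    findings["unknown_on_network"] = sorted(observed - known_macs)
    # Report tag plus description, because a duplicated tag alone is ambiguous.
    findings["not_seen_on_network"] = sorted(
        f"{d.asset_tag} ({d.description})"
        for d in inventory
        if d.networked and d.mac and d.mac.lower() not in observed
    )
    return findings


if __name__ == "__main__":
    for kind, items in audit_inventory(INVENTORY, OBSERVED_MACS).items():
        print(f"{kind}: {items or 'none'}")
```

Running the block prints one line per finding type; an empty list for every type means the inventory satisfies the checks. In practice the observed addresses would come from the switch or NAC export rather than a constant, and "unknown_on_network" findings are the ones the Security Team would want escalated, since an unlisted device on the clinical network is either an inventory gap or something that should not be there.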

Any medical device that is not working properly should be reported to the medical device owner. Any misuse of a medical device should be reported to the Chief Medical Officer. Any suspicious security-related issue should be reported to the Security Team.

Equipment Maintenance/Upgrades

In most cases, medical device maintenance is restricted to the medical device vendor. The medical device owner should notify the appropriate vendor of any maintenance issues related to their medical devices. Medical devices should be maintained in accordance with vendor specifications. If the device is connected to the network, the IT department should be notified before the vendor works on the device.

End of Life

Medical devices may be rendered no longer usable by the age of the device, replacement of the device, or other reasons approved by the Chief Medical Officer. Once a device is determined not to be usable, it should be disposed of in accordance with the manufacturer’s suggested specifications. This could include, but is not limited to: wiping any memory of the device, physical destruction of the device, return of the device to the manufacturer in accordance with an approved agreement, or another method that renders any information stored on the device (or the device itself) unusable.

Monitoring

Medical devices will be evaluated and monitored for appropriate usage/effectiveness. Any discrepancies with expected results should be reported to the Chief Medical Officer for additional review.

Training

Workforce members utilizing medical devices should be appropriately trained. Medical device owners or designees should train appropriate workforce members on the use of the medical device to include any issues/concerns related to its use.

Reporting

All appropriate medical device reports for calibration and/or regulatory requirements should be maintained.

Data Protection

In some cases, medical devices may store electronic protected health information (ePHI). These devices should follow the policies and safeguards already in place for other mobile/media devices that contain ePHI. This could include, but is not limited to:

Vendor Responsibility/Assurance

Contracts with manufacturers of devices purchased by the organization will ensure that the vendor will provide additional information, onsite maintenance, and/or other support to ensure that newly discovered security weaknesses are mitigated in a timely manner. Any failure of the vendor to maintain the product after sale and implementation, as applicable, should be considered a breach of contract.

We can help you perform a medical device security assessment or develop a security program for your medical devices. Contact us today!