11 best practices for protecting connected medical devices

By Joseph Goedert

11 best practices for protecting connected medical devices

The Department of Health and Human Services, working with more than 150 healthcare and cybersecurity experts, has released a report, “Health Industry Cybersecurity Practices,” to aid stakeholders in managing threats and protecting patients. The 36-page report, available here, includes a section on attacks against connected medical devices that may affect patient safety. In distilling the guidance of the experts, HHS recommends the following 11 best practices to safeguard this sensitive equipment.

Communication

Referral-Client-meeting

Establish and maintain communication with medical device manufacturers’ product security teams to ensure devices have the latest protection in the forms of patches and to ensure dialogue about threats.

Patching

March Safety AdobeStock_2054778 D.jpeg

Install security and updated system patches on devices after the coded patches have been validated, distributed by the medical device manufacturer and properly tested.

Security controls

Jan Medical C.jpg

Assess current security controls on networked medical devices to ensure they are working effectively and are not easily hackable.

Inventory

8. Tech Hazards AdobeStock_145931808.jpeg

Assess inventory traits, such as IT components, that may include the Media Access Control address, Internet Protocol address, network segments, operating systems, applications and other elements relevant to managing information security risks.

Procurement

Jan Medical E.jpg

Implement pre-procurement security requirements for vendors, to ensure they’re meeting your organization’s minimum requirements for device and network security.

Security assurance

Jan Medical F.jpg

Implement information security assurance practices, such as security risk assessments of new devices and validation of vendor practices on networks or facilities.

Security staff engagement

Jan Medical G.jpg

Engage information security as a stakeholder in all clinical procurements that could involve linkages to clinical networks.

Contract language

Jan Medical H.jpg

Use a template for contract language with medical devices manufacturers and others to ensure it provides sufficient requirements to protect the organization.

Access controls

Jan Medical I.jpg

Implement access controls for clinical and vendor support staff, including remote access, monitoring of vendor access and minimum necessary or least privilege.

Security operations

Jan Medical J.jpg

Implement security operations practices for devices, including hardening, patching, monitoring and threat detection capabilities.

Device network

Jan Medical K.jpg

Develop and implement network security applications and practices for device networks.

Tags

Employee communications Data security Medical devices

Joseph Goedert

MORE FROM HEALTH DATA MANAGEMENT

Artificial intelligence

Researchers call on regulators to reduce risks of AI in medicine

By Greg Slabodkin

9h ago
Readmissions

Geisinger-AI vendor aim to reduce adverse events, avoid readmissions

By Greg Slabodkin

9h ago
Augmented reality

AR and VR technology may eclipse use of 3D-printed models

By Fred Bazzoli

10h ago
Payers

BCBSLA’s tech competition aims to prevent social isolation in seniors

By Diana Manos

December 6
Radiology

CT scan read errors a leading cause of patient injury

By Fred Bazzoli

December 6
Deep learning

Deep learning identifies colorectal cancer tumors with 100 percent accuracy

By Greg Slabodkin

December 5