12 security questions to ask about medical devices

Published
  • May 03 2017, 4:00am EDT

12 security questions to ask medical device manufacturers about their products

Healthcare providers know medical devices can be a weak link in their data networks. Most organizations have hundreds of devices, some with limited protection against hacking, which could put protected health information at risk.

A feature story in the May issue of Health Data Management examines how providers are confronting the cybercrime war on medical devices. John Fowler, deputy information security officer at Henry Ford Health System in metro Detroit, offers questions that providers should ask before signing the contract.

1. Security patches

Can anti-virus/malware and security patch updates be applied to the medical device as soon as they become available?


2. Logoffs

Does the medical device automatically log off the user or lock the screen after a period of inactivity?

3. Audit trails

Can the medical device create an audit trail? If so, which events are logged, such as logons, transactions, transmissions and file name access?

4. Access control

Can the medical device restrict access to authorized users through user login requirements or another mechanism? Require a description of the access control configurations available.


5. Communication ports

Are all communication ports that are not required for the intended use of the medical device closed/disabled?

6. Encryption

Is private data encrypted in transit over a network, and does the medical device encrypt private data at rest? Ask for a detailed explanation of the device's encryption approach.

7. User ID and passwords

Does the medical device support unique user/operator-specific IDs and password(s) for multiple users?


8. Data storage

Does the medical device store sensitive data in a system cache, registers, main memory or secondary storage after a user session is terminated?

9. Account lockouts

Is an account automatically locked out after a set number of failed login attempts?

10. Identification/authentication

Does the medical device use managed AD/LDAP services for identification and authentication? If not, require the manufacturer to detail how user identification and authentication are handled.


11. Data communication

Is there documentation on what information is communicated with the medical device, how it is transferred and how the data is secured?

12. Network management

Does the medical device use SNMP? If so, is it configured to use version 3 (SNMPv3) with encryption, or is SNMP disabled entirely?
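As an added illustration of the distinction in question 12 (not from the article, Henry Ford Health System or any device vendor), here is the weak setting beside the corrected one in net-snmp's snmpd.conf syntax; the user name and passphrases are placeholders, and a vendor's own agent may use different syntax.

```conf
# WEAK: SNMPv1/v2c read-only access with a well-known community string.
# Requests and replies travel in cleartext and the "password" is guessable.
rocommunity public

# CORRECTED: SNMPv3 only, with authentication (SHA) and privacy (AES).
# No rocommunity/rwcommunity lines, so v1/v2c requests are refused.
# Placeholders: replace the user name and both passphrases before deployment.
createUser monitor-user SHA "AUTH-PASSPHRASE-PLACEHOLDER" AES "PRIV-PASSPHRASE-PLACEHOLDER"
# "priv" requires both authentication and encryption on every request.
rouser monitor-user priv
```

If the device does not need to be polled at all, the stronger answer to question 12 is to have the agent disabled rather than hardened.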