Medical Device Security and HIPAA

Managing your organization’s cybersecurity is complex. Many fail to account for medical device security, forgetting that these devices connect to the internet, making them vulnerable. Medical device security standards are essential to consider as part of your overall security strategy.

Medical Device Security Standards

Medical device security is imperative to safeguard protected health information (PHI) adequately. Many medical devices, such as MRI machines and heart-rate monitors, connect to healthcare networks, posing a cybersecurity risk when excluded from your cybersecurity planning.

The Food and Drug Administration (FDA) recognized this when they released guidance for medical device manufacturers to increase cybersecurity. Medical device manufacturers must submit a ‘Cybersecurity Bill of Materials’ during premarket reviews to the FDA for review. Device manufacturers must include a list of areas in which the device may be vulnerable within the document. 

This guidance will likely limit attacks on new devices; however, those on the market before its release may remain vulnerable. Although software patches can address some vulnerabilities, some devices have been recalled. 

HIPAA and Cybersecurity

Not sure where to start for your medical device security? HIPAA compliance can help you address your security needs.

Become HIPAA Compliant

Medical Device Security and HIPAA

When examining medical device security standards, one source of confusion is the fact that at least three federal agencies have regulatory oversight over medical devices and applications. The FDA, the Federal Trade Commission (FTC), and the Department of Health and Human Services, through HIPAA, all have regulations and guidelines that apply to medical device security on these devices and apps.

From a HIPAA perspective, the security of connected medical devices comes down to whether patient PHI is protected in a way that meets the HIPAA Privacy Rule and HIPAA Security Rule standards. 

The HIPAA Privacy Rule primarily limits access to PHI via administrative means and access controls. The HIPAA Security Rule focuses on protecting PHI from a technical standpoint, like encryption, firewalls, and patch management.

Steps to Ensure the Security of Connected Medical Devices

  1. Access Controls. Healthcare providers should limit access to medical devices to only those that need access. Users should have unique login credentials, enabling organizations to attribute actions to specific individuals. This ensures that the individual responsible can be easily identified in the event of an insider breach.
  2. Asset Management. Create a list of all medical devices used within your organization, including what operating systems are used and what protections are in place. Note when systems were last updated, and be vigilant about maintaining the software on these devices. This ensures that medical devices are running on current operating systems, limiting the risk of a healthcare breach.
  3. Patch Management. Healthcare organizations with medical devices using outdated operating systems are at risk. It is important to contact device manufacturers for updates and patches when needed. If no security patches are available or if security updates are no longer supported, it’s probably time to upgrade to equipment with proper security control.

HHS Cybersecurity Best Practices

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies