Modern and legacy medical devices improve the health and care of patients, but they come with growing security risks as devices are increasingly wireless and connected to the Internet, hospital networks and other devices. Outdated software and a lack of awareness have made medical device security a prominent area needing action and attention.
Our Medical Device Assessment and Program Development experts carry out planning, process and procedure development exercises that highlight the steps necessary to assess and secure your connected medical devices through appropriate safeguards.
Our approach to medical device security provides the structure and education to help clients to:
- Convene an interdepartmental governance group (IT, Biomed, Facilities/Physical Security, Nursing, CMO’s office, other Client functional areas as required).
- Form an interdepartmental group responsible for leading the planning, administrative management and implementation of the Client’s medical device security program.
- Review, revise or create policies and procedures to govern medical device security.
- Adapt NIST Cybersecurity or HITRUST CSF to create a Medical Device Security Risk Analysis framework.
- Apply Probability and Impact Rating System (PAIRS) to identify criticality and prioritize current risks.
- Carry out Physical and Technical Testing:
  - Perform a walkthrough of one or two physical areas to observe medical device utilization and the physical security environment.
  - Perform a vulnerability scan of a small subset (1-5 devices) of medical devices in a “safe zone” VLAN. Document findings and remediation recommendations, including Common Vulnerability Scoring System (CVSS) ratings.
- Review medical device security management program incorporating learnings from technical security scan and physical security assessment.
- Provide recommendations for overall program redesign as well as policy and procedure revisions/enhancements to optimize for future expansion.
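The two technical steps above, prioritizing risks by probability and impact and documenting scan findings with CVSS ratings, are illustrated by the following added example. It is not the page's own tooling and does not implement PAIRS, whose scoring details the page does not give; the likelihood and impact weights, the device criticality classes and the sample findings are constructed assumptions. The CVSS severity bands are the qualitative ratings defined in the CVSS v3 specification. A small scope check is included so that only targets inside the agreed "safe zone" VLAN are ever passed to a scanner.

```python
"""Rank medical-device scan findings for remediation.

Added example (not the page's or any vendor's code).  The weights below are
constructed assumptions for a generic likelihood x impact rating and are NOT
the PAIRS methodology named on the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed likelihood weight per severity band (constructed, not PAIRS).
LIKELIHOOD = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Assumed impact weight per device criticality class (constructed).
IMPACT = {
    "life-sustaining": 5,
    "therapeutic": 4,
    "diagnostic": 3,
    "monitoring": 2,
    "administrative": 1,
}


@dataclass(frozen=True)
class Finding:
    device: str        # asset tag or hostname from the biomed inventory
    criticality: str   # one of the IMPACT classes
    cvss: float        # CVSS v3 base score recorded for the finding
    summary: str       # short description for the remediation report


def risk_rating(f: Finding) -> int:
    """Likelihood (from CVSS band) times impact (from device criticality)."""
    return LIKELIHOOD[cvss_severity(f.cvss)] * IMPACT[f.criticality]


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by raw CVSS, then device name."""
    return sorted(findings, key=lambda f: (-risk_rating(f), -f.cvss, f.device))


def out_of_scope(targets: Iterable[str], safe_zone_cidr: str) -> List[str]:
    """Return targets that are NOT inside the agreed safe-zone VLAN.

    Anything returned here must be dropped before a scanner is pointed at it;
    the scan is limited to the small subset of devices agreed with the client.
    """
    zone = ipaddress.ip_network(safe_zone_cidr, strict=False)
    return [t for t in targets if ipaddress.ip_address(t) not in zone]


# Constructed sample findings, as a scan report might be transcribed.
SAMPLE_FINDINGS = [
    Finding("infusion-pump-03", "life-sustaining", 9.8, "unauthenticated remote config service"),
    Finding("patient-monitor-12", "monitoring", 7.5, "outdated embedded web server"),
    Finding("ct-workstation-01", "diagnostic", 8.1, "unsupported operating system"),
    Finding("badge-printer-02", "administrative", 5.3, "default SNMP community string"),
    Finding("ventilator-07", "life-sustaining", 6.5, "cleartext maintenance protocol"),
]


def remediation_plan(findings: Iterable[Finding] = SAMPLE_FINDINGS) -> List[Tuple[str, str, int]]:
    """(device, CVSS severity band, risk rating) in remediation order."""
    return [(f.device, cvss_severity(f.cvss), risk_rating(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    for device, band, rating in remediation_plan():
        print(f"{rating:>3}  {band:<8}  {device}")
```

The rating deliberately separates the scan's CVSS score (how exploitable the weakness is) from the device's clinical role (what it would cost the patient), so a medium-scored flaw on a ventilator outranks a high-scored flaw on a badge printer; that is the prioritization the report should make visible to the governance group.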