Medical devices are easy targets and are used as entry points into networks
Misconfigured, network-connected medical devices that become infected with
malware may be unable to properly perform their clinical
function. This, in turn, could lead to a patient safety concern.
Because we can
Cybersecurity triad – Confidentiality – Integrity – Availability
Need to understand the impact of each of these as applied to medical device security and patient safety
A framework or methodology is necessary to identify and address vulnerabilities and ensure the secure
operation of medical devices
Threat modeling for medical devices will help in developing a security strategy
Incident response plans need to address medical device breaches.
Multi-disciplinary team approach recommended – physician / practitioner, Biomed, IT, cybersecurity
Evaluate your environment
Do you know where your medical devices are? What are the vulnerabilities?
What compensating controls are applied?
Do you know who makes decisions when a medical device is compromised? Is a
multidisciplinary team involved in risk decisions regarding medical devices that
are hacked or malware-infected?
Are medical devices addressed in your Incident Response Plan?
Solid methodology or framework needed to secure medical devices
Governance to ensure risk decisions are being made at the appropriate
level and by the appropriate party in the organization - include
Malware-infected medical diagnostic device –
Could impact Confidentiality, Integrity and / or Availability
ANY of these COULD impact patient safety
Used in diagnosis and treatment decisions by physician
Neurology Department uses embedded medical application (running on
Windows OS) to monitor patients' seizure activity
Data integrity could be an issue
Safety of patient diagnosis / treatment decisions
Decision – leave it up or shut it down?
Risk assessment – patient safety paramount
Patient Safety Considerations:
Confidentiality – breach of patient information,
HIPAA regulatory and liability (civil and
Integrity - data used to make treatment
decisions – patient safety
Availability – outage creates critical gap in
patient monitoring or treatment – patient safety