Contact Manufacturer When Medical Device Is Compromised
The response plan for a compromised medical device should include contacting the device manufacturer, advises Richard Sheinis, JD, partner with Hall Booth Smith in Charlotte, NC.
Check if any security updates or patches were missed, and know what type of patient data are collected, stored, or transmitted by each device, he says. Review any logs maintained by the device to determine if it was accessed by an unknown IP address.
Follow the connectivity of the device to other components of the computer network to find out if other components were accessed through the device. Take the device offline and disconnect from the patient if safe to do so.
Maintain the device for a subsequent forensic review. Check other devices to determine if they have been compromised as well.
“Consider taking all such devices offline until they can be assessed for security vulnerabilities. This might not be possible for all devices, such as implanted devices,” Sheinis says. “Have an inventory of medical devices and know the clinical impacts of security incidents that affect the different devices. Have substitute or backup devices available to replace the compromised device and any other devices taken offline.”
Before acting, always know the effect on patient safety for each of these actions.
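As an added example (not from the article or its source), the following Python helper works through the response steps above: it checks each inventoried device for a missed manufacturer patch, scans the device access log for source addresses outside the approved clinical network ranges, and recommends containment only where the inventory marks the device as safe to take offline. The inventory, address ranges and log lines are constructed sample data.

```python
import ipaddress
import re
# Constructed inventory: installed firmware, latest manufacturer release, clinical impact, safe-to-offline flag.
INVENTORY = {
    "pump-07": {"installed": "3.1.0", "latest": "3.1.2", "impact": "infusion interruption", "safe_offline": True},
    "icd-22": {"installed": "5.4.1", "latest": "5.4.1", "impact": "implanted; cannot go offline", "safe_offline": False},
    "ct-03": {"installed": "2.0.9", "latest": "2.1.0", "impact": "imaging delay", "safe_offline": True},
}
# Constructed: ranges from which device access is expected (clinical VLANs).
APPROVED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]
# Constructed device access log in the form "<timestamp> <device> ACCESS from <ip>".
LOG = """\
2024-03-01T08:02:11 pump-07 ACCESS from 10.20.4.15
2024-03-01T08:05:40 pump-07 ACCESS from 203.0.113.77
2024-03-01T09:10:02 ct-03 ACCESS from 192.168.50.9
2024-03-01T09:12:45 icd-22 ACCESS from 198.51.100.5
"""
LINE_RE = re.compile(r"^(\S+) (\S+) ACCESS from (\S+)$")

def version_tuple(v):
    """'3.1.2' -> (3, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def unknown_sources(log_text, approved=APPROVED_NETS):
    """Map device id -> sorted source IPs that fall outside the approved ranges."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not access records
        _, dev, ip_text = m.groups()
        if not any(ipaddress.ip_address(ip_text) in net for net in approved):
            hits.setdefault(dev, set()).add(ip_text)
    return {d: sorted(v) for d, v in hits.items()}

def triage(inventory=INVENTORY, log_text=LOG):
    """Per device: missed patch, unknown access sources, and a containment action."""
    unknown = unknown_sources(log_text)
    report = {}
    for dev, info in inventory.items():
        ips = unknown.get(dev, [])
        if not ips:
            action = "no unknown access; verify patch level"
        elif info["safe_offline"]:
            action = "isolate, preserve for forensics, contact manufacturer"
        else:  # e.g. an implanted device cannot simply be disconnected
            action = "keep online; monitor, contact manufacturer, plan safe swap"
        report[dev] = {"missed_patch": version_tuple(info["installed"]) < version_tuple(info["latest"]),
                       "unknown_ips": ips, "impact": info["impact"], "action": action}
    return report
```

Devices flagged with both a missed patch and unknown access are the first candidates for the forensic review the article calls for; the clinical impact field keeps the patient-safety question in front of whoever decides on isolation.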
The security of medical devices should be addressed from the time the medical provider contracts to purchase the device, Sheinis says. Obtain information from the manufacturer regarding the security of the device, such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2). The contract should address which party is responsible for maintaining and updating the device’s security.
“If a security patch is issued, which party is responsible for applying the patch in a timely manner? Does the manufacturer have cybersecurity practices in place to prevent unauthorized access to the device?” Sheinis asks. “Does the manufacturer update the security of the device, including software changes?”
A medical device is an endpoint on the computer network, much like a laptop, Sheinis notes. Endpoint monitoring should include medical devices (when possible), and medical devices should be included when the medical provider conducts vulnerability testing. Cybersecurity vulnerabilities have been found in wireless telemetry, insulin pumps, imaging devices, implantable cardiac devices, and infusion systems, he says.
SOURCE
- Richard Sheinis, JD, Partner, Hall Booth Smith, Charlotte, NC. Phone: (980) 859-0381. Email: [email protected].