Medical Device Cyber Security
Medical device cyber security should be at the top of the list for healthcare managers who want to protect patient privacy and ensure patient safety. As more and more medical devices are connected to the internet, the risk of security breaches or hacks that could impact the safety and effectiveness of vital equipment continues to rise.
CE-Tech is here to help you reduce the cyber threat on medical devices in this complex and challenging healthcare environment. We can help you get started in implementing a plan or provide à la carte services based on your specific needs. If you need feet on the ground or just a review of your program, we can do that too. Our team is well versed in medical device cyber security and has worked from the ground up in developing one of the most robust security plans in the industry.
Our background working with IT, legal, compliance, privacy, risk management and others is invaluable. We also collaborate directly with OEMs and other vendors to ensure the safety of the patients, equipment, the facility’s reputation, and financial status. We follow strict guidelines and standards specific to the medical device industry. Below are just a few areas of expertise we offer relative to medical device security.
Destroying electronic protected health information (ePHI) once it is no longer needed is essential for a security program. We can help hospitals follow federal guidelines for media sanitization and meet NIST SP 800-88 standards.
We can validate the documentation and destruction of ePHI on medical devices, whether it resides on a hard drive, on a thumb drive or in embedded memory.
HIPAA compliance requires that hospitals report lost or stolen ePHI; however, many facilities do not know when medical devices enter and exit the building, nor do they know which contain ePHI.
As in medical equipment management, the first step in a quality security program is having extensive knowledge of your inventory. Do you know what devices store, receive or transmit ePHI and have documentation of the critical data elements (MAC, IP, OS, etc.) associated with each device?
We can provide oversight or onsite technicians to perform inventory, collect IT data and perform risk assessments based on our MDIT risk scoring criteria.
In most cases, information security is not securing medical devices, but instead, is securing the perimeter around the medical devices. Our team can help you avoid any confusion between the two and assist in developing strategies to monitor this activity.
Security of networked devices requires knowledge of network information such as MAC address, IP address, and other software information such as operating system or software revision.
Gathering this data and documenting it in a format that can be used is laborious, at best. It takes individuals with a specific skillset and knowledge to do it right the first time. Our team has spent countless hours performing this very task.
They know what they are looking for and how to document it effectively. Medical devices are not computers, but most have computer-like characteristics. Our Clinical Engineering team identifies a complete inventory to determine the unique properties of medical devices, which is ultimately used to secure the devices.
HIPAA compliance requires a medical device security risk analysis. Conducting a risk analysis can significantly reduce fines in the event of a breach. These analyses help identify vulnerabilities in medical systems which can be remediated or controlled. A complete risk assessment gives you a clear picture of the probability and severity of a security breach in each device on your high-risk list.
Through our Medical Device Cyber Security Program, each medical device has its own patch management plan.
We identify vulnerabilities, prioritize patches, and then execute the patching program.
Our Clinical Engineering IT team works with manufacturers to identify software security patches that can fix vulnerabilities well before they become problems.
It’s important to know what to put into your Policies & Procedures. We stay up to date on the requirements and regulations and can help facilities meet them.
Don’t start from scratch; this is a time- and resource-consuming job. We have templates for adoption and recommendations relative to P&P development.