Managing Technology: Medical Device Security



200,000 Systems Shut Down by Ransomware Attack

In May 2017, a hacking tool was used to access 200,000 Windows systems in hospitals. The hack affected a Bayer Medrad medical device that improves medical imaging for radiology equipment. The device delivers a contrast agent to patients receiving MRI scans, to facilitate the detection of strokes, brain trauma, tumors, etc.

The coordinated attack made the device unusable for a period of time, until Bayer sent out a Microsoft patch to remedy the problem. Although the ransomware attack did not directly affect patient health, it delayed care to patients. Poor medical device security can cause serious problems. Devices such as blood glucose monitors, heart monitors, COPD inhalers for medical conditions, or a heart rate variability monitor for stress and other behavioral issues, can all be connected to the internet, making them vulnerable to cyberattacks.

Medical Device Security and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996 requires organizations working in healthcare, including behavioral health practices, to have safeguards in place securing protected health information (PHI). To adequately safeguard PHI, medical device security is imperative. Many medical devices connect to healthcare networks, posing a cybersecurity risk.

As such, the Food and Drug Administration (FDA) recently released guidance for medical device manufacturers to strengthen cybersecurity. The FDA requires medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ during premarket reviews. Within the document, manufacturers must include a list of areas in which the device may be vulnerable.

Although this may limit attacks on new devices, devices released to market before the new guidance continue to be vulnerable. Some of the vulnerabilities can be addressed by software patches; however, it may be necessary to recall some older devices.

This is Part X of the XI-part blog series. You can also read Parts I to IX below:

Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the tenth of which is medical device security. (Each one of these XI HIPAA outlined practices will be examined in its own article, labeled Part I-XI for your convenience.)