MEDICAL DEVICES: Special Considerations

By Staff Reporters

***

INFORMATION TECHNOLOGY CONSIDERATIONS FOR MEDICAL DEVICES

In 2013, the Food and Drug Administration (FDA) issued its first cybersecurity safety communication, followed in 2014 by final guidance. It struck a reasonable balance between new regulations (almost none) and guidance (in the form of non-binding recommendations).

In 2015, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it recommended that Internet of Things (IoT) devices, which of course include medical and clinical devices, maintain a good security posture. It’s worth noting that the FDA, FTC, and other government regulators are centering on a few key guidelines. The following recommendations come directly from the FTC report.

Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:

  • Conducting a privacy or security risk assessment
  • Minimizing the data they collect and retain
  • Testing their security measures before launching their products
  • Companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
  • Companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.
  • When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
  • Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
  • Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

According to colleague Shahid N. Shah MS, the FTC report and FDA guidelines are remarkably consistent. When thinking of cybersecurity and data privacy, engineers tend to think about authentication, authorization, and encryption. Those are the relatively easy topics. For safety-critical devices, however, things are much more difficult and need to encompass a larger surface of questions, including but not limited to:

  • Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?
  • Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance riders?
  • Patching: How is the firmware, operating system (OS), or application going to be patched by IT staff within hospitals (or the home for remote devices)?
  • Internal Threats: Has the device been designed to circumvent insider (hospital staff, network participants, etc.) threats?
  • External Threats: Has the device been designed to lock down the device from external threats?
  • Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?
  • Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers and free of state-sponsored spying?
  • Application Security: Is the Microsoft Security Development Lifecycle (SDL) or similar software security assurance process integrated into the engineering process?
  • Network Security: Have all network protocols not in use by the device been turned off so that they are not broadcasting?
  • Data Privacy: What data segmentation, logging, and auditing is being done to ensure appropriate data privacy?
  • HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?
  • FISMA Compliance: If you’re selling to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?
  • Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?
  • Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?
  • Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?
  • Password Management: Are passwords hardcoded into the device or made configurable?
  • Configuration Protection: Are configuration files properly check-summed and protected against malicious changes?
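The Configuration Protection item above asks whether configuration files are check-summed. The following added example (not from the page or from Shahid Shah) shows why an unkeyed checksum stored beside the file does not stop a malicious change, while a keyed HMAC whose key is held outside the configuration does; the configuration contents and the device key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample configuration for a hypothetical device (not a real product).
CONFIG = b"telemetry_host=monitor.hospital.example\nalarm_threshold=120\nadmin_locked=true\n"

# Constructed demo key. On a real device this would live in a secure element or
# OS keystore, never in the writable configuration partition itself.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_digest(data: bytes) -> str:
    """Plain checksum: anyone who can write the file can also recompute this."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity tag: recomputing it requires the separately stored key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, stored_digest: str) -> bool:
    return hmac.compare_digest(sha256_digest(data), stored_digest)


def verify_hmac(key: bytes, data: bytes, stored_tag: str) -> bool:
    # compare_digest avoids timing side channels when checking the tag.
    return hmac.compare_digest(hmac_tag(key, data), stored_tag)


def tamper_demo(key: bytes) -> dict:
    """Simulate an edit to the config where the plain checksum is recomputed alongside it."""
    good_tag = hmac_tag(key, CONFIG)
    tampered = CONFIG.replace(b"admin_locked=true", b"admin_locked=false")
    recomputed_digest = sha256_digest(tampered)  # possible without any secret
    return {
        "checksum_accepts_tampered": verify_checksum(tampered, recomputed_digest),
        "hmac_accepts_tampered": verify_hmac(key, tampered, good_tag),
        "hmac_accepts_original": verify_hmac(key, CONFIG, good_tag),
    }


if __name__ == "__main__":
    for check, outcome in tamper_demo(DEVICE_KEY).items():
        print(f"{check}: {outcome}")
```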

ASSESSMENT

It is vital to perform a security assessment on a healthcare practice to understand the environment, identify risks and perform risk mitigation. A one-time security assessment with risk mitigation is not sufficient in 2025. This is a continuous process that needs to be performed religiously to maintain a secure and compliant practice.

COMMENTS APPRECIATED

***

How Secure Is Your Password – Doctor?

Tips on using strong passwords

[Securing yourself from a world of hackers]

By Shahid N. Shah MS

What is at Risk?

Here are some specific tools, gadgets, cloud servers, EHRs and other reasons you should secure your passwords:

  • Fax Server – a fax server allows you to centrally manage all incoming and outgoing faxes. Since most medical practices live on fax, this is one of the fastest investments you can recoup.
  • Shared drives – start using shared drives either using your existing software or you can purchase inexpensive “network disks” for a few hundred dollars to share business forms, online directories, reports, scanned charts, and many other files.
  • Online backups and Internet PACS storage – there are online tools like JungleDisk.com that allow you to store gigabytes of encrypted data into the Internet “cloud” for just a few dollars a month.
  • E-mail (beware of HIPAA, though) – internal office messaging and email is a great place to start. If you haven’t started your office automation journey here you should. If you’re going to use it for patient communications you’ll need to make sure you have patient approvals and appropriate encryption. If you’re on Gmail today and you want to have customers immediately be able to communicate with you on Gmail, that’s generally HIPAA compliant because communications between two Gmail accounts stays within the Google data center and is not sent unencrypted over the Internet.
  • E-Prescribing – e-prescribing is a great place to start your automation journey because it’s a fast way to realize how much slower the digital process is in capturing clinical data. If e-prescribing alone makes you slower in your job, EMRs will likely affect you even more. If you’re productive with e-prescribing then EMRs in general will make you more productive too.
  • Office Online and Google Apps (scheduling, document sharing) – Google and Microsoft® have some very nice online tools for managing contacts (your patients are contacts), scheduling (appointments), dirt simple document management, and getting everyone in the office “on the same page”. Before you jump into full-fledged EMRs see if these basic free tools can do the job for you.
  • Modular clinical groupware – this is a new category of software that allows you to collaborate with colleagues on your most time-consuming or most-needy patients and leave the remainder of them as-is. By automating what’s taking the most of your time you don’t worry about the majority of patients who aren’t.
  • Patient registry and CCR bulletin boards – if you’re just looking for basic patient population management and not detailed office automation then patient registries and CCR databases are a great start. These don’t help with workflow but they do manage patient summaries.
  • Document imaging – scanning and storing your paper documents is something that affects everyone; all scanners come with some basic imaging software that you can use for free. Once you’re good at scanning and paper digitization you can move to “medical grade” document managements that can improve productivity even more.

EHRs

  • Clinical content repository (CMS) – open source systems like DrupalModules.com and Joomla.org do a great job of content management and they can be adapted to do clinical content management.
  • Electronic lab reporting – if labs are taking up most of your time, you can automate that pretty easily with web-based lab reporting systems.
  • Electronic transcription – if clinical note taking is taking most of your time, you can automate that by using electronic transcribing.
  • Speech recognition – another “point solution” to helping with capturing clinical notes; you can get a system up and running for under $250.
  • Instant Messaging (IM) – IM gives you the ability to connect directly with multiple rooms within your office using free software; if you want, you can also connect with patients and other physicians during work hours.

How to avoid the most common and dangerous passwords?

***

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com
