Corporate Compliance Insights
Cybersecurity Compliance in Medical Devices and the Effect on Patient Safety

Ensuring Data Privacy and Patient Safety Amid Growing Cyber Risk

by Vidya Murthy
May 20, 2019
in Data Privacy, Featured
Medical devices have been entering hospitals at light speed, which brings up the question of cybersecurity and how providers can maintain safe treatment. Vidya Murthy explores how regulatory actions have impacted medical device cybersecurity and, in turn, patient safety.

The health care industry is a complex web of payers, providers, medical device manufacturers, third-party vendors and, most importantly, patients. Over the last decade, technology has played a central role in advancing quality of care, creating new delivery mediums and changing access for patients, in large part due to the development of new medical devices. The less discussed shift has been viewing cybersecurity as a HIPAA compliance mitigation instead of a patient safety enabler.

Location of Care Delivery

The average hospital bed has 10 to 15 devices connected to it. The American Hospital Association estimates there are about 900,000 hospital beds in 2019, which means there are at least 9,000,000 devices inside U.S. hospitals.

Shifting care beyond health care delivery organizations (HDOs) has increased the ability to treat remote geographies and populations that otherwise couldn’t access an HDO on an ongoing basis. These changes have been great for patients and providers, enabling ongoing monitoring of patients even when they’re not in the HDO. But it also means that some connected devices operate outside of the secured and monitored HDO network while sending data back to providers within the HDO network. The introduction of these connection points also serves as the introduction of additional threat vectors that need to be managed.

HIPAA Breaches and Patient Safety

Frequently perceived as the regulatory burden for HDOs, device vendors and clinicians, HIPAA has had an indelible impact on our health care system. An average of 35 HIPAA violation complaints are made on a daily basis with estimates that 59 percent of the U.S. population has had its health records breached/exposed. Since the compliance date of April 2003, the challenge of complying with the HIPAA rule has persisted.

Beyond the commonly cited identity theft and financial exploitation that follow a HIPAA breach, a 0.04 percent increase in mortality rates was observed for patients in facilities with a historic breach, even where the HDO had restored operations and enhanced its security controls after the cyberattack. Strikingly, this is equal in magnitude to the 0.04 percent improvement in patient outcomes attributable to enhanced treatments.

Cybersecurity and Patient Safety

The introduction of connected medical devices not only expands the scope of HIPAA management, but also introduces patient safety considerations. What if a glucose meter is manipulated and the attached insulin pump provides an injection that a patient doesn’t need? What if a critical calculation in radiation therapy is manipulated? Even the television show “Homeland” showed a pacemaker vulnerability exploited in an assassination, but this is not the common scenario HDOs and patients face.

The more probable attack using a medical device focuses on a hacker gaining control of an HDO and distributing ransomware. For example, a hacker may compromise an HDO’s network, inhibiting its ability to update electronic health records and use devices that rely on connectivity for delivering care (such as devices used in radiation oncology and sophisticated surgical robots).

While a possible solution may be to revert to pencil and paper during a ransomware attack and delay any elective procedures, delayed capabilities can also result in a re-routing of patients who have emergent needs. Research shows a 13.3 percent higher mortality rate for patients experiencing a cardiac arrest who received a delay in care of four minutes. When applying this finding to a delay in care due to a network takeover by hackers, one can imagine an increase in mortality rates far greater than 13.3 percent.

Regulatory Requirements – Today and Looking Forward

We have heard the FDA rejects drugs, but what may be less obvious is that the FDA has regulatory oversight of the cybersecurity requirements for medical devices.

Since issuing its first guidance document in January 2005, the FDA has actively worked to build a collaborative community that includes clinicians, hackers, device manufacturers and HDOs. Most recently, the Premarket and Postmarket Management of Cybersecurity in Medical Devices guidance documents have created a clear roadmap and set of goals for the industry to work toward.

PreMarket Guidance

While this guidance is noted to still be in draft mode since it was released in October 2018, there are a few areas of focus that it will endorse once finalized (expected sometime in 2020):

  • Devices should make extensive use of encryption to keep data private
  • Digital signatures should be used to verify authenticity of devices, data and instructions
  • Devices should be designed in a way that anticipates regular, routine cybersecurity patches
  • User authentication needs to be secure and robust
  • Devices should be able to alert users when a cybersecurity breach occurs
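The second and fourth items above (digital signatures over instructions, robust authentication) are the controls that address the manipulated-instruction scenario discussed earlier, where a pump acts on a dose it was never legitimately told to deliver. The following Go program is an added illustration of how a device can enforce those items; it is not code from the article, from MedCrypt or from any real device, and the message format, the `Pump` and `Command` types and the dose limit are all assumptions made for the example. The device holds the controller's Ed25519 public key, provisioned at manufacture, and accepts a command only if the signature verifies, the sequence number is newer than the last accepted one (so a captured, validly signed command cannot be replayed) and the dose is within a hard safety limit that applies even to correctly signed instructions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is the assumed wire format a pump receives from its controller:
// a monotonically increasing sequence number, the dose in tenths of a unit,
// and an Ed25519 signature over the encoded (Seq, Dose) pair.
type Command struct {
	Seq  uint64
	Dose uint32 // tenths of a unit (constructed unit for this example)
	Sig  []byte
}

// Pump models the device side: the controller's public key provisioned at
// manufacture, the last accepted sequence number, and a hard dose ceiling
// that is enforced regardless of who signed the command.
type Pump struct {
	ControllerPub ed25519.PublicKey
	LastSeq       uint64
	MaxDose       uint32
}

var (
	ErrBadSignature = errors.New("signature does not verify against the controller key")
	ErrReplay       = errors.New("sequence number is not newer than the last accepted command")
	ErrDoseLimit    = errors.New("dose exceeds the device's hard safety limit")
)

// encode produces the exact bytes that are signed and verified, so any change
// to Seq or Dose after signing invalidates the signature.
func encode(seq uint64, dose uint32) []byte {
	buf := make([]byte, 12)
	binary.BigEndian.PutUint64(buf[0:8], seq)
	binary.BigEndian.PutUint32(buf[8:12], dose)
	return buf
}

// NewControllerKeys generates a fresh controller key pair. In a real deployment
// the private key never leaves the controller and the public key is provisioned
// into the device during manufacture.
func NewControllerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// Sign is the controller side: it signs the encoded instruction.
func Sign(priv ed25519.PrivateKey, seq uint64, dose uint32) Command {
	return Command{Seq: seq, Dose: dose, Sig: ed25519.Sign(priv, encode(seq, dose))}
}

// Accept is the device side. The signature is checked first so that unsigned
// or tampered input can never influence device state; the replay check uses
// only state updated after a successful verification; the dose limit is a
// safety bound that holds even if the controller itself is compromised.
func (p *Pump) Accept(c Command) error {
	if !ed25519.Verify(p.ControllerPub, encode(c.Seq, c.Dose), c.Sig) {
		return ErrBadSignature
	}
	if c.Seq <= p.LastSeq {
		return ErrReplay
	}
	if c.Dose > p.MaxDose {
		return ErrDoseLimit
	}
	p.LastSeq = c.Seq
	return nil
}

func main() {
	pub, priv := NewControllerKeys()
	pump := &Pump{ControllerPub: pub, MaxDose: 200}

	good := Sign(priv, 1, 50)
	fmt.Println("legitimate command:", pump.Accept(good)) // <nil>

	tampered := Sign(priv, 2, 50)
	tampered.Dose = 150 // dose altered in transit after signing
	fmt.Println("tampered command:  ", pump.Accept(tampered)) // ErrBadSignature

	fmt.Println("replayed command:  ", pump.Accept(good)) // ErrReplay

	fmt.Println("over-limit command:", pump.Accept(Sign(priv, 3, 500))) // ErrDoseLimit
}
```

The order of the checks matters: verifying the signature before touching any state means a flood of forged commands cannot advance the sequence counter or otherwise alter the device, and keeping the dose ceiling as an independent check means a stolen controller key still cannot push the device past its engineered safety bound.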

PostMarket Guidance

Released in 2016, this guidance includes a combination of process and procedural requirements for both medical device manufacturers (MDMs) and HDOs – mainly the following:

  • Understanding, assessing and monitoring vulnerabilities and risks
  • Robust software life cycle processes that include a process for ongoing updates and patches
  • Threat modeling cybersecurity risks around a medical device
  • Participating in a coordinated vulnerability disclosure policy

The FDA has made it clear that MDMs and HDOs must collaborate to successfully build a robust security program. A sample device design process has been diagrammed to better understand the requirements:

Going Forward

As a compliance practitioner, you are likely skeptical of complicated requirements that are met with the response of “we did it ourselves.” Medical device cybersecurity requires technical and procedural actions by multiple parts of the ecosystem. Leveraging tools as part of an overall security strategy will create scalable and sustainable security.

For products under development, the importance of medical devices being designed with cybersecurity requirements is self-evident. Without these requirements being demonstrated, devices will not receive regulatory blessing.

Those devices that are on the market and still supported by device vendors will stand to gain market share by demonstrating a commitment to implementing cybersecurity requirements. Not for the sake of compliance, but for the patient safety implications of having a robust program in place.

Key stakeholders from the public and private sectors, including HDOs, medical device vendors, federal agencies and health care IT vendors, collaborated to create the Joint Security Plan, a product life cycle reference guide intended to unite the community around best practices.


Tags: Health Care, HIPAA, Ransomware
Vidya Murthy

Vidya Murthy is Vice President of Operations at MedCrypt, a medical device cybersecurity company that helps medical device vendors ensure their products are compliant with the newly-released premarket FDA cybersecurity guidance.

© 2025 Corporate Compliance Insights