What Healthcare Organizations Need to Know About Medical Device Cybersecurity
Every medical device connected to your network becomes part of your HIPAA Security story. The infusion pump in the ICU. The imaging system in a dentist’s office. The portable ultrasound machine that moves from exam room to exam room. These devices are clinical tools, but they are also data endpoints that capture, store, and transmit electronic protected health information (ePHI). Any device that can store, access, transmit, or receive ePHI is a connected endpoint that belongs inside your HIPAA Security strategy.
This post covers what healthcare organizations need to know about medical device cybersecurity, including:
- Where cybersecurity risks live
- What the HIPAA Security Rule requires
- How to safeguard data on medical devices throughout the lifecycle
- How continuous monitoring can transform your security posture
Cybersecurity Threats and Unauthorized Remote Access to Medical Devices
A medical device is any tool, machine, software, or material created by a manufacturer to be used on its own or with other products for a medical purpose. The World Health Organization (WHO) has determined that there are more than 2 million types of medical devices.
Common Medical Devices:
- Digital X-ray and imaging systems (primary care, dental, orthopedic, urgent care)
- Ultrasound machines (primary care, OB/GYN, urgent care, community health centers)
- Intraoral cameras (dental offices)
- Electronic blood pressure monitors and vital signs stations (primary care, urgent care, community health centers)
- Infusion and IV pumps (infusion centers, home health, outpatient oncology)
- Pulse oximeters and patient monitoring devices (primary care, urgent care, surgical centers)
- Portable EKG/ECG machines (primary care, cardiology, community clinics)
- Glucometers and continuous glucose monitors (CGMs) (primary care, endocrinology, diabetes care centers)
- Digital otoscopes and ophthalmoscopes (primary care, pediatrics, ENT)
Newer devices are increasingly network- or internet-connected and exchange data with the rest of your systems. That connectivity introduces vulnerabilities at every stage of the device lifecycle, from installation through retirement, that need to be monitored and evaluated.
Devices found in exam rooms, dental suites, infusion centers, and imaging departments enable remote monitoring and better data integration, transforming how care is delivered, and they are increasingly networked to the organization’s entire data environment. Many of them also have weak security controls, which makes them attractive targets. Each networked device is another entry point: an attacker who compromises one can use it to reach patient data systems such as electronic health records and billing.
Common vulnerabilities that allow bad actors to move laterally into patient data systems include:
- Default or unchanged credentials that were never updated after installation.
- Forgotten service accounts: orphaned credentials (login names, passwords, account keys, etc.) created for installation or vendor support that remain valid long after anyone is tracking them.
- Unpatched firmware that manufacturers have issued fixes for, but devices never received.
- Unsegmented networks where a compromised device has unrestricted access to connected systems.
- Weak or absent authentication controls that allow unauthorized users to interact with devices directly or remotely.
- Legacy devices running outdated operating systems that are no longer supported by security updates.
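A concrete illustration of the unsegmented-network point above, and of the kind of continuous monitoring that catches it, as an added example that is not part of the original post: a small Python script that checks accepted network flows from device subnets against an allow list of the servers each device class legitimately needs. The subnets, server addresses, ports, and flow-log lines are constructed assumptions for the example, not a vendor’s actual requirements.

```python
"""Allow-list check of network flows from medical-device subnets.

Added example for this article (not the author's or any vendor's code).
The device subnets, server addresses, ports and the flow-log lines are
constructed assumptions so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory of device subnets. A real deployment would load this
# from the asset register used for the security risk analysis.
DEVICE_SUBNETS = {
    ipaddress.ip_network("10.20.1.0/24"): "imaging modalities",
    ipaddress.ip_network("10.20.2.0/24"): "infusion pumps",
    ipaddress.ip_network("10.20.3.0/24"): "vital-signs stations",
}

# What each device class is expected to reach: (subnet, dst host, dst port).
# Ports are illustrative (11112 is a common DICOM port; 443 is HTTPS).
ALLOWED_FLOWS = {
    ("10.20.1.0/24", "10.50.0.10", 11112),  # modalities -> PACS (DICOM)
    ("10.20.2.0/24", "10.50.0.20", 443),    # pumps -> drug-library server
    ("10.20.3.0/24", "10.50.0.30", 443),    # vitals stations -> monitoring gateway
}

# Hosts that hold ePHI; a device talking to these outside the allow list is
# the lateral-movement pattern described in the article.
EPHI_SYSTEMS = {
    "10.50.0.10": "PACS",
    "10.50.0.20": "pump server",
    "10.60.0.5": "EHR database",
    "10.60.0.6": "billing system",
}

# Constructed firewall flow log: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_FLOWS = """\
2024-03-01T08:00:01,10.20.1.15,10.50.0.10,11112,ACCEPT
2024-03-01T08:00:05,10.20.2.7,10.50.0.20,443,ACCEPT
2024-03-01T08:01:10,10.20.1.15,10.60.0.5,1433,ACCEPT
2024-03-01T08:02:30,10.20.2.7,10.60.0.6,445,ACCEPT
2024-03-01T08:03:00,10.20.3.4,10.50.0.30,443,ACCEPT
2024-03-01T08:03:15,10.20.3.4,10.60.0.5,1433,DROP
2024-03-01T08:04:00,10.70.0.9,10.60.0.5,1433,ACCEPT
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    device_class: str
    dst: str
    port: int
    reason: str


def device_class(src):
    """Return the device class for a source address, or None if it is not a device."""
    addr = ipaddress.ip_address(src)
    for subnet, name in DEVICE_SUBNETS.items():
        if addr in subnet:
            return name
    return None


def is_allowed(src, dst, port):
    """True if this flow is on the allow list for the source's subnet."""
    addr = ipaddress.ip_address(src)
    return any(
        addr in ipaddress.ip_network(subnet) and dst == a_dst and port == a_port
        for subnet, a_dst, a_port in ALLOWED_FLOWS
    )


def audit(lines):
    """Flag accepted flows from device subnets that are not on the allow list."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, action = line.split(",")
        port = int(port)
        cls = device_class(src)
        if cls is None or action != "ACCEPT" or is_allowed(src, dst, port):
            continue  # not a device, already blocked, or expected traffic
        target = EPHI_SYSTEMS.get(dst, "unclassified host")
        findings.append(Finding(ts, src, cls, dst, port,
                                f"{cls} reached {target} on port {port} outside allow list"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port}: {f.reason}")
```

On the constructed log the script reports two findings: an imaging modality reaching the EHR database on a SQL port, and an infusion pump reaching the billing system over SMB. The dropped flow and the non-device source are ignored. The same allow list, expressed as firewall rules between the device VLANs and the server VLANs, is what segmentation means in practice; the audit is the detective control that tells you when the preventive one is missing or misconfigured.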
The harm when device and network security are breached is significant to overall healthcare operations and can also result in a HIPAA violation, as Northeast Radiology, P.C., which operates imaging centers in New York and Connecticut, experienced.
In March 2020, Northeast Radiology submitted a breach report after discovering that unauthorized individuals had accessed radiology images stored on the organization’s Picture Archiving and Communication System (PACS) server. A PACS is the system that stores, retrieves, and manages medical images such as X-rays, CT scans, and MRIs. The breach of unsecured ePHI went undetected between April 2019 and March 2020, a gap that a comprehensive security risk analysis (SRA) and a security monitoring program might have closed. The Office for Civil Rights (OCR) investigation found that Northeast Radiology had failed to perform a comprehensive SRA of the information systems it relied on to collect, store, and access ePHI. Ultimately, about 300,000 patients were notified, and the matter resulted in a $350,000 penalty, a corrective action plan, and two years of OCR monitoring.
Why Medical Devices Belong in Your Security Risk Assessment
Medical devices now offer wireless and network connectivity, cloud-based services, and artificial intelligence (AI), all of which make it easy to move device-generated health information between systems. That convenience has also expanded the number of vulnerabilities. For this reason, integrating devices into a risk management program and committing to annual SRAs are paths to a security infrastructure that protects data and strengthens business operations.
The HIPAA Security Rule specifically requires that any electronic system that collects, stores, processes, or transmits ePHI be safeguarded to protect that sensitive data.
Put simply, adequate security measures must be implemented throughout organizational workflows to protect ePHI from unauthorized access. When HIPAA safeguards are implemented, they take the following forms:
- Administrative Safeguards: workforce training, consistent risk assessments, policies and procedures regarding the lifecycle of the device
- Physical Safeguards: storing devices in secure locations, a repurposing and disposal policy
- Technical Safeguards: access controls, maintaining software/device updates, encryption
Oftentimes, medical devices are absent from compliance conversations. This can be because they are managed by various departments rather than a central IT function, by staff outside the healthcare organization, or by the manufacturer. As a result, these devices can miss updates, be overlooked in security assessments, and serve as back-door entry points for bad actors, leading to costly data breaches. Understanding where the exposure lives and what is at stake when it goes unaddressed is a key factor in a strong security strategy.
Adding an assessment of medical device cybersecurity controls to your annual SRA helps ensure these devices are appropriately evaluated and supports a more comprehensive approach to HIPAA compliance. Risk management of medical devices includes analyzing, evaluating, and monitoring where ePHI lives and how it moves through your workflow. Every connected medical device in your organization should be assessed, and you will want to review:
- What data is stored or transmitted on this device?
- Who can access that data?
- Does it have authentication controls?
- Is the firmware current?
- What happens if the data on this device is compromised?
- Is there a risk management plan for the medical device?
- Has the workforce that uses the device been trained on security policies?
Proper Disposal of Medical Devices Containing ePHI
Lifecycle management for medical devices includes planning how the information on a device will be handled when that equipment is powered down for the last time. Retiring and disposing of a device is as much a compliance responsibility as configuring its access controls correctly.
The data carried on a medical device does not automatically leave when the device is retired or disposed of.
Imaging systems hold patient scan files, infusion pumps can store treatment records, and glucometers can retain patient identifiers. Medical devices that have stored, transmitted, or processed ePHI must have an exit plan to prevent exposure of that sensitive health information. Without a deliberate, well-thought-out disposal policy in place when a medical device leaves your facility, its information could be exposed.
Proper disposal is mandated by the Security Rule under 45 CFR 164.310(d), which requires covered entities to implement policies and procedures for the disposal of ePHI and the hardware on which it resides.
What Secure Disposal Looks Like
While there is no single method that can fit every device, there are clear standards for the secure destruction and disposal of ePHI and devices. Notable methods include:
- Data wiping as outlined by NIST: The National Institute of Standards and Technology (NIST, https://www.nist.gov/) is a globally recognized leader in cybersecurity frameworks, guidelines, and standards. Its Special Publication 800-88, Guidelines for Media Sanitization, defines three levels of sanitization (Clear, Purge, and Destroy) matched to the sensitivity of the data and the type of media, and it expects each sanitization to be verified and documented. Devices should be wiped according to those guidelines rather than by a factory reset alone, which may leave data recoverable.
- Degaussing: exposes magnetic storage media to a strong magnetic field, permanently erasing the data and leaving it unreadable and unrecoverable. Degaussing works on hard disk drives, magnetic tapes, and legacy imaging-system storage (and usually renders a modern hard drive unusable, because the servo tracks are erased too), but it has no effect on flash-based or solid-state drives (SSDs), which must be sanitized with the drive’s built-in secure erase or sanitize command, cryptographic erase, or physical destruction.
- Physical Destruction: For devices where wiping isn’t technically feasible, rendering the device and its storage media permanently inoperable by shredding, crushing, or disintegration is the most definitive method available. It is the right choice for equipment at the end of its lifecycle, for damaged devices, and for storage that cannot be wiped by other means.
- Certified Destruction Vendors: specialize in the secure, documented disposal of devices and storage media that contain sensitive data. They offer on-site or off-site destruction services, chain-of-custody tracking from pickup to destruction, and a certificate of completion. Many vendors also offer serialized asset tracking, ensuring that every device is accounted for and destroyed, which is beneficial when there is a lot of retired equipment to dispose of. When physical destruction is performed by a certified vendor, it comes with documentation for your compliance records.
Learn more about HIPAA medical documentation destruction in our last article!
Documentation Is Part of the Requirement
HIPAA requires your organization to have a policy and procedure documenting how medical equipment is disposed of, and the resulting disposal records become part of your compliance records. If your organization ever faces an investigation, this documentation demonstrates that your compliance program exists and is maintained.
Any device that is retired should have asset tracking information logged, such as:
- What type of device
- The location from which it was removed
- When it was decommissioned
- What method was used to sanitize the data
- Or if it was destroyed, who carried out the destruction process
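The verification step behind “data wiping as outlined by NIST” and the asset-tracking record listed above, as an added example that is not part of the original post: a Python script that checks an overwritten storage image byte by byte and then seals the disposal entry so later tampering is detectable. It assumes a constructed image and constructed device details. It applies to overwrite-style sanitization only; degaussed or physically destroyed media leaves nothing to read back, and for SSDs overwriting is not a reliable wipe, so the drive’s own sanitize command or destruction should be used instead.

```python
"""Verify an overwrite-sanitized storage image and build a disposal record.

Added example for this article, not the author's or any vendor's code. It
covers the overwrite case ("Clear" in NIST SP 800-88 terms), where readable
media remains to verify; degaussed or destroyed media has nothing to read.
The storage image, device identifiers and staff name are constructed.
"""
import hashlib
import json

# Constructed stand-in for an ePHI record that a retired device might hold.
SAMPLE_PHI = b"Patient: Jane Doe DOB 1975-04-02 MRN 00012345 CT head\n"


def make_image(size, wiped, pattern=b"\x00"):
    """Build a fake storage image: fully overwritten, or with a PHI record left behind."""
    data = bytearray(pattern * (size // len(pattern)))
    if not wiped:
        data[512:512 + len(SAMPLE_PHI)] = SAMPLE_PHI  # a leftover record at offset 512
    return bytes(data)


def verify_wiped(image, pattern=b"\x00", chunk=4096):
    """Full-read verification: every byte must match the overwrite pattern.

    Returns (True, None) when the image is clean, or (False, offset) with the
    offset of the first byte that still differs from the pattern.
    """
    expected = (pattern * (chunk // len(pattern) + 1))[:chunk]
    for start in range(0, len(image), chunk):
        block = image[start:start + chunk]
        if block != expected[:len(block)]:
            for i, (got, want) in enumerate(zip(block, expected)):
                if got != want:
                    return False, start + i
    return True, None


def _digest(fields):
    """Canonical JSON of the record fields, hashed with SHA-256."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def disposal_record(device_type, serial, location, decommissioned_at,
                    method, performed_by, verification_passed):
    """Assemble the asset-tracking entry and seal it with a hash of its contents."""
    record = {
        "device_type": device_type,
        "serial": serial,
        "removed_from": location,
        "decommissioned_at": decommissioned_at,
        "sanitization_method": method,
        "performed_by": performed_by,
        "verification_passed": verification_passed,
    }
    record["record_sha256"] = _digest(record)
    return record


def verify_record(record):
    """Recompute the seal; False if any field was altered after the record was written."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return _digest(body) == record.get("record_sha256")


if __name__ == "__main__":
    ok, offset = verify_wiped(make_image(1 << 20, wiped=False))
    print("unwiped image clean:", ok, "first non-pattern byte at", offset)
    ok, _ = verify_wiped(make_image(1 << 20, wiped=True))
    rec = disposal_record("Portable ultrasound", "SN-EXAMPLE-0001", "Exam room 3",
                          "2024-06-01T14:00:00Z", "overwrite (NIST 800-88 Clear) + full verify",
                          "J. Technician", ok)
    print(json.dumps(rec, indent=2))
```

The record hash does not prove who wrote the entry; it only makes silent edits detectable. If the disposal log is meant to stand up in an investigation, keep it append-only or have the destruction vendor’s certificate reference the serial and hash so the two documents corroborate each other.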
Failure to erase ePHI from equipment before disposal can constitute a HIPAA breach, result in the impermissible disclosure of ePHI, and lead to a financial penalty for noncompliance.
Documentation of data destruction helped Spectrum Health (Grand Rapids, MI) in 2017 when a decommissioned fax machine was resold. When the new owner used the machine, it began printing documents stored in its memory, including ePHI such as names, addresses, dates of birth, and insurance data. The incident was reported, and the machine was traced back to Spectrum Health. Its Chief Privacy Officer was able to confirm that a business associate agreement was in place with a certified destruction vendor and to produce a certification record stating that the data on the fax machine had been destroyed. That auditable trail of responsible stewardship helped them demonstrate their compliance efforts. The case was ultimately viewed as an anomaly, but without that documentation it could easily have become a financial penalty.
Final Thoughts
Medical devices are more than lifesaving equipment for patients; they are also clinical assets with compliance responsibilities. The path forward is to know your devices, assess them often, and retire them responsibly. Organizations that govern them well and perform consistent SRAs that include these devices not only avoid risk but also build a durable security infrastructure.
Know Your Risk With a PrivaPlan SRA
A Security Risk Assessment is only as valuable as the expertise behind it. PrivaPlan’s team of HIPAA compliance specialists brings more than two decades of healthcare privacy and security experience to every SRA we conduct. We help organizations identify real risks, meet regulatory requirements, and strengthen their compliance efforts. Reach out to learn how we can help.