Medical Device Security

Techumen by the numbers.

1032

Healthcare Organizations Served

2087

Audits Completed

100%

Pass Rate from HHS/CMS Audits

Network and Security Assessment

Biomedical devices are ubiquitous in contemporary hospitals and other care delivery environments, and they are instrumental in delivering excellent health care.

We conducted a security risk assessment at a 400-bed hospital and found the following:

  • over 5000 biomedical devices, many of which required network connectivity to report results to a downstream piece of software;
  • a staggering variety of device types, ranging from cytometers and infusion pumps to heart rate monitors and resuscitators.


For IT security practitioners, such biomedical devices are often a bane. 

For various reasons, including unclear regulatory direction, many biomedical devices run outdated operating systems and applications built with inadequate software security. As a result:

  • devices are ripe for attack by viruses, worms and other forms of malware;
  • most of these connected devices hang directly off the hospital's core IT network.

In most hospitals we assess, devices are rarely segregated into virtual LANs (VLANs), which would provide an added measure of safety. Instead, a virus infiltrating, say, an old infusion pump running an unpatched version of Windows 2000 can propagate like wildfire, bringing the main hospital network to a crawl or even fully disabling it. Another common security hole is an unsecured or poorly secured wireless connection, which is easily exploitable by an attacker with rudimentary wireless hacking equipment.


Obviously the ramifications for a hospital are tremendous. Information is the lifeblood of modern hospitals – from admitting, to billing, to labs, and diagnostic machines to electronic medical record repositories, a modern hospital cannot function without reliable information.

For medical device companies we conduct a thorough data-flow based risk analysis of your device. This can cover:

  • risks from not updating to more recent operating systems, or from inappropriate or incomplete patching;
  • secure software development considerations during device development, including development lifecycle reviews and source code analysis of embedded code and of application programming interfaces with downstream systems;
  • network-based risks arising from improper configurations in provider settings such as hospitals and clinics.

Techumen’s approach, and the accompanying risk assessment report, follows the recommended FDA method for gauging risk and addresses the following elements:

  • Identification of assets, threats, and vulnerabilities;
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
  • Assessment of the likelihood of a threat and of a vulnerability being exploited;
  • Determination of risk levels and suitable mitigation strategies;
  • Assessment of residual risk and risk acceptance criteria.
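The five elements above, worked through as a small risk register in code. This is an added illustration, not Techumen's or the FDA's own tooling; the 1 to 5 scales, the band thresholds, the mitigation reductions and the two sample findings (modelled on the infusion pump and wireless examples earlier on the page) are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordinal 1..5 scales for likelihood and impact; their product is banded
# into the risk levels a report would use. Thresholds are an assumption.
def risk_level(likelihood: int, impact: int) -> str:
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"

@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int = 0  # scale steps removed from likelihood
    impact_reduction: int = 0      # scale steps removed from impact

@dataclass
class Finding:
    asset: str            # identified asset
    threat: str           # identified threat
    vulnerability: str    # identified vulnerability
    likelihood: int
    impact: int
    mitigations: list[Mitigation] = field(default_factory=list)

    def inherent_risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_scores(self) -> tuple[int, int]:
        """Likelihood and impact after mitigations, floored at 1: a control
        lowers a risk but never removes the asset from the threat model."""
        l = max(1, self.likelihood - sum(m.likelihood_reduction for m in self.mitigations))
        i = max(1, self.impact - sum(m.impact_reduction for m in self.mitigations))
        return l, i

    def residual_risk(self) -> str:
        return risk_level(*self.residual_scores())

ACCEPTABLE = {"low"}  # risk acceptance criterion (assumption)

def assess(findings: list[Finding]) -> list[dict]:
    """One report row per finding, with the residual-risk acceptance decision."""
    return [{"asset": f.asset, "threat": f.threat, "inherent": f.inherent_risk(),
             "residual": f.residual_risk(), "accepted": f.residual_risk() in ACCEPTABLE}
            for f in findings]

# Constructed sample findings, not real assessment data.
FINDINGS = [
    Finding("infusion pump", "worm spreads from pump into the core hospital network",
            "unpatched Windows 2000 on a flat network", likelihood=5, impact=5,
            mitigations=[Mitigation("isolate device in a dedicated VLAN", impact_reduction=3),
                         Mitigation("apply vendor patch / OS upgrade", likelihood_reduction=2)]),
    Finding("heart rate monitor", "attacker joins the device's wireless link",
            "poorly secured wireless connection", likelihood=4, impact=3,
            mitigations=[Mitigation("authenticated, encrypted wireless", likelihood_reduction=3)]),
]
```

Running `assess(FINDINGS)` shows the pump dropping from high to medium (still not acceptable, so it stays open) while the monitor finding reaches low and is accepted.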

Medical device manufacturers must adhere to strict guidance from the FDA. A risk assessment is now a requirement for any medical device that is to be connected within a provider network. Techumen’s analysis provides an expert independent assessment of your risks and how they should be mitigated.