HDOs face many challenges when it comes to medical device security such as lack of visibility to whether a device is vulnerable or has been hacked, inability to patch and upgrade aging devices and associated operating systems and software, and basic knowledge of inventory and device classification. Due to the high cost of replacing legacy devices, vulnerable devices can stay in circulation for a long time.

While the Food and Drug Administration (FDA) has published guidance for both pre-market and post-market cybersecurity management of medical devices, it’s important to note that many medical devices must adhere to the HIPAA Security Rule requirements since they may create, receive, maintain, or transmit ePHI. It’s crucial to identify which devices fall under the purview of HIPAA and not just the FDA.

Our approach

Coalfire helps clinical stakeholders and information security teams comprehensively assess risks associated with medical devices and develop a risk management program. Services include:

• Security Policy & Procedure Review and Development
• Vulnerability Scanning & Penetration Testing
• HIPAA Security Risk Analysis
• Medical Device Security Risk Assessment
• Medical Device Incident Response Plan

Deliverables

• Risk assessment report with prioritized findings and recommendations
• Remediation roadmap

Medical device security risk assessment: scope and methodology

• Customized medical device security framework based on NIST 800-30; leverages NIST 800-53, ISO 80001, MITRE Playbook, and FDA post-market guidance
• Device inventory and dataflow analysis
• Security policy and procedure review
• Risk management, threat and vulnerability management, and patch management processes
• Medical device vendor risk management process
• Security of clinical network/devices
• Patient safety impact analysis
• ePHI data security
• Incident response process