Biomedical devices are essential to patient care.
A risk analysis of the biomedical devices that store ePHI is critical for compliance with the HIPAA Security Rule. Risk analysis is commonly misunderstood, which is why federal agencies such as HHS OCR and NIST have published numerous white papers and guides on the topic.
If biomedical devices are operated or serviced by a manufacturer, vendor, third-party service provider, or some other entity, that entity may be a business associate under HIPAA when it creates, receives, maintains, or transmits ePHI on the covered entity's behalf.
In our experience, at least 20 different types or classes of biomedical devices put an organization at risk because they process, store, or transmit ePHI, or are connected to the internal network.
A biomedical risk analysis is a cooperative effort between the clinical engineering/Biomed, IT, pharmacy, and nursing departments. The initiative can be a significant undertaking for an organization. tw-Security has a straightforward, sustainable methodology to assist any size organization with this endeavor.
Key areas of concern with biomedical devices:
- Patient safety – the patient could be at risk of harm if the device lacks appropriate safeguards and controls
- Security vulnerabilities that result in patient notifications or recalls (e.g. the cybersecurity vulnerability disclosed in Johnson & Johnson's Animas insulin pumps, which prompted patient notifications)
- Software quality, including the absence of secure development practices
- Lack of vendor security support (no patches or security advisories for the device's software)
- Lack of encryption for ePHI at rest and in transit
- Use of default or hard-coded passwords that are publicly documented and known to attackers
- Proprietary, non-standard software that cannot run standard endpoint protection, can become infected with malware, and can then spread that infection across the network
- Integration of these devices into the hospital network increases risk exposure, because a compromised device becomes a foothold into clinical systems
- Legacy devices that run an unsupported, unpatched operating system (e.g. devices still based on Windows XP)
- FDA cybersecurity guidance documents are recommendations, not regulations, and following them does not satisfy the HIPAA Security Rule's risk analysis requirement
Biomedical Risk Analysis Workshop
The primary objective of the workshop is to train staff to conduct a biomedical device risk analysis and to equip them with the templates and tools needed to repeat it on their own. We tailor our templates, policies, procedures, and plans to your organization.
At the end of the workshop, attendees will be able to:
- Identify the ‘types’ of biomedical devices and inventory considerations
- Conduct a biomedical device risk analysis based upon the nine basic steps of risk analysis
- Work through a series of checklist questions to determine security controls and vulnerabilities
- Use sample biomedical risk profiles to document a biomedical device risk analysis
- Identify the top cybersecurity threats and the controls needed to reduce cyber-attack risks that impact biomedical devices
- Explain the regulatory requirements for conducting a risk analysis and specifics with biomedical devices
- Discuss the HIPAA Audit Program Protocol’s audit test procedures for risk analysis
- Find resources for additional information