
Part of Data Security Standard 9 - IT protection

Connected Medical Devices (9.3.8 - 9.3.9)



Medical devices are becoming more connected and, in many respects, are subject to the same level of vulnerabilities (if not more) as a desktop, tablet or laptop device. These vulnerabilities are particularly marked in the first generations of connected medical devices, some of which may have a decades-long life span.

So just as it is important to know your user base and their devices, it is important to have a register of connected medical devices.

This register should include vendor, maintenance arrangements, any network segmentation in place and whether network access is given to the supplier/maintainer. It is expected that it would contain (or be linked to) the items found in an IT asset register: network name, IP address (if static), MAC address, and software and versions (where appropriate).

At the time of writing there is no prescribed register or set methodology of implementation. Consequently, there are three broad implementation choices.


Choices for implementing a connected devices register

There are three routes to implementing a register:

  • existing medical devices register
  • existing IT asset register
  • new connected medical devices register

You can expand the existing medical devices register or your IT asset register, or create a new connected medical devices register.

Whichever route you choose, the registers should ideally be linked or synchronised with each other and with other products such as asset discovery tools. It is important to avoid duplication and any subsequent version control issues.
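The linkage between registers, and the duplication and version control problems it is meant to prevent, are easier to see in a worked example. The following Python is an added illustration, not code from the DSPT or any NHS organisation. It assumes two constructed source registers (an existing medical devices register and an IT asset register), each a list of records, linked on MAC address as the common key; the field names, sample devices, addresses and version numbers are all made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# MAC addresses are used as the linkage key between the two registers.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so both registers key identically."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class ConnectedDevice:
    """One entry in the combined connected medical devices register."""
    mac: str
    vendor: str
    maintenance: str          # maintenance arrangements, e.g. "vendor contract to 2026"
    segment: str              # network segmentation in place, e.g. "VLAN 40 (medical)"
    supplier_access: bool     # whether the supplier/maintainer is given network access
    network_name: str = ""    # from the IT asset register
    ip: str = ""              # static IP only; blank when the device uses DHCP
    software: dict = field(default_factory=dict)   # software name -> version
    issues: list = field(default_factory=list)     # problems found while merging


def validate(dev: ConnectedDevice) -> list:
    """Return the problems with an entry; an empty list means it is complete."""
    problems = []
    if not MAC_RE.match(dev.mac):
        problems.append("malformed MAC address")
    if dev.ip:
        try:
            ipaddress.ip_address(dev.ip)
        except ValueError:
            problems.append("malformed IP address")
    for name in ("vendor", "maintenance", "segment"):
        if not getattr(dev, name):
            problems.append(f"missing {name}")
    return problems


def build_register(medical_register: list, it_assets: list):
    """Merge the medical devices register with the IT asset register.

    Returns (devices keyed by MAC, report lines). Duplicates, unlinked
    entries and conflicting software versions are reported rather than
    silently resolved, so the owners of each register can correct the source.
    """
    it_by_mac, report = {}, []
    for asset in it_assets:
        mac = normalise_mac(asset["mac"])
        if mac in it_by_mac:
            report.append(f"{mac}: duplicate IT asset entry")
            continue
        it_by_mac[mac] = asset

    register = {}
    for rec in medical_register:
        if not rec.get("mac"):
            report.append(f"{rec['asset_tag']}: no MAC, cannot link to IT asset register")
            continue
        mac = normalise_mac(rec["mac"])
        dev = ConnectedDevice(mac=mac, vendor=rec.get("vendor", ""),
                              maintenance=rec.get("maintenance", ""),
                              segment=rec.get("segment", ""),
                              supplier_access=rec.get("supplier_access", False))
        asset = it_by_mac.pop(mac, None)
        if asset is None:
            dev.issues.append("not found in IT asset register")
        else:
            dev.network_name = asset.get("hostname", "")
            dev.ip = asset.get("static_ip", "")
            dev.software = dict(asset.get("software", {}))
            # Version control check: both registers may record the same software.
            for sw, ver in rec.get("software", {}).items():
                if sw in dev.software and dev.software[sw] != ver:
                    dev.issues.append(f"{sw} version conflict: medical register "
                                      f"{ver}, IT register {dev.software[sw]}")
        dev.issues.extend(validate(dev))
        register[mac] = dev

    # IT assets categorised as medical that the medical devices register never mentions.
    for mac, asset in it_by_mac.items():
        if asset.get("category") == "medical":
            report.append(f"{mac}: medical asset missing from medical devices register")
    return register, report


# Constructed sample registers (hypothetical vendors, addresses and versions).
MEDICAL_REGISTER = [
    {"asset_tag": "MD-001", "mac": "AA-BB-CC-00-11-22", "vendor": "Example Imaging Ltd",
     "maintenance": "vendor contract", "segment": "VLAN 40", "supplier_access": True,
     "software": {"firmware": "2.1"}},
    {"asset_tag": "MD-002", "mac": "aa:bb:cc:00:11:33", "vendor": "Example Pumps plc",
     "maintenance": "in-house", "segment": "", "supplier_access": False},
    {"asset_tag": "MD-003", "mac": "", "vendor": "Example Monitors Ltd",
     "maintenance": "vendor contract", "segment": "VLAN 40", "supplier_access": False},
]
IT_ASSETS = [
    {"mac": "aa:bb:cc:00:11:22", "hostname": "ct-scanner-1", "static_ip": "10.40.0.5",
     "software": {"firmware": "2.0"}, "category": "medical"},
    {"mac": "aa:bb:cc:00:11:44", "hostname": "infusion-7", "static_ip": "10.40.0.9",
     "category": "medical"},
    {"mac": "aa:bb:cc:00:11:44", "hostname": "infusion-7-old", "category": "medical"},
]

if __name__ == "__main__":
    devices, lines = build_register(MEDICAL_REGISTER, IT_ASSETS)
    for dev in devices.values():
        print(dev.mac, dev.network_name or "-", dev.ip or "-", dev.issues)
    print("\n".join(lines))
```

Running it flags the firmware version conflict on the scanner, the pump that exists only in the medical register (with no segmentation recorded), the monitor that cannot be linked because it has no MAC, and the duplicated infusion pump that the IT register knows about but the medical register does not; each of those is exactly the kind of discrepancy the text says a linked, non-duplicated register is meant to surface.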


Expanding your existing medical devices register

With this option you would need to add the specific item's vendor, maintenance arrangements, any network segmentation in place and whether network access is given to the supplier/maintainer, and then link it to the IT asset register/discovery tool showing network name, IP address (if static), MAC address, and software and versions.


Expanding existing IT register

With this option you would need to add the specific item's vendor, maintenance arrangements, any network segmentation in place and whether network access is given to the supplier or maintainer. You wouldn't need a link to a discovery tool (as this is hopefully inbuilt), but the device would still need to exist as an entry in any medical devices register, so ideally the two should be linked.


Creating a new connected medical devices register

In some ways this is the most challenging option: as well as the items mentioned in the other two options, it would ideally require linkage to both the IT asset register and the medical devices register.


Connected medical devices policy

This should be a policy or process documenting the full explanation of how the organisation assures data security during the full life cycle of the medical device.

At the time of writing there is no set format for the policy or procedure; however, it should treat a medical device in the same way as any IT device that may contain patient information. That covers inception (security awareness before purchase), ongoing support from both manufacturer/supplier teams and patching/updating. It should also cover the retirement/disposal of devices, with the presumption that there will be sensitive/patient information stored on them.

The policy/procedure itself can be incorporated into an existing policy (medical devices or IT policy) or be standalone. However, much like the register, it is important that it does not duplicate or contradict policies covering the same ground.


Last edited: 6 October 2022 1:15 pm