Part of Guidance on protecting connected medical devices

Step 1. Identify connected medical devices

It's important to identify all the devices within your estate that are within scope: for example, all medical devices that can receive or transfer patient data through a connection to a network or via the internet. Medical devices that cannot connect to a network or the internet are not within scope, as they have a slightly different risk profile, but the principles of this guidance should still be applied to them.

A complete picture should be made that details the types of devices that need protecting, along with information such as: what operating system is in use, what software and version is installed, which ports, protocols and application services the device needs to use, and whether the device transmits or stores patient identifiable data. The medical device manufacturer may be able to supply documentation (such as a Manufacturer Disclosure Statement for Medical Device Security (MDS2) form) to assist in this task.

A complete network topology should be drawn up to show how the devices that are in scope communicate with associated devices and services and how access can be enabled for remote updates to be delivered if this is applicable for the device in question.

Having this information in an accessible format will make the following steps easier and ensure that security gaps are not left in the trust’s networks.
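The scoping rule and inventory attributes described above, as an added illustration that is not part of the guidance: each record is checked against the Step 1 scope test (network or internet connectivity) and against the attributes the guidance asks for, so gaps are visible before moving to the next step. Device names, field names and sample values are constructed for the example.

```python
"""Constructed Step 1 inventory check: scope decision and gap report."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Attributes the guidance asks the estate owner to record for each in-scope device.
REQUIRED = ("operating_system", "software_version", "ports_protocols", "stores_or_transmits_pid")


@dataclass
class Device:
    name: str
    device_type: str
    network_capable: bool                           # any network or internet connectivity
    operating_system: Optional[str] = None
    software_version: Optional[str] = None
    ports_protocols: List[str] = field(default_factory=list)
    stores_or_transmits_pid: Optional[bool] = None  # None = not yet established
    mds2_received: bool = False                     # manufacturer MDS2 form on file
    remote_update_path: bool = False                # vendor delivers updates over the network


def in_scope(device: Device) -> bool:
    """Step 1 scope rule: only devices that can connect to a network or the internet."""
    return device.network_capable


def missing_fields(device: Device) -> List[str]:
    """Inventory attributes still lacking for a device (empty list = record complete)."""
    gaps = [attr for attr in REQUIRED if getattr(device, attr) in (None, [])]
    if not device.mds2_received:
        gaps.append("mds2_received")
    return gaps


def inventory_report(devices: List[Device]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (names of in-scope devices, {name: gaps} for incomplete in-scope records)."""
    scoped = [d for d in devices if in_scope(d)]
    gaps = {d.name: missing_fields(d) for d in scoped if missing_fields(d)}
    return [d.name for d in scoped], gaps


# Constructed sample estate (hypothetical devices, not from the guidance).
SAMPLE = [
    Device("ct-01", "CT scanner", True, "Windows 10", "4.2.1",
           ["DICOM 104/tcp", "HTTPS 443/tcp"], True, mds2_received=True, remote_update_path=True),
    Device("vsm-07", "vital signs monitor", True),   # connected, but nothing recorded yet
    Device("pump-12", "syringe driver", False),      # standalone: out of scope for Step 1
]

if __name__ == "__main__":
    names, gaps = inventory_report(SAMPLE)
    print("in scope:", names)
    print("incomplete records:", gaps)
```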

Examples of medical devices, which include both in vitro (laboratory diagnostic) devices and in vivo devices, include:

  • medical imaging systems, such as CT, MRI and ultrasound scanners
  • vital signs monitors
  • syringe drivers
  • blood oxygen monitors
  • blood cell counters
  • blood analysers

You may wish to refer to the Medical Devices Regulations 2002 (SI 2002 No 618, as amended) (UK MDR 2002), which lays out the definition of a medical device:

'Medical device' means any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnosis or therapeutic purposes or both and necessary for its proper application, which:

(a) is intended by the manufacturer to be used for human beings for the purpose of:
      (i) diagnosis, prevention, monitoring, treatment or alleviation of disease
      (ii) diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap
      (iii) investigation, replacement or modification of the anatomy or of a physiological process, or
      (iv) control of conception; and

(b) does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, even if it is assisted in its function by such means, and includes devices intended to administer a medicinal product or which incorporate as an integral part a substance which, if used separately, would be a medicinal product and which is liable to act upon the body with action ancillary to that of the device.


Last edited: 5 October 2022 5:16 pm