Part of Guidance on protecting connected medical devices

Step 5. Understand third party connections

If third party organisations use their own devices within or to connect into your environment (for example, suppliers that manage services within your enterprise environment), it is important to understand whether those devices are running vulnerable software which could pose a risk to your systems, and to act to address such risks. Any remote connections should only be initiated for specific tasks rather than allowing an ‘always enabled’ access policy.

In all cases, you should ensure multi-factor authentication (MFA) is used by any supplier remotely connecting to your network.
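
The two controls above (task-specific rather than always-enabled supplier access, and MFA on every supplier connection) can be checked against an export of your remote-access grants. The following script is an added example and is not code from the original guidance or from NHS Digital. It assumes a hypothetical grant record with a start and expiry time, an MFA flag and a change or task reference; the supplier names, account names, ticket numbers and the eight-hour maximum session window are constructed values for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class SupplierAccessGrant:
    """One remote-access grant for a third party (hypothetical record layout)."""
    supplier: str
    account: str
    mfa_enforced: bool
    starts_at: Optional[datetime]   # None means no window: standing access
    expires_at: Optional[datetime]  # None means no expiry: standing access
    ticket: Optional[str]           # change/task reference the session is tied to


# Longest session a single task-specific grant may cover (constructed policy value).
MAX_SESSION = timedelta(hours=8)


def review_grant(grant: SupplierAccessGrant, now: datetime) -> List[str]:
    """Return policy findings for one grant; an empty list means it complies."""
    findings: List[str] = []

    # Every supplier connection must be protected by MFA.
    if not grant.mfa_enforced:
        findings.append("mfa-not-enforced")

    # Access must be a bounded window, not an 'always enabled' policy.
    if grant.starts_at is None or grant.expires_at is None:
        findings.append("always-enabled")
    elif grant.expires_at <= now:
        # A lapsed window that still exists in the access system is stale access.
        findings.append("expired-still-present")
    elif grant.expires_at - grant.starts_at > MAX_SESSION:
        # A multi-week window is standing access in all but name.
        findings.append("window-too-long")

    # Each session should be traceable to a specific task.
    if not grant.ticket:
        findings.append("no-task-reference")

    return findings


def review_all(grants: List[SupplierAccessGrant], now: datetime) -> Dict[str, List[str]]:
    """Map each account to its findings so the output can be triaged or alerted on."""
    return {g.account: review_grant(g, now) for g in grants}


# Constructed sample export: four supplier grants reviewed at a fixed point in time.
NOW = datetime(2022, 10, 4, 8, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    SupplierAccessGrant("Vendor A", "vendorA-svc", True, NOW - timedelta(hours=1),
                        NOW + timedelta(hours=3), "CHG-0001"),
    SupplierAccessGrant("Vendor B", "vendorB-vpn", False, None, None, None),
    SupplierAccessGrant("Vendor C", "vendorC-rdp", True, NOW - timedelta(days=2),
                        NOW - timedelta(days=1), "CHG-0002"),
    SupplierAccessGrant("Vendor D", "vendorD-ssh", True, NOW,
                        NOW + timedelta(days=30), "CHG-0003"),
]

if __name__ == "__main__":
    for account, findings in review_all(SAMPLE_GRANTS, NOW).items():
        status = "OK" if not findings else ", ".join(findings)
        print(f"{account}: {status}")
```

Running the script on the constructed export flags the standing, MFA-less account, the lapsed window that was never removed, and the thirty-day window, while the time-boxed, ticketed, MFA-backed grant passes. In practice the grants would be read from your VPN, bastion or identity provider export rather than hard-coded.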

When procuring contracts, you should consider support and security, and use the appropriate NHS procurement framework (such as the Digital Technology Assessment Framework, DTAC).

For example, in the event of a security incident, how quickly should the supplier have support engineers on site to apply mitigations? Similarly, once a patch has been released and tested, how quickly should it be applied to any medical device it concerns? Writing these requirements into contracts will make it easier to stay on top of your own security requirements.

Last edited: 4 October 2022 8:18 am