Medical Device Security

This article is part of RWA’s series on the 10 Best Health Industry Cybersecurity Practices.
Learn more at HHS 405(d) HICP website.


Medical devices are essential to diagnostic, therapeutic and treatment practices – but as with all technologies, medical device benefits are accompanied by cybersecurity challenges. Vulnerabilities are sometimes introduced when medical devices connect to the internet and process required updates. Medical devices are a specialized type of Internet of Things (IoT) device, and rather than recreating cybersecurity practices for them, healthcare organizations are encouraged to extend the relevant cybersecurity practices from the rest of the network and implement them appropriately.

Establish Endpoint Protection Controls: As with other endpoints devices, medical devices should follow protocols such as installing local firewalls, routine patching, network segmentation, and changing default passwords.

Implement Identity and Access Management Policies: Just like endpoints, medical devices security should include authentication measures and remote access controls like multifactor authentication.

Institute asset Management procedures: It is important to follow your asset management procedures for medical devices just as you would for endpoints. Keep an updated list of inventory and software updates to ensure your devices are accounted for and are up to date.

Create a Vulnerability Management Program that can consume Medical Device Management disclosures and respond accordingly when received.

Add security terms to Medical Device Management contracts that enable you to hold device manufacturers accountable.


As always, contact RWA to discuss the next steps in your cybersecurity journey!