Medical Equipment & Security

Medical equipment On this blog, we often write about data breaches of medical records, computer systems and electronic devices. But, intentional tampering can occur with other kinds of electronics in the health care setting, too –specifically, medical equipment. Tampering with medical equipment can result in medical errors, mistreatment and/or patient injury. This new form of medical liability risk is frightening and is making practices and health care systems of all sizes realize that they are vulnerable.

A two-year study, reported on, found security concerns with the following types of equipment (just to name a few):
-drug infusion pumps (that deliver morphine drips, chemo, antibiotics) that can be remotely manipulated to change the dosage;
-Bluetooth-enabled defibrillators that can be programmed to deliver a random shock or prevent a medically needed shock to a patient’s heart;
-temperature settings on refrigerators (that store blood and drugs) that can be reset, possibly resulting in spoilage.

The study also found lots of additional medical equipment that could easily be turned-off, restarted, reconfigured or restored to factory settings, again potentially wreaking havoc on patients’ care. Preventing these kinds of security problems are particularly tricky to solve, because many pieces of medial equipment don’t have additional and/or sophisticated security options available. And, an added problem is that many of these devices are hooked-up to system networks, allowing them to input information into patients’ electronic medical records, and they rarely have firewalls.

Many of these problems shouldn’t be surprising because, currently, medical devices are only evaluated for reliability, safety and effectiveness by the FDA –not for security.

Now, while we hope that such an attack would be a very rare occurrence, and it is one that we have not yet seen here at, we feel that this is an important topic that should be proactively addressed. Practices of all sizes should evaluate their vulnerabilities and risks and do what they can to prevent or minimize them. More specifically, practices should contact medical device manufacturers to see if security patches are available.

This entry was posted in Risk Management on by .