Medicare Compliance & Reimbursement

Clip And Save:

Beef Up Your Medical Device Incident Response Plan

Tip: Keep medical devices off the network.

Large-scale attacks like WannaCry and Petya that take down entire hospital systems are rare, but that doesn’t mean you shouldn’t prepare for the worst, especially when it comes to securing devices used to monitor and care for patients.

Putting measures into place now that protect your patients later will not only save you money, but it may save lives, too.

Here is a list of the top 10 things that Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vermont, advises clinicians to consider when planning their medical device management and incident response plans:

1. Inventory all medical devices thoroughly, recording vendor contact information and whether each device's security can be patched or updated.

2. Identify which devices can receive security updates, and plan to check for and apply those updates on a regular schedule.

3. Determine whether the data on the devices needs to be backed up, or needs to be cleared if the device is returned to the vendor, and plan for these as necessary.

4. Lock down all access to medical devices to the extent practicable, and disable all default passwords.

5. Do not connect devices to networks unless it is necessary for their operation or maintenance, and disconnect them from networks when not in use.

6. Where practicable, place medical devices on a separate logical subnet to isolate them from other systems and networks.

7. Stock spare backup units for critical functions, using units of a different make or type, so that services can be maintained if some units are compromised.

8. Develop mutual-aid plans with nearby entities for borrowing equipment as needed during incidents, including setting up separate secure networks on an emergency basis.

9. Review and update your incident response and contingency planning policies and procedures to ensure the consideration of medical devices and the Internet of Things.

10. Ensure medical devices and the Internet of Things are included in risk analyses and management planning.