Managing cybersecurity risks in medical devices

Healthcare managers may be aware of the information governance risks stemming from their digitised medical records or information technology (IT) system, but they may not realise the increasing risk and vulnerability of the medical devices in their facilities both in acute hospitals and in the community sector. After all, computerised medical records have been around since the seventies. The aim of this paper is to explain the background to medical devices, vulnerability in simple terms and across the full range of devices. It describes methods to understand the scale of the risk, quantify it, make an action plan and finds ways to reduce the risk as much as possible with the available resources. It concerns devices/computers in radiotherapy, diagnostic imaging (computed tomography/magnetic resonance imaging/ultrasound, picture archiving and communication system), intensive care units, wards, clinics, pathology, care homes, general practitioner surgeries, etc. These may be connected devices or stand-alone devices that have accessible computer ports (USB). Increasingly, devices may communicate through WiFi or Bluetooth, or simply be an app on a mobile device. The paper cites useful government body resources that will support your efforts to reduce the risk and enable your technical staff in IT and clinical engineering to get involved in this challenging environment. There should be sufficient information to brief the board about the circumstance and what can be done. This will help if an incident arises so that you are aware and prepared and not considered negligent by regulatory bodies.