National Cybersecurity and Communications Integration Center Highlights Vulnerabilities in Healthcare Technology


In a recent bulletin, the National Cybersecurity and Communications Integration Center (NCCIC) at the U.S. Department of Homeland Security described the vulnerabilities associated with medical devices in healthcare environments where wireless technology and networking are increasingly used. Because many devices may be accessed through and connected to medical information technology networks, there are now concerns regarding theft of medical information and intrusion into networks through the devices. The NCCIC highlighted four factors that complicate security within a medical organization: (1) the current use of legacy devices placed in the market prior to the enactment of the Medical Device Law in 1976 when there was minimal testing on equipment; (2) failure to implement safety features on newer devices because of the complexity of the technology; (3) budget constraints; and (4) failure to upgrade existing devices because they contain private information.

With technology rapidly changing, the healthcare arena is constantly challenged to keep up, especially because many medical devices now utilize wireless technology, may be linked to healthcare facility networks, and may be implantable within the body or otherwise portable. Furthermore, many healthcare professionals now utilize portable devices to monitor patients remotely. The NCCIC suggests a layered security approach to oversee this technology, with the following “best practices” noted, among others:

  • Purchasing only those networkable medical devices which have well-documented security features available, and which network engineers can configure safely on networks;
  • Establishing strict policies for the connection of any networked devices, particularly wireless devices, to networks such that no access to networked resources is provided to unsecured and/or unrecognized devices;
  • Using the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network; and
  • Securing communications channels, especially wireless ones, by the use of encryption and authentication at both ends of a communication channel.

The bulletin, which may be accessed here, should be passed along to a healthcare organization’s IT network and technology specialists for review and discussion with organization executives.  

Reporter, Christina A. Gonzalez, Houston, +1 713 276 7340,

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
