ECRI Releases Guidance on Protecting Device Systems Against Ransomware

By MedTech Intelligence Staff

The free resource recommends how hospitals can identify and safeguard medical device systems against an attack.

Ransomware attacks are making headlines with increased frequency. The latest malware to affect medical devices, WannaCry, wreaked havoc on hospitals in the U.K. and hit at least two hospital systems in the United States. As facilities continue to grapple with the reality that the rate of cyberattacks is only going to grow, hospitals’ IT departments are tasked with implementing more protective measures that focus specifically on medical device systems rather than on general hospital systems.

ECRI recently released new guidance, “Ransomware Attacks: How to Protect Your Medical Device Systems”, which offers “do’s and don’ts” on how hospitals can identify and protect against ransomware infection. The recommendations are directed at a facility’s medical device security lead and include the following:

  • Identify all medical devices, servers and workstations that operate on a Windows operating system (the WannaCry ransomware targeted Windows-based operating systems)
  • Determine whether the connected medical devices and servers have received the Microsoft Windows OS MS17-010 security patch
  • Run a vulnerability scan to identify affected medical devices
  • Manage third-party vendors that haven’t implemented the security patch
  • Disconnect any devices identified or suspected to have a malware infection, and if unencrypted patient data is involved, risk management should handle the hospital’s response to the data breach (per HIPAA)
  • Address the most life-critical devices first, followed by therapeutic products, patient monitoring devices, alarm notification systems and diagnostic imaging systems
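
The checklist above, expressed as a triage over an asset inventory. This is an added example, not part of the ECRI guidance or the original article; the CSV columns, device class labels and sample rows are constructed assumptions.

```python
import csv
import io

# Priority order from the checklist above (earlier in the list = address first).
PRIORITY = ["life-critical", "therapeutic", "patient-monitoring",
            "alarm-notification", "diagnostic-imaging"]

# Constructed sample inventory; column names and values are assumptions.
SAMPLE_INVENTORY = """\
asset_id,device_class,os,ms17_010_patched,vendor_managed,suspected_infected
INF-001,therapeutic,Windows 7 Embedded,no,yes,no
VENT-014,life-critical,Windows XP Embedded,unknown,yes,no
MRI-002,diagnostic-imaging,Windows 7,no,no,yes
MON-120,patient-monitoring,Windows 10,yes,no,no
PUMP-033,therapeutic,VxWorks,n/a,yes,no
NC-007,alarm-notification,Windows Server 2008 R2,no,no,no
"""

def triage(inventory_csv):
    """Return (asset_id, action) pairs in the order they should be addressed."""
    worklist = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "windows" not in row["os"].lower():
            continue  # the checklist only covers Windows-based systems
        infected = row["suspected_infected"].strip().lower() == "yes"
        patched = row["ms17_010_patched"].strip().lower() == "yes"
        if infected:
            action = "disconnect from network"
        elif patched:
            continue  # patched and not suspected: nothing to do
        elif row["vendor_managed"].strip().lower() == "yes":
            # "unknown" patch status lands here too: only an explicit "yes" counts.
            action = "escalate to vendor for MS17-010"
        else:
            action = "apply MS17-010"
        cls = row["device_class"].strip().lower()
        # Unrecognized device classes sort after every listed class.
        rank = PRIORITY.index(cls) if cls in PRIORITY else len(PRIORITY)
        worklist.append((rank, row["asset_id"], action))
    worklist.sort(key=lambda item: item[0])  # stable: keeps inventory order within a class
    return [(asset, action) for _, asset, action in worklist]

if __name__ == "__main__":
    for asset, action in triage(SAMPLE_INVENTORY):
        print(f"{asset}: {action}")
```
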

Read the “don’ts” in the guidance.
