Biomed IG

Biomed Facts

Source: FBI Alert I-101717a-PSA

  • The number of internet-connected medical devices is projected to grow from 20 billion in 2018 to 50 billion in 2020.
  • Deficient security capabilities, legacy operating systems, difficulties in patching vulnerabilities and a lack of security awareness are significant risks to both medical devices themselves and the networks to which they connect.
  • Insecure or poorly secured medical devices can leave networks open to Distributed Denial of Service (DDoS) attacks.
Myths & Facts

  • Myth: The FDA is the only federal government agency responsible for the cybersecurity of medical devices.
    Fact: The FDA works closely with other federal government agencies, such as the U.S. Department of Homeland Security (DHS), but also works with members of the private sector, medical device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of critical cyber infrastructure.
  • Myth: Medical device manufacturers can’t update medical devices for cybersecurity.
    Fact: Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review medical device updates implemented solely to strengthen cybersecurity.
  • Myth: The FDA tests medical devices for cybersecurity.
    Fact: The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical product manufacturer.

Biomed Business Risks

  • Disruption of patient care
  • Loss of Protected Health Information (PHI) and Personally Identifiable Information (PII)

Biomed Devices

  • Pacemakers
  • Drug Pumps
  • Mobile Medical Systems
  • In-Home Monitors
  • Personal Fitness Devices
  • Medical Ventilators
  • Medical Monitors
  • Medical Imaging Machines

Securing Biomed Devices

  • Equipment Management
  • Patch Management
  • Staff Security Training
  • Vulnerability Scanning
  • Risk Management
  • RFP Language to Include Security Features
  • Device Integration Test Lab

Biomed and IoT Cybersecurity Readiness

The ecfirst Biomed and IoT Cybersecurity Report includes an Asset Inventory, which identifies specific biomed device information such as:

  • IP Address
  • Hostname (if resolvable or successfully authenticated)
  • Operating System (if discoverable or successfully authenticated)
  • Open Ports
    • Potentially Active Services
  • Installed Software

ecfirst Biomed Cybersecurity Checklist

  • Cybersecurity Framework: Determine the cybersecurity framework that will establish the foundation of your security program requirements for medical devices.
  • Policy: Develop a cybersecurity policy specific to medical devices. Ensure the policy is reviewed by the associated and impacted departments/business units, approved by senior leadership, and communicated to the workforce.
  • Security Risk Assessment: Ensure medical devices are within the scope of enterprise cybersecurity risk assessment exercises. Perform a vulnerability assessment to determine medical device security gaps. Examine the security architecture and identify opportunities to segregate medical devices on the network (i.e., decide whether and how segregation applies to medical devices).
  • Business Associate Agreements (BAA): Review third-party vendors (business associates) and their security practices to ensure HIPAA, FDA, and other mandates are appropriately addressed.
  • Patch Management: Stress the importance of software updates; develop a formal policy and practice for patch management.
  • Configuration Management: Ensure each type of medical device is configured consistently and with the security capabilities appropriate to protect PHI and PII.
  • Authentication: Review the authentication options available for accessing and configuring medical devices.
  • Encryption: Examine options to encrypt PHI and PII stored, processed or transmitted by medical devices.
  • Risk Management: Based on the findings of the risk assessment, establish a plan for risk management of medical devices. Ensure formal remediation is performed on a regular schedule (e.g., monthly).
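As an added example (not part of the ecfirst report or any ecfirst tooling), the script below applies several of the checklist items to inventory records with the fields listed under the Asset Inventory above: an unresolved hostname or OS means the device could not be identified, an end-of-life OS cannot be kept current through patch management, cleartext services such as Telnet or FTP bear on the authentication and encryption items, and a device outside the medical-device address range bears on network segregation. The device records are constructed, and the address range, end-of-life OS markers and cleartext port list are assumptions chosen for illustration; an organization would replace them with its own network design and vendor support information.

```python
"""Triage a biomed asset inventory against common checklist conditions."""
import ipaddress
from typing import Dict, List

# Constructed sample records (not real devices); the keys mirror the
# attributes an asset inventory records. None marks a value the scan could
# not resolve or authenticate to.
SAMPLE_INVENTORY = [
    {"ip": "10.20.4.11", "hostname": "infusion-pump-07",
     "os": "Windows XP Embedded", "open_ports": [23, 80],
     "software": ["PumpManager 2.1"]},
    {"ip": "10.20.4.12", "hostname": "patient-monitor-03",
     "os": "Linux 4.x", "open_ports": [443],
     "software": ["MonitorSuite 5.0"]},
    {"ip": "10.50.7.9", "hostname": None,
     "os": None, "open_ports": [21, 8080],
     "software": []},
]

# Assumptions made for this example (not from the page): the address range
# set aside for medical devices, OS families past vendor support, and TCP
# ports whose services carry credentials or data in cleartext.
MEDICAL_DEVICE_NETWORK = ipaddress.ip_network("10.20.0.0/16")
END_OF_LIFE_OS_MARKERS = ("windows xp", "windows 2000",
                          "windows server 2003", "windows 7")
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 8080: "HTTP"}


def triage_device(device, device_network=MEDICAL_DEVICE_NETWORK,
                  eol_markers=END_OF_LIFE_OS_MARKERS,
                  cleartext_ports=CLEARTEXT_PORTS) -> List[str]:
    """Return the checklist findings that apply to one inventory record."""
    findings = []
    # Unresolved hostname or OS: the device could not be identified, so it
    # cannot be patched or configured consistently until it is.
    if device.get("hostname") is None or device.get("os") is None:
        findings.append("unidentified-device")
    # End-of-life OS: vendor support has ended, so patch management cannot
    # close newly discovered gaps.
    os_name = (device.get("os") or "").lower()
    if any(marker in os_name for marker in eol_markers):
        findings.append("end-of-life-os")
    # Cleartext services: credentials or PHI may cross the network
    # unencrypted (authentication and encryption checklist items).
    for port in device.get("open_ports", []):
        if port in cleartext_ports:
            findings.append(f"cleartext-service:{cleartext_ports[port]}/{port}")
    # Segregation: a device outside the medical-device range is not covered
    # by the network segregation the risk assessment is meant to establish.
    if ipaddress.ip_address(device["ip"]) not in device_network:
        findings.append("outside-medical-segment")
    return findings


def triage_inventory(inventory) -> Dict[str, List[str]]:
    """Map each device IP to its findings; devices with none are omitted."""
    report = {}
    for device in inventory:
        findings = triage_device(device)
        if findings:
            report[device["ip"]] = findings
    return report


def count_by_finding(report) -> Dict[str, int]:
    """Tally findings by type (port detail dropped) for the risk-management plan."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for finding in findings:
            key = finding.split(":", 1)[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY)
    for ip, findings in report.items():
        print(ip, ", ".join(findings))
    print(count_by_finding(report))
```

The per-type tally is what feeds the monthly remediation schedule in the Risk Management item: each finding type maps to a checklist item, so the counts show which items need the most work before the next cycle.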

Training & Certification

  • Examine and build a practical and applicable cybersecurity program for an organization. Step through core components of an actionable incident response plan.
  • Identify policies that reflect an organization’s priority for security in the areas of risk assessment, mobile devices, cloud computing, encryption, and more.
  • Study incident management and other checklist documents to establish consistency in monitoring enterprise security capabilities.

In the News

Controls Required for HITRUST Certification, HITRUST Advisory from Ali Pabrai.


Cyber Immune Defense: HITRUST, Featured Presentation by Ali Pabrai at HIMSS Iowa Chapter 2018 conference, November 8, 2018 | Des Moines.

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CCSFP (HITRUST) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.