Information Security Considerations when Decommissioning Medical Devices
What do you do with a medical device when it reaches the end of its useful life?
Tue Oct 25 2022
What do you do with a medical device when it reaches the end of its useful life? If the device was used to store, generate, or communicate protected health information or other sensitive data, you can’t just dispose of the device “as is.” You’ll first need to take steps to minimize security risks.
When a medical device either reaches the end of its useful life or otherwise is no longer needed for use, it is ready to be decommissioned – by disposal, by sale, by refurbishment, by reassignment to another location within the facility, or by other means. Decommissioning needs to be a structured process, however. Many medical devices can’t simply be discarded or given away “as is.”
Health care facilities must take steps to prevent the device from posing a risk to the community – for example, by cleaning and decontaminating it. And they must take steps to prevent the exposure of protected health information (PHI) or other sensitive data that may be on, associated with, or accessible using the device. From an information security perspective, that second point is critical.
Data Security Concerns
The decommissioning process for any medical device that may contain sensitive data needs to account for the proper disposition of that data, regardless of the ultimate destination for the device (i.e., reuse or destruction). Imaging devices, for example, generate data that constitutes PHI, and most can store or archive that data until it is transmitted to integrated clinical systems. Cardiac device programmers retrieve data from the patient for analysis. Smartphones used in a clinical environment hold patient care and other sensitive data from secure communications between clinicians. These are just a few of the many technologies and scenarios that become a concern if the data is not safeguarded before a device leaves the facility’s control.
The need to safeguard PHI and other patient data is an obvious concern. Health care facilities can be subject to fines or other punishment if unsecured PHI is made accessible to unauthorized parties. “But PHI breaches are not the only concern,” cautions Chad Waters, senior cybersecurity engineer in ECRI’s device evaluation group. “Some devices include sensitive IT data that could be used as intelligence in a cyberattack against your organization.” Examples include network configuration settings and user, device, or network credentials, such as a wireless Pre-Shared Key (PSK) or Active Directory accounts.
The most appropriate method for removing sensitive data from a device will depend on the intended destination for the device. If the device is to be destroyed, then the storage media itself (e.g., a computer’s hard drive, an SD card, a USB drive) can be destroyed – that’s the best-case scenario from an information security perspective. But if the device is to be transferred for use in another setting, the storage media must be handled in a way that allows the device to remain functional.
Organized from most to least secure, some of the most common data destruction methods are:
Note that the last two options make data retrieval difficult, but not impossible.
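Whichever removal method is chosen for media that must stay usable, the outcome should be checked before the device leaves the facility's control. The following Python is an added example, not code from ECRI or this article: it reads a captured image of the device's storage and reports whether every byte carries the expected overwrite fill value and whether signatures of the data types discussed above still appear. The "DICM" signature after a 128-byte preamble is the real DICOM file-format marker; the wireless PSK configuration keys are assumed as representative markers of leftover IT secrets; the 4 KiB sample image is constructed for the demonstration.

```python
"""Sanitization check for a storage image captured from a device being
decommissioned. Added example, not ECRI's code or tooling; the marker list and
the sample image are constructed for illustration."""
from typing import Dict, List, Tuple

# Byte sequences whose presence means data survived the sanitization step.
# "DICM" is the DICOM Part 10 file signature that follows the 128-byte preamble
# (imaging data, i.e. PHI). The wireless keys are the ones wpa_supplicant and
# hostapd configuration files use for a Pre-Shared Key (assumed here as
# representative of leftover IT secrets).
RESIDUAL_MARKERS: Dict[str, bytes] = {
    "dicom_file_signature": b"DICM",
    "wifi_psk_setting": b"psk=",
    "wifi_passphrase_setting": b"wpa_passphrase=",
}


def scan_residual_markers(image: bytes) -> Dict[str, List[int]]:
    """Map each marker found in the image to every offset at which it occurs."""
    hits: Dict[str, List[int]] = {}
    for name, marker in RESIDUAL_MARKERS.items():
        offsets: List[int] = []
        start = 0
        while (pos := image.find(marker, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        if offsets:
            hits[name] = offsets
    return hits


def overwrite_coverage(image: bytes, fill: int = 0x00) -> float:
    """Fraction of bytes equal to the fill value an overwrite pass should have left."""
    if not image:
        return 1.0
    return image.count(bytes([fill])) / len(image)


def assess_sanitization(image: bytes, fill: int = 0x00) -> Tuple[bool, dict]:
    """Media passes only if every byte matches the fill value AND no residual
    marker is present; both measurements are returned so an auditor can see why."""
    coverage = overwrite_coverage(image, fill)
    markers = scan_residual_markers(image)
    return (coverage == 1.0 and not markers), {"coverage": coverage, "markers": markers}


def build_sample_image() -> bytes:
    """Constructed 4 KiB image standing in for media that was NOT sanitized:
    a DICOM header at the start and a wireless config fragment at offset 2048."""
    img = bytearray(4096)
    img[128:132] = b"DICM"  # 128-byte preamble, then the signature
    cfg = b'network={\n ssid="clinic-wlan"\n psk="PLACEHOLDER-NOT-A-REAL-KEY"\n}\n'
    img[2048:2048 + len(cfg)] = cfg
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("before overwrite", build_sample_image()),
                       ("after overwrite", bytes(4096))):
        clean, report = assess_sanitization(img)
        print(f"{label}: clean={clean} coverage={report['coverage']:.4f} "
              f"markers={report['markers']}")
```

On real media the image would be read from the block device after the overwrite pass; the marker list is deliberately small, and a facility would extend it with the formats its own devices are known to store, as recorded in the inventory.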
Steps to Facilitate Decommissioning
Several steps can be taken in advance to facilitate eventual decommissioning when a device is no longer needed for use at a health care facility.
One key step is to maintain an up-to-date inventory of all devices and systems that store, generate, or communicate PHI or other sensitive data. This information will help you identify devices that require data security measures when decommissioning. ECRI recommends recording data security details for each device in your computerized maintenance management system (CMMS) or similar equipment database for easy retrieval. Facility-owned mobile communication devices should be included in this effort.
For many devices, data security details can be found on the device’s Manufacturer Disclosure Statement for Medical Device Security (MDS2) form. The MDS2 is a standardized form intended to be filled out by medical device manufacturers to communicate information about their devices’ security and privacy characteristics to current device owners and potential buyers. The manufacturer’s answers to the questions in MDS2 forms can be used to conduct a high-level assessment of a product’s security profile.
Additionally, ECRI recommends encrypting data stored on a device whenever possible – and documenting when the data on a device has been encrypted. Encryption renders the stored data unreadable to anyone who does not hold the key, so it continues to protect the data even if the chain of custody of the device is broken. Documenting that process will assist future audits and is useful in the event of a HIPAA-related investigation.
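The inventory, MDS2 and encryption-documentation steps above come together when a device is actually scheduled for decommissioning. The following Python is an added example, not ECRI's code and not a real CMMS export: it triages constructed inventory records, keeps only devices that store PHI or sensitive IT data, chooses the media action from the intended destination (destroy the media, or remove data in a way that leaves the device functional), and lists the documentation gaps that must be closed before release. The field names and sample records are assumptions made for the demonstration.

```python
"""Triage of a CMMS export for decommissioning: which devices need data-security
handling, what to do with their media given the intended destination, and which
records are too incomplete to release the device safely. Added example, not
ECRI's code; the field names and sample records are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeviceRecord:
    asset_id: str
    description: str
    stores_phi: bool              # PHI stored, generated or communicated
    stores_it_secrets: bool       # e.g. wireless PSK, directory credentials
    media: Optional[str]          # "hdd", "sd_card", "usb", "flash" or None if unknown
    mds2_on_file: bool
    encryption_documented: bool   # encryption of stored data recorded at deployment
    destination: str              # "destroy" or "transfer" (sale, refurbishment, reassignment)


@dataclass
class DecommissionPlan:
    asset_id: str
    needs_data_handling: bool
    media_action: str
    gaps: List[str] = field(default_factory=list)


def plan_decommissioning(rec: DeviceRecord) -> DecommissionPlan:
    """Decide what the decommissioning workflow must do for one inventory record."""
    if not (rec.stores_phi or rec.stores_it_secrets):
        return DecommissionPlan(rec.asset_id, False, "none")
    gaps: List[str] = []
    if not rec.mds2_on_file:
        gaps.append("no MDS2 on file: confirm storage and data details with the manufacturer")
    if not rec.encryption_documented:
        gaps.append("encryption undocumented: treat stored data as cleartext")
    if rec.media is None:
        gaps.append("storage media not recorded: identify it before the device leaves control")
    if rec.destination == "destroy":
        action = "destroy the storage media itself"
    elif rec.destination == "transfer":
        action = "remove data from the media so the device stays functional, then verify"
    else:
        raise ValueError(f"unknown destination {rec.destination!r} for {rec.asset_id}")
    return DecommissionPlan(rec.asset_id, True, action, gaps)


def triage(records: List[DeviceRecord]) -> List[DecommissionPlan]:
    """Plans for devices that need data-security handling only, with records that
    still have documentation gaps listed first so they get attention early."""
    flagged = [p for p in (plan_decommissioning(r) for r in records) if p.needs_data_handling]
    return sorted(flagged, key=lambda p: (len(p.gaps) == 0, p.asset_id))


# Constructed sample export (hypothetical asset ids and devices).
SAMPLE_INVENTORY = [
    DeviceRecord("IMG-0101", "ultrasound cart", True, False, "hdd", True, True, "destroy"),
    DeviceRecord("CRM-0202", "cardiac device programmer", True, False, None, False, False, "transfer"),
    DeviceRecord("MOB-0303", "clinical smartphone", True, True, "flash", True, True, "transfer"),
    DeviceRecord("THM-0404", "stand-alone thermometer, no storage", False, False, None, True, False, "transfer"),
]

if __name__ == "__main__":
    for p in triage(SAMPLE_INVENTORY):
        print(p.asset_id, "->", p.media_action)
        for g in p.gaps:
            print("   gap:", g)
```

The ordering puts the programmer with no MDS2, no encryption record and unknown media at the top of the list, which is the record most likely to hold up a sale or reassignment; the thermometer with no stored data produces no plan at all.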
Steps when Decommissioning Medical Devices
ECRI recommends the following steps when decommissioning any medical device that may contain sensitive data:
To Learn More . . .
This article is adapted from ECRI’s “Information Security Considerations When Decommissioning Medical Devices” (Device Evaluation 2022 Jun 22). The complete article is available to members of ECRI’s Capital Guide, Device Evaluation, and associated programs. To learn more about membership, visit https://www.ecri.org/solutions/device-evaluations, or contact ECRI by telephone at (610) 825-6000, ext. 5891, or by e-mail at email@example.com.