Information Security Considerations when Decommissioning Medical Devices

What do you do with a medical device when it reaches the end of its useful life?

Tue Oct 25 2022By ECRI

What do you do with a medical device when it reaches the end of its useful life? If the device was used to store, generate, or communicate protected health information or other sensitive data, you can’t just dispose of the device “as is.” You’ll first need to take steps to minimize security risks.

When a medical device either reaches the end of its useful life or otherwise is no longer needed for use, it is ready to be decommissioned – by disposal, by sale, by refurbishment, by reassignment to another location within the facility, or by other means. Decommissioning needs to be a structured process, however. Many medical devices can’t simply be discarded or given away “as is.”

Health care facilities must take steps to prevent the device from posing a risk to the community – for example, by cleaning and decontaminating it. And they must take steps to prevent the exposure of protected health information (PHI) or other sensitive data that may be on, associated with, or accessible using the device. From an information security perspective, that second point is critical.

Data Security Concerns

The decommissioning process for any medical device that may contain sensitive data needs to account for the proper disposition of that data, regardless of the ultimate destination for the device (i.e., reuse or destruction). Imaging devices, for example, generate data that constitutes PHI; and most have the ability to store or archive that data until it is transmitted to integrated clinical systems. Cardiac device programmers grab data from the patient for analysis. Smartphones that are used in a clinical environment include patient care and other sensitive data from secure communications between clinicians. These are just a few of the many technologies and scenarios that would be of concern if data is not safeguarded before a device leaves the facility’s control.

The need to safeguard PHI and other patient data is an obvious concern. Health care facilities can be subject to fines or other punishment if unsecured PHI is made accessible to unauthorized parties. “But PHI breaches are not the only concern,” cautions Chad Waters, senior cybersecurity engineer in ECRI’s device evaluation group. “Some devices include sensitive IT data that could be used as intelligence in a cyberattack against your organization.” Examples include network configuration settings and user, device, or network credentials, such as a wireless Pre-Shared Key (PSK) or Active Directory accounts.

The most appropriate method for removing sensitive data from a device will depend on the intended destination for the device. If the device is to be destroyed, then the storage media itself (e.g., a computer’s hard drive, an SD card, a USB drive) can be destroyed – that’s the best-case scenario from an information security perspective. But if the device is to be transferred for use in another setting, the storage media must be handled in a way that allows the device to remain functional

Organized from most to least secure, some of the most common data destruction methods are:

  • Removing and physically destroying the storage media
  • Sanitization of the storage media, by erasing or wiping the data using software tools.
  • Performing a factory reset
  • Using device-provided methods to delete data (e.g., delete diagnostic studies). This may be performed within the device user interface, or by deleting data at the operating system (OS) level. With such methods, the data itself may not be deleted; rather, the pointers to that data are deleted.

Note that the last two options make data retrieval difficult, but not impossible.

Steps to Facilitate Decommissioning

Several steps can be taken in advance to facilitate eventual decommissioning when a device is no longer needed for use at a health care facility.

One key step is to maintain an up-to-date inventory of all devices and systems that store, generate, or communicate PHI or other sensitive data. This information will help you identify devices that require data security measures when decommissioning. ECRI recommends recording data security details for each device in your computerized maintenance management system (CMMS) or similar equipment database for easy retrieval. Facility-owned mobile communication devices should be included in this effort.

For many devices, data security details can be found on the device’s Manufacturer Disclosure Statement for Medical Device Security (MDS2) form. The MDS2 is a standardized form intended to be filled out by medical device manufacturers to communicate information about their devices’ security and privacy characteristics to current device owners and potential buyers. The manufacturer’s answers to the questions in MDS2 forms can be used to conduct a high-level assessment of a product’s security profile. 

Additionally, ECRI recommends encrypting data stored on a device whenever possible – and documenting when the data on a device has been encrypted. Encryption protects data and makes it inaccessible to an unauthorized party. Thus, encryption provides protection in the event that the chain of custody of the device is broken. Documenting that process will assist future audits and is useful in the event of a HIPAA-related investigation.

Steps when Decommissioning Medical Devices

ECRI recommends the following steps when decommissioning any medical device that may contain sensitive data:

  1. Request guidance from the device manufacturer about all the locations where data is stored on the device and about recommended methods for removing sensitive data during decommissioning. Ask if there are software utilities available to wipe sensitive data. The device’s instructions for use may offer some guidance, but facilities may need to contact the manufacturer directly for this information.
  2. Destroy or remove the data on the device using the most secure method practical, given the intended destination for the device (i.e., reuse or destruction). As noted above, options include (from most to least secure): removing and physically destroying the storage media, erasing or wiping the data, performing a factory reset, or using device-provided methods to delete data.
  3. Disassociate the device from any management server or cloud service. A remote patient monitoring system, for example, may be associated with a cloud service during use. If care isn’t taken to disassociate the device from the cloud service when decommissioning it, the potential exists that the device could later rejoin the cloud management system if reactivated, providing an unaffiliated user with access to data from the original facility. Disassociation may be performed at the device, at the server/cloud interface, or both. Refer to documentation for specific instructions. 
  4. Remove all IT and interoperability configurations. This can include, but is not limited to, IP addresses, wireless settings, Active Directory accounts, and DICOM configurations.
  5. If using a salvage company or other third party to dispose of the device or its storage media, wipe data prior to transfer and obtain documentation confirming that the storage media will be destroyed. It is advisable to get a business associate agreement (BAA) with that service provider to ensure compliance.
  6. Document in your CMMS and/or configuration management database (CMDB) that the device has been decommissioned, including serial numbers and details about the method used to destroy or secure the data. 

To Learn More . . .
This article is adapted from ECRI’s “Information Security Considerations When Decommissioning Medical Devices” (Device Evaluation 2022 Jun 22). The complete article is available to members of ECRI’s Capital Guide, Device Evaluation, and associated programs. To learn more about membership, visit, or contact ECRI by telephone at (610) 825-6000, ext. 5891, or by e-mail at

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Please review our Privacy Policy for more details.
I Agree