Medical Device Security: A Work In Progress

Healthcare organizations vary widely in how prepared they are to handle breaches of medical devices, says a Deloitte report.
Deloitte asked the medical device security leaders where their organizations stood in several areas of cybersecurity. These included:

-- Organizational leadership. Four of the nine interviewees said their organizations have risk management policies and procedures specific to medical device security. Five said they participated in industry consortia to develop security standards.

-- Risk framework. Six device security leaders said they had a framework to provide guidance on their organization's risk management goals.

-- Identification and evaluation. Four respondents said their organizations had a framework to identify emerging risks related to medical devices. But a critical component of that process, inventory management, was a "work in progress" for some organizations.

-- Data flow. Six interviewees said their hospital systems identify and document how protected health information (PHI) is stored, processed and transmitted by networked medical devices. This is a key area for providers because the HIPAA regulations require that PHI be kept private and secure.

-- Vulnerability management. Besides the possibility of quarantining devices, five interviewees said they put physical safeguards in place to reduce the risk of theft or damage to networked medical devices.

-- Vendor agreements. The healthcare organizations were starting to consider how to integrate security requirements into device purchasing agreements. However, the interviewees agreed that "incorporating ongoing security support and maintenance into vendor agreements is not widely done or is in an area where [they] have experienced roadblocks."

-- Manufacturer engagement. Five respondents said their organization "effectively engages with manufacturers" on medical device cybersecurity. Seven interviewees said the device makers need to improve cybersecurity and privacy support and maintenance for networked medical devices.

To date, there have been no documented instances of "intentional threats" to medical devices, the report noted. However, healthcare providers are not required to report security incidents to the FDA's MedWatch or MedSun programs or the device manufacturers, unless a death or serious injury has occurred. Jones noted that these kinds of adverse incidents might be under-reported.