BLOG

by Jonathan Elmer

Medical devices are essential to patient care, from lifesaving implantable devices, to advanced diagnostic tools and clinical applications. However, IT and cybersecurity events including disasters such as hurricanes, floods, and power outages can severely impact the functionality and availability of these devices, putting patient safety and healthcare operations at risk.

In its recently published guidance, Emergency Situations (Medical Devices), published on 09/04/2024, the FDA emphasizes the importance of preparing for such emergencies. The guidance urges healthcare providers, manufacturers, and distributors to ensure medical devices remain safe, functional, and available in times of crisis. This includes understanding how devices may be affected by environmental factors, power loss, and potential supply chain disruptions and encouraging proactive steps to maintain continuity of care.

During Hurricane Maria in 2017, the power outages in Puerto Rico led to a significant shortage of medical supplies, including IV bags, which disrupted hospital care across the U.S. and compromised patient treatment. Furthermore, serious shortages of medical devices during the COVID-19 pandemic due to supply chain disruptions delayed the availability of ventilators and other critical devices, impacting patient outcomes.

Several high-profile incidents have shown the dangers of medical devices becoming unavailable due to cyberattacks. A 2020 ransomware attack on a hospital in Düsseldorf, Germany, led to the death of a patient who was diverted after the emergency department shut down. Similarly, a lawsuit in Alabama claimed a delayed pre-birth test due to a cyberattack resulted in a newborn’s death. These events highlight the life-threatening risks when medical devices are compromised during emergencies.

At Meditology Services, we help healthcare providers align with these FDA recommendations and industry best practices to ensure that their medical device environments are resilient in the face of disasters. Our services include:

• Comprehensive Medical Device Risk Assessments: Our all-encompassing, cybersecurity-driven risk assessments cover every critical aspect of your medical device environment. From asset management and vulnerability tracking to third-party and supply chain risk, network security, and governance, we leave no stone unturned to safeguard your devices and ensure operational resilience.
• Device Vulnerability and Cybersecurity Assessments: We go beyond physical threats by assessing how medical devices may be impacted not only by power loss, moisture, or contamination during emergencies but also by cybersecurity vulnerabilities. Our in-depth evaluations identify potential weaknesses in your devices' security posture, including risks from outdated software, unpatched vulnerabilities, and network exposure.
• Supply Chain Risk Mitigation: We assess potential disruptions in your medical device supply chain and develop strategies to ensure continued availability during emergencies, following the FDA’s latest recommendations.
• BC/DR Preparedness Enhancements: We conduct thorough business continuity and disaster recovery (BC/DR) assessments aligned with the FDA guidance to help you implement robust plans that maintain medical device functionality during adverse conditions.

In addition to these services, healthcare providers can take general steps to enhance their medical device resiliency, such as:

• Regularly testing backup power systems to ensure medical devices remain operational during power outages.
• Creating a comprehensive inventory of critical devices to quickly identify priority equipment in emergency situations.
• Training staff on emergency protocols for storing and using devices safely during environmental challenges like moisture or contamination.
• Collaborating with suppliers to establish contingency plans that address potential supply chain disruptions.

Following the FDA’s new guidance and these general tips is key to ensuring the resilience of your medical device ecosystem. Partner with Meditology Services to prepare your clinical setting for unexpected events and ensure your devices remain operational when needed most.

Helpful FDA Links:

Emergency Preparedness and Medical Devices: Supply Chain Recommendations for Health Care Providers, Device Manufacturers, and Distributors

Emergency Preparedness and Response

FDA Offers Tips about Medical Devices and Natural Disasters

About the Author

Jonathan Elmer, CISSP - Sr. Manager IT Risk Management and Technical Lead  

Jonathan Elmer is a seasoned cybersecurity professional and IT risk management consultant with over a decade of experience. Adept at delivering impactful information security solutions aligned with business objectives, with a proven track record in leading regulatory and compliance focused initiatives and spearheading the implementation of technical security programs. Notable roles include Chief Information Security Officer, Technical Services Lead, Medical Device Security Architect and Sr. Manager of IT Risk Management Consulting at Meditology Services, demonstrating leadership and expertise in project delivery, strategic direction, and client engagement.