Best practices for protecting medical devices against ransomware attacks

In this day and age, no government, business, or organization is safe from ransomware, not even our frontliners in the healthcare industry. It is no exaggeration to say that ransomware puts not only your business's bottom line and reputation at stake but also human lives. Knowing how to protect medical devices against ransomware attacks and other cyber threats is becoming increasingly critical to running a secure and compliant medical operation.

Ransomware gangs have once again proven their endless opportunism. In fact, ransomware attacks surged in the wake of the COVID-19 pandemic. Recent high-profile incidents involving LabCorp and the New York Metro’s InfraGard show the pressure the industry is under.

The best way to build up resiliency is to maintain solid best practices when securing medical devices.

Ensure That You Are HIPAA Compliant

First and foremost, you should protect yourself, as well as your sensitive data, by adhering to HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance regulations. These federally mandated guidelines exist to protect the confidentiality, traceability, and integrity of patients' PHI (personal health information).

HIPAA is as much about transparency and education as it is about the actual protection of private data. HIPAA regulations describe in detail how to protect this information by implementing:

  • Technical safeguards
  • Physical safeguards
  • Administrative safeguards

If data on your medical devices is compromised and you are found not to be HIPAA compliant, it can lead to steep fines. In 2019 alone, the OCR issued 10 HIPAA penalties amounting to $12,274,000 (on average $1,227,400 each).


LIFARS Compliance Advisory is designed to understand your compliance needs, ascertain current status, provide remediation guidance, and conduct a post-remediation assessment to ensure compliance with regulatory mandates.


Data Backup Protocols

Data loss can cause just as much damage to a medical practice, and just as much harm to patients, as data theft. To avoid this disruptive outcome, you need to ensure business continuity and access to your data, even in the event of a successful ransomware attack or total loss.

Knowing how to secure backups against ransomware attacks will become increasingly important as medical data grows.

While it might not be feasible for all practices, following the principles of the 3-2-1 rule can help provide redundancy. Basically, the rule is that you should have at least 3 copies of your data, of which 2 are backup copies. At least one backup copy should be stored off-site or on a different medium, such as cloud storage or a remote server.

Conduct Regular Risk Assessments

You can't effectively implement security without knowing where your vulnerabilities lie, which threats you face, and where they come from. In the medical field, completing a thorough cybersecurity readiness audit can be even more challenging.

Medical devices may require more specialized security solutions than are typically available. You may also have to take additional preventative measures with a layered security solution to cover your entire threat surface, not to mention the difficulty of aligning your security policies and procedures with the complex regulatory landscape.

As the COVID-19 pandemic proved, the level and types of threats you face will change over time. This means you’ll have to continuously reassess your needs and shift your security posture appropriately.

Provide Cybersecurity Education and Training

Human error is still a leading factor in most successful cybersecurity incidents, and human actions play a crucial role before, during, and after a cyber-attack. Examples include unknowingly downloading malicious files from a phishing email, missing the signs of a possible infection, and not knowing which procedures to follow when an attack is detected.

In the medical field, there are also unique situations in which human error can lead to ransomware attacks or hamper their remediation. HIPAA regulations, for example, also provide guidelines on secure employee behavior and practices, such as physically limiting access to certain devices.


Medical device manufacturers are already held to a high standard when it comes to security. However, in practice, many of the threats and vulnerabilities facing these machines have their roots elsewhere. Following best practices that holistically address security across your organization is the best way forward when protecting medical devices against ransomware attacks.