Internet explorer is no longer supported

We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.

Guidance on protecting connected medical devices

Date Published:: 3 October 2022

Current Chapter

View all

Next Chapter

Step 1. Identify connected medical devices

Page contents

Notes about this guidance
The issues related to connected medical devices

Notes about this guidance

This guidance has been written to cover a very broad remit. Individual trusts and healthcare providers will have to interpret this information and apply security measures in a way that makes sense for them, as the same mitigations will not be appropriate across all healthcare providers in the UK.

The issues related to connected medical devices

Medical devices are highly regulated and controlled due to the risks involved in patient safety. Modifications, including software and hardware, are not permitted, unless authorised by the medical device manufacturer, who will have conducted extensive validation and verification procedures in line with the appropriate regulations.

Therefore, using medical devices on clinical networks has the following issues:

it may be impossible to upgrade the operating systems (such as moving from Windows 7 to Windows 10) due to hardware dependencies or software driver issues. In addition, medical devices may be more vulnerable due to greater software complexity, potentially employing multiple means of connectivity, a greater pressure to keep the device available vs devices in other areas, long device lifetimes (>10 years), and greater restrictions on device updates placed on hospital ICT departments
as a medical device, security updates, patches and potentially virus signatures must be properly assessed by the medical device manufacturer and confirmed as safe before they can be implemented on the medical device. This can take 3 months (or longer) from the time that a security update is released. Some patches will only be implemented as an upgrade to the overall software and not as individual patches, further delaying the remediation process
when security updates are released, they are retro-analysed by attackers, increasing the likelihood that exploitable vulnerabilities will become known
the latest security mitigations not being present, increases the impact of vulnerabilities, making exploitation more likely to succeed, and making detection of any exploitation more difficult
the medical device may no longer be supported by the manufacturer (end of support) but still being used.

In combination, these issues mean that high-impact security incidents become more likely to occur. Security incidents affecting connected medical devices can cause significant disruption to the delivery of healthcare services.

The following steps should apply to any network connected medical device regardless of operating system.

It's not possible to mandate updating a medical device operating system or the installation of any additional software. Therefore, other mitigations will be required.

Last edited: 15 March 2023 10:29 am

Next Chapter

Step 1. Identify connected medical devices

Chapters

Guidance on protecting connected medical devices
Step 1. Identify connected medical devices
Step 2. Create a mitigation plan
Step 3. Apply mitigations to reduce the likelihood of compromise
Step 4. Apply mitigations to reduce the impact of compromise
Step 5. Understand third party connections
Step 6. Periodically review your estate
Step 7. Have a decommissioning/replacement plan