How Medical Device Cybersecurity Complements Physical Access Control

It’s only reasonable that access to sensitive medical devices should be restricted to those who require it. Physical access guidelines are designed to ensure that only professionals with the proper knowledge and need can utilize medical equipment to the greatest extent possible.

However, focusing solely on monitoring and controlling physical access leaves a massive hole in a healthcare organization’s defenses. Medical devices are increasingly network connected and can be exploited digitally just as easily as physically. In fact, devices are attacked digitally more often, and by a wider range of bad actors, than they are illegitimately accessed physically.

Only by combining physical access control mechanisms with digital access rules and oversight can you ensure the connected devices on your network remain safe and reliable.

Physical Access Control Requirements and Challenges

Restricting physical access to medical devices is a key concern in healthcare organizations. Not only are these devices sensitive and expensive, they often contain patient health information that organizations are expected to protect. In a publicly accessible hospital, strong access control is often easier said than done, which is why smart administrators may look to bolster their efforts with digital means. All too often, though, digital access control is neglected, and when it is embraced it’s usually treated as separate and distinct from physical access control.

The Health Insurance Portability and Accountability Act (HIPAA) spells out specific security requirements for the protection of patient privacy and well-being. For many of these requirements, a cybersecurity solution has clear applications. For example, Section 164.308 of HIPAA specifies that hospitals must "implement policies and procedures to prevent, detect, contain, and correct security violations." It includes specifications for digital risk analysis, risk management, and record-keeping. Good cybersecurity solutions are developed with these requirements in mind and facilitate compliance as a natural consequence – automating much of the heavy lifting involved.

The role of a cybersecurity solution in meeting physical access control requirements, however, is less clear. Under Section 164.310 of HIPAA, hospitals are also required to "implement policies and procedures to limit physical access to… electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed." This requirement generally means that healthcare organizations not only have to keep sensitive facilities under lock and key, but also establish policies and procedures governing the "transfer, removal, disposal, and re-use of electronic media to ensure appropriate protection of electronic protected health information."

Of course, compliance isn't the only consideration when it comes to physical access control. Quality of care and patient privacy are also at risk when device and data security are compromised. If healthcare records are easily accessible because medical devices are left unsecured, for example, it represents a serious violation of patient trust. Unauthorized access to other devices, such as drug infusion pumps, can have grave consequences for patient health and well-being.

When anyone could come in off the street and find himself or herself within reach of dozens of medical devices, monitoring and restricting physical access becomes a Sisyphean task. Naturally, with such high stakes, healthcare organizations take physical access control very seriously despite the difficulty of the task. And yet, physical access control policies are seldom developed in tandem with digital access control and cybersecurity policies.

Combining Digital and Physical Access Control Efforts

Digital and physical access control should not be considered separate processes. They are two halves of the same objective and should be treated as such under a comprehensive cybersecurity plan. Oftentimes, physical access can be better monitored and controlled through digital means. If you can do that leveraging the same cybersecurity solution you use to monitor and control digital access, it’s a win-win.


For example, as 2013’s Omnibus Final Rule explains, “[Even with regards to devices not generally relied upon for data storage,] covered entities and business associates should be aware of the capabilities of these devices to store protected health information and must ensure any protected health information stored on such devices is appropriately protected and secured from inappropriate access, such as by monitoring or restricting physical access to a photocopier or a fax machine that is used for copying or sending protected health information.”

You can’t simply put a turnstile in front of the fax machine and call it a day; you need something more sophisticated. Even if you retrofit the device so that it can only be used with a magnetic access card, if the card is stolen or otherwise misappropriated, you’ll never notice. Indeed, HIPAA’s 45 CFR § 164.310 not only requires that access be controlled but also that it be validated. For this, more often than not, it’s the digital way or the highway.

A cybersecurity solution could monitor physical access to the machine, sending out real-time alerts when unauthorized access is detected. This makes access control more manageable, even in a crowded and publicly accessible environment. And while there is no such thing as a truly 100% infallible security enforcer – and digital systems can be beaten just like their physical counterparts – the difference is that even when you manage to outsmart digital defenses you inevitably leave some sort of a trail. That trail, or the lack thereof, would satisfy your obligation to validate physical access in a way that would not otherwise be possible.

Seamless Access Control via Cybersecurity Management

Physical access control is an obvious necessity when it comes to sensitive medical devices. Not only do healthcare organizations want to protect their investment and ensure that key medical devices work properly, they are also responsible for protecting patient health information that could be stored within the device. At the same time, it’s incredibly short-sighted, outdated, and out-of-touch with the modern medical device landscape to limit that responsibility only to the physical realm.

While many healthcare organizations maintain secure offices and facilities, medical devices (subject to the regulatory implication of being “data storers”) necessarily move around and enter high-traffic, publicly accessible spaces where they cannot always be physically locked away. If you’re investing in smart cybersecurity tooling anyway, you might also want to think about how you could put it to use to complement your other physical access control measures.

Digital monitoring tools can be especially useful for access validation and review purposes as well as in building real-time response capabilities – alerting administrators whenever unauthorized access occurs. Indeed, a new generation of solutions has emerged to serve this sort of functionality. These solutions run across and streamline biomedical operations, network management, information security, and compliance workflows to consistently deliver the best possible patient outcomes.

Only by combining physical and digital access control mechanisms can you ensure that your medical devices remain safe and reliable – enabling your healthcare organization to run a tight ship and dependably deliver a high level of care.