Consider Separate Networks for Unsecured Medical, Other Devices

Networked medical devices such as portable monitors and non-medical devices like printers represent significant threats to the security of protected health information. Organizations often fail to carefully track and update this equipment to guard against hacks.

In fact, equipment is often so old that it cannot be patched, experts say. And hospitals and other medical organizations may not even know how many devices they have or where those devices are. To manage security, health care entities need to inventory this equipment and segregate some items on limited networks.

“I have seen estimates that the average hospital has six pieces of biomedical equipment for each licensed bed, more than the number of workstations—laptops and desktops,” says Clyde Hewitt, vice president of security strategy for CynergisTek, Inc.

“It is typical for hospitals to keep medical equipment in service for 15 years or more,” Hewitt tells RPP. “These older devices rely on obsolete operating systems, some with vulnerabilities that cannot be patched. The level of security risk will vary depending on how these systems are integrated into their environment.” He adds that it’s not possible to determine the level of cybersecurity risk without an assessment of each individual device and how it’s used in its environment.

It’s possible to secure these devices so that they’re unlikely to lead to a HIPAA breach. However, doing so first requires awareness of the problem.

“The challenge is that, when HIPAA came out, senior staff was focused on servers and laptops,” Hewitt says. “Since then, biomedical equipment has been storing so much patient data. It’s generally not managed by the IT department,” which means the security-savvy IT staff generally isn’t involved.

“For most people, when a laptop gets to be four years old, it’s ready for the trash heap,” Hewitt says. The same rule doesn’t apply to biomedical equipment. Older equipment is likely running Windows 95 or XP, two versions that aren’t supported any longer, he says.
