K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18 11
increase in governmental interest in establishing solid foundations for all national cybersecurity needs, but it is still very much under development. Table 5 covers a brief synopsis of each department as well as the influence of both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act that came before them.
For perfusionists, the DHHS also coordinates the Health and Human Services Cyber Performance Goals, which are a set of two levels of goals: essential and enhanced. These goals include the presence of an Incident Response plan as an “enhanced goal.” Vulnerability remediation planning, supply chain incident reporting, and vulnerability disclosure are also potentially relevant goals [54]. As of October 2024, there are also two proposed bills awaiting decision by Congress regarding enhancing the regulation of healthcare cybersecurity [55, 56].
Table 5 is by no means a comprehensive review of all vested parties with regard to cybersecurity and the healthcare field. There are many other organizational branches within the US government, as well as US nongovernmental organizations and international organizations that have regulations and guidelines. The FDA recognized the guidance from the Association for the Advancement of Medical Instrumentation in 2023 [57]. The International Standards Organization and the International Electrotechnical Commission are both referenced in many instances [8].
In a 2024 article, Pourmadadkar, Lezzi, and Ardebili identified that cybersecurity risks are the primary threat to critical healthcare infrastructure [58]. Their study focused on risk associated with disruptions during a coronary artery bypass graft procedure (CABG) and specifically cited that a lack of legislation and policy on cybersecurity contributes to the severity of the risk that cyberattacks pose to CABG surgery [58]. While US legislation may be patchy, individual organizations have increasingly taken it upon themselves to empower individual professions. One example of this is the AHA, which has advice and programs that healthcare organizations can use to bolster their cyber defenses [39]. The interaction between sources of cybersecurity policy and security can be pictured in Figure 1.
Current cybersecurity for perfusionists
Perfusionists already participate in many hospital-wide cybersecurity initiatives. Hospitals implement test phishing emails and yearly training on digital security and physical security with regularity. These are the basics that keep hospitals minimally safe. While it is imperative that competence, if not excellence, be displayed on these fronts, there are additional threats that may be attributed to perfusion or perfusionists from equipment and vendors, even without active knowledge of the hazards they pose.
Perfecting the basics
– Phishing remains a very large threat to hospital systems, for a wide variety of reasons. Stress, burnout, and excessive emails all contribute to lowered ability to accurately detect phishing threats, whereas time, repetition, and personal experience all lead to higher detection rates among professionals [8, 10, 33]. It has become increasingly common practice over the last decade to have healthcare IT groups send test phishing emails to employees. These emails serve multiple purposes: first, alerting the employee in question as to whether they are being attentive and cautious in their online practices, and second, slowly introducing repetition and practice that employees need to maintain reasonable scrutiny long term. See Table 6 for common indicators of a phishing email.
– Hospitals also frequently have yearly online training programs focused on proper handling and disposal of protected information. They also cover physical security, such as not allowing strangers to tailgate through badge-access-only areas, since a cybercriminal could use this method to get to individual devices or secure network jacks. They also tend to reinforce the policy of having secure passwords and never leaving a computer unlocked, which are core components of digital security.
– Cyber hygiene is a set of practices that helps keep networks and data secure by reducing risk factors. This includes practices like good password management, a healthy suspicion of phishing emails, consistently updating software, and using antivirus software. The promotion of good cyber hygiene is a key way to promote digital security culture in the healthcare setting [7]. Beyond training with hospital practice phishing emails and the general promotion of cybersecurity awareness, cyber hygiene includes an emphasis on reducing the leakage of information on social media platforms [8]. The use of information gathered online to target specific individuals is known as spear phishing, and it can be even harder to detect than traditional phishing. Spear phishing emails can look more authentic and generally contain enough personal details to convince an unaware individual that they have a legitimate business or individual behind them. Some of the ways to combat this include limiting online presence, not posting any personal information, and going through the security settings of all social media apps and setting them to the highest privacy levels [8].
Raising awareness
The relatively sheltered and anonymous position that perfusion holds may have inadvertently allowed a lack of investment in digital education over the past decade. Hospital departments that were more vulnerable to cyber threats due to high levels of connectivity or media attention from high-profile security flaws have been under heavier scrutiny and have been the focus of security improvement because of that. Radiology, cardiology, anesthesia, endocrinology, neurology, and mental health all fall under this umbrella and have been the subject of research, education, and IT improvements [7, 11]. As other hospital departments, including surgery and perfusion, become more and more integrated, it is imperative that the lessons learned by others in the past decade be well utilized.
A major advantage that the perfusion profession has is the legislation that has been pushed through, and the prominent device cybersecurity failures that have motivated improvements