K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18 13
Figure 1. Simplified flow of cybersecurity policy to enhance hospital and patient safety.
Table 6. Possible indicators of a phishing email [59].
Suspicious senders: The sender of an email should be legitimate, have the correct spelling and domain name for the topic, and should not be a spoof email. A spoof email sender will have a different email address when the cursor is hovered over the sender’s name.
Unnecessary or unwarranted urgency: Emails that seem particularly urgent play on stress to avoid scrutiny. Urgent emails out of the blue should be viewed with suspicion, particularly if they ask for account access to anything.
Too good to be true messages: If a message seems too good to be true, there is a high likelihood that it is. Caution when clicking on any links or attachments in these emails is warranted. Verification of legitimacy from an outside source is recommended.
Embedded or spoofed hyperlinks: The website associated with a hyperlink can be verified by hovering the cursor over the link. Ensure that the website you expect is the actual hyperlinked website before clicking on the link. Unexpected or gibberish links should not be trusted.
Grammar or spelling mistakes: Emails with spelling, grammar, or layout mistakes are likely not from large corporations’ marketing departments, but instead are knockoffs with malicious intentions.
required. Cybersecurity updates are legally required over the lifetime of the device, both on a schedule and when major vulnerabilities are found. A Software Bill of Materials (SBoM) is to be provided by the manufacturer to the hospital upon purchase of a product. This SBoM is a list of all software components, particularly those from subcontractors or outside parties, such as the Windows operating system. This allows the hospital IT department to track if updates or patches are necessary in the future.
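The tracking that an SBoM makes possible can be sketched as below. This is an added example, not code from the article: the CycloneDX-style JSON layout, the device and component names, and the advisory feed are all constructed assumptions.

```python
import json
import re

# Constructed SBoM for a hypothetical device; the CycloneDX-style layout is an assumption.
SBOM_JSON = """
{"bomFormat": "CycloneDX",
 "metadata": {"component": {"type": "device", "name": "example-pump"}},
 "components": [
  {"type": "operating-system", "name": "example-os", "version": "10.2.9", "supplier": {"name": "Example OS Vendor"}},
  {"type": "library", "name": "example-tls-lib", "version": "3.4.0", "supplier": {"name": "Example Subcontractor"}},
  {"type": "library", "name": "example-db-engine", "version": "3.39.2"},
  {"type": "application", "name": "example-remote-agent", "supplier": {"name": "Example Subcontractor"}}
 ]}
"""

# Constructed advisory feed (hypothetical IDs and format): each entry names the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "example-os", "fixed_in": "10.2.11"},
    {"id": "EXAMPLE-0002", "component": "example-tls-lib", "fixed_in": "3.4"},
    {"id": "EXAMPLE-0003", "component": "example-db-engine", "fixed_in": "3.40.0"},
    {"id": "EXAMPLE-0004", "component": "example-remote-agent", "fixed_in": "2.0.0"},
    {"id": "EXAMPLE-0005", "component": "not-in-this-device", "fixed_in": "1.0.0"},
]

def version_key(version):
    """'10.2.11' -> (10, 2, 11): numeric compare, trailing zeros ignored so 3.4 == 3.4.0."""
    parts = [int(n) for n in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def patches_needed(sbom_text, advisories):
    """Return one finding per advisory that applies to a component listed in the SBoM."""
    sbom = json.loads(sbom_text)
    device = sbom.get("metadata", {}).get("component", {}).get("name", "unknown")
    listed = {c["name"].lower(): c for c in sbom.get("components", [])}
    findings = []
    for adv in advisories:
        comp = listed.get(adv["component"].lower())
        if comp is None:
            continue  # component is not part of this device
        installed = comp.get("version")
        if installed and version_key(installed) >= version_key(adv["fixed_in"]):
            continue  # installed version already includes the fix
        # No version in the SBoM means exposure cannot be ruled out: flag for review.
        action = "patch" if installed else "review"
        supplier = comp.get("supplier", {}).get("name", "unknown")
        findings.append((device, adv["id"], comp["name"], action, supplier))
    return findings
```

Each finding carries the supplier name so the request for a patch can be routed to the manufacturer or subcontractor responsible for that component.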
Discussing options
It is also in the best interest of perfusionists and healthcare centers everywhere to ask MDMs for cybersecurity patches or updates for legacy devices and older models of devices that do not have any cybersecurity but are still within the expected lifetime of the product. MDMs may be able to support the request, but even if they are not, it provides increased awareness among MDMs that these features are wanted and expected in products and could move the needle on what they focus on for the future. Perfusionists often are able to choose which products they need and which company they purchase from. As the primary customer interface for some very niche and expensive products, perfusionists have the power to drive the market in this way. The IT department of a hospital may be brought into a conversation about future product cybersecurity if a line of communication is established between the two departments.
For perfusion teams that use external perfusion record companies, there should be a similar inquiry regarding the digital security of the company that supports them. Like many other third-party healthcare vendors, if a cyberattack were to hit one of these companies, it could potentially wipe out the records of multiple healthcare centers, having an outsized effect on patient care. This could be particularly critical if the company also has the ability to remotely access equipment for software upgrades. If a remotely accessible pump or ECMO machine were interfered with during a third-party breach, there could be a direct and immediate effect on a patient’s life.