The Journal of ExtraCorporeal Technology No 58-1 | Page 20

14 K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18
Beyond encouraging MDMs to consider supporting the software patching of older or legacy devices, another thing that perfusionists can ask for is the disabling of network ports on devices upon their retirement from support. Items that do not need to connect to the hospital network should not maintain that capacity if they are vulnerable. If this is not reasonable for patient care reasons, then working with IT to ensure that the device is properly isolated on the network is imperative.
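What "properly isolated on the network" means in practice is a default-deny policy on the firewall or router fronting the legacy device, permitting only the peer and port the device actually needs for patient care and logging everything else. The ruleset below is an added example written for this edition, not from the article or from any device manufacturer; the VLAN range, server addresses, jump host, and the HL7 MLLP port (2575) are assumed placeholders that hospital IT would replace with its own values.

```nft
# Added example (not from the article): nftables segmentation policy for a
# VLAN holding legacy medical devices that must stay connected.
# Assumed placeholder addresses:
#   10.50.1.0/24  legacy device VLAN
#   10.10.0.5     EMR integration server (HL7 MLLP listener, TCP 2575)
#   10.10.0.9     vendor remote-support jump host
table inet legacy_device_isolation {
    chain forward {
        # Default deny: nothing crosses into or out of the legacy VLAN
        # unless a rule below explicitly allows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already permitted below
        ct state established,related accept

        # The device may open connections only to the EMR integration
        # server, and only on the HL7 MLLP port.
        ip saddr 10.50.1.0/24 ip daddr 10.10.0.5 tcp dport 2575 ct state new accept

        # Vendor remote support is reachable only from the named jump host.
        # Removing this rule is how IT "shuts down remote access" quickly.
        ip saddr 10.10.0.9 ip daddr 10.50.1.0/24 tcp dport 22 ct state new accept

        # Everything else touching the legacy VLAN is logged, counted, and
        # dropped, so unexpected connection attempts show up in review.
        ip saddr 10.50.1.0/24 log prefix "legacy-vlan-drop " counter drop
        ip daddr 10.50.1.0/24 log prefix "legacy-vlan-drop " counter drop
    }
}
```

The ruleset is loaded with `nft -f` on the segmentation gateway. The log prefix gives the department and IT a concrete thing to watch: any "legacy-vlan-drop" entry is a device (or something on the hospital network) trying to reach a peer the policy never intended, which is exactly the kind of misbehaving IoMT device the next section asks end users to be ready to report.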
Next steps for perfusionists
What can individuals actually do to help with cybersecurity? There are plenty of recommendations available for IT experts, healthcare administrators, and researchers. Many of those recommendations even include the suggestion that every healthcare staff member be educated on cybersecurity, but there are few articles written for end users of medical devices [3, 4], and end users are the ones most likely to be caught unawares by an IoMT device that is misbehaving, by a phishing email, or by the clinical consequences of not being prepared for a system-wide lockout. Healthcare employees are certainly not being asked to become experts in cybersecurity, but recognizing where there are modifiable cybersecurity risks is of value to everyone [13]. Essentially, what can we do to better ourselves?
Education
The first and most important step is to coordinate with all relevant departments. As perfusionists, we work with anesthesia, nursing, and surgery, all of whom are at varying levels of vulnerability but could suffer the same consequences of being unprepared if anything were to happen to the hospital network as a whole. Ask questions and share information concerning the risks of intra- and interdepartmental devices. Coordinating questions and answers with the hospital IT team and supporting each other in learning is a great way to raise the bar across all departments. As much as 95% of data breaches within the healthcare field stem from human error [2, 10, 13]. Every department within the hospital can stand to brush up on its knowledge of common threats and ways to reduce vulnerability.
It is also critical to know what personnel resources are available to the team and how to contact them [3]. If someone from perfusion notices a suspicious email, do they know how to report it to their IT team? If an anesthesia monitor does not seem to be properly reporting infusion rates or drugs to the patient's chart, who gets called, and by whom? If a legacy device is about to be connected to an EMR and a team member has concerns about the risks of that, is there someone in charge who can be contacted? Are there MDM cybersecurity experts available to answer questions regarding medical devices? Outside of the hospital, who is the state's local Cybersecurity & Infrastructure Security Agency (CISA) representative? CISA representatives are available for public outreach and education when requested, and there are educational resources and training courses available on their website. Should someone have serious concerns with the state of healthcare cybersecurity as a whole, are they aware that many FDA proposed guidance documents have a period of public comment online?
It is not taught, but it is equally important to know where individual system failure points could be and what to do if those systems go down. If an external perfusion record company is taken out by a cyberattack that does not impact the hospital network, is the department prepared to go without it? Does the hospital have the ability to roll back an update on a pump if a new vulnerability is noticed, or to shut down remote access if there is a risk of malware unintentionally brought in from that third-party vendor? If the hospital is hit with a DDoS attack and devices fail to connect and emails do not go through, how will the relevant departments coordinate?
Recommendations that may be implemented by perfusionists or perfusion departments include:

- Practice simulations of cyberattacks or severe downtime incidents [3, 11].
- Store policies offline; in particular, the cyber-incident response plan should be kept offline and in hard copy [3].
- Regularly back up department data and relevant software and store the backups offline [2, 3].
- Do not connect to public Wi-Fi [11].
- Do not leave devices that can access PHI unattended [11].
- Use multifactor authentication whenever possible [59].
- Educate all employees so that workarounds are not used to avoid cybersecurity controls [2].
- Do not access the web from critical devices such as downtime computers [3].
- Educate and re-educate employees to recognize phishing attempts and ensure they understand the potential severity of the consequences of not recognizing one [3].
- Reduce the risk of spear phishing attempts by utilizing the security settings on social media platforms and avoiding posting personal or job-related information [8].
- Put access controls on individual devices and ensure that sessions time out [11].
- Revoke email distribution list access from individuals who no longer belong on it.
- Revoke client or user access from individual devices when it is no longer warranted [3, 59].
- Know what a reportable cyber incident is and whom to report it to [3].
- Open communication channels between IT personnel and individual departments to ease feedback and allow IT to address workflow issues if necessary [5, 11].
- Provide additional security training to individuals with access to privileged accounts [3].
- When involved in purchasing new devices, ask third-party vendors about their cybersecurity policies, how much cybersecurity support there is for their device, how long that support lasts, and whether they support legacy devices. Also inquire as to the security of their subcontractors or suppliers.
- When involved in purchasing, a Manufacturer Disclosure Statement for Medical Device Security (MDS2) should be required and provided to IT [4, 59].