The Journal of ExtraCorporeal Technology No 58-1 | Page 21

K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18 15
When involved in purchasing, ensure that a Software Bill of Materials (SBOM) is included and provided to IT [59].
Password-related advice includes:
Do not reuse passwords.
Do not share passwords.
Change passwords frequently [11, 59]; note that NIST SP 800-63B now recommends changing a password on evidence of compromise rather than on a fixed schedule, so where rotation is still enforced the next two points matter all the more.
Do not use passwords that are one number or letter off from previous passwords [7].
Use a 15-character minimum for passwords [59].
Change any default passwords on devices before connecting the device to a network [59].
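The password rules above can be enforced mechanically at password-change time. The following Python is an added example, not code from the original article or from any cited source. The vendor default list, the sample passwords and the policy values are constructed, and PBKDF2 with 100,000 rounds stands in for whatever hashing the real system uses. It also reflects a design constraint worth knowing: only the current password is available in plaintext when a user changes it (the user types it to authorize the change), so the one-character-variant check runs against the current password, while older passwords exist only as salted hashes and can be checked for exact reuse but not for near-variants.

```python
"""Password-change checks for the advice above: minimum length, no known
vendor defaults, no reuse of recent passwords, and no one-character
variant of the current password. Added example; the default-password
list and the policy values are illustrative assumptions."""
import hashlib
import hmac
import os

# Constructed sample of vendor default passwords; a real deployment would
# load the manufacturer-documented defaults for the devices it owns.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", "service",
                     "default", "welcome", "operator"}

PBKDF2_ROUNDS = 100_000  # assumption: match the real system's hashing


def hash_password(password, salt=None):
    """Return (salt, digest) so that only hashes are kept in history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_hash(password, salt, digest):
    """Constant-time comparison of a candidate against one stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def edit_distance(a, b):
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_near_variant(candidate, current):
    """'One number or letter off': at most one edit apart, ignoring case,
    so Summer2023! -> Summer2024! and Pass1 -> Pass12 are both caught."""
    return edit_distance(candidate.lower(), current.lower()) <= 1


def check_new_password(candidate, current, history, min_length=15):
    """Return a list of policy violations; an empty list means accept.

    candidate: proposed new password (plaintext, as typed)
    current:   the password being replaced (plaintext, typed to authorize)
    history:   list of (salt, digest) pairs for older passwords
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    if candidate == current:
        problems.append("reuses the current password")
    elif is_near_variant(candidate, current):
        problems.append("is a one-character variant of the current password")
    if any(matches_hash(candidate, salt, digest) for salt, digest in history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: one older password kept only as a hash.
    old_salt, old_digest = hash_password("Oxygenator-Tubing-Prime-2021")
    for new in ("Perfusion-Bypass-2024!", "admin", "Oxygenator-Tubing-Prime-2021",
                "Roller-Pump-Occlusion-Check-7"):
        verdict = check_new_password(new, "Perfusion-Bypass-2023!", [(old_salt, old_digest)])
        print(new, "->", verdict or "accepted")
```

The near-variant test uses edit distance rather than a literal "last digit incremented" rule because the same habit shows up as appended characters and single substitutions anywhere in the string; a distance threshold of one catches all of them without needing a pattern list.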
There is a running motto within cybersecurity fields: “if you can’t secure the device, secure the network; if you can’t secure the network, secure the data.” Currently, IoMT device security is largely left to MDMs, and unless a device’s premarket submission went through the FDA after March 29, 2023, when the FDA’s statutory cybersecurity requirements for cyber devices took effect, there is no guarantee of any cybersecurity on it, so we must rely on hospital cybersecurity to protect the network and data instead. As older and legacy devices are replaced, however, this will change. For individuals who have the ability to choose which product to purchase, emphasizing the need for cyber-secure devices to MDMs will help drive the field forward. CISA has a series of recommendations for what to look for in devices. It strongly recommends that manufacturers build to a “Secure by Design” standard, meaning that cybersecurity is built into all aspects of the software rather than patched on after the fact. This will be visible in a few ways [59]:
No default passwords
Single sign-on option available
Security audit logs available
Defaults to high security settings
Most importantly, none of these should be add-ons that cost extra; they should be part of the default package [59]. An add-on indicates that cybersecurity was not part of the software and product design from the outset and is instead a patch or afterthought, which makes the product more vulnerable.
Finally, for education, a direct supervisor has more impact on employee buy-in and compliance than any top-down leadership directive [12]. Supervisors or team leaders can encourage individuals to take an interest in cybersecurity, develop a team member into an IT coordinator role, and educate them so that they can scrutinize capital purchases when those come up. To make actionable changes in a workforce and mitigate the 70% of inadvertent data breaches that are caused by employee accidents, there needs to be a cultural shift, employee engagement, and encouragement by individual department leaders [12]. The recommendations made here can certainly be implemented by individuals, but managers have the additional option of endorsing policy changes, which have a broader impact and are less likely to be ignored than the warnings or actions of a single person. Similarly, endorsement of increased cybersecurity by governing bodies such as AmSECT would increase the reach and significance of the message and embolden professional growth. An example of a possible Standard and Guideline might be:
Standard: The organization shall ensure cybersecurity for all new perfusion hardware devices to the best of its ability, and review cybersecurity risks annually.
Guideline: Clinical personnel should have a procedure to operate in network downtime and be able to coordinate with relevant departments to ensure patient safety in the absence of an electronic record.
Asset lists and risk management
One step that a perfusion department can take to immediately improve its understanding of cybersecurity risk is to generate an asset list. This is a summary of devices, their software version, update history, associated components, and method of network connection. It is useful for vulnerability management and patch management [3]. For perfusionists, the hospital IT team should already have completed an asset list that includes their devices, but it does not hurt to double-check. There can be instances where devices fall through the cracks, particularly smaller device purchases that may not meet capital equipment status. The IT adage “you can’t secure what you can’t see” rings true here.
A second common IT assessment that is done behind the scenes is a risk assessment. A risk assessment is one of the first things an IT team does when assessing cybersecurity. It involves establishing how each device is connected to others, how much of a threat each one poses to the overarching system, and whether anything can be done to mitigate or isolate those risks [2, 9]. A discussion between perfusionists and their hospital’s IT team to ensure that the severity level of each device’s risk is understood could be beneficial if the IT team has the time and resources to do so.
These IT techniques are not solely applicable to cybersecurity. Creating a departmental asset list and having knowledge of unprotected legacy devices readily available may also help to drive device turnover. It could also be used to identify which device manufacturers need to be contacted regarding available security patches. Keeping up with updates can be one of the biggest challenges of medical devices. A hospital can employ an individual who tracks updates posted to MDMs’ websites [37], but with niche devices such as those often found in perfusion, this may be a tall order.
A department-specific risk assessment would also be of use. Identifying which device functions are most critical, what alternatives are available, and which need to be prioritized for isolation and repair removes some stress during an actual crisis. Together, these two techniques essentially form preemptive technological triage, limiting delays during an incident.
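The asset list and the department-specific risk assessment described above can be kept as a small, queryable record rather than a document that goes stale. The following Python is an added example, not code from the original article or from any hospital IT system. The scoring (network exposure plus time since the last update plus a penalty for devices the manufacturer no longer supports, multiplied by clinical criticality) is an illustrative assumption, not a published method, and the devices, versions and dates are constructed sample data. It also compares the department’s own list against what IT has recorded, which is the double-check suggested above for devices that fall through the cracks.

```python
"""Departmental asset list with a simple risk ranking and the action each
device needs first. Added example; the weights, actions and sample devices
are illustrative assumptions, not a published standard."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    software_version: str
    last_update: Optional[date]       # None: no update ever recorded
    network: str                      # a key of EXPOSURE below
    vendor_supported: bool            # False: legacy, no further patches expected
    criticality: int                  # 1 (convenience) .. 5 (life-sustaining on bypass)
    components: Tuple[str, ...] = ()  # associated parts that ship with the device


# Assumed exposure weights by connection method: a device with no network
# path is unreachable remotely; an internet-facing one is the worst case.
EXPOSURE = {"none": 0, "isolated_vlan": 1, "hospital_lan": 3, "internet": 5}


def staleness(asset: Asset, today: date) -> int:
    """0..4: one point per six months since the last update; unknown = worst."""
    if asset.last_update is None:
        return 4
    return min((today - asset.last_update).days // 180, 4)


def likelihood(asset: Asset, today: date) -> int:
    """How likely the device is to be reachable and exploitable."""
    unsupported_penalty = 0 if asset.vendor_supported else 2
    return EXPOSURE[asset.network] + staleness(asset, today) + unsupported_penalty


def risk_score(asset: Asset, today: date) -> int:
    """Likelihood weighted by what the department loses if the device fails."""
    return likelihood(asset, today) * asset.criticality


def recommended_action(asset: Asset, today: date) -> str:
    """First thing to do for this device: the triage decision."""
    if asset.network == "none":
        return "monitor"   # not reachable remotely; physical controls apply
    if not asset.vendor_supported:
        return "isolate"   # no patch is coming: segment it off and plan replacement
    if staleness(asset, today) > 0:
        return "patch"     # supported but behind: ask the manufacturer for updates
    return "monitor"


def triage(assets: List[Asset], today: date) -> List[Tuple[int, str, str]]:
    """(score, action, name) for every asset, highest risk first."""
    rows = [(risk_score(a, today), recommended_action(a, today), a.name) for a in assets]
    return sorted(rows, key=lambda r: (-r[0], r[2]))


def missing_from_it_inventory(department: List[Asset], it_names: List[str]) -> List[str]:
    """Department devices that IT's asset list does not know about."""
    known = {n.strip().lower() for n in it_names}
    return [a.name for a in department if a.name.lower() not in known]


# Constructed sample data: not real products, versions or dates.
TODAY = date(2026, 1, 15)
DEPARTMENT = [
    Asset("heart-lung machine console", "4.2.1", date(2025, 11, 2), "hospital_lan",
          True, 5, ("roller pumps", "data cable")),
    Asset("cell saver", "2.0", None, "hospital_lan", False, 3),
    Asset("legacy blood gas analyzer", "1.7", date(2021, 6, 30), "isolated_vlan", False, 4),
    Asset("handheld ACT analyzer", "3.1", date(2025, 12, 20), "none", True, 2),
]
IT_INVENTORY = ["Heart-Lung Machine Console", "Legacy Blood Gas Analyzer", "Cell Saver"]

if __name__ == "__main__":
    for score, action, name in triage(DEPARTMENT, TODAY):
        print(f"{score:3d}  {action:8s} {name}")
    print("not on IT's list:", missing_from_it_inventory(DEPARTMENT, IT_INVENTORY))
```

Run as written, the sample ranks the unsupported blood gas analyzer and cell saver first with “isolate” as the action, the console next with “monitor”, and the unnetworked ACT analyzer last; it also reports the ACT analyzer as absent from IT’s list. The point of the ordering is to have the “which device first” decision already made before an incident, rather than during one.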
Emergency preparedness
Whether it be organized specifically as a business continuity plan in case of a cyberattack, or simply covered under“ downtime policies,” perfusionists should have a plan for operating without critical information systems or connectivity between systems. These plans should be available as a hard copy or at least be available from an offline source. There should be some agreed-upon method for paper charting, not only for perfusion but for nursing and anesthesia as well. Drills or shadow charting