Written by: Richard Sheinis, Esq.

In a precursor of things to come, earlier this month the CERT Division of the Software Engineering Institute at Carnegie Mellon University warned that the Epiphany Cardio Server is vulnerable to hacking. The Cardio Server gathers medical data and diagnostic test results from different medical devices and makes the data available to care providers through a web browser. The vulnerabilities could allow an attacker to log into the system as an administrator and access or modify patient data.

Epiphany Healthcare has issued patches for Cardio Server versions 3.3, 4.0 and 4.1. Users should apply the patches as soon as possible and should consider updating to the latest version of Cardio Server.

Unfortunately, we can expect more reports of medical devices being vulnerable, or being hacked. These devices must be maintained and patched like any other internet-connected device, server or software. If you are a provider using these devices, risk management requires a written process for security due diligence before you start using a medical device, as well as ongoing security management. Medical devices that process, store or transmit protected health information must be included in the HIPAA-required risk analysis and risk management program.