By Jeremy Linden, Sr. Director of Product Management, Asimily


The first step in delivering excellent care for patients and defending their private health information is procuring medical devices that empower your team. New equipment assists your personnel—but it’s difficult to gauge the risks right away. That’s why conducting a thorough security risk assessment is so important. Doing your due diligence before a purchase protects your investment and supports healthy patient outcomes.

The chief information security officer (CISO) has a duty to protect an organization’s data. This can prove particularly difficult in the healthcare industry, with extra privacy regulations on top of all-too-common technical challenges.

Now there’s an effective method to conduct a security risk assessment for medical device procurement. Asimily’s ProSecure offers providers more device information than they’d find anywhere else in order to conduct a detailed, accurate security risk assessment. Asimily collates information from a range of sources and processes the data into an accurate and user-friendly summary to gauge products before buying.

Medical Device Procurement: Challenges in Risk Assessment 

When you’re purchasing equipment, there’s always some risk of the device not adequately serving its purpose. The goal of conducting a security risk assessment is to identify potential problems before they materialize. It’s much better to avoid an issue beforehand than to have to resolve it later. As they say, an ounce of prevention is worth a pound of cure.

Regulations that require security risk analyses before medical device procurement have complicated the situation since governments generally don’t offer clear, regularly updated guidelines on how to assess risks. While some companies have done risk analyses just for compliance, this is questionable at best and doesn’t improve security.

Healthcare provider organizations need more than an arbitrary checklist. They need a useful process to assess risks before procurement.

Why Perform Medical Device Risk Assessments At All? 

Regulatory practices aside, we conduct assessments to stay one step ahead of burgeoning threats to medical devices. Risk measures the likelihood of an adverse event occurring, coupled with the impact that such an event might have on your organization. Regular risk assessment is therefore a core aspect of medical device security.

To help start the process, the US government does offer resources to help organizations adhere to HIPAA standards. These resources tell users how to assess risks and take technical and administrative steps to increase data security. But while the government offers general guidance, it leaves it to each organization to determine specific action items for regulatory compliance.

Any institution using devices that handle electronic protected health information has a legal obligation to assess risks and take reasonable precautions. But this would remain a public duty even if not legally mandated, since a lack of safeguards exposes sensitive data to criminals and accidents. It’s unsafe for patients to use medical devices with unknown risks.

The results of a security risk assessment can inform smart procurement processes—now and for the future. Risk assessments can also help improve data transmission and encryption processes to inform your authentication system design.

The Complexities of the Medical Device Procurement Process

Since healthcare technology now takes such a central role in medicine, device procurement has become extremely important. Yet the procurement process is complex, fraught with a wide range of challenges, and takes, on average, a full year to complete.

To start, one generally receives information about devices from a range of sources—which aren’t necessarily consistent. You may learn about medical devices from colleagues, vendors, or online references, for example. There are also conflicting priorities, including not only security but also patient care quality and the cost and speed of operations.

The teams making purchase decisions often include doctors, administrators, and directors, among many other groups not particularly well-versed in security. And even those who do know about IT security may not be experts in medical devices. How do you ensure the right people with the right knowledge guide every single procurement?

Shared responsibilities also sometimes mean gaps where responsibility isn’t clearly defined—and these gaps are where security problems happen. Inconsistent procurement processes can also bring high-risk devices onto the network. When a variety of new and old devices are forced to interoperate, it’s important to remember that they each bring along hardware and software from complex supply chains—each with its own risks.

These and many other difficulties make medical devices a unique challenge to secure. However, now there’s a custom-made solution from Asimily to solve this problem.

Asimily ProSecure: Robust Risk Analysis Approach to Medical Device Security

Asimily offers a practical solution for your organization to analyze risks before procurement. ProSecure collects data from multiple systems and combines the information into a usable security risk assessment for medical devices.

The results give you actionable information on device configurations, rating each configuration’s risk and potential impact on your organization. Insights from other networks can further inform your organization’s decisions as to which devices are safe to use.

No other solution has as much information or makes it as straightforward to see. ProSecure helps you understand the risk of each device with data from hundreds of thousands of similar devices already at work within Asimily’s customer base. A simple report tells you all about any device of interest, and you can simulate different configurations to see how they affect total risk.

Detailed manufacturer information rounds out the ProSecure repository. Asimily’s security research combines unparalleled data to tell you in a simple-to-use fashion which device models are the most secure. Even after procurement, you can use these insights to harden devices.

Medical Device Procurement, the Asimily Way

Risk analysis is a critical part of safely procuring medical devices. While governments mandate risk analyses for procurement, they haven’t offered enough useful information for healthcare providers to do so effectively. This makes assessing risks before buying difficult, to say the least.

The solution is to use a tool custom-built to provide security for the internet of medical things (IoMT). Asimily’s ProSecure is the leading system to analyze medical device risks, making procurement safe and easy.

ProSecure crowdsources data from millions of live points around the world. It also incorporates information from manufacturers and customers—plus our own research—to give you unbeatable risk assessments. Medical device procurement has never been so straightforward.

Schedule a demo to see how Asimily can cut your operational inefficiencies and device downtimes today!