Your Medical Devices Are on Your Network. Are They Secure?
Walk through your dental or medical practice and count the devices connected to your network. Not just computers. Everything. Digital X-ray sensors. Intraoral cameras. CBCT machines. Caries detection devices. Digital impression scanners. Sterilization monitors. Maybe even a networked autoclave.
Now ask yourself: when was the last time any of those devices received a security update?
If the answer is "never" (and for most practices, it is), you have a problem.
The Medical Device Security Gap
Medical and dental devices are increasingly networked. They need to communicate with your PMS, send images to your server, and sometimes connect to cloud services for software updates or support. This connectivity makes them useful. It also makes them attack vectors.
The problem is that most medical device manufacturers prioritize functionality and regulatory approval (FDA) over cybersecurity. Devices ship with:
- Default passwords that are never changed (and sometimes can't be changed)
- Outdated operating systems (some still run Windows XP Embedded)
- No encryption for data in transit
- No ability to install security software
- Firmware that's rarely or never updated
Remember the Mirai botnet that took down half the internet last October? Same concept, different devices. Anything on your network with weak security is a potential entry point for attackers.
The Risks
Network Entry Point
An unsecured medical device on your network can be compromised and used as a stepping stone to reach your server, your PMS database, and your patient records. The attacker doesn't need to hack your well-secured workstation if they can get in through your X-ray sensor's unpatched operating system.
Data Interception
If medical devices transmit patient data (images, scan results, patient identifiers) over the network without encryption, that data can be intercepted. This is both a security risk and a HIPAA compliance issue.
Ransomware Impact
Ransomware that spreads across your network doesn't distinguish between a workstation and a CBCT machine. A medical device whose storage has been encrypted by ransomware may require expensive vendor intervention to restore, and the downtime can significantly impact patient care.
What You Can Do
1. Segment Your Network
Put medical devices on their own network segment (VLAN). This isolates them from your computers and server so that a compromised device can't directly reach your patient database. The devices can still communicate with the systems they need to, but the attack surface is dramatically reduced.
2. Inventory and Assess
List every networked device in your practice. For each one, document: the operating system, the firmware version, whether it can be updated, what data it handles, and what network access it requires. This inventory is also useful for HIPAA compliance.
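The two steps above (segmenting the device VLAN and building an inventory) feed each other: the inventory records what each device needs to reach, and that is exactly the allowlist the segment's firewall should enforce. The script below is an added example, not code from the original post; the device records, addresses and field names are constructed for illustration, and the list of unsupported operating systems is something the practice would maintain itself.

```python
"""Added example (not from the original post): turning a device inventory into
risk findings and a per-device network allowlist. All device records below are
constructed sample data; the field names are this example's own convention."""
from dataclasses import dataclass, field

# Operating systems treated as unsupported. Assumption: the practice maintains
# this list; "windows xp" also matches "Windows XP Embedded".
UNSUPPORTED_OS = ("windows xp", "windows 7", "windows embedded standard 2009")


@dataclass
class Device:
    name: str
    ip: str                           # address on the medical-device VLAN
    os: str
    firmware: str
    updatable: bool                   # can firmware/OS be patched at all?
    default_password_changeable: bool
    handles_phi: bool                 # images, scan results, patient identifiers
    encrypts_in_transit: bool
    # (destination host, port) pairs the device legitimately needs
    required_access: list = field(default_factory=list)


def assess(dev: Device) -> list[str]:
    """Return human-readable risk findings for one inventory entry."""
    findings = []
    if any(dev.os.lower().startswith(u) for u in UNSUPPORTED_OS):
        findings.append("unsupported OS: isolate, no direct internet")
    if not dev.updatable:
        findings.append("cannot be patched: compensate with segmentation")
    if not dev.default_password_changeable:
        findings.append("default credentials cannot be changed: document as risk")
    if dev.handles_phi and not dev.encrypts_in_transit:
        findings.append("PHI sent unencrypted: restrict path to the intended server only")
    return findings


def allowlist_rules(devices: list[Device]) -> list[str]:
    """Build firewall-style rules for the device VLAN: only documented flows are
    permitted; a final deny covers everything else, including outbound internet."""
    rules = []
    for dev in devices:
        for host, port in dev.required_access:
            rules.append(f"allow {dev.ip} -> {host}:{port}  # {dev.name}")
    rules.append("deny  any -> any  # default: device VLAN reaches nothing else")
    return rules


# Constructed sample inventory. 10.10.0.5 stands in for the imaging/PMS server.
SAMPLE_DEVICES = [
    Device("Digital X-ray sensor", "10.20.0.11", "Windows XP Embedded", "2.3.1",
           updatable=False, default_password_changeable=False, handles_phi=True,
           encrypts_in_transit=False, required_access=[("10.10.0.5", 445)]),
    Device("Intraoral camera", "10.20.0.12", "Linux 4.19", "1.8.0",
           updatable=True, default_password_changeable=True, handles_phi=True,
           encrypts_in_transit=True, required_access=[("10.10.0.5", 443)]),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.name, "->", assess(dev) or ["no findings"])
    print("\n".join(allowlist_rules(SAMPLE_DEVICES)))
```

The point of the default deny at the end is that a device which cannot be patched or whose password cannot be changed (both flagged by `assess`) still only ever reaches the one server and port it was documented to need; the rules are written in a neutral "allow/deny" form so they can be transcribed into whatever firewall sits between the VLANs.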
3. Change Default Credentials
If a device has a web interface or admin panel, change the default password. If the device won't let you change the password (some don't), document this as a risk and compensate with network segmentation.
4. Work with Your Vendors
Ask your device manufacturers about their security practices. Do they release firmware updates? How do they handle vulnerabilities? Will they provide information about what operating system the device runs? Vendors that can't answer these questions are vendors whose devices need extra network isolation.
5. Monitor Network Traffic
Watch for unusual network activity from medical devices. A CBCT machine shouldn't be making outbound connections to servers in Eastern Europe. Network monitoring can catch compromised devices before they're used to attack the rest of your infrastructure.
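The monitoring described above can be reduced to a simple rule: any connection from the device VLAN that is not in the device's documented allowlist is worth a look, and one that leaves the practice's own address space entirely is worth an immediate look. The script below is an added example, not code from the original post; the flow-log format, addresses and allowlist are constructed for illustration.

```python
"""Added example (not from the original post): flagging unexpected connections
from the medical-device VLAN in a simple flow log. Log lines, addresses and the
allowlist are constructed for the example."""
import ipaddress

DEVICE_VLAN = ipaddress.ip_network("10.20.0.0/24")
# Assumption: everything the practice owns lives in 10.0.0.0/8; anything else is
# "external" (this avoids relying on is_global, which treats documentation
# ranges such as 203.0.113.0/24 as non-global).
PRACTICE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed allowlist derived from the device inventory: (dest, port) per device.
ALLOWED = {
    "10.20.0.11": {("10.10.0.5", 445)},                      # X-ray sensor -> image share
    "10.20.0.13": {("10.10.0.5", 443), ("10.10.0.2", 53)},   # CBCT -> server, DNS
}

# Constructed flow records: "timestamp src dst dport proto"
SAMPLE_LOG = """\
2024-03-04T09:12:01 10.20.0.11 10.10.0.5 445 tcp
2024-03-04T09:12:07 10.20.0.13 10.10.0.2 53 udp
2024-03-04T09:13:15 10.20.0.13 10.10.0.5 443 tcp
2024-03-04T09:14:40 10.20.0.13 203.0.113.77 443 tcp
2024-03-04T09:15:02 10.20.0.11 10.10.0.20 3389 tcp
2024-03-04T09:15:30 10.30.0.40 10.10.0.5 443 tcp
"""


def parse_flow(line: str):
    """Split one flow record into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def check_flows(log_text: str) -> list[tuple]:
    """Return (severity, ts, src, dst, dport, proto) for every flow from the
    device VLAN that is not on the source device's allowlist. A device that is
    on the VLAN but absent from the allowlist has every flow reported."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        if ipaddress.ip_address(src) not in DEVICE_VLAN:
            continue  # other VLANs are covered by their own policy
        if (dst, dport) in ALLOWED.get(src, set()):
            continue  # documented, expected flow
        dst_ip = ipaddress.ip_address(dst)
        external = not any(dst_ip in net for net in PRACTICE_NETS)
        severity = "high" if external else "medium"
        alerts.append((severity, ts, src, dst, dport, proto))
    return alerts


if __name__ == "__main__":
    for alert in check_flows(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed log, the CBCT machine's connection to an address outside the practice is reported as high severity and the X-ray sensor's attempt to reach an internal host on 3389 as medium; the workstation on 10.30.0.40 is ignored because it is not on the device VLAN. In practice the flow records would come from the firewall or switch that separates the VLANs, and the allowlist from the inventory kept in step 2.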
Your medical devices are essential to patient care. They're also potential security vulnerabilities. Managing that risk doesn't mean disconnecting them. It means putting the right controls around them.