Guidance for health and medical professionals
Health and medical professionals use medical devices to diagnose, prevent, monitor, or treat their patients. Alongside understanding the clinical benefit of the device, health and medical professionals have a responsibility to:
- report any potential cyber security issues with medical devices to the TGA directly by phoning 1800 809 361
- pass on relevant cyber security risk information associated with use of the device to the patient
- communicate benefits and risks of using the medical device to the patient, such that they are suitably informed to provide consent
- upskill themselves on the safe and secure use of the medical device, where the device is a common tool used by the professional for delivery of healthcare
- act on any advice from the TGA, the device manufacturer or sponsor in the event that a cyber security vulnerability or risk is disclosed
Getting the right information
Health and medical professionals need to become familiar with the cyber security risks associated with medical devices they prescribe, implant or use. Information regarding cyber security risks is provided with the medical device by the manufacturer. If more information is required, health professionals are encouraged to ask the manufacturer questions to ensure they understand any associated cyber security risks. Health and medical professionals should understand the following:
- clinical and cyber security risk associated with use of the device
- how security of the device must be maintained
- what they must do in the event of a suspected cyber security breach
- what they must do in the event of a suspected cyber security vulnerability
In a hospital setting, health professionals may be able to ask these questions of their biomedical engineering teams.
Communicating risk to patients
Health professionals are responsible for talking to their patients about the risks and benefits of using a medical device. This enables patients to provide informed consent. Patients and consumers of medical devices are encouraged to ask their health professional questions about their medical devices. Health professionals are referred to the guidance for patients and consumers for example questions that they may be asked.
Health professionals also need to be prepared to talk to their patients if a security vulnerability is discovered:
- Usually, the TGA or the medical device company will tell clinicians about vulnerabilities that require action from a health professional.
- Sometimes, the public may learn about a cyber security vulnerability in a medical device before clinicians, the TGA, or even the device manufacturer. If this happens, patients may come to their health professional for help.
To prepare for questions about cyber security from patients, consider:
- proven therapeutic benefit provided by the medical device versus risk of the vulnerability being exploited
- potential consequences, especially clinical implications, if the vulnerability is exploited
- options to mitigate risks and associated timeframes
- risks associated with a medical device software or firmware update
- long-term solutions to eliminate or reduce risks
To help inform patients about medical device cyber security, the TGA has developed information for consumers.