Printer Friendly, PDF & Email

Compliance-driven risk reduction strategies for medical devices

Clyde Hewitt ( is Executive Advisor and Cory Blacketer ( is Medical Device Security Consultant at CynergisTek, headquartered in Austin, TX.

Three simple steps will focus light on why medical devices are a compliance problem:

  • Step 1: Obtain a copy of the “Could Not Locate” (CNL) list from the director of your clinical engineering department. The CNL list identifies all medical equipment that missed prior preventive maintenance actions, and is required by the Joint Commission, Standard 6.20.[1]

  • Step 2: Do research to determine which medical device(s) identified in the CNL list can potentially create, store, or access protected health information (PHI). It is not necessary that the device be currently connected to the provider’s network.

  • Step 3: Ask if your organization has evaluated all missing devices in the filtered list from Step 2 to see how many patients may have had their data compromised. Remember that under the HIPAA Omnibus Rule, organizations must start with a presumption of breach. If no breach has been reported, a “low probability of compromise” analysis should be documented in your files.

This document is only available to members. Please log in or become a member.