A connected medical device was flagged in a CISA or FDA alert
The device may be vulnerable, exploitable, or already compromised. This is a clinical safety event before it is a security event — and the manufacturer's FDA-cleared status constrains what you can do.
The first hour
- 1Confirm the advisory applies to your device. Match CISA / FDA bulletins against your asset list by manufacturer, model, firmware version, and serial number range.
- 2If the device is actively delivering care (infusion pump, vitals monitor, imaging during a procedure), do not take it offline without the prescriber's involvement. The clinical safety call belongs to the clinician.
- 3Isolate the device on a segregated VLAN if it does not need broad network access. Your MSP or IT contractor can do this — call them.
- 4Contact the manufacturer for written guidance on the specific advisory: is a patch available, is downtime required, does it need an on-site service visit, what is recommended if a patch is not yet available.
- 5Decide whether the device is vulnerable or actively compromised — they are different. Vulnerable = remediation event. Compromised = incident with PHI implications and likely network-wide concern.
- 6If compromise is suspected: pull the device offline, preserve logs and locally stored data, engage a forensic firm (your cyber insurer's panel first), and treat the rest of the network as potentially affected.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Asset-inventory entry: manufacturer, model, serial, firmware, network address, EHR integration status.
- The original CISA / FDA / vendor advisory text and version applicability.
- Manufacturer's written guidance and patch/mitigation plan.
- Device-side logs and any locally stored data, exported before remediation.
- Documentation of compensating controls (segmentation, monitoring, access restrictions) if a patch is not yet available.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- CISA — Report a cyber incident
- FDA MedWatch (patient harm / risk of harm)
- HHS OCR Breach Portal (if PHI was exposed via the device)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Can we just install the patch ourselves?+
Often no. Applying an unauthorized patch to an FDA-cleared device can void clearance. The manufacturer's guidance is not optional — many patches require a service technician visit, and the patch process is part of the device's cleared configuration.
Vulnerable vs compromised — how do we tell?+
Compromise signals include outbound network connections to addresses the device does not normally talk to, unexpected auth events on the management interface, configuration changes nobody made, abnormal CPU/memory on the diagnostic display, and (for imaging) unexpected delays between acquisition and PACS posting. The manufacturer's remote-service connection often sees these and will share if asked directly.
Is our MSP supposed to patch the device?+
Usually no. Most MSPs are not authorized to patch medical devices — the line is the manufacturer's clearance scope. Note in your asset inventory which devices are MSP-managed vs manufacturer-managed, and which are end-of-life and need replacement at the next budget cycle.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.