Sample Capstone project on Cybersecurity for Medical Devices and Hospital Networks:

Cyber security for Medical Devices and Hospital Networks

Project summary

Electronic medical equipment faces threats from unscrupulous persons who intend to get patients’ private information for personal gains (US Food and Drug Administration, 2013). This security breach is detrimental as the hacking of both portable and non-portable medical devices risks the life of patients. Fu, & Blum (2013) argue that dangers posed by security infiltration by hackers outweigh the major steps made in patient treatment and protection through the use of various electronic equipment.

The capstone project focuses on appropriate measures that should be taken to protect patients’ and hospital’s sensitive data that is accessible through a given network. The advance in technologies simplifies treatment methods for patients given that their records can be collected and analyzed online for the purposes of efficient medical services (Rushanan, Rubin, Kune, & Swanson, 2014). The hospital electronic devices can gather and transfer information via the hospital’s network for analysis by doctors. Therefore, weak protection of these systems exposes sensitive hospital information that can be siphoned off by cyber attackers. These vulnerabilities can the outcome of poor network encryption and strategy of protecting vital online data (Fu, & Blum, 2013).

The project’s scope provides ways of averting the chances of cyber intrusions through secured and unsecured hospital networks by hackers (Rushanan, Rubin, Kune, & Swanson, 2014). The main goals and objectives for this project are the implementation of various professional codes of conduct that encompass the maintenance of high integrity, reliance, and confidentiality, as a way of protecting patients’ and hospital information (Rushanan, Rubin, Kune, & Swanson, 2014). However, the objective for manufactures is to prevent unauthorized access, improve bio-data use, and provide methods for recovery, alongside enforcing measures for appropriate authentication (Fu, & Blum, 2013). Consequently, manufacturers are charged with the use of design approaches that maintain a device’s critical functionality when security is at “fail-safe mode” (US Food and Drug Administration, 2013).

The project’s outcome and deliverables guarantee the security of patients using hospitals’ electronic devices accessible on the hospital’s network besides putting the hospital at a competitive edge in patients’ healthcare and safety. The project also makes it possible to repulse any security breach, hence preventing losses that the hospital can incur through court cases filed by the affected patients (Rushanan, Rubin, Kune, & Swanson, 2014). The project will then have a working schedule of three months after approval.

The project will be implemented in three stages, where the standards, procedures and guidelines will be made a priority (Rushanan, Rubin, Kune, & Swanson, 2014). Here, specific technologies will apply as a prevention technique; staff will be trained on how to implement the security measures on network and devices and finally guiding the staff on the best practices that are essential for a company to prosper (Rushanan, Rubin, Kune, & Swanson, 2014). Evaluation of the security apparatus will then be effected, which comprises testing and evaluating Security Architecture and looking into the appropriate responses after testing. In the testing stage, network scanning is done, which is a procedure for identifying active hosts on a network for the purpose of attacking them (Fu, & Blum, 2013). Vulnerability scanning then follows, where a procedure designed to assess computers, computer systems, networks or applications for weaknesses (US Food and Drug Administration, 2013).

Password cracking and penetration testing are then used to discover computer passwords followed by testing the computer system to find their vulnerabilities and seal the loopholes that can be exploited by thieves (Rushanan, Rubin, Kune, & Swanson, 2014). Furthermore, staff will be taught not to share information to unauthorized personnel as a way of preventing social engineering through trickery.

Finally, on the project evaluation, responses to different tests are conducted to Aiding in the recovery of business operations and attempting to preserve evidence (US Food and Drug Administration, 2013). All the equipment used are photographed before disconnection and then a documentation is done so as to keep in memory how to prevent occurrence of similar events in the future.

Comparison of case studies

Case 1:

Connexion healthcare:  Cyber Security and Mobile Medical Devices for Protecting and Securing Patient Medical Information

In this case summary, the analysis was established on ways of preventing patient information theft that are kept on vital technological medical devices (Rushanan, Rubin, Kune, & Swanson, 2014). The researcher proposed several alternative software and hardware that can be used in keeping the hospital network hack-proof hence saving the patients’ lives. The project developers recognized the fact that without proper protection, patients can be highly disadvantaged, especially when the network system is compromised (US Food and Drug Administration, 2013). The difference that is seen in this scenario is that the medical department did not consider the vulnerability of various hospital networks that can be a target for cybercrime, but rather focused on the needs of patients.

This project, compared to the second scenario presented in this discussion, considers hospital as an important entity that must be protected as a way of guaranteeing patients’ and staff security (US Food and Drug Administration, 2013). In addition, the health department in this case discussed other institutions like blood banks and federal organizations as being susceptible to cyber-attacks given their connection to the healthcare sectors. However, these institutions are not discussed in this project as being vulnerable (US Food and Drug Administration, 2013), but rather placed in the sector of an integrated approach of counteracting the menace of cyber terrorism.

The case in the medical report discusses the hardware used by the terrorists to penetrate their target network (US Food and Drug Administration, 2013). For example, the use of botnet, phishing, spam, and malware are highly noted by the researcher as the major software being used by criminals. Conversely, the summarized project has not dwelt on the types of software used for hacking (US Food and Drug Administration, 2013). The solution the researcher gives in this case is the installation of spyware that can monitor suspicious activities on the hospital networks. This solution is also indicated on the project report in which active antivirus are put in place to stop information theft by use of the different types of malware and spam.

The hospital case study found that hardware like flash disk, floppy disk and compact disk are the main components used by cyber terrorists (Fu, & Blum, 2013). However, in the project, only software are used for hacking and disabling of the hospital network system. Subsequently, the case discusses other methods used for initializing threats to portable devices (US Food and Drug Administration, 2013). The examples given in this case include browser exploits, which is the exploitation of weak software. Clicking on a given link at this stage installs viruses that enable hacktivists to get access to every secured network system (US Food and Drug Administration, 2013). This idea is, however, not discussed in the project and it is recommended that this opinion be acted upon by project developers. Other areas for network penetration through vulnerability of software and hardware discussed in the case include network exploit, spoofing and a denial of service (DoS) attack. These areas are also not discussed in the project even though they are considered the best alternatives to controlling cyber-attacks.

Case 2:

Santa Clara Technology Law Journal: Cyberattacks on Medical Devices and Hospital

Networks: Legal Gaps and Regulatory Solutions

This articles discuses the loopholes in the legal structure presented in the fight against cybercrime. Besides, the article proposes ways in curbing the rise in cyber terrorism through making of adequate policies. In addition, the journal gives details on the Food, Drugs, and Cosmetic Act where the focus is pegged on the workability of the protection and the vulnerability of electronic devices in the hospital (Fu, & Blum, 2013). Nevertheless, the project on the cybercrime project proposes the same solutions discussed in this journal as a way of fighting cyberterrorism and patients’ protection.

In its discussion, the article states that hospital devices are run using obsolete software, thereby making it easy for hacktivists to gain access to the various hospital networks. In this study, the researcher gave an example of Beth Israel Deaconess Medical Centre in Boston whose computers were infiltrated through malware (US Food and Drug Administration, 2013). Updating of this software is given as a solution to this problem as a way of improving security just as it was proposed in the project (Fu, & Blum, 2013).

The article proposes a strong password to be used on computer hardware systems, and the password should not be given remotely to unknown individuals. This solution is also given in the project in addition to securing the use of software that manages the portable electronic devices.

Conclusion and Recommendation

Cyber-crime is a pure business venture in which malicious people steal sensitive information for economic gain (US Food and Drug Administration, 2013). This crime is still in its earliest stages of development, but could soon become catastrophic if strict actions are not put in place. All healthcare organizations should, therefore, invest heavily in the security of the network system as a precaution against crucial information, as well as protecting the lives of patients who use various medical electronic devices (Fu, & Blum, 2013).

The government should also enforce strict policies concerning cyber-crime, and any persons found culpable in misusing other peoples’ identities must face the law. Guidelines on the use of electronic medical devices should also be put in place to control their number, thereby protecting patients’ lives (Rushanan, Rubin, Kune, & Swanson, 2014). Network safety will, therefore, be a fundamental factor in this digitizing economy. Major steps will be made if the recommendations of Cybersecurity for Medical Devices and Hospital Networks projects are put into practice. The security of the hospital networks will be properly monitored, and the lives of patients protected by the mentioned advancements, in which case vulnerable security systems will be salvaged (US Food and Drug Administration, 2013). This means that even though cybercrime is a growing problem for most health organizations, strict operational policies, proper system controls, and instant interventions through team decisions can help to provide a secure environment for service growth.



Fu, K., & Blum, J. (2013). Controlling for cybersecurity risks of medical device software. Communications of the ACM, 56(10), 35-37.

Rushanan, M., Rubin, A. D., Kune, D. F., & Swanson, C. M. (2014, May). SoK: Security and privacy in implantable medical devices and body area networks. In Security and Privacy (SP), 2014 IEEE Symposium on (pp. 524-539). IEEE.

US Food and Drug Administration. (2013). Cybersecurity for medical devices and hospital networks: FDA safety communication. June, 13, 207-210.