Table 2: Digital Health Device Type with Cybersecurity Risks
Reference Device Type Inherent
Critical: Network-enabled devices are open to malware or viruses impeding or changing function. Unauthorized users can also launch attacks altering data, commands, or configurations remotely. Loss of personal information could also result via remote data storage capabilities.

High: Network-enabled non-implanted devices are open to malware, viruses, or attacks, many of which would likely result in device inoperability, which could cause patient safety hazards. Loss of personal information could also result via remote data storage capabilities if healthcare providers store medical record numbers or other identifying information in the device.

Wearables (Medium): Network-enabled wearables are open to malware, viruses, or attacks that could result in device inoperability. Attacks could alter data reliability, causing unnecessary concern or treatment. Wearables also pose significant concern for loss of personal information due to the connectivity with mobile devices.

Mobile App (Medium): Network-enabled mobile devices are open to malware,
significant data volumes can be stored on a mobile

Low: Web Applications are subject to well-known threats and vulnerabilities, in particular identity and encryption concerns, leading primarily to organizational risk (e.g., site defacing), personal information loss, and potential malware/virus infection from an organization to a

Medium: Administrative software can process and store significant volumes of personal information for employees and patients, which can be subject to personal information loss and data integrity issues (such as deletion, addition, or change of critical patient information) resulting in incorrect patient treatment. Ransomware and other data availability attacks could cause patient data to be unavailable during critical treatments.