HIPAA Compliance for Medical Devices: IoT and Connected Health Security

Connected medical devices — infusion pumps, patient monitors, imaging systems, smart beds, and a growing fleet of Internet of Things (IoT) sensors — have quietly become one of the hardest HIPAA problems in healthcare. Many of them create, store, or transmit electronic protected health information (ePHI), yet they often run outdated operating systems that can’t be patched, sit on the same flat network as everything else, and were never designed with security in mind. They are exactly the assets organizations forget to include in their compliance program.

Why connected devices are uniquely risky

A typical hospital or large practice runs thousands of networked devices, and a meaningful share of them touch ePHI. The problem is that medical devices have long lifecycles — a monitor or imaging system may stay in service for a decade or more — while their embedded operating systems reach end-of-life far sooner. The result is fleets of devices running unsupported software that can’t accept security patches, sometimes because patching requires the manufacturer’s approval or would jeopardize FDA clearance. Attackers know this, and an unpatched device on a flat network can become both a data-exposure point and a foothold into the rest of your environment.

Two practices make the biggest difference. First, network segmentation: isolating medical devices on their own VLANs so that a compromised device cannot reach the EHR or spread laterally. Second, a real device inventory — you cannot protect what you don’t know exists, and unknown devices are how ePHI quietly leaks.

Who is responsible — you or the manufacturer?

Responsibility is shared. As the covered entity, you are accountable for protecting ePHI on devices in your environment. Manufacturers have their own obligations: federal law now requires medical-device makers to address cybersecurity in their FDA premarket submissions, and many provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2) describing a device’s security capabilities. Ask for the MDS2 before you buy, and put a Business Associate Agreement in place with any vendor that maintains or remotely services devices holding ePHI.

Devices belong in your Security Risk Analysis

The HIPAA Security Rule requires a Security Risk Analysis (SRA) — “an accurate and thorough assessment of the potential risks and vulnerabilities” to ePHI, at 45 CFR § 164.308(a)(1)(ii)(A). Connected medical devices are routinely the biggest blind spot in that analysis. A complete SRA inventories every device that creates or transmits ePHI, records its operating system and patch status, documents whether it is segmented, and captures the risk posed by devices that can’t be updated, along with the compensating controls you’ve put around them.
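The inventory fields this section lists (ePHI scope, operating system and end-of-life status, patch status, segmentation, compensating controls, vendor access and BAA status) lend themselves to a simple triage script. The Python below is an added example, not Medcurity's software and not a HIPAA-mandated format; the device records, OS labels and dates are constructed, and the severity rules are one reasonable reading of the segmentation, inventory and compensating-control points made above and in the FAQ.

```python
"""Triage a connected-device inventory into Security Risk Analysis findings.

Added illustration only: the fields and rules are one reasonable way to
record what an SRA asks for, not an official template. Every sample
device, OS label and date below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Device:
    name: str
    handles_ephi: bool                 # creates, stores or transmits ePHI?
    os: str
    os_end_of_life: Optional[date]     # None = vendor still supports it
    last_patched: Optional[date]       # None = never patched / unknown
    segmented: bool                    # isolated on a medical-device VLAN?
    vendor_remote_access: bool         # vendor maintains or remotely services it
    vendor_baa_signed: bool
    compensating_controls: List[str] = field(default_factory=list)


def triage(dev: Device, today: date, stale_days: int = 90) -> List[str]:
    """Return 'SEVERITY: finding' strings for one device (empty = nothing flagged)."""
    if not dev.handles_ephi:
        return []  # HIPAA reaches the ePHI, not the hardware: inventoried, but out of SRA scope
    findings: List[str] = []
    unsupported = dev.os_end_of_life is not None and dev.os_end_of_life <= today

    # Segmentation: an unpatchable device on a flat network is the worst case.
    if unsupported and not dev.segmented:
        findings.append("HIGH: unsupported OS reachable from the general network")
    elif not dev.segmented:
        findings.append("MEDIUM: not isolated on a medical-device VLAN")

    # Unpatchable devices need documented compensating controls, not silence.
    if unsupported and not dev.compensating_controls:
        findings.append("HIGH: unsupported OS with no documented compensating controls")
    elif unsupported:
        findings.append("LOW: unsupported OS; residual risk accepted with controls: "
                        + ", ".join(dev.compensating_controls))

    # Supported devices are expected to actually receive patches.
    if not unsupported and (dev.last_patched is None
                            or (today - dev.last_patched).days > stale_days):
        findings.append(f"MEDIUM: patch status unknown or older than {stale_days} days")

    # Anyone who remotely services an ePHI-holding device is a business associate.
    if dev.vendor_remote_access and not dev.vendor_baa_signed:
        findings.append("HIGH: vendor remotely accesses an ePHI device without a signed BAA")
    return findings


def highest_severity(findings: List[str]) -> Optional[str]:
    """Worst severity among a device's findings, or None if nothing was flagged."""
    if not findings:
        return None
    return max((f.split(":", 1)[0] for f in findings), key=SEVERITY_RANK.__getitem__)


def triage_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its findings; the dict is the SRA device appendix."""
    return {d.name: triage(d, today) for d in devices}


# Constructed sample inventory; names, OS labels and dates are made up.
SAMPLE_DATE = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    Device("infusion-pump-01", True, "vendor-embedded OS v3", date(2021, 3, 1),
           None, segmented=False, vendor_remote_access=True, vendor_baa_signed=True),
    Device("patient-monitor-07", True, "vendor-embedded OS v2", date(2020, 9, 1),
           None, segmented=True, vendor_remote_access=False, vendor_baa_signed=False,
           compensating_controls=["device VLAN with ACLs", "no internet egress", "syslog to SIEM"]),
    Device("ct-workstation-02", True, "supported workstation OS", None,
           date(2025, 1, 15), segmented=True, vendor_remote_access=True, vendor_baa_signed=False),
    Device("smart-bed-12", False, "vendor-embedded OS v4", None,
           date(2025, 5, 20), segmented=True, vendor_remote_access=False, vendor_baa_signed=False),
]


def sample_report() -> Dict[str, List[str]]:
    return triage_inventory(SAMPLE_INVENTORY, SAMPLE_DATE)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(f"{name}: {highest_severity(findings) or 'no findings'}")
        for f in findings:
            print("   -", f)
```

Running the script prints the constructed fleet's findings: the flat-network infusion pump draws two HIGH findings, the segmented monitor with documented controls is recorded as accepted residual risk, the supported CT workstation is flagged for a stale patch and a missing BAA, and the smart bed that never touches ePHI produces nothing. In practice the `SAMPLE_INVENTORY` list would be loaded from your asset inventory export, and the rule thresholds (here 90 days for patch staleness) set by your own policy.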

The proposed 2026 Security Rule update

In December 2024, the Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) that would strengthen the Security Rule. Notably for device-heavy organizations, it would require a maintained technology asset inventory and a network map, and would make controls like encryption and multi-factor authentication effectively mandatory rather than “addressable.” The rule is not final; if adopted as proposed, organizations would have roughly a 240-day compliance window after publication. Given that a device inventory is both proposed and already best practice, building one now is time well spent.

How Medcurity helps

Medcurity helps you bring connected devices into a structured, audit-ready Security Risk Analysis — inventorying which devices touch ePHI, capturing patch and segmentation status, and tracking remediation alongside the rest of your environment. Pricing starts at $499/year (about $42/month) for a single organization; hospitals and multi-site health systems with large device fleets can request a quote. From here, see our guides to HIPAA Security Rule requirements and access control best practices.

Frequently asked questions

Does HIPAA cover medical devices?

HIPAA applies to the electronic protected health information a device creates, stores, or transmits, not to the hardware itself. If a connected device handles ePHI, it must be protected under the Security Rule and included in your risk analysis.

What do we do about devices that can’t be patched?

Use compensating controls. Segment unpatchable devices onto isolated network segments, restrict and monitor their access, and document the residual risk and your mitigations in the SRA. The Security Rule expects reasonable safeguards when a device can’t be updated, not that you ignore the gap.

Do medical device vendors need a Business Associate Agreement?

If a vendor maintains, services, or remotely accesses devices that hold ePHI on your behalf, they are a business associate and need a signed BAA. Manufacturers that never access your ePHI generally do not, but remote-monitoring and managed-device vendors usually do.

What is an MDS2 and why does it matter?

The Manufacturer Disclosure Statement for Medical Device Security (MDS2) is a standardized form describing a device’s security capabilities. Requesting it during procurement helps you understand a device’s risks before purchase and feeds directly into your risk analysis.