Procedure - Biomedical Device Policy Procedures


The university has adopted this Biomedical Device Policy to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and regulations.

University colleges, schools, and departments should follow these procedures to comply with the Biomedical Device Policy, Policy Number POL-UIS4502.


  • Biomedical devices will be inventoried on a regular basis within each department, school or college. Biomedical devices must be inventoried and authorized prior to connecting to Pacific University networks or be used in the creation, modification, maintenance, or destruction of PHI.
  • Each college, school or department will notify UIS when biomedical devices are added or removed from the inventory.
  • Departments must track movements of biomedical devices so that a device‚Äôs location is known.
  • PHI must be removed before devices can be re-used.
  • Biomedical devices, as well as any software which interfaces or communicates with biomedical devices, will be configured to operate securely, in accordance with industry best practices.
  • Appropriate malware protections will be established in order to protect biomedical devices from malicious software attacks. Since malware protection on biomedical devices is often unavailable, this protection may reside on systems which connect to the device in order to provide a barrier for entry into or out of the device.
  • Biomedical devices will be screened at regular intervals, as established by the Pacific University Chief Information Security Officer or a designee, for any potential network access controls and, when applicable, secured using industry best practices.
  • Controlled use of administrative access to biomedical devices will be based on the need to know and authorized by the Pacific University Chief Information Security Officer or a designee.
  • Destruction of PHI stored on the biomedical device will comply with University data destruction procedures. Contact the University Information Services helpdesk for current instructions at the time of disposal.
  • Areas of Pacific University may work in conjunction with the Information Security Officer to ensure area specific procedures comply with University Policy.


Article ID: 148230
Mon 11/27/23 7:31 AM