ISM-2008: ASD Information Security Manual (ISM)

Regulations for Bringing Medical Devices into Secure Areas

Medical devices in high-security areas must be approved and safe, with limited connectivity.

Plain language

This control ensures that medical devices brought into very secure areas are safe and won't accidentally cause security breaches. It is critical because if a device is not secure or has connectivity enabled, it could be used to spy on sensitive operations or leak classified information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Medical devices that are authorised to be brought into SECRET and TOP SECRET areas meet, at a minimum, the following criteria:
  • are listed on the Australian Register of Therapeutic Goods
  • have been prescribed by a legally qualified medical practitioner
  • have been commercially purchased within Australia
  • do not have inbuilt cellular connectivity
  • are capable of operating independently of mobile devices
  • where possible, have Wi-Fi, Bluetooth and other forms of wireless connectivity disabled when operating within SECRET and TOP SECRET areas.

Why it matters

Insecure medical devices in high-security zones can leak classified information through unintended connectivity, posing grave security risks.

Operational notes

Before entry to SECRET/TOP SECRET areas, confirm that medical devices are ARTG-listed, prescribed and have no cellular connectivity, and keep Wi-Fi/Bluetooth disabled.

Implementation tips

  • Managers should develop a strict checklist for medical devices permitted in secure areas. This checklist should verify that devices are listed on the Australian Register of Therapeutic Goods and have no cellular connectivity. Ensure staff are trained on this checklist before bringing devices into secure zones.
  • Procurement teams must ensure that medical devices are purchased from authorised Australian suppliers. They should keep records of purchase orders and certificates that verify the device's origin and compliance with security standards.
  • Medical professionals need to ensure that prescribed devices for secure areas comply with the control. They should communicate with IT staff to disable any inbuilt wireless connectivity, like Wi-Fi and Bluetooth, before entering the area.
  • IT personnel should conduct regular checks to disable non-essential wireless capabilities on medical devices. They can achieve this by accessing the device settings and documenting any modifications made.
  • Security officers should conduct regular training sessions to inform staff about the importance of these controls. Training should include examples of potential security risks posed by improperly secured medical devices and how these risks can be mitigated.

Audit / evidence tips

  • Ask: The checklist used for approving medical devices in secure areas.
  • Ask: Documentation from the IT team showing disabled wireless features in devices. Review whether technical logs or settings confirmation exist. An effective record details dates and personnel responsible for modifications.
  • Ask: The list of authorised devices with corresponding medical practitioner's prescription. Ensure entries correlate to actual devices in use within secure areas. Good compliance is shown when each device has a cross-referenced prescription and approval listed.

Cross-framework mappings

How ISM-2008 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 5.19: ISM-2008 requires organisations to authorise medical devices before they enter SECRET/TOP SECRET areas using explicit assurance and suppl...

Supports (3)
  • Annex A 5.1: ISM-2008 sets a topic-specific rule for SECRET/TOP SECRET environments: only authorised medical devices meeting defined provenance and co...
  • Annex A 5.12: ISM-2008 applies additional device-handling and connectivity restrictions specifically in SECRET and TOP SECRET areas, effectively treati...
  • Annex A 5.31: ISM-2008 mandates compliance conditions for a regulated class of equipment (medical devices) when used in SECRET/TOP SECRET areas, includ...

Related (1)
  • Annex A 7.6: Annex A 7.6 requires organisations to implement security measures governing work practices within secure areas

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
