Users, vendors treating healthcare patching ills
By Ellen Messmer, Network World, 07/19/2004
There continues to be plenty of finger-pointing over who should fix the broken process for patching Windows-based patient-care
systems, but some users and vendors are at least trying to deal with the problem directly.
As outlined in a Network World story earlier this month, hospital IT and network professionals say their hands are tied when it comes to patching patient-care
systems that increasingly are based on Microsoft software and that are often networked to simplify information sharing. IT professionals say device makers don't want customers
fussing with their systems out of fear that the products will not conform to rules laid out by the federal Food and Drug Administration,
which says the device makers are exaggerating the extent of FDA rules. While device makers are largely mum on this topic,
those that do talk acknowledge they could do more to smooth the process but also say healthcare IT shops need to re-evaluate
how they set up their networks.
Steve Wexler, chief biomedical engineer at the Department of Veterans Affairs' Health Administration Division, says the veterans'
organization is addressing the problem head-on by crafting a plan to tighten security on the networks of about 150 VA hospitals
and that the organization hopes to have it in effect by fall.
"You just can't modify a regulated device," says Wexler, who worked with about a dozen network and security managers at the
VA to devise the Department of Veterans Affairs Medical Device Isolation Architecture Guide.
The plan calls for VA hospitals to beef up security on LANs by adding internal firewalls, virtual LANs and remote-access control lists to cordon off Windows-based GE Medical imaging systems and other gear.
The guide acknowledges that routine patching is often "not available in most cases" to medical devices with commercial operating
systems such as Windows. Therefore, networked patient-care equipment could be exposed to attacks "that have the potential
to destabilize an entire network, shut down hospital operations, corrupt data and jeopardize patient safety."
Wexler says users of networked medical devices should put pressure on manufacturers to do a better job of addressing security
concerns.
"This problem is solvable," he says. "The intent is to minimize the exposure and the risk. The vendors understand there needs
to be a culture change. It's on their radar scope."
Wexler says changes could include shipping equipment with network ports closed, better access control, or vendor
Web sites announcing vulnerabilities and their patching status. That way, he notes, hospitals won't have to give up the benefits
of networked medical equipment.
Philips Medical Systems last week explained why patching is so hard with medical equipment - and also acknowledged its sales
and support personnel might be sowing confusion about the matter.
Nick Mankovich, director of product IT security, says Philips makes about 300 patient-care medical devices that are regulated
by the FDA and that about 60% of them run on Windows.