There continues to be plenty of finger-pointing over who should fix the broken process for patching Windows-based patient-care systems, but some users and vendors are at least trying to deal with the problem directly.
As outlined in a Network World story earlier this month, hospital IT and network professionals say their hands are tied when it comes to patching patient-care systems, which increasingly are based on Microsoft software and are often networked to simplify information sharing. IT professionals say device makers don't want customers fussing with their systems out of fear that the products will not conform to rules laid out by the federal Food and Drug Administration. The FDA, for its part, says the device makers are exaggerating the extent of its rules. While device makers are largely mum on this topic, those that do talk acknowledge they could do more to smooth the process but also say healthcare IT shops need to re-evaluate how they set up their networks.
Steve Wexler, chief biomedical engineer at the Department of Veterans Affairs' Health Administration Division, says the veterans' organization is addressing the problem head-on by crafting a plan to tighten security on the networks of about 150 VA hospitals and that the organization hopes to have it in effect by fall.
"You just can't modify a regulated device," says Wexler, who worked with about a dozen network and security managers at the VA to devise the Department of Veterans Affairs Medical Device Isolation Architecture Guide.
The plan calls for VA hospitals to beef up security on LANs by adding internal firewalls, virtual LANs and remote-access control lists to cordon off Windows-based GE Medical imaging systems and other gear.
The guide acknowledges that routine patching is often "not available in most cases" to medical devices with commercial operating systems such as Windows. Therefore, networked patient-care equipment could be exposed to attacks "that have the potential to destabilize an entire network, shut down hospital operations, corrupt data and jeopardize patient safety."
Wexler says users of networked medical devices should put pressure on manufacturers to do a better job of addressing security concerns.