In the year or so since conflict between hospitals and manufacturers over the security of networked medical devices went public,
much has changed for the better.
Following a Network World series last year about the potentially dangerous situation posed by unpatched patient-care equipment on hospital networks, the U.S. government issued new guidelines to manufacturers that clarified their responsibilities and many vendors changed their approach to securing products, a difference some customers say has been significant.
"The threats have abated," says Dave McClain, information security manager at Community Health Network, an organization in Indianapolis that operates five hospitals. "A year ago the vendors were saying they wouldn't support the contracts if we went ahead with patching."
Our 2004 series on hospital patching:
Rx for patching mired in red tape
Users, vendors treating healthcare patching ills
When medical-device equipment gets sick
FDA reads riot act to device makers
Fed up hospitals defy patching rules
Imaging, radiological and cancer-care equipment made by GE Healthcare, Siemens, Agfa, Kodak's Health Imaging Group, Philips Medical Systems and others is often networked and includes commercial off-the-shelf software. Hospitals have been in a bind because device manufacturers - often unable to keep pace with new worms, viruses and other security threats - traditionally prohibited them from applying software updates to their medical equipment, threatening to cancel contracts or take legal action.
While it might be easy to suggest that healthcare organizations should refrain from tying medical devices to their networks, having systems interconnected can pay dividends in terms of management and data sharing.
For years, manufacturers had been telling customers that they couldn't provide timely patches because the U.S. regulatory body in charge of medical-device safety, the Food and Drug Administration (FDA), had to approve the software fixes first in a lengthy inspection process.
But inquiries last year to the FDA division in charge, the Center for Devices and Radiological Health, revealed that the FDA had no such rules. This shattered a myth that had been at best a misunderstanding and at worst a deceit.
Since then, much of the change in the dialogue between manufacturers and hospital IT staff can be attributed to FDA guidance. The agency has made clear it isn't opposed in principle to customers patching medical devices.
"There is no FDA legal requirement that would prevent the user from installing patches without prior approval from the device manufacturer," says John Murray, the FDA's software and electronic-records compliance expert.
In its "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software," the FDA told manufacturers that they "bear the responsibility for the continued safe and effective performance of the medical device, including the performance of the off-the-shelf software that is part of the device."
The document also states: "The need to be vigilant and responsive to cybersecurity vulnerabilities is part of your obligation."
The FDA's guidelines require manufacturers to perform software validation and risk analysis on patches. But the FDA made clear that it does not require an extensive pre-market review for a device implementing a software patch, though the agency wants vendors to report regularly to the FDA on the process.
The agency will take a closer look if the software patch affects how the medical device treats diseases, or if it affects device effectiveness or safety.
The FDA told medical-device manufacturers they should establish formal business relationships with commercial software vendors and validate software changes to medical devices to address cybersecurity vulnerabilities.
And "because of the frequency of the cybersecurity patches," says the FDA, manufacturers should come up with a "single cybersecurity maintenance plan."
The plan could allow the manufacturers to delegate tasks to customers, the software vendor or third parties, the FDA said.
Community Health Network's McClain says relations with device manufacturers have improved noticeably on patching issues. He consults with all his vendors, including GE Medical, Agfa and McKesson, when the hospital decides to patch medical devices. This is especially true on the large, cumulative patches that Microsoft has released periodically over the past year.
"If there's an urgent patch [where a breach could be opened] without it, we let the vendors know we're doing it," he says.
Other organizations, including the U.S. Department of Veterans Affairs, are more comfortable adhering to a policy that a customer make no modification to a medical device, unless the manufacturer "explicitly supports the modification," says Steven Wexler, biomedical engineer at the agency.