Senior Editor, Network World

Hospitals’ patch fears on the wane

Nov 28, 2005

Networking, Patch Management Software, Security

In the year or so since conflict between hospitals and manufacturers over the security of networked medical devices went public, much has changed for the better.

“The threats have abated,” says Dave McClain, information security manager at Community Health Network, an organization in Indianapolis that operates five hospitals. “A year ago the vendors were saying they wouldn’t support the contracts if we went ahead with patching.”

Our 2004 series on hospital patching:

Rx for patching mired in red tape

Users, vendors treating healthcare patching ills

When medical-device equipment gets sick

FDA reads riot act to device makers

Fed up hospitals defy patching rules

Imaging, radiological and cancer-care equipment made by GE Healthcare, Siemens, Agfa, Kodak’s Health Imaging Group, Philips Medical Systems and others is often networked and includes commercial off-the-shelf software. Hospitals have been in a bind because device manufacturers – often unable to keep pace with new worms, viruses and other security threats – traditionally prohibited them from applying software updates to their medical equipment, threatening to cancel contracts or take legal action.

While it might be easy to suggest that healthcare organizations should refrain from tying medical devices to their networks, having systems interconnected can pay dividends in terms of management and data sharing.

For years, manufacturers had been telling customers that they couldn’t provide timely patches because the U.S. regulatory body in charge of medical-device safety, the Food and Drug Administration (FDA), had to approve the software fixes first in a lengthy inspection process.

But inquiries last year to the FDA division in charge, the Center for Devices and Radiological Health, revealed that the FDA had no such rules. This shattered a myth that had been at best a misunderstanding and at worst a deceit.

Since then, much of the change in the dialogue among manufacturers and hospital IT staff can be attributed to FDA guidance. The agency has made clear it isn’t opposed on principle to customers patching medical devices.

“There is no FDA legal requirement that would prevent the user from installing patches without prior approval from the device manufacturer,” says John Murray, the FDA’s software and electronic-records compliance expert.

In its “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software,” the FDA told manufacturers that they “bear the responsibility for the continued safe and effective performance of the medical device, including the performance of the off-the-shelf software that is part of the device.”

The document also states: “The need to be vigilant and responsive to cybersecurity vulnerabilities is part of your obligation.”

The FDA’s guidelines require manufacturers to perform software validation and risk analysis on patches. But the FDA made clear that it does not require an extensive pre-market review for a device implementing a software patch, though the agency wants vendors to report regularly to the FDA on the process.

The agency will take a closer look if the software patch affects how the medical device treats diseases, or if it affects device effectiveness or safety.

The FDA told medical-device manufacturers they should establish formal business relationships with commercial software vendors and validate software changes to medical devices to address cybersecurity vulnerabilities.

And “because of the frequency of the cybersecurity patches,” says the FDA, manufacturers should come up with a “single cybersecurity maintenance plan.”

The plan could allow the manufacturers to delegate tasks to customers, the software vendor or third parties, the FDA said.

Community Health Network’s McClain says relations with device manufacturers have improved noticeably on patching issues. He consults with all his vendors, including GE Medical, Agfa and McKesson, when the hospital decides to patch medical devices. This is especially true on the large, cumulative patches that Microsoft has released periodically over the past year.

“If there’s an urgent patch [where a breach could be opened] without it, we let the vendors know we’re doing it,” he says.

Other organizations, including the U.S. Department of Veterans Affairs, are more comfortable adhering to a policy that a customer make no modification to a medical device, unless the manufacturer “explicitly supports the modification,” says Steven Wexler, biomedical engineer at the agency.

Wexler has helped the agency and the VA hospitals craft a policy that emphasizes network defenses, such as intrusion-detection and prevention and network segmentation of medical devices through virtual LANs (VLAN).

Some IT professionals say manufacturers are sometimes part of the problem and there’s a long way to go to improve the intrinsic security of medical devices.

“Vendors have introduced viruses into the network,” says Bill Bailey, enterprise architect at ProHealth Care, Milwaukee. Bailey has advocated that the FDA play a stronger role in policy for networked medical devices.

Although Bailey says he perceives “no sea change” in security for medical devices over the past year, he does see substantial progress in certain areas.

He notes that a few vendors, including GE Medical and Agfa, are exploring ways to monitor devices such as cardiac monitors and imaging systems so patch updates for Windows or Unix might be applied remotely.

Bailey points to specialized gateways that both manufacturers are testing at ProHealth to monitor patient-care equipment for security purposes. “The gateway sits onsite to act as a Layer 3 security bridge,” he says.

While such specialized medical-device gateways might one day become common, Bailey also sees a downside: They would be another device to monitor.

Manufacturers say they’re striving to find common ground with customers and to improve security in medical devices.

Agfa, for one, maintains that the FDA’s cybersecurity guidelines have helped to promote a more positive dialogue.

“Prior to that, there was a cloud hanging over the whole thing,” says Tim Artz, Agfa’s director of global government programs.

The FDA’s guidance prompted Agfa to undertake a broad assessment of its products. “The risk of applying patches is very extremely low,” Artz says, adding Agfa is exploring ways it might automate security updates to devices that “would be done in line with customers’ policies.”

Even before the FDA guidelines appeared, Agfa had been involved in an Air Force-run program to make sure imaging devices, which can share patient data remotely, would be kept patched and maintained according to Air Force procedures. That effort, which required extensive testing of Agfa teleradiology machines by the Air Force, earned the vendor’s equipment the “Certificate of Networthiness” from the Air Force.

Last summer the FDA eyed the certificate program for medical devices as a process it might espouse for broader use. However, that effort is not currently being pursued, according to the FDA.

Philips Medical Systems and GE Medical also want to make it easier and faster to apply patches, but worry the patching process could have repercussions if it eludes their control.

As far as policy goes, Philips “warns” against any modification of its devices “unless modifications are authorized in writing by Philips,” says Nick Mankovich, director of product security.

Philips, which validates software patches, typically has its own service staff apply them to customer equipment. There are no set time frames for this.

Mankovich says Philips will let customers install patches and anti-virus protection on some devices, but only with specific authorization from the vendor.
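The two customer stances the article contrasts (Community Health Network’s notify-and-patch approach for urgent fixes versus the VA’s and Philips’ rule of no modification without explicit vendor authorization) can be written down as a decision procedure. The following is an added example, not code from the article or from any vendor; the device records, vendor authorization table and patch identifiers are constructed placeholders.

```python
"""Patch-governance check for networked medical devices (added example).

Constructed data throughout: vendors, devices and "KB-*" patch ids are
placeholders, not real products or patches.
"""
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    vendor: str
    os: str
    installed: set = field(default_factory=set)  # patch ids already applied

@dataclass
class Patch:
    id: str
    os: str
    urgent: bool  # True when leaving it unapplied leaves an exploitable hole

# Patches the manufacturer has validated for its devices (hypothetical table).
# An entry here stands for the vendor "explicitly supporting the modification".
AUTHORIZED = {
    ("VendorA", "Windows"): {"KB-A1", "KB-A2"},
    ("VendorB", "Windows"): {"KB-A1"},
}

def decide(device, patch, policy):
    """Classify one device/patch pair under a given customer policy.

    policy == "strict": only manufacturer-validated patches go on (VA-style).
    policy == "notify": urgent patches go on and the vendor is told; all other
    unvalidated patches wait for the manufacturer (Community Health-style).
    """
    if patch.os != device.os or patch.id in device.installed:
        return "not-applicable"
    if patch.id in AUTHORIZED.get((device.vendor, device.os), set()):
        return "apply"                      # vendor-validated: no special handling
    if policy == "strict":
        return "hold"                       # wait for vendor validation, whatever the urgency
    return "apply-and-notify" if patch.urgent else "hold"

def plan(devices, patches, policy):
    """Return {(device, patch): decision} for every applicable pair."""
    result = {}
    for d in devices:
        for p in patches:
            decision = decide(d, p, policy)
            if decision != "not-applicable":
                result[(d.name, p.id)] = decision
    return result

# Constructed fleet and patch feed for a worked run.
DEVICES = [Device("CT-1", "VendorA", "Windows", {"KB-A1"}),
           Device("MON-2", "VendorB", "Windows"),
           Device("US-3", "VendorA", "Unix")]
PATCHES = [Patch("KB-A2", "Windows", urgent=False),
           Patch("KB-A3", "Windows", urgent=True)]
```

Running `plan(DEVICES, PATCHES, "notify")` shows the difference the policy makes: the unvalidated urgent patch is applied with vendor notification under the notify policy but held under the strict one, while the vendor-validated patch is applied either way.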

Philips has focused on “hardening” the commercial operating systems and applications used in its ultrasound and tomography scanners, as well as its cardiac monitoring and cardiovascular systems, so that unused services and ports are closed and internal firewalls are incorporated into the devices.

Mankovich notes that Philips, along with other manufacturers, is working on ways to patch that will be “designed, validated and verified for use by customer staff where feasible.”

Device manufacturers see the dark side of patching, particularly the disruptions a patch can cause when it’s flawed or interferes with a machine’s operation.

“All patches are guilty until proven innocent,” says Scott Bolte, GE Healthcare product-security program manager. “An unexpected side effect of a patch, one that disrupts normal operations, is annoying on a general-purpose system such as your desktop. The same side effect on a medical device is intolerable.”

Because medical systems are sold internationally, device makers periodically get together to hash out answers on a global basis.

One important forum for doing this is the Joint Security and Privacy Committee, which unites three regional industry groups: the National Electrical Manufacturers Association in the United States, the European Coordination Committee of the Radiological and Electromedical Industry and the Japan Industries Association of Radiological Systems.

Stephen Vastagh, the secretary for the Joint Security and Privacy Committee in Washington, D.C., points to the difficulties in managing IT security risks associated with medical devices, because the regions in which devices are manufactured and operated define the regulatory requirements.

Vastagh says the “incredible diversity of devices, ranging from on- or in-the-body devices to MRI scanners to multi-facility information systems,” makes it difficult to have standards.

Vastagh says healthcare providers and manufacturers have to work together to balance information flow and cost issues with IT security requirements.

“Of course, we know that there are those who remain frustrated with the fact that medical devices cannot be patched with the same speed as the desktop computing environment,” Vastagh says. “This is the reality of having people’s safety and lives connected directly to medical devices. If your life depended on OpenOffice or Photoshop or Quicken working perfectly after every operating-system patch and upgrade, you might reasonably be more cautious before setting AutoUpdate to ‘on’ – even more cautious if your children’s and neighbors’ lives were in the mix.”