
FDA reads riot act to device makers

Aug 16, 2004

AUSTIN, TEXAS – Amid growing concern about security in hospital patient-care systems, the federal agency that regulates medical devices last week announced a get-tough policy to improve equipment safety.

Medical devices such as ultrasound and radiology systems often rely on commercial off-the-shelf software, including Windows and Unix, that requires continuous patching for security. But increasingly, hospital IT administrators are voicing complaints that manufacturers are failing to patch Windows-based equipment quickly or at all, which then fall prey to computer worms. This not only disrupts hospital operations but poses a potential safety hazard to patients.

Hospitals are calling on the U.S. Food and Drug Administration (FDA) to put pressure on manufacturers, which by law must authorize the patch after testing it to see if it might have a negative impact on the medical application.

In turn, manufacturers have put the blame on hospitals, saying they have to do a better job with security, such as including internal firewalls and intrusion-prevention systems.

Last week, FDA Deputy Director Brian Fitzgerald outlined three initiatives to improve a deteriorating security situation.

Speaking at the annual IT Conference organized by the Department of Veterans Affairs (VA), he said the agency won’t tolerate medical-device manufacturers failing to keep equipment up to date with security patches.

As a penalty, Fitzgerald said, the FDA will withhold regulatory approval on equipment submitted by manufacturers deemed to have a bad track record on patching. “They won’t be able to have certification for new devices,” he said.

This get-tough approach, which will go out in a guidance letter, represents a sharpening in enforcement of FDA regulations Sections 510(k) and 518. Those rules give the FDA power to set baselines for safety and security.

The FDA also has planned two new efforts to improve security of medical equipment. Guidelines to be issued in the next six months will detail how the FDA expects device manufacturers to be building and testing “networkable, networthy medical devices,” Fitzgerald said.

Largely inspired by the Air Force medical-device evaluation program launched last fall that’s intended to keep unpatched medical equipment off Air Force networks, the FDA technical guide will be aimed at helping manufacturers achieve “technical excellence,” Fitzgerald said.

The Air Force requires device manufacturers to test Windows, Unix, Oracle and other applications, and adhere to a regimen of responding to patching requirements based on security bulletins.

The third FDA regulatory effort will involve the FDA setting up forensics capability to examine devices infected by computer worms or other malware and track down the culprits. In addition, the FDA will create an investigative arm.

This idea evoked skepticism.

“Why would the FDA want to create their own G-men when there are already a bunch of experts at the FBI at work?” asked Steve Wexler, biomedical engineer at the VA who helped the VA’s network staff design security for medical equipment at VA hospitals. “If someone wants to poison a medical device, that’s a criminal act the FBI should be involved in.”

Wexler is gung-ho on the FDA’s other ideas.

“The more information we can share on the existing regulations and how to apply them is great for everybody,” he said.

Conference speakers talked of the growing security threat.

“As medical devices are networked, threat sources are expanded, endangering all systems attached to the network, including healthcare partners, hospital information infrastructures, patient data and applications,” Kenneth Kizer, CEO of the National Quality Forum, said.

Kizer described a list of problems, ranging from anti-virus software installed by an end user on a GE Medical Systems device that crashed it, taking days to restore, to the Blaster worm infecting Kodak Imaging Systems radiography servers.

In addition, Kizer said there is the problem of the insider threat, such as the case of Christopher Scott Sandusky, who two years ago admitted to unlawfully accessing the network of a Las Vegas firm, Steinberg Diagnostic Medical Imaging, and locking the employees out of their own system. The computer consulting company that helped set up the Steinberg medical imaging system had fired Sandusky.

National Quality Forum plans to hold meetings with industry representatives to address the range of problems, he said.

Ultimately, hospitals and manufacturers have to take steps to do what they can to minimize security risks, several VA officials said.

The VA has established what it calls the Health Information Security Division (HISD) in Martinsburg, W.Va., to test medical equipment based on commercial off-the-shelf products. HISD is working with the Department of Defense to publish a set of guidelines early next year for assessing medical equipment.

Hal Haislip, WAN manager for the VA’s Integrated Service Network in Little Rock, Ark., said the VA tries to make sure unnecessary software features in both Windows- and Unix-based medical equipment are either turned off or removed.

“If you look at Unix devices, there is a default mode that enables telnet, ftp and sendmail. We are trying to get these unused services locked down and turned off, so when the device comes to you it will have fewer vulnerabilities,” he said.

“A CT scanner doesn’t need a mail client,” Wexler noted. “That’s what’s getting patched.”
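The lock-down Haislip and Wexler describe, as an added example that is not from the article or the VA: a POSIX shell audit that compares a Unix device's enabled inetd entries and listening TCP ports against an allowlist of what the modality actually needs, and emits the inetd.conf with the rest commented out. The inetd.conf, port list, the "dicom" service and port 104 allowlist are all constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the article. Audits a constructed Unix
# medical-device configuration that ships in "default mode" with telnet,
# ftp and sendmail enabled, and reports/strips what the device does not need.

# Constructed sample inetd.conf (assumption: vendor default image).
SAMPLE_INETD='ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd    in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd in.telnetd
# finger already disabled by the vendor
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd in.fingerd
dicom   stream  tcp  nowait  root    /opt/modality/bin/dicomd dicomd'

# Constructed listening-TCP-port inventory (e.g. taken from netstat).
# sendmail is a standalone daemon, not an inetd entry, so port 25 only
# shows up here.
SAMPLE_PORTS='21
23
25
104'

# Services and ports this hypothetical modality legitimately needs.
ALLOW_SVCS="dicom"
ALLOW_PORTS="104"

# not_allowed ITEMS ALLOWLIST: print every item absent from the allowlist.
not_allowed() {
    for it in $1; do
        case " $2 " in *" $it "*) ;; *) printf '%s\n' "$it" ;; esac
    done
}

# list_enabled INETD_TEXT: service names of uncommented, non-blank entries.
list_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk 'NF { print $1 }'
}

# unneeded INETD_TEXT ALLOWLIST: enabled inetd services the device does not need.
unneeded() { not_allowed "$(list_enabled "$1")" "$2"; }

# harden INETD_TEXT ALLOWLIST: same config with every unneeded entry commented out.
harden() {
    drop=$(unneeded "$1" "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in '#'*|'') printf '%s\n' "$line"; continue ;; esac
        set -- $line   # first field is the service name
        case " $drop " in
            *" $1 "*) printf '#%s\n' "$line" ;;
            *)        printf '%s\n'  "$line" ;;
        esac
    done
}
```

Run `unneeded "$SAMPLE_INETD" "$ALLOW_SVCS"` and `not_allowed "$SAMPLE_PORTS" "$ALLOW_PORTS"` before a device goes on the network; the first flags ftp and telnet, the second flags ports 21, 23 and 25.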