Although these devices appear to be "appliances" that you simply plug into the network and use for patient care, they are actually sophisticated computers, often running outdated versions of operating systems and applications that are not resilient against purposeful attacks.
For example, we have devices from a major manufacturer that internally use Windows NT as the operating system and Apache 1.0 as the web server. Patches are no longer available for these old versions of software and they cannot be updated to protect them from malware. Instead, we build hardware firewalls around the devices, creating "zero day" protection which mitigates risk by preventing internet-based attacks from reaching the devices.
In the past, manufacturers have claimed they cannot upgrade or patch software to enhance security because changing the device would trigger a new FDA 510k approval process.
Hence they have left the protection of the devices to the CIOs who manage hospital technology infrastructure.
In the past, when I’ve asked major device manufacturers to provide me a functional diagram of the ports and protocols used by their products that would enable me to create tightly controlled firewalls, I’ve been told that the manufacturers do not have this information.
I’ve spoken to the FDA about this issue and they have advised me that device manufacturers have a responsibility to secure their products and there is no 510k re-certification needed when security patches are added. The FDA has wisely stated that there is shared responsibility. Device manufacturers must coordinate the updates and changes with hospital IT leaders and business owners. We have had circumstances where manufacturers serviced devices without IT knowledge and left them in a vulnerable state.
In November 2009, the FDA issued "Reminder from FDA: Cybersecurity for Networked Medical Devices is a Shared Responsibility," which reminded device manufacturers, hospitals, medical device user facilities, healthcare IT and procurement staff, medical device users, and biomedical engineers of the 2005 guidance as well as simple ways to protect against cybersecurity threats.
I’ve also talked to the FDA about including security penetration testing in the 510k process so that devices cannot be brought to market unless they are secure at baseline.
They have assured me that such regulations are in the planning phase. It is true that existing FDA regulations for device safety and efficacy never presumed that purposeful malware attacks would be an issue.
Here are other valuable references from the FDA:
FDA issued guidance in 2005, "Guidance to Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software," which answers questions about pre-market review as well as other manufacturer responsibilities, such as validating software changes before releasing them.
At the same time as the guidance, the FDA issued Information for healthcare organizations about FDA’s "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software" that describes FDA’s concerns about cybersecurity and what the guidance document covers.
In April 2005, the FDA hosted a webinar on cybersecurity. The transcript is available here.
If your device manufacturer claims the device cannot be patched due to FDA restrictions, refer them to these references and demand that devices be secured in collaboration with hospital IT staff and business owners. In a world of escalating malware, manufacturers have a duty to keep devices secure and safe.
In addition to his CIO role at BIDMC, Dr. Halamka blogs at GeekDoctor.blogspot.com.