Applying software patches to address security vulnerabilities within a device or system is considered a fundamental cybersecurity practice. For most types of equipment, the appropriateness of applying a patch is noncontroversial. For medical devices and systems, however, the guidance is not so clear-cut. In fact, ECRI advises against patching medical devices without specific guidance from the medical device manufacturer to do so.
“Patching is key, but the process must be driven by sound policy and conducted in coordination with the medical device manufacturer,” notes Chad Waters, senior cybersecurity engineer in ECRI’s Health Devices Group. For medical devices – including equipment like radiology viewing consoles, laptops used with USB-connected ultrasound probes, and other control workstations – an unvalidated patch could do more harm than good.
3 Reasons to Wait
Reason 1: Medical devices are different. Medical devices differ from many consumer devices and other types of equipment in that a malfunction of the device could lead to patient harm. Thus, any modification to the device – including a software patch – must be validated by the manufacturer to ensure that the intended use is not affected. Unvalidated patches can make medical devices faulty or inoperative.
Additionally, potential effects on device interoperability must be considered. Many medical devices are connected to, and exchange information with, other devices and systems. Thus, the possibility exists that a patch could affect the way connected devices and systems interact with each other.
Reason 2: The manufacturer knows the device better than you do. The manufacturer is in a better position than the hospital to assess the implications of a security patch, and is required to do so. In its fact sheet The FDA’s Role in Medical Device Cybersecurity, FDA specifies: “The medical device manufacturer is responsible for the validation of all software design changes, including computer software changes to address cybersecurity vulnerabilities.” Medical device regulations require that modifications to a device not affect the device’s safety or effectiveness; thus, manufacturers must verify that their devices will function properly after the patch has been applied.
Reason 3: Applying an unvalidated patch can increase your liability. A hospital that applies an unvalidated software patch risks shifting liability for problems that occur with the device from the manufacturer to the hospital. In its white paper Medical Device Software Patching, Integrating the Healthcare Enterprise (IHE) notes that directives not to “install any software or components on the medical device that have not been validated and approved by the manufacturer … may be further enforced through contracts and warranty conditions,” adding that, “as a result, any change to the device without manufacturer approval can create substantial liability for the [health delivery organization].”
4 Steps to Take Right Now
ECRI recommends the following steps to improve your preparedness for, and management of, security updates and patches for medical devices and systems:
Step 1. Institute a policy that details when and how medical device patches will be applied, and which staff will need to be informed about and involved in the process. The policy should specify that medical device security updates or patches must first be validated by the medical device manufacturer before being installed.
Step 2. Establish processes and assign responsibilities for learning about and disseminating cybersecurity information, including information about software patches. During the WannaCry cybersecurity attack in 2017, one of the issues that emerged was the difficulty healthcare organizations had obtaining timely information from medical device manufacturers and government agencies. There remains no single channel through which manufacturers disseminate information for easy access by healthcare organizations. (To help address this issue, ECRI now disseminates cybersecurity notices to hospitals via its Health Devices Alerts service.)
Sources of information about device patches include:
Step 3. Follow the device manufacturer’s instructions, if supplied, about how to proceed until a validated patch becomes available. Often, device manufacturers will issue an advisory with interim guidance when a security risk has been identified. The manufacturer may recommend mitigations. For example, if the vulnerability is network based, compensating controls may include network segmentation.
Step 4. Update your device procurement practices to include obtaining information about a device manufacturer’s patching policies and how the manufacturer distributes software updates. It will be important for healthcare providers to know – before purchase – how often a manufacturer intends to patch and update a device. The updates may need to be applied by the manufacturer, either remotely or on-site by a field technician. The 2019 revision of the MDS2 form includes a section that specifically addresses patches and other cybersecurity product upgrades. (Device manufacturers use the MDS2 form – the Manufacturer Disclosure Statement for Medical Device Security – to communicate information about a product’s security capabilities to their customers.)
When It’s Time to Act
Once a patch for a medical device or system has been made available and validated, you’ll need to (1) coordinate next steps with device stakeholders and clinical staff and (2) apply the patch according to your patch management policies. According to ECRI’s Waters, these policies should provide guidance for activities such as prioritizing devices to be patched, managing devices that need to be removed from service to apply a patch, and responding if it becomes necessary to roll back the patch.
Difficulties in medical device patching should lessen over time as suppliers include support for security patching in their new device design requirements. FDA is working on ways to clarify and improve the regulatory requirements for the design of new medical devices so that future devices will be better suited to being updated as new cybersecurity risks become known. For medical devices currently marketed and in use, however, healthcare facilities will need to rely on manufacturer communications and internal policies and mitigation strategies to identify the need for, and to implement, medical device software patches.
This article is adapted from ECRI’s Guidance Article “Software Patches for Medical Devices: Vendor Validation Is Essential” (Health Devices 2020 Jan 22). The complete article is available to members of ECRI’s membership programs. To learn more about membership, visit www.ecri.org/solutions/device-evaluations, or contact ECRI by telephone at (610) 825-6000, ext. 5891, or by e-mail at email@example.com.
*By entering your email address, you agree to receive emails regarding TechNation Magazine, Webinars, and Exclusive Promos.
© 2020, TechNation Magazine. Site designed by MD Publishing, Inc.