By Inhel Rekik
Even today, after WannaCry and NotPetya, myths and misunderstandings persist around the patching of medical devices. Patching is paramount to reducing cybersecurity risk.
Patching of medical devices is a shared responsibility between a healthcare delivery organization (HDO) and the medical device manufacturer. The biggest misconception is that an HDO cannot perform cybersecurity updates and patch medical devices itself.
The FDA states that health care organizations can patch or change devices and infrastructure to reduce cybersecurity risks, and it encourages HDOs to perform risk assessments and work with medical device manufacturers to implement those changes. In practice, this can mean patching a device before the manufacturer has validated the patch. Whether to install a patching agent that monitors patch level and pushes needed patches on a schedule is a risk-based decision for each HDO. I recommend that you get familiar with the FDA fact sheet.i Medical device manufacturers do not need to notify the FDA of changes or updates applied to a medical device solely to address cybersecurity risks; in fact, the FDA encourages them to make such updates. If a cybersecurity fix modifies the function of the device, or is released to address a vulnerability that poses a risk to health, they are required to notify the agency.
The FDA postmarket guidanceii distinguishes two types of risk: controlled and uncontrolled. A controlled risk is one with an acceptably low residual risk of patient harm. The manufacturer can release the fix for it, whether a patch, software update, firmware update or change of settings, through its normal process; all you need to do is contact the manufacturer to obtain the fix when it is available. An uncontrolled risk is one with an unacceptable residual risk of patient harm. For these, manufacturers need to notify customers within 30 days of learning of the vulnerability and provide HDOs with compensating controls and residual-risk information, and they need to provide the fix within 60 days. Uncontrolled risks that are not handled within these timelines must be reported to the FDA.
There are two major points to consider when addressing medical device patching. Do you have a detailed, documented process for patching your medical devices? And how are you validating that vendor-supported equipment is actually being patched, with a clear understanding of who, the HDO or the vendor, will perform each patch?
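One way to answer the second question on a recurring basis is to reconcile the device inventory against the manufacturer's validated patch levels and the assigned patch owner. The script below is an added example, not code from the article or from MedStar Health; it assumes the HDO keeps an inventory with, per device, the installed version, the newest version the manufacturer has validated, and the party responsible for applying patches. All device records, models and version numbers are constructed sample data.

```python
"""Reconcile a medical device inventory against vendor-validated patch levels.

Added example (not from the article or MedStar Health). Assumes the HDO's
inventory records, per device, the installed version, the newest version the
manufacturer has validated, and who owns applying patches. Sample data below
is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '2.10.3' into a comparable tuple.
    Numeric comparison avoids the '2.9' > '2.10' trap of string comparison."""
    return tuple(int(part) for part in version.strip().split("."))


@dataclass
class Device:
    asset_id: str
    model: str
    installed: str           # software/firmware version currently on the device
    vendor_validated: str    # newest version the manufacturer has validated
    patch_owner: str         # "hdo", "vendor", or "" when nobody has been assigned
    network_connected: bool  # networked devices are reachable by worms such as WannaCry


def patch_status(device: Device) -> str:
    """Classify one device.
    'current'  - installed version equals the vendor-validated one
    'behind'   - a validated fix exists and an owner is assigned to apply it
    'orphaned' - a validated fix exists but nobody owns applying it
    'ahead'    - installed version is newer than anything the vendor validated
                 (patched before manufacturer validation: a risk-based HDO decision
                 that should be recorded, not a silent state)
    """
    installed = parse_version(device.installed)
    validated = parse_version(device.vendor_validated)
    if installed > validated:
        return "ahead"
    if installed == validated:
        return "current"
    return "behind" if device.patch_owner else "orphaned"


def reconcile(inventory: List[Device]) -> Dict[str, List[str]]:
    """Group asset IDs by status. Network-connected devices are listed first
    within each group so they surface at the top of a remediation queue."""
    report: Dict[str, List[str]] = {"current": [], "behind": [], "orphaned": [], "ahead": []}
    for device in sorted(inventory, key=lambda d: not d.network_connected):
        report[patch_status(device)].append(device.asset_id)
    return report


# Constructed sample inventory (hypothetical devices and versions).
SAMPLE_INVENTORY = [
    Device("IP-0001", "Infusion pump", "4.2.1", "4.2.1", "vendor", True),
    Device("IP-0002", "Infusion pump", "4.1.0", "4.2.1", "", True),
    Device("MR-0010", "MRI console", "2.9", "2.10", "hdo", True),
    Device("US-0020", "Ultrasound cart", "7.0.5", "7.0.3", "hdo", False),
    Device("PM-0031", "Patient monitor", "1.3.0", "1.4.0", "", False),
]

if __name__ == "__main__":
    for status, assets in reconcile(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(assets) or '-'}")
```

The "orphaned" group is the one the two questions above are really about: a validated fix exists, but no one has been assigned to apply it, so it will not happen on its own. Run against the sample data, IP-0002 (a networked infusion pump) lands there first, which is where an HTM team's attention should go.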
Every HTM (healthcare technology management) professional needs to be proactive in making sure they receive communication about cybersecurity vulnerabilities and patches in a timely manner. This information can come from multiple sources: directly from the medical device manufacturer, or via membership in the Medical Device Security Information Sharing Council (MDSISC) created by NH-ISAC.
i https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf
Inhel Rekik is director of health technology security at MedStar Health.
