Theodore Cohen: The Importance of Software Security Updates for Medical Devices

With federal rules such as HIPAA governing patient privacy (and imposing fines if they are violated), regular malware occurrences and the constant threat of breaches, the security of IT-based medical devices has become very important. One security measure that is sometimes overlooked is computer system software updates.

The primary problem with the routine updating of computerized medical devices is one of omission. Quite simply, these updates often are not taken care of by hospitals. The reasons range from the clinical engineering (or healthcare technology management) department not knowing about the updates, to the lack of a process to perform them, to manufacturers failing to notify customers of tested updates in a timely manner.

For example, on one of our older systems, a member of our IT network staff asked the manufacturer how often it updated the software on its Cisco switch (this was part of a small dedicated network that we were moving to an institutional network). The manufacturer’s answer was “never.” The manufacturer’s mindset was that the Cisco switch would forever remain at the software code level at the time of purchase.

More commonly, with Microsoft releasing Windows OS patches weekly, a medical device vendor will tell customers to wait until after the patch is tested by the manufacturer before installing the patch. These tests are important to ensure the product meets its performance specifications without any negative impact from the patch. However, the test period does extend the device “vulnerability window” should the malware spread.

Unfortunately, in my experience, many medical device manufacturers do a poor job of notifying their customers if and when the patches have been tested and are ready for installation. Some manufacturers post update information on their websites, some only notify customers with service contracts, and others notify their own staff internally and tell them to “fix on observation” (i.e., wait until after the damage is done and then fix the customer’s problem, often with a time and materials charge).

Manufacturers need to do a much better job of timely testing of updates and communicating update relevance and testing completion information to customers. I am hopeful that recent discussions with ECRI Institute will result in improvements. One idea is for ECRI Institute, using its communication channels with manufacturers and subscribers—similar to its product recall and alerts system—to develop a process to periodically “post” software security update release information.

Meanwhile, what can we do? We need to record medical device software rev levels in our computerized maintenance management system (CMMS) to make it easier to track update relevance. We need to include requirements in our purchase agreements specifying that manufacturers provide IT security-related information (e.g., virus scanner installation and update capabilities, and update information for the operating system). And we need to use the HIMSS MDS2, or a similar specifications document, for IT-related medical device purchasing requirements.
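As an added illustration of why recording rev levels in the CMMS pays off (this is example code, not part of the original post or any CMMS product), the script below joins a constructed CMMS export of device software revisions against a constructed vendor "patch tested" feed. For each device it reports whether it is behind the manufacturer-approved revision, how many days the vulnerability window has been open since the vendor declared the patch tested, and whether that exceeds a response deadline (assumed here to be 30 days, the same figure a commenter below mandates for manufacturers). Devices whose model has no vendor guidance at all are flagged separately, since those are the "never update" cases. All identifiers, models, dates and revisions are made up.

```python
"""Patch-window tracker built from CMMS revision records (added example, not the post's own tool).

Assumes two inputs: a CMMS export listing each device's installed software revision,
and a vendor feed stating the newest revision the manufacturer has tested for each
model and when it said so. Every record below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    installed_rev: str  # software revision as recorded in the CMMS


@dataclass(frozen=True)
class VendorApproval:
    model: str
    approved_rev: str   # newest revision the manufacturer has tested
    approved_on: date   # date the manufacturer announced that test result


@dataclass(frozen=True)
class Finding:
    asset_id: str
    model: str
    installed_rev: str
    approved_rev: Optional[str]
    days_open: Optional[int]   # days since the vendor approved a newer revision
    status: str                # "overdue", "pending" or "no_vendor_guidance"


def parse_rev(rev: str) -> Tuple[int, ...]:
    """Turn a dotted revision such as '2013.07' or '3.1.2' into a comparable tuple,
    so that '2013.10' correctly sorts after '2013.9' (string comparison would not)."""
    return tuple(int(part) for part in rev.split("."))


def outstanding_updates(devices: List[Device], approvals: List[VendorApproval],
                        today: date, sla_days: int = 30) -> List[Finding]:
    """Return every device that is behind its vendor-approved revision, or whose
    model has no vendor guidance on file, with the open vulnerability window in days."""
    approved_by_model = {a.model: a for a in approvals}
    findings = []
    for dev in devices:
        approval = approved_by_model.get(dev.model)
        if approval is None:
            # No tested revision has ever been published for this model.
            findings.append(Finding(dev.asset_id, dev.model, dev.installed_rev,
                                    None, None, "no_vendor_guidance"))
            continue
        if parse_rev(dev.installed_rev) >= parse_rev(approval.approved_rev):
            continue  # already at (or beyond) the tested revision
        days_open = (today - approval.approved_on).days
        status = "overdue" if days_open > sla_days else "pending"
        findings.append(Finding(dev.asset_id, dev.model, dev.installed_rev,
                                approval.approved_rev, days_open, status))
    return sorted(findings, key=lambda f: f.asset_id)


# Constructed sample data: a CMMS export and a vendor approval feed (hypothetical models).
SAMPLE_DEVICES = [
    Device("IV-0001", "InfusionPump-X", "2013.05"),
    Device("IV-0002", "InfusionPump-X", "2013.07"),
    Device("MON-0101", "PatientMonitor-Y", "2013.06"),
    Device("US-0007", "Ultrasound-Z", "2012.11"),
]
SAMPLE_APPROVALS = [
    VendorApproval("InfusionPump-X", "2013.07", date(2013, 6, 20)),
    VendorApproval("PatientMonitor-Y", "2013.08", date(2013, 8, 25)),
]


def sample_report(today: date = date(2013, 9, 1)) -> List[Finding]:
    """Run the tracker over the constructed sample data as of a fixed date."""
    return outstanding_updates(SAMPLE_DEVICES, SAMPLE_APPROVALS, today)


if __name__ == "__main__":
    for f in sample_report():
        window = "n/a" if f.days_open is None else f"{f.days_open} days"
        print(f"{f.asset_id:9} {f.model:17} installed={f.installed_rev:8} "
              f"approved={f.approved_rev or '-':8} window={window:9} {f.status}")
```

The same join can be scheduled against a live CMMS export; the two columns that make it possible are the installed revision per asset and the vendor's approval date per model, which is exactly the information the post asks both hospitals and manufacturers to keep.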

Do you have other ideas on how to improve update compliance?

Theodore Cohen is the manager of clinical engineering at UC Davis Medical Center. He also sits on the Editorial Board for BI&T, AAMI’s peer-reviewed journal.

One thought on “Theodore Cohen: The Importance of Software Security Updates for Medical Devices”

  1. Thanks Ted for bringing this topic to discussion. Our institution has a strategic plan to tackle software and security updates on medical devices. We are leveraging our clinical technology database to audit, track, resolve, and document the software updates, antivirus updates and encryption information on every medical device. The task force tackling this project includes the chief security officer, information technology delivery manager, and the director of clinical technology and biomedical engineering. The manufacturers are responding well. We are using the FDA circular titled “FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks” to get rapid response and action from the manufacturers. We have mandated the manufacturers to respond, take action and resolve the software patch issues and security issues in 30 days. Manufacturers unwilling to adhere to our request will have their equipment taken out of service.
    Our BMETs are required to check for software updates and security updates as a part of their preventative maintenance cycle. Clinical technology engineers will test the new updates in a test environment. Once approved, the updates will be installed in a production environment. Some manufacturers have given us access to their update web site. Adding to your suggestion, ECRI can help the medical centers by creating a web page that provides links to the manufacturers’ software and security update pages.
