With federal rules such as HIPAA governing patient privacy (and imposing fines if they are violated), regular malware occurrences and the constant threat of breaches, the security of IT-based medical devices has become very important. One security measure that is sometimes overlooked is computer system software updates.
The primary problem with the routine updating of computerized medical devices is one of omission. Quite simply, these updates often are not taken care of by hospitals. The reasons range from the clinical engineering (or healthcare technology management) department not knowing about the updates, to the lack of a process to perform them, to manufacturers failing to notify customers of tested updates in a timely manner.
For example, on one of our older systems, a member of our IT network staff asked the manufacturer how often it updated the software on its Cisco switch (this was part of a small dedicated network that we were moving to an institutional network). The manufacturer’s answer was “never.” The manufacturer’s mindset was that the Cisco switch would forever remain at the software code level at the time of purchase.
More commonly, with Microsoft releasing Windows OS patches weekly, a medical device vendor will tell customers to wait until after the patch is tested by the manufacturer before installing the patch. These tests are important to ensure the product meets its performance specifications without any negative impact from the patch. However, the test period does extend the device “vulnerability window” should the malware spread.
Unfortunately in my experience, many medical device manufacturers do a poor job of notifying their customers if and when the patches have been tested and are ready for installation. Some manufacturers post update information on their websites, some only notify customers with service contracts, and others notify their own staff internally and tell them to “fix on observation” (i.e., wait until after the damage is done and then fix the customers problem, often with a time and material charge).
Manufacturers need to do a much better job of timely testing of updates and communicating update relevance and testing completion information to customers. I am hopeful that recent discussions with ECRI Institute will result in improvements. One idea is for ECRI Institute, using its communication channels with manufacturers and subscribers—similar to its product recall and alerts system—to develop a process to periodically “post” software security update release information.
Meanwhile, what can we do? We need to record medical device software rev levels in our computerized maintenance management system (CMMS) to make it easier to track update relevance. We need to include requirements in our purchase agreements, specifying that manufacturers provide IT security-related information (e.g., virus scanner installation and update capabilities, update information for the operating system.). And we need to use the HIMSS MDS2, or a similar specifications document, for IT-related medical device purchasing requirements.
Do you have other ideas on how to improve update compliance?
Theodore Cohen is the manager of clinical engineering at UC Davis Medical Center. He also sits on the Editorial Board for BI&T, AAMI’s peer-reviewed journal.