Ted Cohen: Let’s Actively Reduce Security Hazards Through Better Patch Management

Medical devices have become increasingly computerized, networked, and integrated with electronic health records, picture archiving and communication systems, and other systems. Meanwhile, we have seen a major increase in computer malware attacks (e.g., WannaCry).

Given this environment, it is imperative for the medical device industry and healthcare technology management (HTM) field to improve information technology (IT) security management. IT security in healthcare requires a multipronged approach that includes physical security, network security, security built into the medical device, patch management, educating technical and clinical staff, and more. This blog post focuses on patch management processes.

New malware typically affects Microsoft (MS) Windows operating systems, causing MS to issue a patch. Then, IT departments push that patch wherever they can. Unfortunately, in the medical device environment, many products require manufacturers to test the patch prior to pushing it to their medical devices. With many variations in operating systems, particularly embedded systems, variations in a medical device’s application software and hardware revision levels, and other variations, it can take weeks, months, or longer (or sometimes never) for the manufacturer to “approve” a tested MS patch or issue its own patch. This dilemma is one of the reasons that a variety of isolated network architectures, both physically and virtually isolated, were developed and put in place during the previous 10 years or so. Network security, via architecture design and intrusion-protection systems, remains extremely important for managing this extra-long “zero day” period of time for patching connected medical devices.

Unfortunately, in some cases, this improved network security also made the HTM community somewhat complacent with regard to patch management. So, what needs to be done to improve patch management of medical devices? I suggest the following.

  1. The IT community needs to understand that most medical devices require manufacturers to test and approve any patches prior to implementation. Patches have caused failures, and in some cases, “blindly” patching a medical device without first getting device manufacturer approval is unsafe.
  2. Manufacturers need to design their products with IT security in mind. For example, unneeded ports and services should be closed or turned off.
  3. Manufacturers need to share information about the software that they use in their products (e.g., which version of an embedded operating system is in use). The 2013 version of MDS2 helps but is not always available or complete.
  4. HTM departments need to track operating systems, software versions, and other IT security–relevant information in their computerized maintenance management system.
  5. Manufacturers need to share information about the status of patch management for their devices and, when they test patches, complete the testing and final recommendation in a reasonable period of time.
  6. An entity (e.g., ECRI Institute, Food and Drug Administration, BDNA Technopedia, RASMAS) needs to step up to track and communicate when a manufacturer releases a newly tested patch. Previously, it has been suggested that these patches should be treated like product hazards and recall and alert notices. This will allow HTM departments to get notified when a patch is ready for deployment instead of wasting time when MS releases a patch and very few medical device manufacturers are ready to deploy it.
  7. When patches are tested, approved, and available, HTM departments need to make sure that they are deployed.

Medical device security has become another technically complex healthcare institution priority (and headache), as well as a potential patient safety issue. The good news is that device security is another reason that healthcare organizations need to hire clinical engineers, clinical systems engineers, biomedical equipment technician IT specialists, and other HTM professionals to help manage and mitigate this new, complex, and significant risk. Let’s take advantage of this opportunity and actively help to reduce these new hazards.

Ted Cohen is a clinical engineering consultant and retired manager of clinical engineering at the University of California, Davis Medical Center in Sacramento, CA. He also is a member of the BI&T Editorial Board.
