What Could Make Your Medical Devices Go Haywire?

Leigh Page


August 27, 2013


No Security Patches Against New Viruses

Providing security patches or updates to defend against a new computer virus is routine in the world of personal computers. Microsoft sends you a security update that can be seamlessly installed on your personal computer.

In the world of medical devices, however, updates are not so routine, said John Halamka, MD, Chief Information Officer at Harvard Medical School and Beth Israel Deaconess Medical Center in Boston. In many cases, "we have not been able to get updates from manufacturers," he said. Even when the hospital has a service contract with the manufacturer, "they won't provide a security patch," he said.

The Harvard technician says he complained to the FDA about the problem, and the agency's recent safety communication supported his concerns. One of the problems it listed was "failure to provide timely security software updates and patches to medical devices and networks."

Dr. Halamka reports that manufacturers who refused to provide patches claimed that the patch would have to go through the FDA approval process. However, the agency has specifically denied this, and its safety communication noted that "the FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity."[1]

Bernie Liebler, Director of Technology and Regulatory Affairs at the Advanced Medical Technology Association (AdvaMed), a trade group that represents medical device manufacturers, acknowledged that FDA clearance for patches is not needed.

Asked about manufacturers not providing patches, Liebler said, "I have no idea what that is about. It's probably a communications failure. It's in the manufacturer's best interest to keep the software up to date and virus-free. They want their equipment to function well."

Creating patches is not an easy task, however, Liebler added. Manufacturers cannot simply pass on patches from Microsoft or another original source. The changes need to be "validated," which means tailoring them to comply with alterations the manufacturer made in the software. "The FDA expects that," he said.

Device Users Add to the Problem

Hospitals and practices help create the problems with medical devices, according to Dennis Seymour, Chief Security Architect for Ellumen, a healthcare IT firm in Arlington, Virginia, and former Chair of the Privacy and Security Committee at the Healthcare Information and Management Systems Society.

He said maintenance of these devices in hospitals often falls to the bioengineering department, which does not understand network issues. He added that in some cases, hospital IT staff are barred from accessing medical devices.

Seymour said hospitals also tend to keep medical devices for too long, to the point where they can no longer be supported by the manufacturer. "Their attitude is, 'If it's not broken, don't throw it away,' but the older devices are prone to viruses," he said. In 2009, he saw a medical device in a hospital running on a DOS 6.2 operating system, used in the early 1990s. Dr. Halamka conceded that some hospital devices may be somewhat old, but even the new devices tend to have old operating systems.

Dr. Halamka has built numerous firewalls around the devices to protect them from other networks in the hospital. A firewall is software that allows only certain outside sources to communicate with the devices. A hospital or practice typically has a firewall between the Internet and its internal network, including its electronic health record system, billing system, and other computers, and also has firewalls between different internal networks.

However, firewalls are expensive to build and require information from the manufacturer. Dr. Halamka said some device manufacturers could not give him the information he needed to build a firewall.

