Medical devices increasingly are proliferating on hospitals' wireless networks, as well as on their wired networks. Wireless technology makes it easier for data to be pushed to
[A] cybersecurity vulnerability exists whenever the software provides the opportunity for unauthorized access," said Food and Drug Administration (FDA) software compliance expert John F. Murray Jr., at the recent Healthsec '10 conference in Washington, D.C. "Medical device manufacturers spend a large amount of time and money and effort in making safe devices, and cybersecurity represents a hole in that."
Murray offered 10 pieces of advice for locking down medical devices that incorporate off-the-shelf (OTS) software -- including those connected to a private intranet or the public Internet. His advice is based on FDA guidance documents.
1. Before a security problem comes up, have a risk management and quality assurance system in place to respond to and address it. Apply your current biomedical engineering practices and risk management process to software updates and security patches.
2. Don't put off addressing medical device security. Make sure it's included up front, in the vendor request for proposals.
3. Establish a validation process to prove that a device works once it has been changed -- for example, when a new security patch or update is installed. If you cannot prove that a patch closes a vulnerability, but you still need to use the device, consider disconnecting it from the network until it can be validated.
4. Stay in contact with your medical device manufacturer, sharing germane details about changes, such as those to network configurations, that might interact with a particular piece of equipment. When customers sign up for monitoring programs, some vendors, including Microsoft, offer advance notice of potential upcoming security threats. Users thus have a jump on hackers and virus writers, who are tipped off when patches are released publicly.
5. Do not attempt to make custom changes to a medical device without first seeking the manufacturer's guidance. "To me, this is merely common sense," Murray said. "When I look at the back of my television, I clearly see a sign that says, 'To be serviced by qualified personnel only'. We believe that the device manufacturers know best about the safety packages and the criteria from which the devices were built."
Medical device manufactures spend a large amount of time and money and effort in making safe devices, and cybersecurity represents a hole in that.
John F. Murray Jr., FDA software compliance expert
6. &Have a backup plan so providers can continue administering patient care if a particular device goes down.
7. Maintain a formal business relationship with your OTS software vendors and medical device manufacturers to keep up with maintenance and to receive information concerning quality problems and recommended corrective and preventive actions.
8. Develop a maintenance system that assures that cybersecurity maintenance actions do not affect device operation.
9. Involve the user facility, OTS vendor or a third party in software maintenance where this is appropriate, even though the medical device manufacturer customarily performs this maintenance. "The idea is that the device manufacturer provides the engineering leadership," Murray said. "[It] may delegate some of that authority or some of that activity to the hospital, and that would be a very good thing."
10. Read the FDA guidance documents that cover the software maintenance actions required to address medical device security, cybersecurity and other vulnerabilities. These include general principles of software validation, the use of OTS software in medical devices and premarket submissions for medical device software.
"Once the doors are open, some unknown force or unknown hacker or virus can penetrate the inner workings of a medical device," Murray said. "This represents a risk to the safe and effective operation of these devices."
Let us know what you think about the story; email Don Fluckinger, Features Writer.
This was first published in August 2010