While waiting for my flight back from Las Vegas, I ran into an old
friend, Tim Gurno by the slot machines. Tim was the Program Manager on the ultrasound
miniPACS product at ATL Ultrasound (before they were acquired by
Philips) – I was the Product Manager on the project. Since I left
Philips, Tim has become the Philips Ultrasound R&D Security Officer
for their ultrasound products.
It seems that Tim has whipped things into shape for the Ultrasound
group. Their latest flagship product runs Windows XP embedded, and
they've cut out a major portion of the code that's not used. This
reduces the number of malicious exploits that could damage the product.
They also run a firewall to harden the device. We've all heard the
vendor excuse that they can't patch their device's OS because: a) the
FDA won't let them (untrue), or b) they'll have to re-validate the
entire product/system and that will take months (poor process). Well at
Philips Ultrasound, they've instituted a process were they do a risk
assessment on each vulnerability and Windows patch, determine whether
it's even applicable (because they've reduced the XP footprint) and the
scope of required validation. Depending on the patch, validation could
be done in as little as a few weeks – lightening speed for an FDA
regulated device. In addition to the above, Philips has completed the
HIMSS MDS2 Medical Device Disclosure Statement for medical device
Philips Medical has a link right off their home page to a section on Product Security.
They have a link to MDS2 forms that detail how the product manages ePHI
(electronic protected health information), security safeguards, and
recommended security practices. Registration is required to access this
information, and the Firefox browser is not supported. The MDS2 was
created by the HIMSS Medical Device Security Workgroup to help users
quickly access basic information about ePHI related to medical devices.
Here's a blurb on MDS2 from ECRI.
The larger vendors have been pretty good about completing the forms and making them available. Here's a GE Healthcare MDS2
(pdf file) that came up in a Google search – couldn't find it on their
web site (searches on their site for “ePHI”, “HIPAA” and “MDS2” got no
Check out the HIMSS Medical Device Security web page for more.