Paul Kelly on the Biomed Listserv pointed out this article in NetworkWorld on medical device software patches.

For years, manufacturers had been telling customers that they couldn't
provide timely patches because the U.S. regulatory body in charge of
medical-device safety, the Food and Drug Administration (FDA), had to
approve the software fixes first in a lengthy inspection process.

But inquiries last year to the FDA division in charge, the Center
for Devices and Radiological Health, revealed that the FDA had no such
rules. This shattered a myth that had been at best a misunderstanding
and at worst a deceit.

then, much of the change in the dialogue among manufacturers and
hospital IT staff can be attributed to FDA guidance. The agency has
made clear it isn't opposed on principle to customers patching medical

"There is no FDA legal requirement that would prevent the user from
installing patches without prior approval from the device
manufacturer," says John Murray, the FDA's software and
electronic-records compliance expert.

its "Guidance for Industry: Cybersecurity for Networked Medical Devices
Containing Off-the-Shelf Software," the FDA told manufacturers that
they "bear the responsibility for the continued safe and effective
performance of the medical device, including the performance of the
off-the-shelf software that is part of the device."

The article also provides links (also found in Important Reference Web Links on this site) to some important medical device security resources: