Last but not least was Brian Fitzgerald's presentation, "Operating System Updates and Fixes for Computerized Medical Monitoring." Brian is Deputy Director of the Division of Electrical and Software Engineering at the FDA. He talked about issues revolving around patching software in medical devices, especially patching off the shelf operating system software in response to malicious software. I've written on this topics numerous times before and thought that this issue was mostly behind us, but judging from the comments of some of the attendees of this session, some vendors are still behind the curve on this issue.
Standalone embedded devices are not the problem; networked medical devices are vulnerable to malicious code from the Internet, email, or outside computers that are connected to the hospital's network. Combine network connectivity with a device built on a widely available general purpose computing operating system (i.e., Microsoft) and medical devices can be rendered useless by software viruses and worms.
Device vendors new to the unique requirements of connected medical devices don't have special maintenance procedures defined in their Quality System to deal with networked medical devices. This results in either unreasonably long periods required to release patched software, or an outright refusal to update software until a scheduled software release. In these situations, company representatives sometimes say their inability to provide timely responses are the fault of the FDA.
When a medical device's software is changed that is considered a "design change" per the law and FDA regulations. If a hospital changes the software (by applying a Windows patch, for example) that hospital becomes a medical device remanufacturer, and falls under FDA regulatory oversight. Consequently, hospitals are at the mercy of their vendors for patching software vulnerabilities.
There were lots of questions from the audience about "rights" customers might have to force vendors to fix their virus infected products. The only exposure vendors might have in this situation is the threat of a recall. If a vendor becomes aware of anything that could impact the patient safety, they are obligated to recall that product to ensure that no patients are inadvertently injured. Recalls are expensive, and a customer could do certain things that might force a vendor into a recall.
According to Brian, the best and most practical solution for hospitals is to address all of these issues at the purchase of the device. Once you own it, well, its yours. Buyers cannot force vendors to disclose other complaints they've received, or commit to certain levels of performance - questions about medical device security and device updates have to be asked before the sale.
This problem area also highlights the continued co-mingling of IT and biomed responsibilities. Many hospitals have rules of thumb that say if anything computer-like is FDA regulated it's the responsibility of Biomed, and if not it falls under IT. Brian's point was that these are not yours or mine issues, and must be addressed as partners.
If you'd like more information on this topic go to Important Reference Web Links, under the Resources tab above and scroll down to Medical Device Security. You can also use the Google search box on the left hand column (be sure to click the "This site" button) to find more.