Software-Virus

No, this is not a Microsoft bashing blog post. True there are problems with medical devices running Windows operating systems. But the problems discussed below start and end with the vendors that develop medical devices using Microsoft operating systems.

Bill Mohr from Nacogdoches Medical Center asked the following today on the Biomed Listserv:

Since more and more of our equipment is going onto the hospital network and becoming vulnerable to viruses and such. I have a manufacturer that just installed a system using a Windows XP OS, but has NO virus protection on the system or no plans to do MS security updates on the system. I asked about this and was told the old adage "You are the first ever customer to ask that question" and they did not know the answer, but the system has to be on the network so as to send its information to the proper areas.

So are manufactures going to continue to snub there nose at this trend or is there going to be something done? It's frustrating to be told that the system needs to be on the network but we are not going to protect it from those that would exploit it. This hasn't been that much of a problem when most of the companies still used Unix as their OS. Now that more are going to MS OS what are we going to do? Better yet, what are the companies that make these units going to do?

Medical devices based on general purpose computing
platforms (using Microsoft operating systems, PCs and Servers) are still
regulated as medical devices. As such, they must be verified to meet
requirements whenever they are updated, enhanced, or changed in any way (this
includes patches). Only major changes in functionality, technology or intended
use require a vendor to file with the FDA. Operating system (OS) patches don't require
filing.

The reason many vendors object
to patching an OS is the time required to re-verify the system. The most common
bottleneck in vendor R&D operations is the test lab that does verification
testing, especially if they sell networked products.

Many vendors still mistakenly
think that they have to re-verify the entire product after patching the OS. More, ahem, progressive
vendors do a risk analysis on each Windows patch and only re-verify those parts
of the system that could be impacted by the patch. In most cases, the resulting
scope of re-verification is very manageable and updates can be turned around in
a few days. Some vendors also strip out portions of the OEM's OS that aren't
used by their device - if the patch targets a portion of the OS that is not in
the product, there's no need to install the patch.

Regarding anti-virus software,
there's no regulatory reason why this feature is not supported. Adding anti-virus
software to a released product would be an expensive and time consuming process
- just going through the release cycle without doing much real work costs
vendors a few hundred thousand dollars. Anti-virus software will be added to
new products when there is sufficient market demand.

An increasing number of vendors
are selling "hardened" boxes - these are servers and PCs that run
their own firewall software. This is still the exception rather than the rule.

As Paul
Sherman
of the VA noted in a reply to Mohr's question, network design can go a long ways towards
protecting your vulnerable medical devices - and can serve as a starting point
for some meaningful Biomed and IT collaboration in your hospital. The VA has published their Medical Device Architecture Guide which details using VLANs to protect medical device networks from malicious code. Also mentioned was the FDA's Cyber Security Guidance document. Both of these documents, and more, can be found on the Important Reference Web Links page under the Resources tab at the top of this screen.

Like many of the issues
discussed on the Biomed Listserv, the time to address them is before you buy:

  1. Require all vendors to
    submit a completed MDS2 - this is a Manufacturer Disclosure Statement for Medical
    Device Security. You should have these completed for all your current products
    too.
  2. Review a prospective vendor's
    documented process for handling OS patches. The FDA's Quality System Regulation
    requires that this be documented - if they can't produce it, or it looks
    laborious and time consuming look at another vendor. If the vendor says this is
    proprietary (and in fairness it is) see number 4 below.
  3. Include requirements in all
    of your RFPs for networked medical devices for anti-virus software, internal
    firewall software, and a verifiable method for quickly restoring systems that
    are corrupted by malicious software (test the restoration method before buying).
  4. Negotiate a service level
    agreement (SLA) with your vendor for new purchases that stipulates the vendor's responsibilities
    and response times for infected devices. (Your IT department should be a good
    resource for this.)
  5. Review network design with
    IT to ensure adequate protection for your devices. Expect to spend some real
    money (probably IT's money) to address this issue.