As John D. Halamka, MD, CIO of Beth Israel Deaconess Medical Center (BIDMC), notes in a recent blog post, dealing with medical device security can be a hassle for CIOs on a number of levels.
One of the major barriers in securing these devices is that many healthcare organizations' legacy systems are out of date and need to be replaced or somehow updated. Halamka gives the example of devices that BIDMC uses from a major manufacturer that internally run Windows NT as the operating system (OS) and the Apache 1.0 web server. No patches exist to protect these devices from hacks and malware. So instead, Halamka and BIDMC have built device firewalls around them as a safeguard. It's safe to say that not every organization has the expertise and resources to build these firewalls on the fly, so this remains a huge issue. Furthermore, manufacturers rarely supply the product mappings (which network services a device actually uses) that IT leaders would need to build and manage the firewalls.
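The "device firewall" Halamka describes is a compensating control: if the device cannot be patched, its network exposure is cut down to the few flows the manufacturer's product mapping says it needs, and everything else is dropped and logged. The following Python is an added example, not code from the article, Halamka or BIDMC. The device address, the PACS and admin-host addresses, the ports (DICOM on tcp/104, HTTP on tcp/80) and the nftables rendering are constructed assumptions for illustration, standing in for whatever a real vendor mapping would list.

```python
"""Default-deny segmentation policy for an unpatchable legacy device.

Added example, not from the article or from BIDMC. It models the
"device firewall" idea: the device's traffic is reduced to the handful
of flows the vendor mapping lists, and everything else is dropped and
logged. All addresses, ports and hostnames are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# (peer network, port, protocol) triples taken from the vendor's product
# mapping. Constructed values; a real mapping comes from the manufacturer.
Rule = Tuple[str, int, str]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class DevicePolicy:
    device_ip: str
    # flows *to* the device: (source network, device port, proto)
    inbound: List[Rule]
    # flows *from* the device: (destination network, remote port, proto)
    outbound: List[Rule]


def _matches(peer: str, port: int, proto: str, rules: Iterable[Rule]) -> bool:
    return any(
        ip_address(peer) in ip_network(net) and port == dport and proto == p
        for net, dport, p in rules
    )


def is_allowed(policy: DevicePolicy, flow: Flow) -> bool:
    """Default deny: a flow passes only if it matches an explicit rule."""
    if flow.dst == policy.device_ip:
        return _matches(flow.src, flow.dport, flow.proto, policy.inbound)
    if flow.src == policy.device_ip:
        return _matches(flow.dst, flow.dport, flow.proto, policy.outbound)
    return False  # traffic not involving the device is out of scope: deny


def to_nft(policy: DevicePolicy) -> str:
    """Render the policy as an nftables forward-chain fragment:
    drop by default, allow only the mapped flows, log what is denied
    so the SOC can see unexpected device traffic (e.g. a vendor service
    session nobody told IT about)."""
    lines = [
        "table inet legacy_device {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for net, port, proto in policy.inbound:
        lines.append(f"    ip saddr {net} ip daddr {policy.device_ip} "
                     f"{proto} dport {port} accept")
    for net, port, proto in policy.outbound:
        lines.append(f"    ip saddr {policy.device_ip} ip daddr {net} "
                     f"{proto} dport {port} accept")
    lines += ['    log prefix "legacy-device-deny " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed sample: an imaging device whose (assumed) vendor mapping says
# it only accepts DICOM from the PACS server and HTTP from one admin host,
# and itself only pushes studies to the PACS.
IMAGING_DEVICE = DevicePolicy(
    device_ip="10.20.30.40",
    inbound=[("10.20.1.10/32", 104, "tcp"), ("10.20.2.5/32", 80, "tcp")],
    outbound=[("10.20.1.10/32", 104, "tcp")],
)

if __name__ == "__main__":
    print(to_nft(IMAGING_DEVICE))
    for f in (Flow("10.20.1.10", "10.20.30.40", 104),
              Flow("10.20.50.7", "10.20.30.40", 80),
              Flow("10.20.30.40", "203.0.113.9", 443)):
        print(f, "->", "ALLOW" if is_allowed(IMAGING_DEVICE, f) else "DENY")
```

The policy object is the part worth keeping under version control: when the manufacturer services the device or changes which ports it uses, the mapping changes in one place, the ruleset is regenerated, and the deny log shows whether anything still talks to the device outside that list.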
FDA 510(k) certification is another hurdle that organizations need to deal with, as manufacturers have stated that an upgrade or software patch would require re-certification. Of course, there are two sides to every story, and the FDA's position is that both organizations and manufacturers have to collaborate in keeping these devices secure. Halamka writes:
I've spoken to the FDA about this issue and they have advised me that device manufacturers have a responsibility to secure their products and there is no 510(k) re-certification needed when security patches are added. The FDA has wisely stated that there is shared responsibility. Device manufacturers must coordinate the updates and changes with hospital IT leaders and business owners. We have had circumstances where manufacturers serviced devices without IT knowledge and left them in a vulnerable state.
This gap between what manufacturers and healthcare organizations each believe illustrates the need for better communication between the two parties. Going forward, some organizations may have security patches and updates written into the product purchase agreement itself.