Medical Devices: When to Patch
A Device Manufacturer Outlines How to Apply Updates
The issue of medical device security, including applying patches to address potential threats to Web-enabled devices, has been a hot topic in recent months. For example, ethical hackers have demonstrated device vulnerabilities. And the Food and Drug Administration has issued guidance about medical device cybersecurity issues.
In an interview with Information Security Media Group, Stewart explains how Philips Healthcare works with organizations using its medical devices to address security issues.
"When it comes to [implementing] software patches, anti-malware or updates, obviously if the medical device is running on a commercial operating system [such as Windows], and that developer is releasing security patches, of course we would want to provide a mechanism to get those patches onto the medical device as quickly and efficiently as possible," Stewart says.
In some cases, hospitals can implement patches and updates themselves, Stewart says. "There are really very little restrictions, and we encourage the IT departments to put a plan together and keep the devices updated as they would any computing devices on their network.
"However, there are medical devices that, for various reasons, we have decided that we don't really want the hospitals applying patches without our knowledge and authorization," he says. "If it's a particularly sensitive device [we sometimes determine] that we should validate the patches before they're applied to the system. It gets back to our obligations to the FDA for the safety and effectiveness of the device."
For some devices, the addition of a software patch is not considered a risk, but for others, there is definitely risk involved, Stewart stresses. "There's a wide variety of rules and guidelines for how and when and who can update these systems."
In the interview, Stewart also discusses:
- The business associate agreements that Philips signs with healthcare customers, as well as subcontractors, in compliance with the HIPAA Omnibus Rule;
- The biggest privacy and security threats facing medical devices, and how Philips is addressing them;
- The recent FDA guidance recommending medical device makers assess cybersecurity risks in the development phase of products.
As privacy officer and product security officer of Philips Healthcare Sales & Service - Americas, Stewart manages initiatives in North American and South American sales and service organizations. He has been in the medical device business for more than 25 years, previously with GE Medical Systems in Germany and Siemens Healthcare. Stewart is also a member of the International Association of Privacy Professionals.