Medical Device Makers Slow to Address Cyber Risks, Hospitals Complain

From: Wall Street Journal

Hospital IT and security executives say medical device manufacturers often resist pleas to better secure medical devices against cybercrime or are slow to take such measures.

By Gregory J. Millman

Barnaby Jack, the renowned hacker who died last week, had shown it’s possible to hack insulin pumps and pacemakers, and the U.S. Food and Drug Administration last month called on medical device manufacturers to build security into devices before they hit the market, as previously reported by the Wall Street Journal.

GE Healthcare said in a statement in response to questions from the Wall Street Journal: “For medical devices using commercial operating systems, GEHC supports security patches and operating system updates, and generally supports use of anti-virus software except when it may affect the medical functionality of the device. Many specialized medical devices do not use commercial operating systems and therefore other measures are employed to mitigate security risks.” The company would not comment on the specific examples above.

An email from Siemens Healthcare Diagnostics to a U.S. health care center, viewed by the Wall Street Journal, said Windows patches for a pathology testing system would be applied quarterly. “One day shy of the quarter-end you are almost three months out of date with security patches,” said the CIO of the health care center, who asked not to be named.

“In general, our service contracts are tailored according to customer needs and requests, therefore some service contracts may provide updates within fixed schedules,” said a Siemens spokesman. “If a cybersecurity risk is brought to our attention we generally focus on providing software updates, and we try to take necessary steps to ensure that the issue is addressed.”

An email from Roche Diagnostics Corp. to a health center, viewed by the Wall Street Journal, specifically prohibited use of antivirus software for the cobas 8000 automated blood testing system, and required the use of a Roche firewall it said would isolate the system from the hospital’s network. However, the CIO of the health care system said Roche gave him no way to determine how the firewall was configured, and how or whether it worked. “They are sort of taking the approach, ‘just hang this on your network and trust us,’” he said.

Roche responded to the Wall Street Journal, “When Roche becomes aware of possible security vulnerabilities, we assess and address them in a manner to ensure product safety and effectiveness. Any modification to the device software will require validation or verification under the FDA’s design control regulations and Roche’s internal procedures. We look forward to the final guidance the FDA will issue about this topic and we will continue to work with the agency and customers to ensure patient safety.” The company would not comment on the specific allegations by the CIO of the health care system.

Hospital IT and security executives say medical device makers have often pointed to the FDA as an obstacle to improving security. Chuck Podesta, chief information officer of Fletcher Allen Healthcare in Vermont, an academic hospital attached to the University of Vermont College of Medicine, said he received resistance from medical device makers to installing anti-virus after a virus hit the hospital’s system about two and a half years ago. “Part of the reluctance was whether they needed to go back to the FDA to get approval to put virus protection on,” he said.
