Hospital execs: Med device makers react slowly to security threats

Some hospital executives are upset with medical device makers, who they say aren't reacting fast enough in the face of looming cybersecurity threats, according to a post in the Wall Street Journal.

Two anonymous provider CIOs expressed dismay for what they perceived to be subpar security efforts. One, who used devices from Siemens Healthcare Diagnostics, was upset that the device maker only updated their security patches on a quarterly basis.

"One day shy of the quarter-end you are almost three months out of date with security patches," the CIO said.

Siemens responded by telling WSJ that while language in some customers' contracts calls for regularly scheduled security updates, the company also tries to take care of issues as they arise.

Another CIO,Chuck Podesta of Feltcher Allen Health Care, an academic medical center in Burlington, Vt., told WSJ that device makers he dealt with after a virus infiltrated the system essentially hid behind processes involving the U.S. Food and Drug Administration.

"Part of the reluctance was whether they needed to go back to the FDA to get approval to put virus protection on," Podesta said. In an email to WSJ, an FDA official said that the agency "typically does not need to review or approve" such measures as they pertain to bolstering security.

In June, the FDA published guidance calling for developers and healthcare facilities to beef up security efforts while creating and using those devices. In its guidelines, the FDA recommended that all device manufacturers work to:

  • Limit unauthorized device access to only trusted users
  • Protect individual components from exploitation
  • Craft strategies for active security protections appropriate for a device's use environment
  • Provide methods for retention and recovery following security breakdowns

For healthcare facilities, the FDA's recommendations included:

  • Restricting unauthorized access to networks and medical devices, and tracking network activity, just in case
  • Updating antivirus and firewall efforts, as well as security patches
  • Creating and evaluating strategies for maintaining functionality during adverse events

To learn more:
- read the Wall Street Journal post (subscription required)


Suggested Articles

Federal regulators have listened to physicians' complaints about health IT burdens and they have some solutions.

NRC Health was hit with a ransomware attack Feb. 11 and it still working to restore its systems and services.

Welcome to this week's Chutes & Ladders, our roundup of hirings, firings and retirings throughout the industry.