Monday, June 16, 2014

NIST ISPAB on Emerging Guidance and Standards Affecting Medical Device Security

Download the audio recording of the June 2014 NIST ISPAB panel on medical device security.

As a member of the NIST Information Security and Privacy Advisory Board (ISPAB), I regularly moderate panels on issues affecting medical device security. In June 2014, the ISPAB held a panel on emerging guidance and standards affecting medical device security. The panelists:
  • Kevin Fu (moderator), Associate Professor, University of Michigan; Director, Archimedes Center for Medical Device Security
  • Ken Hoyme, Distinguished Scientist, Adventium Labs
  • Dale Nordenberg, M.D., Co-Founder, Executive Director, Medical Device Innovation, Safety & Security Consortium
  • Bakul Patel, Policy Advisor, Office of Center Director, Center for Devices and Radiological Health, FDA
We covered topics ranging from FDA's draft cybersecurity guidance to the AAMI working group on medical device security and its upcoming Technical Information Report.

Wednesday, April 16, 2014

Not Again! When Anti-Virus Updates Go Awry, Microsoft Forefront and Hospitals?

Long-time readers will remember incidents such as the 2010 event when hospitals were stuck in an endless reboot cycle as a result of an automated update from McAfee gone awry. Also see the NPR report. At the time, a hospital in Rhode Island reportedly had to stop treating certain patients because of the computer malfunction, except for extreme cases like gunshot wounds.

On the heels of XP going out of support, it is happening again, now with Microsoft Forefront.

I am receiving reports from the hospital IT community that a problem in Microsoft Forefront is leading to down time of computers. If a hospital uses an anti-virus product or if a medical device integrates an anti-virus product, a sad risk is that the anti-virus product itself might cause denial of service. It is more difficult to deliver patient care when the computers go down.  It disturbs workflow too.

More technical details below.
Programmers are human, so it's not surprising that these problems arise from time to time. But shouldn't devices be resilient to such problems that are certain to happen again? The design controls of a medical device should ensure the device remains safe and effective even if the anti-virus product malfunctions. This is a key reason why I believe in analog, non-software methods to detect malware on high-confidence systems such as medical devices. Less integrated software, less complexity, less risk. Independent failure modes!

Wednesday, February 26, 2014

A Gentle Reminder to Dan Haley of Athenahealth on FDA and Software Updates

I noticed an article in the Boston Globe about an attempt to remove safety checks on certain medical device software.

"The industry asserts that excessive regulation of software changes, for instance, could hinder the continuous software updates that are required to fix bugs."

I'd like to share with Mr. Haley my now classic one page guidance document on FDA and software updates.

"'That would essentially kill the way we do business and kill our ability to continually improve our product for doctors and patients,' said Haley of Athenahealth."

Shouldn't the dialog instead focus finding methods to not kill patients with unsafe software as recommended by the Institute of Medicine?