DECEMBER 2021 CIOAPPLICATIONS.COM 8

IN MY VIEW

PATCHING AS A PANACEA: OPERATIONAL REALITIES ON MEDICAL DEVICE PATCHING FROM A HOSPITAL PERSPECTIVE

Samantha Jacques, PhD, FACHE, AAMIF, McLaren Clinical Engineering Services (MCES), McLaren Health Care

With the rise in cybersecurity events, remediation teams have become hyper-focused on patching as the primary methodology to mitigate software vulnerabilities: the faster the better. In businesses where networks are composed of computers, laptops, and servers, pushing patches centrally using automation has become operationally orchestrated to such a level that events are almost as smooth as a master-composed symphony. Unfortunately, for those hospitals trying to patch their medical devices, there is no symphony. Instead, it looks much more like a fifth-grade band class with students who just picked up their first instruments: an off-key, uncoordinated cacophony in need of much more practice.

Hospitals have thousands of devices from hundreds of different manufacturers that sit on hospital networks. In some hospitals, over 50 percent of those devices are no longer supported by the manufacturer, and so patches aren't even available. For devices where patching is available, the process to get that patch from the manufacturer and install it is almost as varied as the number of manufacturers hospitals have. So, let's deep dive into what it looks like.

The first question asked is: is the device supported? If not, it's nearly impossible to even determine if the vulnerability affects that device. The manufacturers generally don't have a team or any individuals who know these devices well enough to know the impacts of vulnerabilities. These devices require other risk mitigation methodologies to mitigate any potential impact of the vulnerability.

If the device is supported, then next we wait. According to FDA guidance, medical device manufacturers are supposed to assess vulnerabilities and notify affected parties in 30 days. Almost no manufacturer meets