At the SANS NetSec conference in Las Vegas last week, we had a HealthCare Security breakfast, and one of the issues brought up was that medical machinery and servers often remain vulnerable because the vendors don't issue updates incorporating patches to Windows or other commercial software running underneath the application. The system vendors often claim "We can't patch, because then we would have to go through FDA certification all over again."
This is, to put it politely, a lie. Back in 2005, the FDA issued guidance saying that patching did not necessarily require re-certification; they reiterated that guidance in 2009 after Conficker hit, and re-reiterated it in June 2013.
I wrote Gartner Research Notes on this in 2006 and 2009, and here we are all those years later still hearing this! Security managers need to get CIOs and operations procurement to start pushing back on this, or at least to include questions about patching in RFPs or in manufacturer customer feedback.
Here's the info I sent the breakfast attendees:
I did a Gartner research note on this back in 2006! The FDA guidance came out in late 2005, and they reiterated it in 2009 - see http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm
If you are a Gartner client, you can get my original RN using the document ID below; I also did a follow-on in 2009:
Findings From 'Client Inquiry': Vendors Should Patch Vulnerabilities in Networked Medical Devices
Published: 23 March 2006 ID:G00138839
Analyst(s): John Pescatore
The Food and Drug Administration issued guidance that removed barriers to medical equipment vendors rapidly issuing patches for vulnerabilities in their products because of FDA certification issues. Enterprises should demand that vendors step up the timeliness of their patch processes.
The FDA recently re-reiterated that guidance — the link is below:
US FDA Issues Cybersecurity Recommendations for Electronic Medical Devices (June 13, 2013)
The US Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical devices. The FDA is urging manufacturers of these products to incorporate measures to protect them from malware and attacks, suggesting that the agency might not approve devices that haven't taken cybersecurity into consideration. The FDA's recommendations follow news of security issues in certain fetal monitors and software used in body fluid analysis. The agency also recommended that health care providers improve their cybersecurity practices, as it has noted instances in which passwords were widely distributed or even disabled on software that is supposed to have limited access. There are also reports that health care providers have not applied security updates "in a timely manner." There is no evidence that medical devices are being targeted, and there have been no reports of patients injured or killed as a result of cybersecurity issues.
FDA's Cybersecurity for Medical Devices and Hospital Networks
[Editor's Note (Pescatore): This document reinforces a 2005 (8 years ago!) guidance memo from FDA saying "Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity." Many medical device manufacturers have been falsely claiming that they couldn't patch vulnerable software because they would need to go back through device recertification - not true! Never been true! The rest of the guidance basically reinforces many of the Critical Security Controls.