No policies address PACS security flaws

Events of last August - when three widespread infestations of computer worms attacked Windows-based systems - illustrated the vulnerabilities of many medical applications, including PACS.

The pressing need for software patches was also revealed. Yet no clear policy addresses medical device software patch management, according to a scientific paper presented at the SCAR annual meeting.

"The application of software patches on medical devices requires a risk assessment to balance network risk verses the medical/legal risk of altering an FDA-regulated medical device," said Michael A. Nielsen, a clinical engineer with the U.S. Air Force's Medical Logistics Office.

Lack of directive policy on how security vulnerabilities associated with software fixes must be handled and what security standards apply to medical device OEMs creates further confusion and risk, Nielsen said.

Complexities associated with networked environments, current world events, and the OEM shift to Windows-based systems further exacerbate the problem, he said.

Neilsen appeared at SCAR to sound the alarm and raise awareness. He said the healthcare technology community must work with both OEMs and the FDA to develop a working model for software maintenance and validation.

Ideally, as vulnerabilities and advisories are released, OEMs would implement a process to immediately initiate an assessment of alerts from watchdog bodies such as the Computer Emergency Response Team.

Once a patch is validated, the OEM would have a global mechanism, such as a secure Web site, for customer downloads, Nielsen said.

"Failure to recognize the need for vulnerability assessments and security patch response on medical devices platforms as part of the overall device life cycle puts the healthcare community at undue risk for catastrophic failure," he said.

A culture paradigm shift must occur, according to Nielsen.