AAMI News August 2017

Patch Management Tips Every HDO Should Know

Patch ManagementHealthcare delivery organizations (HDOs) continue to struggle in the face of cyberattacks that seek to paralyze networks and devices, steal or encrypt sensitive information, and extort money. The WannaCry ransomware cyberattack in May—considered one of the largest in history—underscored the importance of ensuring network-connected devices are running the latest software and deploying mitigation strategies for those that can’t be updated.

In the latest podcast from AAMI, cybersecurity expert Axel Wirth, a distinguished technical architect for Symantec Corporation and a member of the BI&T Editorial Board, called WannaCry a “wake-up call for many,” one that set the standard for the damage exploited, unpatched software vulnerabilities could cause.

HDOs are behind the curve with patch management due to several reasons: regulations that can slow down the creation and adoption of medical device patches, practical concerns with devices that patients depend on to live, and economic limitations, Wirth said during the podcast, which was recorded at the AAMI 2017 Conference & Expo in Austin, TX. While the healthcare industry depends on unsupported operating systems more than other industries, it also stumbles when patching current operating systems—90% of systems affected by WannaCry were unpatched Windows 7 systems, which are still supported by patches from Microsoft, Wirth said.

“The overarching issues are complexity and dependencies ... I don’t think there’s any other industry that has such a diversity of different devices from so many different manufacturers run in an environment where pieces are so dependent on each other that it makes it difficult to take one device down, patch it, and reboot it without affecting other devices,” Wirth said. “In a highly complex environment with so many interdependencies, and so many devices that cannot be patched because they support a patient currently, it becomes tricky.”

Since patch management offers such unique challenges to HDOs, Wirth provided several strategies to help:

  • Automatically apply patches to standard platforms such as servers, workstations, and laptops.
  • For those devices where you cannot automate patch deployment, automate the workflow of deploying the patch. “There are tools that allow automatic patch deployment or allow the creation of a ticket-based workflow that will send someone with a data carrier to update, test, and confirm the device update,” Wirth said.
  • Ensure that you work closely with your vendors, who can guide you on the most current version of the software and what should be patched.
  • Utilize resources such as AAMI’s technical information report, TIR57, Principles for medical device security—Risk management, and IEC 80001, Application of risk management for IT-networks incorporating medical devices.
  • Don’t let manufacturers off the hook. Understand that recertification or approval by the Food and Drug Administration (FDA) is not required when software patches are developed to address security issues, so long as they do not change the function of the medical device. Patches do require testing by the manufacturer to ensure they won’t negatively affect the device. “One healthcare organization felt that the risk of WannaCry was so high that they implemented patches that had not been approved by the manufacturer ... The FDA has said that a healthcare organization can deploy patches if they’re willing to accept the risk and understand the impact of that patch,” Wirth said.

Patch management is a crucial element of protecting HDOs from cybersecurity threats. “But it’s not the only thing,” according to Wirth. “It’s not just the device, the network, or the firewall—it’s everything playing with and working together.”

That means having a comprehensive understanding of your network, executive-level responsibility for cyberthreats, and a tested incident response plan.

“Who takes down the firewall? Who begins routing ambulances to another hospital because you’re having a malware outbreak?” Wirth asked. “You better know who that person is beforehand.”

This episode of the the AAMI Podcast and others are available at www.aami.org/podcasts.