Software Patches for Medical Devices: Vendor Validation Is Essential
January 22, 2020 | Evaluations & Guidance
Applying software patches to address identified security vulnerabilities within a device or system is considered a fundamental cybersecurity practice. For most types of equipment, the appropriateness of applying a patch is noncontroversial. For medical devices and systems, however, the guidance is not so clear-cut. In fact, ECRI Institute advises against patching medical devices, including control workstations (radiology viewing consoles, laptops used with USB-connected ultrasound probes, etc.), without specific guidance from the medical device manufacturer to do so.
Medical devices differ from many consumer devices and other types of equipment in that a malfunction of the device could lead to patient harm. Thus, any change to the device, including a software patch, must be validated by the manufacturer to confirm that the device's intended use is not affected. Unvalidated patches can make medical devices faulty or inoperative. Potential effects on device interoperability must also be considered: many medical devices are connected to, and exchange information with, other devices and systems, so a patch applied to one device could change the way connected devices and systems interact with each other.
Our recommendation that healthcare facilities obtain manufacturer guidance before applying a...