As part of a three-part plan to improve medical equipment security, the U.S. Food and Drug Administration revealed that it will withhold regulatory approval on new medical devices submitted by manufacturers that do not keep up with current security patches.
The FDA said that in the next six months it will also issue guidelines outlining how manufacturers should build acceptable medical devices. As a third step, the agency will create an investigative unit and develop a forensics capability to study devices infected by computer worms and determine who is responsible.
The FDA encourages hospitals to file complaints against manufacturers that do not provide patches, but hospitals are reluctant to report companies because it could damage their relationships with the vendors. To protect against viruses that have recently affected hospital networks, device makers say hospitals should apply security measures such as internal firewalls.
However, some hospital information technology officials say that the viruses sometimes originate from vendors' medical devices.
Vendors say they also want to resolve the patching issues, and they hope to issue industry standards this fall for off-the-shelf software used for medical systems.