Baxa's Non-Approved Software Policy: That's Your Problem

While browsing the web for medical devices that appear to run on Windows operating systems, I came across the Baxa ExactaMix Compounder. One could use a compounder for parenteral nutrition. These devices do run a "Microsoft Operating System" according to Baxa. Interestingly, the product page contains a link to a Baxa-authored whitepaper titled Preventing Cyber Attacks (PDF). At first glance, I was pleased to see that Baxa actually offers guidance on this issue, but the content of the whitepaper raises alarms. This excerpt in particular is unsettling (my emphasis added):

FDA regulations require manufacturers to “Validate all changes, updates, and patches, including operating systems, before installing them to ensure the safety and effectiveness of the medical devices.”1 Baxa ExactaMix Compounders have been verified and validated only with the software that was installed by Baxa. Thus, any changes to the original, validated image, including installation of antivirus software, nullifies the validated state, may create an unsafe operating condition, and would constitute off‐label use. 

As an FDA‐regulated manufacturer, Baxa Corporation will not/cannot support nor endorse off‐label use of its compounder. Only validated systems are approved by Baxa as being safe and effective for use. Any unauthorized programs installed on a Baxa product will void the manufacturer’s warranty. ExactaMix Compounders have been validated only with the operating system and patches installed by Baxa. Installing any software not provided by Baxa, including OS updates, firewall software and anti‐virus products, on Baxa automated compounding devices may change the operating parameters and adversely affect the operation of the device, rendering it unsafe to use. 

The footnote above points to an FDA document titled Reminder from FDA: Cybersecurity for Networked Medical Devices is a Shared Responsibility, of which Baxa has adopted a very narrow interpretation that maximally reduces their responsibility for software security.  How convenient.

While the quote that Baxa pulled from the document is really there, it does not tell the whole story. Rather than taking the draconian stance on the issue of software configuration that Baxa suggests, the document also explicitly states that, "Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner." and furthermore that:

The need to be alert and responsive to cybersecurity issues is part of the device manufacturer’s obligation...Software patches and updates are essential to the continued safe and effective performance of medical devices. Typically, FDA approval is not required before install changes, updates, or patches that address cybersecurity issues (see question #10 of the guidance).

Other highlights from the FDA document include these two bullet points that appear to directly contradict Baxa's stance on software updates:

• Make sure that you have adequate anti-virus software and firewalls installed, properly set up and current.

• Update your operating system and medical device software. Software updates offer the latest protection against harmful activities.

In fairness to Baxa, the FDA guidance does not make it entirely clear what the company's responsibilities are in terms of validation for software updates and antivirus software, but a blanket mandate that customers must not take vital steps to protect their devices or patients seems like an irresponsible choice by a manufacturer that could put patients at risk. Rather than sharing responsibility as FDA recommends, Baxa is completely abdicating responsibility for security and forcing customers to do the same by forbidding them to install software updates.