Saturday, June 16, 2012

Philips Medical Patient Monitors and Downloading Medical Device Software

Earlier this year, after speaking about medical device security at a Semiconductor Research Corporation event, I got the gift of food poisoning that landed me in an ER.  I enjoyed a warm IV and a Philips Medical IntelliVue patient monitor.  As I writhed in pain, I wondered how the hospital updated the medical device software.

Here's how.  Download an unsigned .EXE file from Philips Medical.

What could go wrong? Don't worry because a 2009 FDA MAUDE adverse event report on a different product explains that "Philips Medical Systems is not responsible for ... the integrity of the ... system infected with a computer virus."  The MAUDE report seems to conflict with the spirit of Philips Medical's own product security policy.  Philips Medical deserves kudos for writing a security policy document; not too many medical manufacturers can claim to have a policy on software security.  However, Philips Medical may wish to hold off on claims of having "security designed in" if the same document later says:
"In many of our products, we provide you with a controlled update repository to reduce the risk of equipment outage due to unauthorized or faulty anti-virus signature updates."
Many?  Many is a euphemism for we're sorry that we cannot quantify our cybersecurity preparedness.  There is a diffusion of responsibility between hospitals and manufacturers that leads to certifiable finger pointing over security of medical devices.  It has already been almost a decade since Philips discussed the problem of medical device security.  Let's hope that achieving reasonable medical device security doesn't take as long as it took physicians to accept the advice of Semmelweis et al. on the importance of hand washing.  That was 1847.  And hand washing is still a problem.
