Software “Updates” Aimed to Thwart Reprocessing - AMDR | Association of Medical Device Reprocessors

THE ISSUE:
Many electrosurgical instruments and cardiology catheters have been cleared by FDA or certified by Notified Bodies for reprocessing. These are expensive devices that range from hundreds to thousands of dollars each with several often used in a given procedure. To force hospitals to buy more electrosurgical handpieces or electrophysiology catheters, AMDR believes that some manufacturers have “upgraded” the generator or ultrasound machine’s software to thwart the handpieces/catheters from being reprocessed.
For example, in letters entitled, “Field Cybersecurity Routine Update and Patch Notice” (February 23, 2018), hospitals are urged to “patch” their generators to avoid a potential “cybersecurity vulnerability.” AMDR understands that, with this update, non-OEM or reprocessed devices no longer work with the generator. The letter notes that the security vulnerability is “a controlled risk” meaning there is “sufficiently low (acceptable) residual risk of patient harm” and “the likelihood of risk to the patient is low.” Therefore, according to the letter, the OEM is not required to report this “update and patch” to FDA. AMDR members have advised us that some sales representatives may be upgrading generator software without hospital permission. This can lead to potential cybersecurity holes (click here for more information) which is a nightmare to sort out down the line.

The generators are hospital property; Hospitals may want to alert their vendors that the hospital retains the right to authorize all “upgrades;”
AMDR is not aware of any actual “cybersecurity vulnerabilities” allegedly requiring this software update, but urges hospitals to ask this of vendors;
Forgoing the update means that existing reprocessed devices can continue to be used. The Emergency Care Research Institute (ECRI), in its Health Devices Alert notes “While FDA does encourage manufacturers to implement routine security updates, ECRI Institute considers the potential impact of the … security update to normal hospital operations to be burdensome, especially with facilities relying on non-OEM reprocessed … devices.” [1] Hospitals may want to consult with IT specialists such as sphereit.uk/Hertfordshire-it-support/ to see how they can mitigate any technological issues on their end, in case this potentially can happen.

Another example, from the cardiac catheterization lab, is the upgrading of software on ultrasound machines – head to https://www.butterflynetwork.com/financing for more information – and EP recorders to disallow the use of reprocessed ultrasound and electrophysiology catheters. The hand piece communicates with the ultrasound machine and EP recorder whose software recognizes that the catheter is reprocessed and shuts down imaging and mapping/ablation for the EP recorder. The software upgrade is often associated with the introduction of new disposable devices or with functional improvements in the imaging/mapping/ablation technology. However, the clinical improvement of these may not have been demonstrated, and therefore the justification for blocking reprocessing is lacking or limited to the manufacturers desire to maximize sales. In other cases, the software upgrade is simply introduced as a part of a standard service contract.
Likewise, any application/software that is upgraded without any security measures in place may result in a number of security breaches. For example, it could result in a data breach involving patient information. That could jeopardize the growth of any organization, whether it’s a business or a hospital. To get through such scenarios, app security testing may be the best option before anyone starts using it. The reason is there are certain applications like Pradeo that can determine whether or not the downloaded application could record data. The firm or individual can then decide whether or not the downloaded or upgraded application is worthwhile to invest their time.
SUCCESSFUL WORK AROUNDS:
AMDR’s members have reported that many customers have refused these recent software “updates.” In some instances, at the hospitals’ request, the vendor has reverted generators/ultrasound equipment to the pre-patch versions of the software. To control hospital assets, and limit vendor influence in purchasing decisions, members report that forward-thinking hospitals have advised all medical device reps that their facility reprocesses SUDs and any interference in the reprocessing program may result loss of access to the facility. Interference includes upgrading generators, swapping out cords or cables, or other activity NOT specifically authorized by the hospital.
[1] ECRI Health Devices Alert S0346, April 19, 2018.