I would like to check what, in your experience, is the best way to make sure that security patches installed by a hospital on your device are validated prior to installation? Or, in other words, what is the best way to ensure hospitals contact you when installing a security patch? source: https://www.linkedin.com/groups/2070960/2070960-6271343322896297984
Private answer
Rob Packard
I was hoping we might get some people to answer this one, but the non-software expert will provide a suggestion... There is a huge push to gather more post-market surveillance, because even if regulators could be certain that devices are safe and effective at the time of approval (which they never are), as time passes changes to accessories, new users, new patients and changes to the device itself (like security patches) need verification that the device will remain safe and effective. Follow-up on verification and validation of security patches for software and firmware is an excellent example of how to use PMS. PMS is not just a satisfaction survey.
Private answer
Thanks Robert Packard for your input. Nowadays hospitals are taking a more active part in protecting their systems and networks from possible threats and are installing security patches on all connected PCs in their network, including medical devices. However, medical devices require validation prior to such installation. I wanted to know from manufacturers what is the best way to ensure the patch is validated? By a contract with a hospital? By performing routine PMS as you suggested?
Private answer
Sonja Holten
Did you consider a delivery through the Field Correction Channel? Except for the reporting to the country CAs of a mandatory correction, the process is perfectly suited to the task. From development through to validation and roll-out, everything is monitored and traceable, governed by timelines and completeness checks. So if you have it, why not operate it to roll out your security updates?
Private answer
Eckhard Jokisch
The best way I know is to put something in the contract that they assure to use a software that checks the dependencies and sends out emails to the software suppliers that may be affected by the patch. I've seen such a home-brewed system but don't know if there is something out there to buy.
A corresponding procedure for validating patches has to be in their QMS. But if your question is about people doing just something without caring about the definitions in the QMS, then there is a big top management issue.
Private answer
Rob Packard
My apologies for the late approval of comments. There is a new LinkedIn interface for managing the group and I did not understand how to use it properly until today.
Private answer
The question is, IMHO, misplaced: what do suppliers do to ensure that their devices are not affected by zero-day vulnerabilities? Validating standard security patches, e.g. from Microsoft, cannot wait for months - they must be deployed immediately.
The fact that suppliers of Medical Technology are years, if not decades, behind IT-industry standards is a clear and present danger to the day-to-day operations of Hospital IT-infrastructure. Hiding behind CE-markings, or FDA-certifications, is no way to manage the dangers to IT-systems. If Medical Devices are not hardened and maintained to be deployed and survive in a normally exposed IT-environment, they shouldn't be; something which customers rarely are informed of when going through the procurement/purchasing process.