Law Firm IT has an interesting post on installing the latest Windows patches on medical devices, including this:
"...because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before the machines could be patched."

I'm not sure if that is completely correct about a required 90-day notice to the FDA before patching Windows. I'll leave that to a regulatory expert.
I do know that any change to Windows or to the medical device software has to be revalidated, at least the potentially affected parts. The revalidation is obviously going to take time and effort, and the reward is often low, especially if your device is labeled as not to be connected to the internet. You want your software guys putting in new features, not screwing around with Windows compatibility for people who are using the device off label. Additionally, the Windows patch itself needs to be installed, no small feat for a device that is not supposed to be connected to the internet. All of this time adds up, and the bottom line is that you're never going to be a step ahead of viruses on a medical device, which is why almost all of them say do not connect them to the internet.
That being said, Windows, with the help of one of several off-the-shelf programs such as Clean Slate, Rollback Rx, and Deep Freeze, can be fairly easily configured so that the chances of a virus are minimized, meaning that you wouldn't have to update Windows with every patch. In fact, this seems like a halfway decent mitigation (along with the aforementioned labeling) for your "device connected to the internet" hazard as part of your risk management.
(Picture by Alexander Fediachov)