FDA Slams St. Jude Medical For Ignoring Security Flaws In Medical Devices (securityledger.com)
chicksdaddy quotes a report from The Security Ledger: The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company's devices as "adulterated," in violation of the U.S. Federal Food, Drug and Cosmetic Act, the Security Ledger reports. In a damning warning letter, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death. St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company's "high voltage and peripheral devices" in an April, 2014 "third party assessment" commissioned by the company. But St. Jude "failed to accurately incorporate the findings of that assessment" in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a "hardcoded universal unlock code" for the company's implantable, high voltage devices. The report casts doubt on a defamation lawsuit St. Jude filed against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude products, including Merlin@home. The MedSec report on St. Jude's technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking "short" positions on firms.
At the time, MedSec said that the security of the company's medical devices and support software was "grossly inadequate compared with other leading manufacturers," and represents "unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients." St. Jude has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior.
It's often entertaining reading Slashdot summaries, because you know that the wording / content is selected to press certain buttons. Just say "hard coded password", and you know that the majority of regular Slashdot readers will immediately sport a huge raging erection of epic proportions. Yet there is a lot more to the story than that, for example - SURPRISE! - Lithium Ion battery issues, who would have thought. As well, serious mechanical as well as software issues that go beyond a backdoor. But of course, Slashdot readers have a long history of becoming "aroused" when the word "backdoor" is uttered...
If you want news from today, you have to come back tomorrow.
love it
The summary should have clarified that this does not involve St. Jude Children's Research Hospital in Memphis. The article seems to be about a facility in California.
"a lapse that resulted in at least one patient death."
Instead of a letter, they should be prosecuting an exec, and putting them in jail for a long time. That will get their attention.
"National Security is the chief cause of national insecurity." - Celine's First Law
The waters are always muddier whenever an investment firm is involved. I'm glad one of these companies is at least honest about their business dealings within their business name.
When there is no regulation, companies will always have the incentive to make as much money as possible while doing as little work as possible. There has to be a stick, not only a carrot.
Avantgarde Hebrew science fiction
The FDA has killed more people than St. Jude ever did. These are the people who brought us the Food Pyramid. The FOOD PYRAMID, which was obviously constructed to favor the big agro industries and had nothing to do with health. Also, when it comes to medical devices, these shitty things are over-patented, over-protected, and pieces of crap. My fiancée is diabetic and has a pump that costs $300 to buy but is using technology older than the TI-85. Pretty sure it costs them $10 to make it. Oh, and one time she had a pump that, when given your blood sugar level, could not tell you how much insulin to administer because another company had a patent on that feature.
I hate the FDA with every bone in my body and want them abolished. A panel of unelected, unaccountable, unconstitutional bureaucrats often lobbied by the very industry that they pretend to regulate does not safety make. Get rid of them entirely and replace it with a simple law: "Sell unsafe food/drugs/medical devices that kill people? There is no cap on how much you can be sued, and a jury will get 100% discretion in deciding whether your behavior was negligent and 100% discretion to decide how much you owe the families that were hurt."
That single, easy-to-read constitutional law would do more good than the FDA ever did. Sorry, I get really, really emotionally charged when talking about these murderers, probably because my fiancée is diabetic and I am a libertarian.
Is that the lesson here? Maybe these children were foreigners or "radical Islamic terrorists" and don't deserve the dignity of privacy (sarcasm). IoT devices have been around for a while now. There's no reason for this kind of crap. If the device can't be encrypted like it should, then how about the network? Oh wait, the U.S. Internet is the FCC's domain, and the gov would rather spy on you legally (only to avoid paperwork) by letting ISPs sell your information to them with your tax dollars; this includes your laptop, phone, AND medical device connections. It's illegal to sell medical information, but do you think an ISP has time to filter that out for everyone? No, and they wouldn't anyway (backs itch sometimes). There are companies that say they won't sell browsing info, but unless it's written down in a contract, they can do whatever they want. Laws are only written to prevent, not to allow; that's what amendments are for. Public announcements don't constitute verbal contracts. Besides, if you pay close attention, they say "individual" browsing history. Ok, but what about the "household?" People love loopholes.
You know Allah is just God in Arabic, right? The reason there is Judaism and Islam is because Abraham chose Isaac over Ishmael. If Ishmael hadn't existed, there would be no Islam. Because of Abraham's religion, Judaism, Ishmael and those he grew up around believed in the same prophecies, ergo a "savior" will come one day and bring his followers with him when the End comes. However, some people think that Ishmael was supposed to inherit Abraham's stuff, and not Isaac, simply because he was from a slave and not his wife. Those people created Islam. That's why there's both a Jesus (Christians) and a Muhammad (Muslims). Both of these people thought/think they were/are fulfilling the same role. So, there are three possibilities: one is right and the other is wrong, they are both wrong and we are still waiting, or it's all bs created to get out of a bad situation that blew out of control. Abraham could have just been an asshole, because who cares about a slave's kid after having one with your actual wife? Maybe Mary had an affair? Either way, the morals and ethics created from both religions have helped a lot more people than they've actually hurt. People keep focusing on all the bad stuff and forget to count their blessings, something all religions teach.
No one ever seems to mention how medical device manufacturers often extort the device users via a delicate yet precarious conspiracy among physicians, the medical industrial complex, the insurance companies and the federal government.
Specifically, if a physician recommends (in order to limit their liability in compliance w/ medical malpractice insurance) that a patient use a specific device (e.g., a heart implant), then the insurance companies will generally threaten to cancel your insurance if you don't comply w/ the physician's orders (i.e., if you decline the device against your physician's medical advice). Often, physicians are specific about exactly what device they recommend for implantation (St. Jude model XYZ). If you don't comply, then the federal government steps in to financially penalize you for not having "health insurance" (which is only incidentally related to actual health or health care).
These doohickies ain't cheap, and they often require on-going maintenance (e.g., periodic data downloading, software updates, etc.) as well as periodic surgical replacement—e.g., every five years or so when the batteries need replacing, it is often more cost effective to surgically replace the entire device than simply replace a removable battery pack. Such services don't come cheap, since (almost by definition) these devices are a matter of life and death yet price regulation is spotty, at best.
So imagine being threatened w/ cancellation of medical insurance if you don't agree to a lifetime contract of, say, $120,000 per year ($30,000 per quarter) for routine maintenance (that's $10,000 per month ($333/day) for insecure data upload/storage/analysis) and $30,000 every five years or so for surgical replacement. Oh, and you cannot service, maintain or otherwise upgrade/hack the electronic device yourself or through a trusted 3rd party, under penalty of violating the warranty and/or infringing a vague family of medical jargon rich patents and/or (again) losing your insurance. You cannot even legally review the details of just how the device and data are secured (or not) since the algorithms and data protection methods used are proprietary.
And security reviews as well as medical testing details are also not public, including both hardware and software updates, both of the devices themselves and of the monitoring & data analysis ecosystems.
This isn't merely predatory capitalism at its worst: this is state-sanctioned economic & technical oligarchical totalitarianism at its pinnacle, courtesy of so-called ObamaCare. Welcome to the socialist nightmare. Resistance is futile: you will be assimilated.
Keep in mind: it isn't paranoia when the system really is conspiring against you for unrestrained compliance, control and profit, all compliments of The Deep State.
“Welcome, my friends. Welcome... to The Machine.” –Pink Floyd
Error: NSE - No Signature Error
If you read the warning letter at the link, it may not make a lot of sense to many of you. Here goes:
FDA wants to have companies work with it to make things as safe as possible. Cooperation with FDA means that FDA worries less about you.
FDA usually starts with an "untitled letter" or "notice of violation" letter. This is FDA's way of letting a company know that it found something that is concerning them. It may be that there is no problem, but FDA's concern has to be addressed or things may escalate. Obviously, St. Jude's efforts to convince FDA that there was not a problem did not work here.
When FDA moves to a warning letter, it has convinced itself that there is a problem that has to be fixed. The idea is to get the company to fix it on its own, which happens 99% of the time. Most companies address problems at this stage because they want to protect their reputation as a good company at FDA. Recalcitrant companies' applications for approval can be viewed with somewhat more suspicion than those of companies that jump on issues and fix them right away. Nobody really wants more on-site FDA inspections.
We saw with Theranos what can happen if you fail to fix the problem identified in a warning letter: escalation to enforcement to make the company comply.
A company of any size, or with a product of significant complexity, needs to have written procedures for addressing problems and escalating unsolved problems to a higher level of management. FDA found that St. Jude did not follow its procedures and that the procedures were inadequate. So, to satisfy FDA the company will need to convince FDA that the written procedures are adequate and that there is supervision to enforce those procedures within the company.
At this stage companies will often turn to outside consultants to help fix the problem because higher management no longer has confidence in lower management to fix the problem.