Slashdot Mirror


FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

96 comments

  1. Nice try by TimMD909 · · Score: 5, Insightful

    Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface... if I had a pacemaker that could get over the air updates, I'd not want to be worried that an attacker could push an update. I'd have to live my life inside of a Faraday cage to even feel somewhat safe.

    1. Re:Nice try by Anonymous Coward · · Score: 0
      Won't give us your iPhone PIN? How about we upload a little pain.

      - Tony CIA

    2. Re:Nice try by olsmeister · · Score: 3, Funny

      I bet you could make a really sweet Faraday onesie... bonus points if you wear it and fight crime at the same time.

    3. Re:Nice try by TimMD909 · · Score: 1

      I bet you could make a really sweet Faraday onesie... bonus points if you wear it and fight crime at the same time.

      Perfect idea for a Halloween costume too

    4. Re: Nice try by Anonymous Coward · · Score: 0

      This is all going to end in tears.

    5. Re:Nice try by Anonymous Coward · · Score: 0

      Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface... if I had a pacemaker that could get over the air updates, I'd not want to be worried that an attacker could push an update. I'd have to live my life inside of a Faraday cage to even feel somewhat safe.

      faraday cages don't stop bullets

    6. Re:Nice try by Anonymous Coward · · Score: 0

      A point. Do you have one?

    7. Re:Nice try by DontBeAMoran · · Score: 1

      I think he has bullet points.

      --
      #DeleteFacebook
    8. Re:Nice try by Anonymous Coward · · Score: 0

      Neither do medical devices.

    9. Re:Nice try by ElizabethGreene · · Score: 5, Insightful

      I find it telling that Dick Cheney's pacemaker was replaced with a unit that had all of the RF functions disabled during his tenure as VP.

      That tells me two things.
      1. He still has some biological components left.
      2. I do not want wireless interfaces on my medical devices.

    10. Re:Nice try by Anonymous Coward · · Score: 0

      A point. Do you have one?

      He does, but he wears a hat so people don't stare.

    11. Re: Nice try by Anonymous Coward · · Score: 0

      They already work that way, except now there is no way to update the device. It's just vulnerable.

    12. Re:Nice try by Anonymous Coward · · Score: 1

      Where in TFA does it talk about implanted devices? I got the impression they were talking about external things (i.e. glucose meters, etc.).

      So then: if my device (in fact a glucometer) doesn't connect to the internet it shouldn't need security patches. BUT if they make it mandatory for the firmware to be able to receive updates and patches then I'll HAVE to connect to the internet and be exposed to all KINDS of breach attempts and evildoers so I'll definitely NEED those patches to thwart THEM. Yah?

    13. Re:Nice try by harrkev · · Score: 1

      Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface

      Have you ever heard of public key cryptography? https://en.wikipedia.org/wiki/... If the manufacturer can keep their private key secret, then only they could push an update. Of course this requires hardware beefy enough to handle either ECC or RSA calculations in a reasonable amount of time... Yeah, this also assumes that they do the cryptography properly (which can be harder than it sounds).

      Anyways, that takes care of attack surfaces. It does nothing for back doors, however. But I would imagine that if a back door caused a death, one law suit would change the mind of the manufacturer real quick.

      --
      "-1 Troll" is the apparently the same as "-1 I disagree with you."
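      As an added example (not from the poster, the article, or any device vendor), here is the signed-update check the comment describes, in Go with the standard library's Ed25519: the manufacturer signs header and payload with its private key, and the device verifies with an embedded public key, refusing anything that fails to verify or that would roll back to an older version. The image layout, the names, and the key pair generated at run time are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (an assumption for this example, not any vendor's format):
//
//	magic[4] "FWIM" | version uint32 big-endian | payload | Ed25519 signature[64]
//
// The signature covers magic, version and payload, so editing the payload or
// relabelling an old image with a newer version number both invalidate it.
const imageMagic = "FWIM"

var (
	ErrTruncated    = errors.New("image too short to contain header and signature")
	ErrBadSignature = errors.New("signature does not verify against the manufacturer key")
	ErrBadMagic     = errors.New("not a firmware image")
	ErrRollback     = errors.New("image version is not newer than the installed version")
)

// BuildImage is the manufacturer-side signing step. The private key belongs in an
// offline signing system, never on the device or on the update server.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.BigEndian, version)
	buf.Write(payload)
	sig := ed25519.Sign(priv, buf.Bytes())
	buf.Write(sig)
	return buf.Bytes()
}

// VerifyImage is the device-side check run before anything in the image is trusted.
// The only state it needs is the manufacturer public key baked into the bootloader
// and the currently installed version (for anti-rollback).
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	headerLen := len(imageMagic) + 4
	if len(image) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	body := image[:len(image)-ed25519.SignatureSize]
	sig := image[len(image)-ed25519.SignatureSize:]
	// Verify first: no field of the body is parsed until the signature checks out.
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	if string(body[:len(imageMagic)]) != imageMagic {
		return 0, nil, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(body[len(imageMagic):headerLen])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, body[headerLen:], nil
}

func main() {
	// Stand-in for the manufacturer's key pair; a real device would carry only pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(1)
	good := BuildImage(priv, 2, []byte("constructed firmware payload v2"))

	report := func(name string, img []byte) {
		v, _, err := VerifyImage(pub, installed, img)
		if err != nil {
			fmt.Printf("%-18s rejected: %v\n", name, err)
			return
		}
		fmt.Printf("%-18s accepted, installing version %d\n", name, v)
	}
	report("genuine image", good)

	tampered := append([]byte(nil), good...)
	tampered[len(imageMagic)+4] ^= 0x01 // flip one payload bit after signing
	report("tampered payload", tampered)

	report("older version", BuildImage(priv, 1, []byte("constructed payload v1")))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, not the device's
	report("foreign key", BuildImage(otherPriv, 3, []byte("constructed payload v3")))

	report("truncated image", good[:5])
}
```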
    14. Re:Nice try by Anonymous Coward · · Score: 0

      But what will you do when they release a new feature that lets you upload your glucose readings to a spreadsheet on your phone? How can you live without THAT?

    15. Re: Nice try by dhjdhj · · Score: 1

      Sigh, it also doesnt help if manufacturers are hacked

    16. Re: Nice try by DigiShaman · · Score: 1

      Bonus? You sure it's not on purpose? Talk about giving the Gov the ultimate "kill switch". Damn shame if someone makes the wrong political move, eh?

      --
      Life is not for the lazy.
    17. Re:Nice try by gtall · · Score: 2

      You have it backwards, the pacemaker was kept and the rest of Dick Cheney replaced. Now he's more of an automaton...well, more so than before.

    18. Re:Nice try by crunchygranola · · Score: 2

      Nonsense, since 2012 when Dick Cheney had a heart transplant we can finally say with certainty that he has a human heart.

      Of course, it was once somebody else's.

      --
      Second class citizen of the New Gilded Age
    19. Re:Nice try by Anonymous Coward · · Score: 0

      Threaten me with pain again and I'll kill you, boy.

    20. Re:Nice try by Anonymous Coward · · Score: 0

      My brother has a pacemaker. Over-air updates are already possible and quite standard.

      Cost-benefit:
      No over-air updates: surgery required to tweak the parameters of the pacemaker.
      Over-air updates: pacemaker behavior may be modified to improve your overall health without an additional surgery.

      Let's play again...
      Cost-benefit:
      Encryption: when in the ER with a malfunctioning pacemaker, emergency surgery is now required to remove it because the doctors in the ER lack the key.
      No Encryption: The ER doctors update the pacemaker over-air to make it stop malfunctioning.

  2. That's a great idea! by Anonymous Coward · · Score: 2, Insightful

    All those medical device manufacturers have so much know-how on what to do (digital signatures, encrypted communications), let's add firmware update to the list. They can call it "secure firmware update" (because the protocol is secret, which makes it secure!). Well no, scrub that, simply make it illegal to hack devices, much cheaper than security...

  3. Inb4 a mandated update mechanism gets compromised. by Anonymous Coward · · Score: 5, Insightful

    The only thing that scares me worse than insecure proprietary bullshit that can kill people is people who don't understand technology trying to legislate insecure proprietary bullshit that can kill people.

  4. Not necessarily good by arth1 · · Score: 5, Insightful

    I'd rather have a device with no external connectivity than one that has external connectivity because one is needed by the upgrade mechanism.
    That just adds a vector for attack where there was none.

    1. Re:Not necessarily good by Anonymous Coward · · Score: 1

      They need to have some wireless communication in order to provide the doctor with telemetry. A pacemaker will record the heart's natural rhythm, then apply its own signal, plus it needs to be able to be reprogrammed to the correct range of speeds. Then once you have that information and data transfer method, firmware updates become possible. But those have to be secured. The doctor might store all the passwords/keys on a computer/server in the treatment room.

    2. Re:Not necessarily good by Anonymous Coward · · Score: 0

      A) The Doctor has a damn stethoscope for getting your data. They don't need anything else.
      B) A transmitter is different from a receiver. A pacemaker has ZERO reason to have a receiver on it. If it's defective, then remove it and put in a working one, not try to find a hardware hack work-around.

    3. Re:Not necessarily good by arth1 · · Score: 1

      Also, adjustment of pacemakers has been done for several generations now - with a couple of screws. It's a tiny incision that doesn't even require a stitch. And it's pretty much hack proof.
      If anything, wireless adjustments mean more surgery, because the battery will run out much faster.
      (An Apple iPacemaker would presumably need recharging every night...)

    4. Re: Not necessarily good by Anonymous Coward · · Score: 0

      But the Apple pacemaker would have a kickin bass.

  5. MS active hours by Joe_Dragon · · Score: 0

    It's too bad that you need this to be up 20 hours a day, as the max you can set active hours to is 18 or 12 (Server 2016). Too bad, and read the EULA: we don't have to do shit.

  6. About time by The+Grim+Reefer · · Score: 4, Insightful

    the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

    First of all, why does every damn thing have to be able to connect with your phone/internet. Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive. I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

    Any manufacturer that has released a device where a malfunction could cause a lethal event, with wireless access with a hard coded password, should be fined a lot. And pay for whatever surgery and device is needed to remedy this. Additionally, they should pay the patients for their time and recovery. Just how incompetent are people that make these things? Gee, WiFi and Bluetooth. No one would ever think to try to connect to something like that. I mean seriously, hard coding "1234" or "password" on an implanted defibrillator or an insulin pump?

    1. Re:About time by Obfuscant · · Score: 4, Insightful

      Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive.

      The only reason you would need a "critical security patch" is if there were some way of hacking into the device remotely. For most devices the only way people could hack into them remotely is through the new external connection that allows critical security updates.

      You create a solution for a problem created by the solution. My head hurts.

      I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

      Sending data TO an external monitor does not require receiving data FROM an external device. I have half a dozen wireless weather sensors around my house that don't receive a single bit of data via radio, but they repeatedly send data out. Your pacemaker could do the same kind of thing.

    2. Re:About time by darkain · · Score: 5, Interesting

      As someone with a close family member who has a phone-connected life-critical medical device, let me elaborate on what exactly it is doing.

      First off, the user has direct access to statistical health information in real time. This before used to be quite the costly process with throw-away testing supplies. These throw-away supplies previously would only be used maybe once or twice a day, even though health conditions can fluctuate in a few minutes time.

      Secondly, the logged data can be reported back to medical professionals. What would you rather have, someone untrained in medicine trying to awkwardly describe how they felt at some random particular moment in time, or having true raw data from that particular experience?

      And just because a device is network connected and the device is life critical doesn't mean that the person can instantly die from wrongdoing. In this particular case, if the device was entirely shut off, the person would still survive a few days and would notice the effects within a couple hours and seek medical attention. With the device at full blast, the results would be similar. So at worst, a hacker could potentially make this person feel ill and go see a doctor, which is the exact same case that this person would experience if they were to treat themselves manually (the way things were done before) and messed up by accident.

    3. Re:About time by Anonymous Coward · · Score: 0

      First of all, why does every damn thing have to be able to connect with your phone/internet.

      So that that government(s) can control your life. You think it's invasive now, just wait for the mandatory brain chips to combat terrorism and wrongthink.

      Unless there's a damn good reason

      There never has been one.

      I don't know why you would want to introduce security holes in a device that is keeping you alive.

      Makes it much easier to kill a dissident if all you have to do is push a button. Even better if it can happen from anywhere on earth. And the ISS.

      I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something.

      Because we all want / need to know your heart skipped a beat. Well, I suppose your insurance company, employer, and murderer / government black ops agent would like to know.

      But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

      For that to happen you'd need a computer / comm port inside of you to eliminate the need for wireless signals. Once again, brain chip, but what makes you think such a device wouldn't also have its own back door(s)?

      Any manufacturer that has released a device where a malfunction could cause a lethal event, with wireless access with a hard coded password, should be fined a lot.

      Hear, hear. Better yet they should be put out of business and their shareholders strung up a tree in the village square for all to see. Why? Hardcoded anything doesn't happen without effort. Someone put it there. Which means someone needed to remove it prior to approving public release, or better yet never put it in to begin with.

      The best part of the story though is, given the level of certification these things have to go through prior to being sold on the market, why would you need an automatic update function to begin with? The whole friggin point of auto updates is that the manufacturer is incompetent; they want to make something that's just barely enough to sell to the public and worry about reliability never. So, automatic updates are just a way of making sure they can make the damn product tolerable after it hits the market so the bad reviews and word of mouth don't take away all of their revenue stream. Now ask yourself this: Would you want such a worthless piece of crap inside of you? Would you want your life to depend on it? Would you want some random java applet or some other buzzword language app made in India to be responsible for keeping you alive? If you answered anything but "HELL, THE FUCK, NO!!!!", then under this proposal you'll soon be up for a Darwin Award.

      Long story short, this should be scrapped. There is absolutely no bleeping way that this won't wind up hacked and someone killed as a result. The public should scream bloody murder over this.

    4. Re:About time by The+Grim+Reefer · · Score: 3, Insightful

      Agreed, but for the situation you described, you only need one way communication.

      I've read about the security (or lack thereof) on some pain pumps and implanted defibrillators. Having some sociopath getting remote access to someone's ICD could be more than a minor inconvenience.

    5. Re:About time by radarskiy · · Score: 3, Insightful

      Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

    6. Re:About time by barakn · · Score: 4, Funny

      Yes, I'm sure the updates will be obtained via Ham Radio. Fucking idiot.

      --
      "I'm so moist I'm sticking to the leather." -Kermit the Frog on The Late Late Show
    7. Re:About time by Anonymous Coward · · Score: 1

      Pacemakers are not just a set electric shock on a set interval timer. The size and profile of the shock is tunable to respond to the patient's individual heart condition where the adjustment is different for every person. And they have to react differently depending on the behaviour of the patient. Is their heart rate increasing because they're running or having a heart attack? How it responds is important, and if it gets it wrong the person could pass out or die. If the software making that decision is found to have a bug, then yes there's a good reason to issue a critical software patch that's not just to prevent hacking. Replacing a pacemaker is an extremely invasive procedure. It's more complicated than putting one in in the first place as the existing one will be held in place by scar tissue. The surgery is not without risks either. You want to avoid surgery if at all possible so it makes a lot of sense to be able to make updates.

      The pacemaker also makes for a very good data logger to monitor both the device and the patient's condition. The doctors can download valuable information from such a device to inform their choice of ongoing treatment.

      For those who are extremely paranoid perhaps you could make the communication method something that can't be hacked remotely. Something that can't be done at a distance such as WiFi or Bluetooth. Perhaps something that's electromagnetically coupled might work so that a transceiver has to be physically placed against the patient's skin.

    8. Re:About time by Obfuscant · · Score: 1

      Pacemakers are not just a set electric shock on a set interval timer.

      I know what pacemakers do.

      If the software making that decision is found to have a bug, then yes there's a good reason to issue a critical software patch that's not just to prevent hacking.

      That is not a critical security update. It is a flaw that should have been caught before approval.

      You want to avoid surgery if at all possible so it makes a lot of sense to be able to make updates.

      You do realize that there are systems already designed that have external wired connections, which would require physical access to the device to hack into? Maybe not. Not every medical device needs wireless, and thus at-a-distance, access.

      The pacemaker also makes for a very good data logger to monitor both the device and the patient's condition. The doctors can download valuable information from such a device to inform their choice of ongoing treatment.

      As I already said, OUTPUT of data does not require an external interface for INPUT to the device. It could be as simple as a reed switch that a magnet triggers to dump data via RF.

      For those who are extremely paranoid perhaps you could make the communication method something that can't be hacked remotely.

      You mean like wires? Hold on, I'm gonna go patent that idea. I'll make a killing. Oh wait, prior art. Damn. And electromagnetic coupling, the same. Maybe if I say "on a computer" I'll get a patent I can troll big pharma with?

    9. Re:About time by Anonymous Coward · · Score: 0

      My commiserations for your unwell family member.

      Personally, I've used a number of devices for tracking health data and in my experience, the big issue that no one is talking about, is that the doctors do not care! I can't even get a doctor to thoroughly review blood test results, or medical history summaries, let alone pore over weeks of minute-by-minute health logs!

      Perhaps I've been unlucky and always visited bad doctors, but I'm talking about spending ten years with a chronic illness and visiting doctors in a number of countries, and everywhere I've been the result has been the same: doctors are extremely apathetic about fine-grained medical data logs.

    10. Re:About time by Anonymous Coward · · Score: 2, Insightful

      Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

      Probably because, like fridges, toasters, light bulbs, etc., there's no good reason for them to be internet-connected, but over time someone -- a device maker or some third-party they source some component from -- will decide that it'd be more convenient for them if the devices were internet-connected and it'll likely "just happen" because "meh, what's the worst that could happen?". Companies cut corners for their convenience or to save a few cents per widget or to simplify mandated requirements. It happens all the time.

      The "damn commenters" have seen it happen often enough that they're just shortcutting things and jumping straight to the inevitable conclusion.

    11. Re: About time by nanter · · Score: 1

      There are devices where a bad actor could cause the device to kill someone. An AICD could be programmed to give a shock at the point in the cardiac cycle where it'd cause the heart to arrest and then be programmed not to give its usual life saving shock.

    12. Re: About time by Anonymous Coward · · Score: 0

      Having some sociopath get ahold of a pair of scissors to stab you in the chest would also be bad. I don't see anybody proposing that access to scissors be restricted.

    13. Re: About time by The+Grim+Reefer · · Score: 1

      Having some sociopath get ahold of a pair of scissors to stab you in the chest would also be bad. I don't see anybody proposing that access to scissors be restricted.

      Except stabbing someone with scissors is likely to be noticed. If you log into someone's defibrillator and light it up a couple of times, there's a pretty good chance they won't get caught. Or causing a pain pump to deliver all of its medication at once. Hell, the manufacturer may even wipe the logs so they don't get caught for having no security on the device.

    14. Re:About time by EvilSS · · Score: 2

      1980 called and it wants you to return their pacemakers. Current (and by current I mean going back at least 15 years if not more) pacemakers and ICDs have wireless communication and adjustment already. It requires a device that looks like a hockey puck connected to a laptop. Want a fun time? Watch the techs do diagnostics on them by running your heart rate up and down with the click of a mouse. They also have home reporting where you use a similar device connected to a phone line to allow the doctor to review data from the device.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    15. Re:About time by EvilSS · · Score: 1

      Many of these devices have wireless capability that can be accessed by a doctor or tech from the manufacturer using a laptop and special antenna that goes over the device. This includes making changes to the settings of the device and running diagnostics (on both the device and the patient as needed).

      The only thing worse than an asshole is an ignorant asshole.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    16. Re:About time by gtall · · Score: 1

      I can understand the need to update a device, certainly for discovered faults. I have a hard time thinking updates are going to be done in realtime while the device is functioning. Say you are on the phone and an update occurs, "Hey fella, I'll need to call you back. An update just bricked my pacemaker."

    17. Re:About time by chr1sb · · Score: 1

      Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

      Agreed. Furthermore, why does every damn poster post about implantables? The term "medical device" covers a broad range of products.

      For example, when you visit your GP and get your blood tested, your blood is sent off to a lab where the machine used to conduct those tests is also a medical device, regulated by the FDA (in the US at least, but the FDA has influence in many other jurisdictions). Many of those devices by the way run Windows. Yes, Windows. Usually at least one embedded system too, to handle hard real-time requirements, but the HMI is often Windows-based. And they are network connected. To the lab network, but they are connected nevertheless.

      There does need to be an upgrade mechanism for them (and there usually is). However, automatic (or even manual) Windows Update is not that. What if an update interferes with the correct operation of the device? What if e.g. some test results start coming back negative when they should be positive, because of an update? Sure, the device being maliciously compromised is also a risk, but updates cannot just be applied with the hope that the device still operates correctly.

      This is not as straightforward a nut to crack as simply applying O/S vendor-supplied patches. Testing needs to be performed first. Whilst needing this testing is a good thing, maintaining a long-term ability to monitor available updates and then approving them for release substantially increases the cost of ownership of those devices. And only the original device manufacturer can perform those activities.

      Having said that, the article refers to the ability to have updates applied, but I did not see a requirement to actually apply updates. I can guess what is likely to happen.

      One final point - all medical devices have to undergo a hazard assessment. For some devices, the hazard assessment might have determined that it is safer to burn the software onto a ROM rather than have it on a writeable medium such as FLASH. What happens there? Is ROM no longer an option for medical device firmware?!

    18. Re:About time by The+Grim+Reefer · · Score: 1

      Agreed. Furthermore, why does every damn poster post about implantables?

      Because if your implantable device gets pwnd, there's nothing you can do. An external device can be disconnected or disabled without the need for surgery. If your implanted defibrillator starts shocking the shit out of your heart or a pain or insulin pump runs until it's empty there's not much you can do.

    19. Re: About time by apoc.famine · · Score: 1

      Most medical pumps that I'm aware of have built-in mechanisms to prevent the situation you're describing. Manufacturers understand that delivering all of a drug once is pretty much the best way to kill a person. Since their goal is the opposite of doing that, they tend to put safeguards in their medical devices to prevent that.

      While 0 rate or max rate might adversely affect the patient, in general, it won't kill them instantly. Plenty of time to rectify the issue and seek medical treatment.

      Are you unaware that medical devices have to go through very arduous vetting processes before they're certified? This isn't Jim Bob wiring up a syringe to a servo and taping it to his leg that we're talking about here. All that I'm aware of are designed to fail safely and give ample notification.

      --
      Velociraptor = Distiraptor / Timeraptor
    20. Re:About time by Anonymous Coward · · Score: 0

      That is not a critical security update.

      A bug that could kill the user is a lot more critical than your average security flaw.

      It is a flaw that should have been caught before approval.

      You could say that about any bug.

      And writing perfectly secure code is a lot easier than writing a perfect ECG analyzer. The former is a problem that can be defined rigorously, and if you're willing to put in the effort, you can prove that your system is secure. The latter is a problem that even the best human cardiologists can't solve.

  7. Can we please update msmash by Anonymous Coward · · Score: 0

    and teach that poorly done copy/paste bot to get some better sources for his regurgitated press release "news"?

  8. data roaming at Health Care Prices by Joe_Dragon · · Score: 1

    Say
    in market (small area) $1/meg
    out of market (In state) $5/meg
    out of market (out of state) $10/meg
    Canada / Mexico fringe roaming $11/meg
    Canadian roaming $20/meg
    Other $50/meg
    Cell at sea $60/meg
    ----

    In Lockup free to you

    1. Re:data roaming at Health Care Prices by forkfail · · Score: 1

      But wait, there's more!

      Think about the user experience when Facebook gets real time bio metric feedback on your response to ads!

      So much service improvement, so many ads that we KNOW that you'll just love seeing!

      --
      Check your premises.
    2. Re: data roaming at Health Care Prices by Anonymous Coward · · Score: 0

      heart racing...no Fuckerburg...that was anger...not adulation.

  9. 3rd party vendors must let hospitals by Joe_Dragon · · Score: 1

    3rd party vendors must let hospitals have full OS update control and no forced open 24/7 links to the outside.

  10. FDA confirmed for out-of-touch, tech-ignorant by Rick+Schumann · · Score: 5, Insightful

    You hospitals think that the ransomware attacks you've been dealing with are bad now? Just wait until you've got criminal assholes hijacking all the OTA-updatable medical devices in your entire organization -- with a couple random people 'accidentally' dying of intravenous drug overdoses or their ventilators being bricked, just to show that they're serious and that their demands should be met promptly. Stupid, stupid, stupid! There is no possible way they can adequately secure such devices. They should require physical access to the device, NEVER wirelessly.

    1. Re:FDA confirmed for out-of-touch, tech-ignorant by AlanObject · · Score: 1

      It is only a matter of time before a contract hit gets carried out this way. Untraceable.

    2. Re:FDA confirmed for out-of-touch, tech-ignorant by Anonymous Coward · · Score: 0

      I could see maybe using NFC for certain devices. Go to your doctor to have an update applied from inches away, but wi-fi or other long range comms is just begging for a disaster.

    3. Re:FDA confirmed for out-of-touch, tech-ignorant by Rick+Schumann · · Score: 2

      No kidding. As someone else pointed out: all it'd take is a pacemaker that has OTA updatable firmware, and you've got a built-in 'kill switch' for someone.
      Imagine getting an email from the attacker: "Send us 100 Bitcoins, or we'll stop your heart."
      Imagine getting that email every few months for the rest of your life. :-(

    4. Re:FDA confirmed for out-of-touch, tech-ignorant by quantaman · · Score: 1

      I could see maybe using NFC for certain devices. Go to your doctor to have an update applied from inches away, but wi-fi or other long range comms is just begging for a disaster.

      NFC would still be problematic, since someone on the bus or bumping into you on the street could still get close enough to interface.

      In general, I think you do need a physical interface that requires some kind of surgical day procedure to update.

      --
      I stole this Sig
    5. Re:FDA confirmed for out-of-touch, tech-ignorant by Striek · · Score: 1

      They should require physical access to the device, NEVER wirelessly.

      Physical access to a pacemaker...

      I do not think this means what you think it means...

      --
      "Government is like fire; a handy servant, but a dangerous master." -- George Washington
  11. So when creimer upgrades his brain by Anonymous Coward · · Score: 0

    to this one, he'll be able to upgrade to a rat brain after?

  12. This will go great! by Anonymous Coward · · Score: 0

    1. My pacemaker BSOD'ed during a firmware update.

    2. My insulin pump gained an attack vector.

    3. I can now co-pay for software updates to my oxygen tank.

    4. My GPS-assisted wheelchair didn't know there was construction on Main St. and now I'm stuck in 6" of concrete.

    5. The same gov't that runs the DMV has the ability to decide what happens to my dialysis machine.

    1. Re: This will go great! by Anonymous Coward · · Score: 0

      No, better! Link it with Facebook so that the Zuck can sell access to it.

    2. Re:This will go great! by darkain · · Score: 1

      "The same gov't that runs the DMV" The DMV is run by your state government. Instead, this is the federal government, y'know, that one that has the NSA running a global spying operation that went undetected for years. Don't worry. They're not spying on your medical data too!

  13. This ^ by Anonymous Coward · · Score: 0

    I'd rather have a device with no external connectivity than one that has external connectivity because one is needed by the upgrade mechanism.
    That just adds a vector for attack where there was none.

    And I just updated my Buffalo network drive with the latest firmware and now it's flaking out. Point: upgrades aren't so good all the time.

    That'd be so great if a pacemaker were to be upgraded and start pounding hearts!

    1. Re:This ^ by Hognoxious · · Score: 1

      And I just updated my Buffalo network drive with the latest firmware and now it's flaking out. Point: upgrades aren't so good all the time.

      I remember back on win XP getting updates that, among other things, would break networking. Awesome, because you couldn't download the next update that fixed or undid the shit update.

      Thankfully there was a way to roll back to a prior state - "restore points" I think they were called.

      It'd be a bit more than an inconvenience for something your life depended on.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  14. Hospital staff will fail to keep up by hired+killer · · Score: 1

    My worry is that vendors of devices update the software for equipment that requires training. An OTA update WILL change how a device works.

    Hospital staff may or may not notice, and then even if they notice, who has time to figure out which devices have changed their behavior.

  15. Nothing in the article says "remote" updates by stevelinton · · Score: 5, Insightful

    The article makes no mention of remote updates, let alone wireless ones. A physical port inside the device (perhaps behind a locked panel) makes sense for most devices. If the device is already remotely accessible in any way (eg to allow a physician to plug into it and recover health data) then it potentially needs security updates. If not, then being able to apply a (suitably checked and signed) firmware update with a special cable may avoid the need for surgery and/or an expensive replacement device. Assuming they get the details right, this sounds sensible.

    1. Re:Nothing in the article says "remote" updates by Locke2005 · · Score: 1

      Because all implanted pacemakers/defibrillators come with a USB port for easy updates!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Nothing in the article says "remote" updates by Jamu · · Score: 3, Funny

      I hate to think where they put that.

      --
      Who ordered that?
  16. I wonder if the elite will get smart by Anonymous Coward · · Score: 0

    I wonder if the elite will get smart medical devices implanted into themselves.

    I'm gonna guess no.

  17. What could possibly go wrong??? by Locke2005 · · Score: 1

    Experience shows that the Microsoft mandatory updates ALWAYS make things much better and NEVER cause problems! FDA, now bringing new meaning to the phrase "Blue screen of death"! Ack! They automatically updated my pacemaker! Will anybody with a computerized medical device now be forbidden from going out of WiFi range?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:What could possibly go wrong??? by iggymanz · · Score: 1

      Medical device manufacturers have some incentive to do actual engineering, unlike Microsoft's clusterfuck of a QA system.

  18. I can see the repercussions now by nimbius · · Score: 3, Funny

    kids: dad what happened to grandma?
    dad: well kids... she's gone to a better place
    mom: dad flashed a rom to her pacemaker with the wrong binary architecture
    dad: It's more complicated than that kids, Grandma was one SMA antenna away from being able to route our IPv6 traffic so we can use faster fortnight servers.
    kids: is grandma in heaven?

    Dad: more importantly, does daddy's toolchain documentation cover the insulin pump in grandpa....

    --
    Good people go to bed earlier.
  19. 3rd party systems in a hospital with old OSes by Joe_Dragon · · Score: 1

    3rd party systems in a hospital with old OSes that don't get updated is the real issue.

    1. Re:3rd party systems in a hospital with old OSes by Obfuscant · · Score: 1

      3rd party systems in a hospital with old OSes that don't get updated is the real issue.

      If they don't have a way to hack into them, then adding an update mechanism for security patches creates a mechanism to hack into them. If you can install a patch to stop hackers via a USB stick or WiFi, for example, then hackers could install something else using a new exploit in the update system. The age of the OS doesn't matter if nothing from outside can change it.

      I have a glucose meter. It has a connection to dump data to a computer. That connection is probably bi-directional since the computer can ask for the dump. That's a pathway for hacking. If the meter did not have that connection then there is no fear of it being hacked. Well, someone could steal it and pry it open to use JTAG to reprogram it, I suppose, but then I'd miss it and simply get a new one. And JTAG would be the "method to update" that I mentioned. Use a micro with a non-resettable fuse on the program and it won't be hacked. It would also not need critical security patches to keep people from hacking it.

  20. Stay the F' away from my insulin pump. by Anonymous Coward · · Score: 0

    No F'n way I am letting my insulin pump be auto-updated. Period.

  21. Wrong Industry by freeze128 · · Score: 1

    The medical industry doesn't need mandatory updates. It's the electrical grid's control systems with their SCADA controllers that are always connected to the internet (even though they shouldn't be) that need mandatory updates.

  22. cut that resistor and save! by AndyKron · · Score: 3, Interesting

    I worked at a medical company that "unlocked" premium features by cutting out a resistor that the software checks. Will that be on the BOM too?

  23. Why do they need more money? by Anonymous Coward · · Score: 0

    That is the real question. Funny how spending money the US Federal Government doesn't have isn't even a question anymore.

  24. IETF Firmware Update Architecture for IoT by Anonymous Coward · · Score: 0

    The IETF actually has a Working Group (WG) looking at this, Software Updates for Internet of Things (suit):

    * https://tools.ietf.org/html/draft-moran-suit-architecture
    * https://datatracker.ietf.org/wg/suit/documents/
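The "suitably checked and signed" firmware update that stevelinton describes in comment 15, and the manifest-based approach the SUIT working group linked above is standardising, both come down to the same device-side checks. The following is an added example, not code from the Slashdot thread or from the IETF drafts: a minimal verifier for a constructed manifest format (the `Manifest` fields, device class names and image bytes are assumptions for illustration, not SUIT's actual encoding) that refuses an image unless the vendor signature, device class, anti-rollback sequence number and image digest all check out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for a SUIT-style update manifest; the
// field names and layout are this example's own, not the IETF draft's.
type Manifest struct {
	DeviceClass string   // product the image is built for
	Sequence    uint32   // strictly increasing; basis of the anti-rollback check
	ImageDigest [32]byte // SHA-256 of the firmware image the manifest authorises
}

// encode gives the byte string the vendor signs and the device verifies.
func (m Manifest) encode() []byte {
	var seq [4]byte
	binary.BigEndian.PutUint32(seq[:], m.Sequence)
	buf := append([]byte(m.DeviceClass), 0) // NUL-terminate so fields cannot run together
	buf = append(buf, seq[:]...)
	return append(buf, m.ImageDigest[:]...)
}

var ErrReject = errors.New("update rejected")

// Sign is the vendor side; the private key stays with the vendor, never on the device.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.encode()) }

// Verify runs every check a device should make before flashing anything.
// Order matters: the signature is checked first so no unsigned data is trusted.
func Verify(pub ed25519.PublicKey, m Manifest, sig, image []byte, deviceClass string, installedSeq uint32) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return fmt.Errorf("%w: bad manifest signature", ErrReject)
	}
	if m.DeviceClass != deviceClass {
		return fmt.Errorf("%w: manifest is for %q, device is %q", ErrReject, m.DeviceClass, deviceClass)
	}
	if m.Sequence <= installedSeq {
		return fmt.Errorf("%w: sequence %d not newer than installed %d (rollback)", ErrReject, m.Sequence, installedSeq)
	}
	if d := sha256.Sum256(image); !bytes.Equal(d[:], m.ImageDigest[:]) {
		return fmt.Errorf("%w: image digest mismatch", ErrReject)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	image := []byte("constructed firmware image v2")
	m := Manifest{DeviceClass: "pump-x1", Sequence: 2, ImageDigest: sha256.Sum256(image)}
	sig := Sign(priv, m)
	fmt.Println(Verify(pub, m, sig, image, "pump-x1", 1))              // <nil>: accepted
	fmt.Println(Verify(pub, m, sig, []byte("tampered"), "pump-x1", 1)) // digest mismatch
	fmt.Println(Verify(pub, m, sig, image, "pump-x1", 2))              // rollback refused
}
```

The same checks apply whether the image arrives over a service cable or a radio; what changes with the transport is only how many parties get the chance to present a bad manifest.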

  25. Not as good an idea as it seems by Anonymous Coward · · Score: 1

    I worked for a medical devices company for a couple of years, one of the big players on the global stage, and I can tell you that before we worry about including methods for updating critical software issues, we need to first focus on getting companies to put patient safety back before profits and share price.

    These are just examples that I personally saw. Let's just say for example that to go from an idea in someone's head to a finished product, it will require $1m and take 1 year if you give the lead engineer everything they want. These numbers are representative and chosen because they are easy to work with. It's also assumed that these numbers are the bare minimum needed to do the job effectively, not padded in any way. So right out of the gate, the budget for the instrument might be set at say $800,000 and the release date is set for 10 months, plus the lead engineer might only get 90% of the manpower needed. As the project progresses, the budget will be steadily slashed, manpower diverted to newer projects, and the timetable moved up. So the engineer in charge is constantly scrambling to get everything done, and most of the time the initial product is being built with a number of "deviations" from what is reported to the FDA, and it's a crapshoot whether or not any of those deviations will be cleaned up.

    I personally saw a case where an IVD (clinical use) instrument was released, then a near-identical RUO (research only) model was released. The very first units of the RUO model came back as DOA. Turns out they were using the blue laser in the device at a slightly different power level than the IVD model, and it was causing the lasers to blow out. You don't need to be an engineer to figure out that this is the sort of thing that would have been caught during testing... if the engineers had been given sufficient time to test units before shipping them out. I was speaking directly with the engineers involved as they were having a meltdown. They were counting on having a couple of weeks to be able to set up all the service and repair parts, then the very first units started coming back DOA almost immediately, so I had to help them triage the situation.

    There was another case where the company launches what is supposed to be a new flagship product and allows people to carry the instrument with them into remote regions. My coworkers and I were still literally finishing up some of the FDA REQUIRED work when they started the launch party down the hall from us... and we weren't even on the invite list. A customer had threatened to cancel a large order if they didn't take possession of the units by a specific date, and the only way to meet that date was to push up the release date of the entire instrument by around two weeks. Since the company chose to ignore the fact that the WHO was phasing out the primary test this instrument did, it was almost immediately abandoned by the company.

    I was also personally in a meeting where the lead engineer of a product was very nonchalantly talking about how they were going to build a couple of prototype units, and then they would ship those to customers who were complaining about how long their orders were taking. Not that they would bother telling the customers they were getting prototype units, which are intended to help find and work out any kinks in the manufacturing process. It was also against company policy to sell prototype units, and part of that is because all of the FDA mandated documentation hasn't been finalized at that point. Turns out the sales department had been making all kinds of wild promises about delivery dates to customers to make their quotas, and then the leadership expected the engineers to be able to meet these ridiculous dates so they didn't lose that revenue.

    I know of an IVD instrument that was released over the objections of the lead engineer, who tried to tell local management that the instrument still had fundamental design flaws that needed to be worked out. I was in a meeting in a conference room near the production floo

    1. Re:Not as good an idea as it seems by Anonymous Coward · · Score: 0

      The FDA rules already exist. If a patient were ever harmed or a customer gets mad enough to complain to the FDA, that division could be audited and suddenly shut down.

  26. Wow... by Anonymous Coward · · Score: 0

    I maintain medical equipment for a living.

    The comments to this story are so full of head-up-tailpipe pontificating it makes my head spin.

    Trust me, this would be a good thing.

    1. Re:Wow... by arth1 · · Score: 1

      Trust me, this would be a good thing.

      Whenever someone says "trust me", that's the last thing you want to do.

  27. MDK security by Anonymous Coward · · Score: 0

    The medical industrial complex has "other" ways of dealing with security vulnerabilities. Just ask Barnaby Jack.

  28. Update Tuesday by RhettLivingston · · Score: 1

    Wow. Definitely don't want to be getting critical care in the hospital on the new medical device's equivalent of update Tuesday.

    1. Re:Update Tuesday by munch117 · · Score: 1

      I wouldn't worry about that. Nothing will ever actually be upgraded.

      Think about it: The firmware that the device is born with is FDA approved, at great expense. If the manufacturer discovers a bug and fixes it, then the fixed version is not FDA approved. Getting a renewed approval for a software modification is expensive, time-consuming and risky. Who's going to pay for that? Customers buy the cheapest thing that is approved anyway, and since the original firmware is approved, the manufacturer's salespeople will happily keep selling it.

  29. Lethal Injection update? by Anonymous Coward · · Score: 1

    what could this hurt >>>update>>>

    -Phone rings

    IT: "IT, how can I help you?"
    Doctor: "The medical devices are pushing all the medicine into the patients at once"
    "Half are dead now"
    IT: "Have you tried disconnecting the intravenous tube from their skin?"
    Doctor: "You're missing the point"
    IT: "I'm sorry to hear that. Let me transfer you to level 2 support"

    IT L2: "I have remoted into the device and have turned down the dosage"
    Doctor: "You do realize that patient has been dead for 15 min now"
    IT L2: "I'm sorry, let me quickly transfer you to Level 3 support"

    IT L3: "Have you turned the device off and on again?"

    To be honest though, the day I've had taking calls because a GPO update changed firewall settings (Windows firewall on the laptops) and kicked a bunch of our users from having the ability to connect to networks remotely. Was not expecting that today.

  30. Everyone here by Anonymous Coward · · Score: 0

    thought mandatory hacking mechanisms immediately right?

  31. Drive by by Anonymous Coward · · Score: 0

    Drive by heart attacks. Malware asking for payment by bitcoin within 24 hours or you will die.

    Evil idea as government rarely does anything well.

  32. No thanks, I'll pass by iamacat · · Score: 1

    Even at best, mandatory Windows updates are making me lose productivity at critical times. Quite a few times they crash. I don't want any of these in a pacemaker. I also don't want to have to walk in a Faraday cage if government or hackers are out to get me. Actually, keep all the radios off unless activated by means like a magnet that cannot be easily faked from a distance.

  33. Please wait ... by cowtamer · · Score: 1

    Windows is installing update 17/67. Please do not reboot your pacemaker or die during this process ...

  34. We're sorry for the inconvenience by Anonymous Coward · · Score: 0

    of bricking your pacemaker. Your next of kin can rest easy in the knowledge that we've all learned something here.

  35. Re:Inb4 a mandated update mechanism gets compromis by Anonymous Coward · · Score: 0

    Implantable medical devices require extremely near (centimeters) field communication and have extremely complicated encryption mechanisms. Moreover the FDA, AMA, and the courts have long ruled that once a medical device is implanted it becomes "legally" part of the person's body and is thus no longer anyone (or anything) else's property. Tangible or otherwise. Moreover, modifying a device once implanted is still considered a "surgical" procedure. Meaning, they know full well changing settings could "brick" the device and cause a problem that would cause risk to the patient. Doctors (well, surgeons anyway) are smarter than this.