Slashdot Mirror


FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

12 of 96 comments

  1. Nice try by TimMD909 · · Score: 5, Insightful

    Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface... if I had a pacemaker that could get over the air updates, I'd not want to be worried that an attacker could push an update. I'd have to live my life inside of a Faraday cage to even feel somewhat safe.

    1. Re:Nice try by ElizabethGreene · · Score: 5, Insightful

      I find it telling that Dick Cheney's pacemaker was replaced with a unit that had all of the RF functions disabled during his tenure as VP.

      That tells me two things.
      1. He still has some biological components left.
      2. I do not want wireless interfaces on my medical devices.

  2. That's a great idea! by Anonymous Coward · · Score: 2, Insightful

    All those medical device manufacturers have so much know-how on what to do (digital signatures, encrypted communications), let's add firmware update to the list. They can call it "secure firmware update" (because the protocol is secret, which makes it secure!). Well no, scrub that, simply make it illegal to hack devices, much cheaper than security...

  3. Inb4 a mandated update mechanism gets compromised. by Anonymous Coward · · Score: 5, Insightful

    The only thing that scares me worse than insecure proprietary bullshit that can kill people is people who don't understand technology trying to legislate insecure proprietary bullshit that can kill people.

  4. Not necessarily good by arth1 · · Score: 5, Insightful

    I'd rather have a device with no external connectivity than one that has external connectivity because one is needed by the upgrade mechanism.
    That just adds a vector for attack where there was none.

  5. About time by The+Grim+Reefer · · Score: 4, Insightful

    > the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

    First of all, why does every damn thing have to be able to connect with your phone/internet? Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive. I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

    Any manufacturer that has released a device that a malfunction could cause a lethal event with wireless access with a hard coded password should be fined a lot. And pay for whatever surgery and device is needed to remedy this. Additionally, they should pay the patients for their time and recovery. Just how incompetent are people that make these things? Gee, WiFi and Bluetooth. No one would ever think to try to connect to something like that. I mean seriously, hard coding "1234" or "password" on an implanted defibrillator or an insulin pump?

    1. Re:About time by Obfuscant · · Score: 4, Insightful

      > Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive.

      The only reason you would need a "critical security patch" is if there were some way of hacking into the device remotely. For most devices the only way people could hack into them remotely is through the new external connection that allows critical security updates.

      You create a solution for a problem created by the solution. My head hurts.

      > I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

      Sending data TO an external monitor does not require receiving data FROM an external device. I have a half a dozen wireless weather sensors around my house that don't receive a single bit of data via radio, but they repeatedly send data out. Your pacemaker could do the same kind of thing.

    2. Re:About time by The+Grim+Reefer · · Score: 3, Insightful

      Agreed, but for the situation you described, you only need one way communication.

      I've read about the security (or lack thereof) on some pain pumps and implanted defibrillators. Having some sociopath getting remote access to someone's ICD could be more than a minor inconvenience.

    3. Re:About time by radarskiy · · Score: 3, Insightful

      Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

    4. Re:About time by Anonymous Coward · · Score: 2, Insightful

      > Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

      Probably because, like fridges, toasters, light bulbs, etc., there's no good reason for them to be internet-connected, but over time someone -- a device maker or some third-party they source some component from -- will decide that it'd be more convenient for them if the devices were internet-connected and it'll likely "just happen" because "meh, what's the worst that could happen?". Companies cut corners for their convenience or to save a few cents per widget or to simplify mandated requirements. It happens all the time.

      The "damn commenters" have seen it happen often enough that they're just shortcutting things and jumping straight to the inevitable conclusion.

  6. FDA confirmed for out-of-touch, tech-ignorant by Rick+Schumann · · Score: 5, Insightful

    You hospitals think that the ransomware attacks you've been dealing with are bad now? Just wait until you've got criminal assholes hijacking all the OTA-updatable medical devices in your entire organization -- with a couple random people 'accidentally' dying of intravenous drug overdoses or their ventilators being bricked, just to show that they're serious and that their demands should be met promptly. Stupid, stupid, stupid! There is no possible way they can adequately secure such devices. They should require physical access to the device, NEVER wirelessly.

  7. Nothing in the article says "remote" updates by stevelinton · · Score: 5, Insightful

    The article makes no mention of remote updates, let alone wireless ones. A physical port inside the device (perhaps behind a locked panel) makes sense for most devices. If the device is already remotely accessible in any way (e.g. to allow a physician to plug into it and recover health data) then it potentially needs security updates. If not, then being able to apply a (suitably checked and signed) firmware update with a special cable may avoid the need for surgery and/or an expensive replacement device. Assuming they get the details right, this sounds sensible.