Slashdot Mirror


FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

22 of 96 comments

  1. Nice try by TimMD909 · · Score: 5, Insightful

    Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface... if I had a pacemaker that could get over-the-air updates, I'd not want to be worried that an attacker could push an update. I'd have to live my life inside of a Faraday cage to even feel somewhat safe.

    1. Re:Nice try by olsmeister · · Score: 3, Funny

      I bet you could make a really sweet Faraday onesie... bonus points if you wear it and fight crime at the same time.

    2. Re:Nice try by ElizabethGreene · · Score: 5, Insightful

      I find it telling that Dick Cheney's pacemaker was replaced with a unit that had all of the RF functions disabled during his tenure as VP.

      That tells me two things.
      1. He still has some biological components left.
      2. I do not want wireless interfaces on my medical devices.

    3. Re:Nice try by gtall · · Score: 2

      You have it backwards, the pacemaker was kept and the rest of Dick Cheney replaced. Now he's more of an automaton...well, more so than before.

    4. Re:Nice try by crunchygranola · · Score: 2

      Nonsense, since 2012 when Dick Cheney had a heart transplant we can finally say with certainty that he has a human heart.

      Of course, it was once somebody else's.

      --
      Second class citizen of the New Gilded Age
  2. That's a great idea! by Anonymous Coward · · Score: 2, Insightful

    All those medical device manufacturers have so much know-how on what to do (digital signatures, encrypted communications), let's add firmware updates to the list. They can call it "secure firmware update" (because the protocol is secret, which makes it secure!). Well no, scrub that, simply make it illegal to hack devices, much cheaper than security...

  3. Inb4 a mandated update mechanism gets compromised. by Anonymous Coward · · Score: 5, Insightful

    The only thing that scares me worse than insecure proprietary bullshit that can kill people is people who don't understand technology trying to legislate insecure proprietary bullshit that can kill people.

  4. Not necessarily good by arth1 · · Score: 5, Insightful

    I'd rather have a device with no external connectivity than one that has external connectivity because one is needed by the upgrade mechanism.
    That just adds a vector for attack where there was none.

  5. About time by The+Grim+Reefer · · Score: 4, Insightful

    the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

    First of all, why does every damn thing have to be able to connect with your phone/internet. Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive. I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

    Any manufacturer that has released a device where a malfunction could cause a lethal event, with wireless access and a hard-coded password, should be fined a lot. And pay for whatever surgery and device is needed to remedy this. Additionally, they should pay the patients for their time and recovery. Just how incompetent are people that make these things? Gee, WiFi and Bluetooth. No one would ever think to try to connect to something like that. I mean seriously, hard coding "1234" or "password" on an implanted defibrillator or an insulin pump?

    1. Re:About time by Obfuscant · · Score: 4, Insightful

      Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive.

      The only reason you would need a "critical security patch" is if there were some way of hacking into the device remotely. For most devices the only way people could hack into them remotely is through the new external connection that allows critical security updates.

      You create a solution for a problem created by the solution. My head hurts.

      I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

      Sending data TO an external monitor does not require receiving data FROM an external device. I have a half a dozen wireless weather sensors around my house that don't receive a single bit of data via radio, but they repeatedly send data out. Your pacemaker could do the same kind of thing.

    2. Re:About time by darkain · · Score: 5, Interesting

      As someone with a close family member who has a phone-connected life-critical medical device, let me elaborate on what exactly it is doing.

      First off, the user has direct access to statistical health information in real time. This used to be quite the costly process with throw-away testing supplies. These throw-away supplies previously would only be used maybe once or twice a day, even though health conditions can fluctuate in a few minutes' time.

      Secondly, the logged data can be reported back to medical professionals. What would you rather have, someone untrained in medicine trying to awkwardly describe how they felt at some random particular moment in time, or having true raw data from that particular experience?

      And just because a device is network connected and the device is life critical doesn't mean that the person can instantly die from wrongdoing. In this particular case, if the device was entirely shut off, the person would still survive a few days and would notice the effects within a couple hours and seek medical attention. With the device at full blast, the results would be similar. So at worst, a hacker could potentially make this person feel ill and go see a doctor, which is the exact same case that this person would experience if they were to treat themselves manually (the way things were done before) and messed up by accident.

    3. Re:About time by The+Grim+Reefer · · Score: 3, Insightful

      Agreed, but for the situation you described, you only need one way communication.

      I've read about the security (or lack thereof) on some pain pumps and implanted defibrillators. Having some sociopath getting remote access to someone's ICD could be more than a minor inconvenience.

    4. Re:About time by radarskiy · · Score: 3, Insightful

      Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

    5. Re:About time by barakn · · Score: 4, Funny

      Yes, I'm sure the updates will be obtained via Ham Radio. Fucking idiot.

      --
      "I'm so moist I'm sticking to the leather." -Kermit the Frog on The Late Late Show
    6. Re:About time by Anonymous Coward · · Score: 2, Insightful

      Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

      Probably because, like fridges, toasters, light bulbs, etc., there's no good reason for them to be internet-connected, but over time someone -- a device maker or some third-party they source some component from -- will decide that it'd be more convenient for them if the devices were internet-connected and it'll likely "just happen" because "meh, what's the worst that could happen?". Companies cut corners for their convenience or to save a few cents per widget or to simplify mandated requirements. It happens all the time.

      The "damn commenters" have seen it happen often enough that they're just shortcutting things and jumping straight to the inevitable conclusion.

    7. Re:About time by EvilSS · · Score: 2

      1980 called and it wants you to return their pacemakers. Current (and by current I mean going back at least 15 years if not more) pacemakers and ICDs have wireless communication and adjustment already. It requires a device that looks like a hockey puck connected to a laptop. Want a fun time? Watch the techs do diagnostics on them by running your heart rate up and down with the click of a mouse. They also have home reporting where you use a similar device connected to a phone line to allow the doctor to review data from the device.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  6. FDA confirmed for out-of-touch, tech-ignorant by Rick+Schumann · · Score: 5, Insightful

    You hospitals think that the ransomware attacks you've been dealing with are bad now? Just wait until you've got criminal assholes hijacking all the OTA-updatable medical devices in your entire organization -- with a couple random people 'accidentally' dying of intravenous drug overdoses or their ventilators being bricked, just to show that they're serious and that their demands should be met promptly. Stupid, stupid, stupid! There is no possible way they can adequately secure such devices. They should require physical access to the device, NEVER wirelessly.

    1. Re:FDA confirmed for out-of-touch, tech-ignorant by Rick+Schumann · · Score: 2

      No kidding. As someone else pointed out: all it'd take is a pacemaker that has OTA updatable firmware, and you've got a built-in 'kill switch' for someone.
      Imagine getting an email from the attacker: "Send us 100 Bitcoins, or we'll stop your heart."
      Imagine getting that email every few months for the rest of your life. :-(

  7. Nothing in the article says "remote" updates by stevelinton · · Score: 5, Insightful

    The article makes no mention of remote updates, let alone wireless ones. A physical port inside the device (perhaps behind a locked panel) makes sense for most devices. If the device is already remotely accessible in any way (eg to allow a physician to plug into it and recover health data) then it potentially needs security updates. If not, then being able to apply a (suitably checked and signed) firmware update with a special cable may avoid the need for surgery and/or an expensive replacement device. Assuming they get the details right, this sounds sensible.

    1. Re:Nothing in the article says "remote" updates by Jamu · · Score: 3, Funny

      I hate to think where they put that.

      --
      Who ordered that?
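The "suitably checked and signed" update that stevelinton describes above is worth spelling out, because the checks and their order are where vendors get it wrong. The following is an added example written for this thread, not code from the article, the FDA, or any device maker; the image layout (magic, model ID, version, payload, trailing Ed25519 signature), the model numbers and the key handling are all assumptions for illustration. It models what a bootloader would do with a candidate image arriving over a service cable: verify the vendor signature first, and only then trust the header fields to reject images built for another model or carrying an older (rollback) version.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not any vendor's real format):
//   magic      4 bytes   "MDFW"
//   modelID    uint32    device model the image is built for
//   version    uint32    monotonically increasing firmware version
//   payloadLen uint32    length of payload
//   payload    []byte    the firmware itself
//   signature  64 bytes  Ed25519 over everything before it
const (
	magic      = "MDFW"
	headerSize = 4 + 4 + 4 + 4
)

type Image struct {
	ModelID uint32
	Version uint32
	Payload []byte
}

var (
	ErrFormat    = errors.New("malformed image")
	ErrSignature = errors.New("bad signature")
	ErrModel     = errors.New("image is for a different device model")
	ErrRollback  = errors.New("image version is not newer than installed firmware")
)

// BuildSigned is the vendor-side release step: serialize the header and
// payload, then append a signature made with the vendor's private key.
// The private key never leaves the vendor; only the public key is in devices.
func BuildSigned(priv ed25519.PrivateKey, img Image) []byte {
	buf := new(bytes.Buffer)
	buf.WriteString(magic)
	binary.Write(buf, binary.LittleEndian, img.ModelID)
	binary.Write(buf, binary.LittleEndian, img.Version)
	binary.Write(buf, binary.LittleEndian, uint32(len(img.Payload)))
	buf.Write(img.Payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// Verify is the device-side check run before anything is written to flash.
// Order matters: the signature is checked before any header field is used
// for a decision, so an unauthenticated image cannot steer the logic.
// wantModel and installedVersion come from the device's own read-only config.
func Verify(pub ed25519.PublicKey, blob []byte, wantModel, installedVersion uint32) (Image, error) {
	if len(blob) < headerSize+ed25519.SignatureSize || string(blob[:4]) != magic {
		return Image{}, ErrFormat
	}
	body := blob[:len(blob)-ed25519.SignatureSize]
	sig := blob[len(blob)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return Image{}, ErrSignature
	}
	modelID := binary.LittleEndian.Uint32(body[4:8])
	version := binary.LittleEndian.Uint32(body[8:12])
	payloadLen := binary.LittleEndian.Uint32(body[12:16])
	if int(payloadLen) != len(body)-headerSize {
		return Image{}, ErrFormat
	}
	if modelID != wantModel {
		return Image{}, ErrModel // a valid image for the wrong product is still rejected
	}
	if version <= installedVersion {
		return Image{}, ErrRollback // anti-rollback: old signed images stay rejected
	}
	return Image{ModelID: modelID, Version: version, Payload: body[headerSize:]}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor keypair
	blob := BuildSigned(priv, Image{ModelID: 0x1001, Version: 7, Payload: []byte("constructed payload")})
	_, err := Verify(pub, blob, 0x1001, 6)
	fmt.Println("good image:", err)
	blob[headerSize] ^= 0xff // flip one payload byte: the signature must now fail
	_, err = Verify(pub, blob, 0x1001, 6)
	fmt.Println("tampered:", err)
}
```

Two design points follow from the thread. A symmetric MAC would not do here, since the key would have to live in every device and one extracted unit would let an attacker sign updates for all of them; an asymmetric signature keeps the signing key at the vendor. And the version check is what makes a physical-port update safe against someone with a cable and a genuine but old, vulnerable image: without anti-rollback, "signed" only proves the vendor once shipped it.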
  8. I can see the repercussions now by nimbius · · Score: 3, Funny

    kids: dad what happened to grandma?
    dad: well kids... she's gone to a better place
    mom: dad flashed a rom to her pacemaker with the wrong binary architecture
    dad: It's more complicated than that kids, Grandma was one SMA antenna away from being able to route our IPv6 traffic so we can use faster Fortnite servers.
    kids: is grandma in heaven?

    Dad: more importantly, does daddy's toolchain documentation cover the insulin pump in grandpa....

    --
    Good people go to bed earlier.
  9. cut that resistor and save! by AndyKron · · Score: 3, Interesting

    I worked at a medical company that "unlocked" premium features by cutting out a resistor that the software checks. Will that be on the BOM too?