Slashdot Mirror


FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

7 of 96 comments

  1. Nice try by TimMD909 · · Score: 5, Insightful

    Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface... if I had a pacemaker that could get over the air updates, I'd not want to be worried that an attacker could push an update. I'd have to live my life inside of a Faraday cage to even feel somewhat safe.

    1. Re:Nice try by ElizabethGreene · · Score: 5, Insightful

      I find it telling that Dick Cheney's pacemaker was replaced with a unit that had all of the RF functions disabled during his tenure as VP.

      That tells me two things.
      1. He still has some biological components left.
      2. I do not want wireless interfaces on my medical devices.

  2. Inb4 a mandated update mechanism gets compromised. by Anonymous Coward · · Score: 5, Insightful

    The only thing that scares me worse than insecure proprietary bullshit that can kill people is people who don't understand technology trying to legislate insecure proprietary bullshit that can kill people.

  3. Not necessarily good by arth1 · · Score: 5, Insightful

    I'd rather have a device with no external connectivity than one that has external connectivity because one is needed by the upgrade mechanism.
    That just adds a vector for attack where there was none.

  4. FDA confirmed for out-of-touch, tech-ignorant by Rick Schumann · · Score: 5, Insightful

    You hospitals think that the ransomware attacks you've been dealing with are bad now? Just wait until you've got criminal assholes hijacking all the OTA-updatable medical devices in your entire organization -- with a couple random people 'accidentally' dying of intravenous drug overdoses or their ventilators being bricked, just to show that they're serious and that their demands should be met promptly. Stupid, stupid, stupid! There is no possible way they can adequately secure such devices. They should require physical access to the device, NEVER wirelessly.

  5. Nothing in the article says "remote" updates by stevelinton · · Score: 5, Insightful

    The article makes no mention of remote updates, let alone wireless ones. A physical port inside the device (perhaps behind a locked panel) makes sense for most devices. If the device is already remotely accessible in any way (e.g. to allow a physician to plug into it and recover health data) then it potentially needs security updates. If not, then being able to apply a (suitably checked and signed) firmware update with a special cable may avoid the need for surgery and/or an expensive replacement device. Assuming they get the details right, this sounds sensible.

  6. Re:About time by darkain · · Score: 5, Interesting

    As someone with a close family member who has a phone-connected life-critical medical device, let me elaborate on what exactly it is doing.

    First off, the user has direct access to statistical health information in real time. This before used to be quite the costly process with throw-away testing supplies. These throw-away supplies previously would only be used maybe once or twice a day, even though health conditions can fluctuate in a few minutes' time.

    Secondly, the logged data can be reported back to medical professionals. What would you rather have, someone untrained in medicine trying to awkwardly describe how they felt at some random particular moment in time, or having true raw data from that particular experience?

    And just because a device is network connected and the device is life critical doesn't mean that the person can instantly die from wrongdoing. In this particular case, if the device was entirely shut off, the person would still survive a few days and would notice the effects within a couple hours and seek medical attention. With the device at full blast, the results would be similar. So at worst, a hacker could potentially make this person feel ill and go see a doctor, which is the exact same case that this person would experience if they were to treat themselves manually (the way things were done before) and messed up on accident.