Forgot your password?
typodupeerror
Government Medicine Security Software Science

FDA: Software Failure Behind 24% of Last Year's Medical Device Recalls 128

Posted by timothy
from the others-mostly-about-color-coordination dept.
chicksdaddy writes "Software failures were behind 24 percent of all the medical device recalls in 2011, according to data from the U.S. Food and Drug Administration's (FDA's) Office of Science and Engineering Laboratories (OSEL). The absence of solid architecture and 'principled engineering practices' in software development affects a wide range of medical devices, with potentially life-threatening consequences, the FDA warned. In response, FDA told Threatpost that it is developing tools to disassemble and test medical device software and locate security problems and weak design."
This discussion has been archived. No new comments can be posted.

FDA: Software Failure Behind 24% of Last Year's Medical Device Recalls

Comments Filter:
  • by sizzzzlerz (714878) on Thursday June 21, 2012 @11:01AM (#40398379)

    It seems like that should be of even more concern.

  • by ILongForDarkness (1134931) on Thursday June 21, 2012 @11:06AM (#40398433)

    In my experience there is way way more software failures. The vendor just sends software updates every couple months. Oh yeah the previous version had a problem where if you did things in the wrong order it would change the patient that the radiation machine was programmed for. Sorry about that but here is the fix. Or worse notices saying their is a problem so telling users to double check all the time until they release a new version ... sometime.

  • by betterunixthanunix (980855) on Thursday June 21, 2012 @11:07AM (#40398445)
    Can someone please remind me why people should be unable to examine the software in their medical devices, software that their lives may depend on? Why these programs are not open to public review?

    Oh wait, I got sidetracked thinking that the point of medical devices is to keep people healthy, rather than to rake in profits for the companies that make them.
  • by WindBourne (631190) on Thursday June 21, 2012 @11:23AM (#40398687) Journal
    Seriously, the smart thing is to develop an Open platform on Linux, with libraries for equipment to use. Likewise, offer up secured ways of updating the equipment. If FDA was smart, they would talk to NSA.
  • by MozeeToby (1163751) on Thursday June 21, 2012 @11:27AM (#40398755)

    Hiding the source code is not an effective way to prevent hacking, if it were my Windows box wouldn't need a hardware firewall, a software firewall, 3rd party antivirus software, and regular sweeps initiated from a different OS.

  • by Anonymous Coward on Thursday June 21, 2012 @12:03PM (#40399201)

    They might as well just start from scratch then. I used to work for a huge healthcare company and dealt with some of the debacles that these devices cause. "Our device only supports WEP....is that going to be a problem?" Pathetic. Luckily the place I worked was big enough to push them around and do things like force them to implement EAP-TLS, but it was tough going. Then you have all the BS with how the FDA "doesn't allow us to upgrade software without extensive testing", which of course is not entirely true.

    These companies are just like every other medical software vendor...for some reason they feel entitled to produce absolutely terrible products that are 10 years behind the rest of the world. I don't know why the medical industry is like this, or why customers put up with it. The general attitude where I used to work was, "OH NO DON'T UPSET THE POOR VENDORS!!". I was like, "aren't we paying them? tell them to fix their product or go to hell". This was true of desktop software, medical devices...everything. They wanted to bring a new system online for tracking blood donations and the software required "act as part of the operating system" privileges. Really? We're going to update our Group Policy which already gives every user local admin rights to allow that too? Why, exactly, would that be? Especially since it's nothing but a database application. Another application we had on the network would crash when our vulnerability scanner would probe its port. The entire piece of software would just die because it got a packet of a type it wasn't expecting. This wasn't an aggressive scan, this was just a probe looking for open ports. I told the department, we can give you a scan exception, but this is not a problem that's going to go away just because we stop scanning your device.

    I think the entire Medical IT industry has a day of reckoning coming. The unnecessary proprietary requirements, the poor design, the unreasonable legacy OS requirements, the poor security...it's endemic to the industry. There's this attitude that they want to use IT extensively in healthcare, but not change the workflows of providers in any way (including things like requiring strong passwords). It's not a sustainable model.

  • by dark12222000 (1076451) on Thursday June 21, 2012 @12:22PM (#40399537)
    Look up "Code Signing". Then bash your head against your desk three or four times as punishment for the stupidity you typed out above.

"Card readers? We don't need no stinking card readers." -- Peter da Silva (at the National Academy of Sciencies, 1965, in a particularly vivid fantasy)

Working...