
FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com) 96

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

  • Nice try (Score:5, Insightful)

    by TimMD909 ( 260285 ) on Thursday April 19, 2018 @04:03PM (#56467035) Homepage
    Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface... if I had a pacemaker that could get over the air updates, I'd not want to be worried that an attacker could push an update. I'd have to live my life inside of a Faraday cage to even feel somewhat safe.
    • Re: (Score:3, Funny)

      by olsmeister ( 1488789 )
      I bet you could make a really sweet Faraday onesie... bonus points if you wear it and fight crime at the same time.
      • I bet you could make a really sweet Faraday onesie... bonus points if you wear it and fight crime at the same time.

        Perfect idea for a Halloween costume too

    • Say
      in market (small area) $1/meg
      out of market (In state) $5/meg
      out of market (out of state) $10/meg
      Canada / Mexico fringe roaming $11/meg
      Canadian roaming $20/meg
      Other $50/meg
      Cell at sea $60/meg
      ----

      In Lockup free to you

      • But wait, there's more!

        Think about the user experience when Facebook gets real time bio metric feedback on your response to ads!

        So much service improvement, so many ads that we KNOW that you'll just love seeing!

    • Re:Nice try (Score:5, Insightful)

      by ElizabethGreene ( 1185405 ) on Thursday April 19, 2018 @05:14PM (#56467667)

      I find it telling that Dick Cheney's pacemaker was replaced with a unit that had all of the RF functions disabled during his tenure as VP.

      That tells me two things.
      1. He still has some biological components left.
      2. I do not want wireless interfaces on my medical devices.

      • by gtall ( 79522 )

        You have it backwards, the pacemaker was kept and the rest of Dick Cheney replaced. Now he's more of an automaton...well, more so than before.

        • Nonsense, since 2012 when Dick Cheney had a heart transplant we can finally say with certainty that he has a human heart.

          Of course, it was once somebody else's.

    • by Anonymous Coward

      Where in TFA does it talk about implanted devices? I got the impression they were talking about external things (i.e. glucose meters, etc.).

      So then: if my device (in fact a glucometer) doesn't connect to the internet it shouldn't need security patches. BUT if they make it mandatory for the firmware to be able to receive updates and patches then I'll HAVE to connect to the internet and be exposed to all KINDS of breach attempts and evildoers so I'll definitely NEED those patches to thwart THEM. Yah?

    • by harrkev ( 623093 )

      Seems like a nice way to legislate backdoors into all devices with the added bonus of an increased attack surface

      Have you ever heard of public key cryptography? https://en.wikipedia.org/wiki/... [wikipedia.org] If the manufacturer can keep their private key secret, then only they could push an update. Of course this requires hardware beefy enough to handle either ECC or RSA calculations in a reasonable amount of time... Yeah, this also assumes that they do the cryptography properly (which can be harder than it sounds).

      A
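The scheme harrkev describes, as an added example that is not part of the original comment or of any vendor's code: the device stores only the manufacturer's public key and refuses any update whose signed manifest does not verify. To run on Python's standard library alone it uses a Lamport one-time hash-based signature in place of the RSA or ECC named above; the manifest layout, the `Device` class and the `PUMP-X` model name are assumptions made for illustration.

```python
import hashlib
import secrets
import struct

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit; a key must sign exactly one message.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

# Assumed manifest layout: model (16 bytes), version (u32), SHA-256 of image.
MANIFEST = struct.Struct(">16sI32s")

def make_manifest(model: bytes, version: int, image: bytes) -> bytes:
    return MANIFEST.pack(model, version, H(image))

class Device:
    """Device-side update check; only the public key lives on the device."""
    def __init__(self, model: bytes, version: int, vendor_pk):
        self.model, self.version, self.vendor_pk = model, version, vendor_pk
        self.firmware = b""

    def apply_update(self, manifest: bytes, sig, image: bytes) -> str:
        # Authenticate the manifest before trusting any field inside it.
        if len(manifest) != MANIFEST.size or not verify(self.vendor_pk, manifest, sig):
            return "bad signature"
        model, version, image_hash = MANIFEST.unpack(manifest)
        if model.rstrip(b"\0") != self.model:
            return "wrong model"
        if version <= self.version:          # a validly signed old image is still refused
            return "rollback rejected"
        if H(image) != image_hash:           # the image must match the signed hash
            return "image hash mismatch"
        self.firmware, self.version = image, version
        return "installed"

def demo():
    sk, pk = keygen()                        # vendor side; sk never leaves the vendor
    image = b"constructed firmware image v2"  # constructed sample data
    manifest = make_manifest(b"PUMP-X", 2, image)
    sig = sign(sk, manifest)
    dev = Device(b"PUMP-X", 1, pk)
    unsigned = make_manifest(b"PUMP-X", 9, b"unsigned image")
    return [
        dev.apply_update(unsigned, sig, b"unsigned image"),  # manifest not signed by vendor
        dev.apply_update(manifest, sig, image + b"!"),       # image altered in transit
        dev.apply_update(manifest, sig, image),              # genuine update
        dev.apply_update(manifest, sig, image),              # same version replayed
    ]

if __name__ == "__main__":
    print(demo())
```

A Lamport key can safely sign only one message, so a release process built on this idea needs a many-time scheme or a fresh key per release.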

    • Bonus? You sure it's not on purpose? Talk about giving the Gov the ultimate "kill switch". Damn shame someone make the wrong political move eh?

  • by Anonymous Coward

    All those medical device manufacturers have so much know how on what to do (digital signatures, encrypted communications), let's add firmware update to the list. They can call it "secure firmware update" (because the protocol is secret, which makes it secure!). Well no, scrub that, simply make it illegal to hack devices, much cheaper than security...

  • by Anonymous Coward on Thursday April 19, 2018 @04:06PM (#56467071)

    The only thing that scares me worse than insecure proprietary bullshit that can kill people is people who don't understand technology trying to legislate insecure proprietary bullshit that can kill people.

  • by arth1 ( 260657 ) on Thursday April 19, 2018 @04:08PM (#56467081) Homepage Journal

    I'd rather have a device with no external connectivity than one that has external connectivity because one is needed by the upgrade mechanism.
    That just adds a vector for attack where there was none.

    • by Anonymous Coward

      They need to have some wireless communication in order to provide the doctor with telemetry. A pacemaker will record the heart's natural rhythm then apply its own signal, plus it needs to be able to be reprogrammed to the correct range of speeds. Then once you have that information and data transfer method, firmware updates become possible. But those have to be secured. The doctor might store all the passwords/keys on a computer/server in the treatment room.

  • It's too bad that you need this to be up 20 hours a day as the max you can set active hours to is 18 or 12 (server 2016) too bad and read the EULA we don't have to do shit.

  • About time (Score:4, Insightful)

    by The Grim Reefer ( 1162755 ) on Thursday April 19, 2018 @04:15PM (#56467139)

    the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

    First of all, why does every damn thing have to be able to connect with your phone/internet. Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive. I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

    Any manufacturer that has released a device that a malfunction could cause a lethal event with wireless access with a hard coded password should be fined a lot. And pay for whatever surgery and device is needed to remedy this. Additionally, they should pay the patients for their time and recovery. Just how incompetent are people that make these things? Gee, WiFi and Bluetooth. No one would ever think to try to connect to something like that. I mean seriously, hard coding "1234" or "password" on an implanted defibrillator or an insulin pump?

    • Re:About time (Score:5, Insightful)

      by Obfuscant ( 592200 ) on Thursday April 19, 2018 @04:29PM (#56467301)

      Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive.

      The only reason you would need a "critical security patch" is if there were some way of hacking into the device remotely. For most devices the only way people could hack into them remotely is through the new external connection that allows critical security updates.

      You create a solution for a problem created by the solution. My head hurts.

      I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.

      Sending data TO an external monitor does not require receiving data FROM an external device. I have a half a dozen wireless weather sensors around my house that don't receive a single bit of data via radio, but they repeatedly send data out. Your pacemaker could do the same kind of thing.

      • 3rd party systems in a hospital with old OSes that don't get updated is the real issue.

        • 3rd party systems in a hospital with old OSes that don't get updated is the real issue.

          If they don't have a way to hack into them, then adding an update mechanism for security patches creates a mechanism to hack into them. If you can install a patch to stop hackers via a USB stick or WiFi, for example, then hackers could install something else using a new exploit in the update system. The age of the OS doesn't matter if nothing from outside can change it.

          I have a glucose meter. It has a connection to dump data to a computer. That connection is probably bi-directional since the computer can a

      • by Anonymous Coward

        Pacemakers are not just a set electric shock on a set interval timer. The size and profile of the shock is tunable to respond to the patient's individual heart condition where the adjustment is different for every person. And they have to react differently depending on the behaviour of the patient. Is their heart rate increasing because they're running or having a heart attack? How it responds is important, and if it gets it wrong the person could pass out or die. If the software making that decision is fou

        • Pacemakers are not just a set electric shock on a set interval timer.

          I know what pacemakers do.

          If the software making that decision is found to have a bug, then yes there's a good reason to issue a critical software patch that's not just to prevent hacking.

          That is not a critical security update. It is a flaw that should have been caught before approval.

          You want to avoid surgery if at all possible so it makes a lot of sense to be able to make updates.

          You do realize that there are systems already designed that have external wired connections, which would require physical access to the device to hack into? Maybe not. Not every medical device needs wireless, and thus at-a-distance, access.

          The pacemaker also makes for a very good data logger to monitor both the device and the patient's condition. The doctors can download valuable information from such a device to inform their choice of ongoing treatment.

          As I already said, OUTPUT of data does not require an external interface for INPUT to the device. It could be as simple as a reed switch that a mag

          • by EvilSS ( 557649 )
            1980 called and it wants you to return their pacemakers. Current (and by current I mean going back at least 15 years if not more) pacemakers and ICDs have wireless communication and adjustment already. It requires a device that looks like a hockey puck connected to a laptop. Want a fun time? Watch the techs do diagnostics on them by running your heart rate up and down with the click of a mouse. They also have home reporting where you use a similar device connected to a phone line to allow the doctor to re
    • Re:About time (Score:5, Interesting)

      by darkain ( 749283 ) on Thursday April 19, 2018 @04:43PM (#56467451) Homepage

      As someone with a close family member who has a phone-connected life-critical medical device, let me elaborate on what exactly it is doing.

      First off, the user has direct access to statistical health information in real time. This before used to be quite the costly process with throw-away testing supplies. These throw-away supplies previously would only be used maybe once or twice a day, even though health conditions can fluctuate in a few minutes' time.

      Secondly, the logged data can be reported back to medical professionals. What would you rather have, someone untrained in medicine trying to awkwardly describe how they felt at some random particular moment in time, or having true raw data from that particular experience?

      And just because a device is network connected and the device is life critical doesn't mean that the person can instantly die from wrongdoing. In this particular case, if the device was entirely shut off, the person would still survive a few days and would notice the effects within a couple hours and seek medical attention. With the device at full blast, the results would be similar. So at worst, a hacker could potentially make this person feel ill and go see a doctor, which is the exact same case that this person would experience if they were to treat themselves manually (the way things were done before) and messed up on accident.

      • Re: (Score:3, Insightful)

        Agreed, but for the situation you described, you only need one way communication.

        I've read about the security (or lack thereof) on some pain pumps and implanted defibrillators. Having some sociopath getting remote access to someone's ICD could be more than a minor inconvenience.

      • There are devices where a bad actor could cause the device to kill someone. An AICD could be programmed to give a shock at the point in the cardiac cycle where it'd cause the heart to arrest and then be programmed not to give its usual life saving shock.
    • Re:About time (Score:4, Insightful)

      by radarskiy ( 2874255 ) on Thursday April 19, 2018 @05:08PM (#56467629)

      Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

      • by barakn ( 641218 ) on Thursday April 19, 2018 @05:24PM (#56467707)

        Yes, I'm sure the updates will be obtained via Ham Radio. Fucking idiot.

        • by EvilSS ( 557649 )
          Many of these devices have wireless capability that can be accessed by a doctor or tech from the manufacturer using a laptop and special antenna that goes over the device. This includes making changes to the settings of the device and running diagnostics (on both the device and the patient as needed)

          The only thing worse than an asshole is an ignorant asshole.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

        Probably because, like fridges, toasters, light bulbs, etc., there's no good reason for them to be internet-connected, but over time someone -- a device maker or some third-party they source some component from -- will decide that it'd be more convenient for them if the devices were internet-connected and it'll likely "just happen" because "meh, what's the worst that could happen?"

      • by chr1sb ( 642707 )

        Why does every damn commenter have to go off on a "connected to the internet" sidetrack when the article mentions no such thing?

        Agreed. Furthermore, why does every damn poster post about implantables? The term "medical device" covers a broad range of products.

        For example, when you visit your GP and get your blood tested, your blood is sent off to a lab where the machine used to conduct those tests is also a medical device, regulated by the FDA (in the US at least, but the FDA has influence in many other jurisdictions). Many of those devices by the way run Windows. Yes, Windows. Usually at least one embedded system too, to handle h

        • Agreed. Furthermore, why does every damn poster post about implantables?

          Because if your implantable device gets pwnd, there's nothing you can do. An external device can be disconnected or disabled without the need for surgery. If your implanted defibrillator starts shocking the shit out of your heart or a pain or insulin pump runs until it's empty there's not much you can do.

    • by gtall ( 79522 )

      I can understand the need to update a device, certainly for discovered faults. I have a hard time thinking updates are going to be done in realtime while the device is functioning. Say you are on the phone and an update occurs, "Hey fella, I'll need to call you back. An update just bricked my pacemaker."

  • 3rd party vendors must let hospital have full os update control and no forced open 24/7 links to the outside.

  • by Rick Schumann ( 4662797 ) on Thursday April 19, 2018 @04:22PM (#56467225) Journal
    You hospitals think that the ransomware attacks you've been dealing with are bad now? Just wait until you've got criminal assholes hijacking all the OTA-updatable medical devices in your entire organization -- with a couple random people 'accidentally' dying of intravenous drug overdoses or their ventilators being bricked, just to show that they're serious and that their demands should be met promptly. Stupid, stupid, stupid! There is no possible way they can adequately secure such devices. They should require physical access to the device, NEVER wirelessly.
    • It is only a matter of time before a contract hit gets carried out this way. Untraceable.
      • No kidding. As someone else pointed out: all it'd take is a pacemaker that has OTA updatable firmware, and you've got a built-in 'kill switch' for someone.
        Imagine getting an email from the attacker: "Send us 100 Bitcoins, or we'll stop your heart."
        Imagine getting that email every few months for the rest of your life. :-(
    • by Striek ( 1811980 )

      They should require physical access to the device, NEVER wirelessly.

      Physical access to a pacemaker...

      I do not think this means what you think it means...

  • My worry is that vendors of devices update the software for equipment that requires training. An OTA update WILL change how a device works.

    Hospital staff may or may not notice, and then even if they notice, who has time to figure out which devices have changed their behavior.

  • by stevelinton ( 4044 ) <sal@dcs.st-and.ac.uk> on Thursday April 19, 2018 @04:36PM (#56467373) Homepage

    The article makes no mention of remote updates, let alone wireless ones. A physical port inside the device (perhaps behind a locked panel) makes sense for most devices. If the device is already remotely accessible in any way (eg to allow a physician to plug into it and recover health data) then it potentially needs security updates. If not, then being able to apply a (suitably checked and signed) firmware update with a special cable may avoid the need for surgery and/or an expensive replacement device. Assuming they get the details right, this sounds sensible.

  • Experience shows that the Microsoft mandatory updates ALWAYS make things much better and NEVER cause problems! FDA, now bringing new meaning to the phrase "Blue screen of death"! Ack! They automatically updated my pacemaker! Will anybody with a computerized medical device now be forbidden from going out of WiFi range?
    • medical device manufacturers have some incentive to do actual engineering unlike Microsoft's clusterfuck of a QA system

  • by nimbius ( 983462 ) on Thursday April 19, 2018 @04:43PM (#56467441) Homepage

    kids: dad what happened to grandma?
    dad: well kids...she's gone to a better place
    mom: dad flashed a rom to her pacemaker with the wrong binary architecture
    dad: It's more complicated than that kids, Grandma was one SMA antenna away from being able to route our IPv6 traffic so we can use faster fortnight servers.
    kids: is grandma in heaven?

    Dad: more importantly, does daddy's toolchain documentation cover the insulin pump in grandpa....

  • The medical industry doesn't need mandatory updates. It's the electrical grid's control systems with their SCADA controllers that are always connected to the internet (even though they shouldn't be) that need mandatory updates.
  • by AndyKron ( 937105 ) on Thursday April 19, 2018 @05:32PM (#56467765)
    I worked at a medical company that "unlocked" premium features by cutting out a resistor that the software checks. Will that be on the BOM too?
  • by Anonymous Coward

    I worked for a medical devices company for a couple of years, one of the big players on the global stage, and I can tell you that before we worry about including methods for updating critical software issues, we need to first focus on getting companies to put patient safety back before profits and share price.

    These are just examples that I personally saw. Let's just say for example that to go from an idea in someone's head to a finished product, it will require $1m and take 1 year if you give the lead engin

  • Wow. Definitely don't want to be getting critical care in the hospital on the new medical device's equivalent of update Tuesday.
    • I wouldn't worry about that. Nothing will ever actually be upgraded.

      Think about it: The firmware that the device is born with is FDA approved, at great expense. If the manufacturer discovers a bug and fixes it, then the fixed version is not FDA approved. Getting a renewed approval for a software modification is expensive, time-consuming and risky. Who's going to pay for that? Customers buy the cheapest thing that is approved anyway, and since the original firmware is approved, the manufacturer's salespeo

  • by Anonymous Coward

    what could this hurt >>>update>>>

    -Phone rings

    IT: "IT how can I help you"
    Doctor: "The medical devices are pushing all the medicine into the patients at once"
    "Half are dead now"
    IT: "have you tried disconnecting the intravenous tube from their skin"
    Doctor: "you're missing the point"
    IT: "I'm sorry to hear that, Let me transfer you to level 2 support"

    IT L2: "I have remoted into the device and have turned down the dosage"
    Doctor: "You do realize that patient has been dead for 15 min now"
    IT L2: "I'

  • Even at best mandatory Windows updates are making me lose productivity at critical times. Quite a few times they crash. I don't want any of these in a pacemaker. I also don't want to have to walk in a Faraday cage if government or hackers are out to get me. Actually, keep all the radios off unless activated by means like a magnet that can not be easily faked from a distance.

  • Windows is installing update 17/67. Please do not reboot your pacemaker or die during this process ...
