FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.
In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.
All those medical device manufacturers have so much know-how on what to do (digital signatures, encrypted communications), let's add firmware update to the list. They can call it "secure firmware update" (because the protocol is secret, which makes it secure!). Well no, scrub that, simply make it illegal to hack devices, much cheaper than security...
The only thing that scares me worse than insecure proprietary bullshit that can kill people is people who don't understand technology trying to legislate insecure proprietary bullshit that can kill people.
I'd rather have a device with no external connectivity than one that has external connectivity because one is needed by the upgrade mechanism.
That just adds a vector for attack where there was none.
It's too bad that you need this to be up 20 hours a day as the max you can set active hours to is 18 or 12 (server 2016). Too bad, and read the EULA: we don't have to do shit.
the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.
First of all, why does every damn thing have to be able to connect with your phone/internet. Unless there's a damn good reason, I don't know why you would want to introduce security holes in a device that is keeping you alive. I suppose it's convenient to have your pacemaker app on your phone giving you live updates about how well it's working so you can post it to Facebook or something. But not if it means that anyone within range can turn the thing off, or cause it to malfunction.
3rd party vendors must let hospitals have full OS update control and no forced open 24/7 links to the outside.
