FDA Issues Medical Device Warning – But They Are Not Sure for What

Well that makes me feel a whole lot better.

The FDA says that devices that use the decades old IPNet software are vulnerable to hacking,

But they are not sure what devices that  may include.  Possibly insulin pumps.  Maybe pacemakers.

They also don’t know how many devices are affected.

Given that, I am not sure what use the warning is, other than to make people who use medical devices or have them implanted, worry.

They do say that they have identified 11 vulnerabilities that allow hackers to take over these devices.

The FDA also says that the bugs allow “anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

The FDA is working with device makers, but they say that the problem is complicated.

Well, actually, it is pretty simple, but we are talking about the government, after all.

The concept is called SOFTWARE BILL OF MATERIALS.

Think of a home appliance such as a toaster.  The bill of materials for a toaster might include a heating element or two, a timer, a glass door, a display, etc.

In the software world, a software bill of materials means a list of every piece of third party software that is used in the system that is delivered.

At one point in time, things were made out of hardware.  Now, virtually everything contains software.

Manufacturers don’t want to have to produce Bills of Materials because it tells competitors what is inside and they have to upgrade the document when they make changes.

As long as customers don’t demand bills of materials, vendors are not going to produce them and make them available.

Occasionally, not knowing what is in the software you use can cause problems.  Perhaps you have heard of a small breach at Equifax?  Because they did not realize that Apache Struts was used on a particular server, that server wasn’t completely patched.  And the rest is history.

The Department of Defense is looking at making software bills of materials a required deliverable on defense contracts.

If you as a customer know that a system that you use contains a particular software library or module, then you can proactively watch to see if that software has been updated.  You probably will have to contact the vendor at that point to get an upgrade, but at least you can ride herd on the vendor.

In the case of medical devices, things are way simpler.  Since vendors have to submit paperwork to the FDA to get devices approved, the FDA **COULD** require those vendors to provide a bill of materials.  Then that data could be entered into a database and easily searched, avoiding warnings like this one.

But, we are talking about the government, so do not hold your breath.  Source: CNBC

by