FDA Issues Guidance On Cybersecurity of Medical Devices 26
chicksdaddy writes "The Security Ledger reports that the U.S. Food and Drug Administration (FDA) has issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," asks device makers seeking FDA approval of medical devices to disclose any "risks identified and controls in place to mitigate those risks" in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run. While the guidance does not have the force of a mandate, it does put medical device makers on notice that FDA approval of their device will hinge on a consideration of cyber risks alongside other kinds of issues that may affect the functioning of the device. Among other things, medical device makers are asked to avoid worst-practices like 'hardcoded' passwords and use strong (multi-factor) authentication to restrict access to devices. Device makers are also urged to restrict software and firmware updates to authenticated (signed) code and to secure inbound and outbound communications and data transfers.
Re: This is good (Score:1)
Wish i had known that before i bought those piece of shit dr. dre beats headphones.
Something to look forward to... (Score:3)
Re: (Score:2)
just hope they are not running MS software on there as there EULA not for use in Medical Devices
Re: (Score:1)
Maybe you can upgrade to a wired version and have a UTP cable run out your ass?
Re: (Score:3)
Presumably Jay Radcliffe's research [bloomberg.com] is old news to you, correct? If not, I'd take a quick look-see [blackhat.com]...
Oh great. (Score:2)
Re:Oh great. (Score:5, Insightful)
If anything, you should be asking yourself: if the FDA is only now issuing this guidance, and you haven't already been worried about security in your devices, how far behind are you?
Re: (Score:2)
If anything, you should be asking yourself: if the FDA is only now issuing this guidance, and you haven't already been worried about security in your devices, how far behind are you?
If anything, we should all be asking ourselves where the secure OS'es (and, by this, I mean as verifiably secure as we can make them, via proof, extraordinary levels of test, etc., to the point where they can be insured for a relatively small amount of money) and languages that we can use to build secure systems? Not to mention
Re: (Score:2)
Well yes, as the husband of someone who wears an insulin pump, I do expect you to get your shit together before shipping the product. And considering how much we pay for these pumps and sensors, I think it's reasonable for you to demand properly documented hardware and correct compilers from your suppliers.
OR... you could stop trying to make medical devices that try to be part of the Internet of Things
Are these going to need backdoors also? (Score:4, Interesting)
Is the Government, FBI, NSA, etc going to demand a backdoor into these devices so they can be able to scan them for info in case terrorist or child pornographers are hiding info there?
Re: (Score:2)
flamebait? I was going for funny, sheesh, no sense of humor anymore...
Re: (Score:2)
Already Tracking Cybersecurity (Score:2)
Use of "Cyber" strongly indicates incompetence (Score:2)
That term is only used by people without a clue. Professionals call this "IT security" or sometimes "ICT security".
Signed by whom? (Score:2)
Device makers are also urged to restrict software and firmware updates to authenticated (signed) code and to secure inbound and outbound communications and data transfers.
Should the patient be in control of the choice of certificate through which the signatures are verified? If not, why not?
Re: Signed by whom? (Score:1)
Absolutely not.
The patient does not have the skills, knowledge of the device's internal hardware/firmware/software design, testing tools, or the time to make sure an update is safe and won't break the device. Only the manufacturer can do that.
Besides, "signed" doesn't necessarily mean the same certificate-based chain-of-trust process that most people are familiar with. It could be much simpler (and usually is for firmware or software on embedded devices).
User control of devices, more generally (Score:2)
The patient does not have the skills, knowledge of the device's internal hardware/firmware/software design, testing tools, or the time to make sure an update is safe and won't break the device.
Do you intend this reasoning to apply only narrowly to medical devices, more broadly to all electronic devices, or something in the middle? And even in the field of medical devices, do you intend to exclude a third party from being able to refurbish a medical device that has reached end of support with updated firmware and get this new firmware approved?
Besides, "signed" doesn't necessarily mean the same certificate-based chain-of-trust process that most people are familiar with. It could be much simpler (and usually is for firmware or software on embedded devices).
I was using "certificate" more broadly to refer to any data structure including a public key against which a message's authenticity is verified. In video ga