Slash Boxes

SoylentNews is people

posted by martyb on Thursday February 20 2020, @01:24AM   Printer-friendly
from the security++ dept.

When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices.

[...] medical device vendors don't always have the flexibility to upgrade their underlying platforms because of the way they license components. Since third-party components are usually licensed for a prebuilt function, the license may only allow for the device's use with a certain version of an operating system or kernel.

[...] addressing the risks means understanding and addressing the value chain for how a device evolves from concept to disposition. We need to also evolve how devices are designed and updated to match the level of support that Samsung and Apple provide. This means there needs to be dedication by manufacturers to use platforms for a longer time and a commitment to keeping the build chains current to be able to consistently deliver patches and updates to customers.

[...] Outside of the major manufacturers, many of the companies that manufacture these devices are smaller businesses, and they have to be able to afford to develop new devices and support what they have at the same time—which is often difficult even for large companies.

We need to partner with our medical device vendors to solve issues like Urgent/11 through better processes. We need to understand how the devices work, and we need to understand that it takes a lot of work to get a patch out for devices that are more complex than a standard PC. Deploying patches to these devices also carries different risks.

The S in Medical IoT stands for Security.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by Rich on Thursday February 20 2020, @05:38PM

    by Rich (945) on Thursday February 20 2020, @05:38PM (#960361) Journal

    I've been working on medical devices software (and also a bit hardware) as a contractor for the better part of my life and can give you an idea of how the processes work.

    While the software development as such isn't much different from that in unregulated markets, the verification and validation that has to go into the products is massive. At the moment I'm helping a customer with an obsolescence issue that takes me about a man-year to work out - but I would estimate that on the customer's side at least 10 man-years are being sunk for a group of testers, project leads, documentation maintainers, localization and local regulation liasions, and finally service technicians supervising installations. Maintaining high standard lab sites with a good number of devices to be tested adds to that.

    If there is the slightest change, the local regulators (EU, FDA, China, Korea, ...) all want their proof of suitability done. I'm not saying "paperwork" here, because in many cases they really want to understand what's going on and suitable testing has to be successfully done and documented. One might pull an upstream fix and do a rebuild in under an hour - but after that at least five people are occupied for two months with getting that version going in the different regulated markets. And then, add about a technician's day of work for each of about, say, 2000 deployed machines.

    The machines I work on are still air-gapped, so the upgrade has to be seen after, but they are about to be internet-ized. While that may make some things easier, it adds the effort of implementing security measures onto a legacy system. The correct approach to security is of course to design it in. But that would need a new system and sink two-to-three figures of Euro/Dollar millions for the whole process, which is infeasible in many of the niches the different vendors compete for. It might not even be a market big enough to justify an investment needed for today's standards at all. (I and colleagues at my customer just recently talked about Boeing, who produced the 737 continuously on a 1960s permit, because they couldn't really afford to design something similar to today's regulations. We could very well understand how that happened, and only remind each other to be watchful to steer well clear of such situations).

    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3