SoylentNews is people

posted by azrael on Tuesday October 28 2014, @05:11PM
from the hacking-your-tricorder dept.

IEEE Spectrum has a story on medical device security, which follows a report from Reuters that the U.S. Department of Homeland Security is investigating possible security flaws in medical devices and hospital equipment.

From Reuters:

The products under review by the agency's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.

According to Spectrum, the ICS-CERT team:

wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.

The Spectrum article also references the 2011 case of remotely hacking an insulin pump, demonstrated by Jerome Radcliffe.

  • (Score: 2) by Sir Garlon (1264) on Tuesday October 28 2014, @07:04PM (#110944)

    I agree, but the problem is so serious I am more interested in getting the companies to change their behavior than in beating them up. Let the government give them a chance to clean up their act before bringing out the big stick.

    That said, I am adamant that we, the taxpayers, not bail out these companies if they get sued into oblivion for their decade of gross negligence.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  • (Score: 3, Insightful) by davester666 (155) on Tuesday October 28 2014, @07:08PM (#110946)

    How many times are we going to give companies velvet-gloved handjobs, "to encourage them to do the right thing", only to find out they all are into S&M, and need a high-heel spike to the groin to even consider doing "the right thing".

    • (Score: 2) by Sir Garlon (1264) on Tuesday October 28 2014, @08:30PM (#110971)

      I understand your frustration and I share it to some considerable extent.

      In my own experience, if you take a demanding and compliance-based approach to security, saying "do X or else!" then people resent it. They become passive-aggressive and they will do the minimum required to achieve the appearance of X, and bitterly refuse to do more. The cynic in me says this is what the PCI standards [pcisecuritystandards.org] have achieved.

      On the other hand, if you can successfully persuade them of the need to do the Right Thing, then they will do what it takes to do the Right Thing.

      Persuading people to do the Right Thing does not have to be all rainbows and unicorns. For example, pointing out that insecure medical devices are a horrendous liability risk (because they are) could be quite persuasive to some suits.

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday October 28 2014, @10:54PM (#110995)

        Anon for obvious reasons.

        I worked for a few years at a medical device manufacturer company; one of the big ones that does heart-lung machines and the like. They were all about 'doing the right thing' and 'customer focus' and stuff and had a relatively thorough CAPA system for all sorts of defects and other reports. But despite that, they had an abysmal investigation rate. There were hundreds of items in the complaint logs for their heart-lung machines that had been 'filed and forgotten', without even attempting to investigate or reproduce the problems (or only very minimal, rudimentary attempts). Some of them were pretty serious, like spurious flow rate increases and pump shutdowns.

        The FDA eventually caught on to it through audits, and started their process for getting the company to do a proper job investigating their failures (we're talking heart-lung machines after all, they need to be pretty damn sure they're reliable). The FDA process is actually fairly lengthy and involved, escalating through nearly a dozen different 'levels' over a several-year time frame (allowing for time to implement actions), with the final being the closure of the company for non-compliance.

        What did the company do? Ignore the FDA. So they got elevated to the next level. Now? Ignore the FDA. It took reaching a consent decree, the final step immediately before company closure, coupled with a $35 million fine, before the company actually did something about it. It's not like the logs were hidden from view or anything; I was in the hardware department and saw them personally. But that didn't matter because they were too wrapped up in developing their next iteration of products (having failed multiple times at getting one to market) and couldn't be bothered to do the investigations (the 'sustaining' department was minimal and overbooked).

        So, a kick to the balls might be more in order than you think, especially when there's a reasonable process in place like the FDA uses and it still takes years and millions of dollars in fines before the company does something about it...
        • (Score: 2) by Sir Garlon (1264) on Wednesday October 29 2014, @12:40AM (#111021)

          Ouch, because from where I'm standing the FDA looks like an extremely industry-friendly agency.
