SoylentNews is people

posted by azrael on Tuesday October 28 2014, @05:11PM
from the hacking-your-tricorder dept.

IEEE Spectrum has a story on medical device security, which follows a report from Reuters that the U.S. Department of Homeland Security is investigating possible security flaws in medical devices and hospital equipment.

From Reuters:

The products under review by the agency's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.

According to Spectrum the ICS-CERT team:

wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.

The Spectrum article also references the 2011 case of remotely hacking an insulin pump, demonstrated by Jerome Radcliffe.

 
  • (Score: 1, Interesting) by Anonymous Coward on Tuesday October 28 2014, @10:54PM (#110995)

    Anon for obvious reasons.

    I worked for a few years at a medical device manufacturer company; one of the big ones that does heart-lung machines and the like. They were all about 'doing the right thing' and 'customer focus' and stuff and had a relatively thorough CAPA system for all sorts of defects and other reports. But despite that, they had an abysmal investigation rate. There were hundreds of items in the complaint logs for their heart-lung machines that had been 'filed and forgotten'; without even attempting to investigate or reproduce the problems (or very minimal, rudimentary ones). Some of them were pretty serious, like spurious flow rate increases and pump shutdowns.

    The FDA eventually caught on to it through audits, and started their process for getting the company to do a proper job investigating their failures (we're talking heart-lung machines after all, they need to be pretty damn sure they're reliable). The FDA process is actually fairly lengthy and involved, escalating through nearly a dozen different 'levels' over a several-year time frame (allowing for time to implement actions), with the final being the closure of the company for non-compliance.

    What did the company do? Ignore the FDA. So they got elevated to the next level. Now? Ignore the FDA. It took reaching a consent decree, the final step immediately before company closure, coupled with a $35 million fine, before the company actually did something about it. It's not like the logs were hidden from view or anything, I was in the hardware department and saw them personally. But that didn't matter because they were too wrapped up in developing their next iteration of products (having failed multiple times at getting one to market) and couldn't be bothered to do the investigations (the 'sustaining' department was minimal and overbooked).

    So, a kick to the balls might be more in order than you think, especially when there's a reasonable process in place like the FDA uses and it still takes years and millions of dollars in fines before the company does something about it.....
  • (Score: 2) by Sir Garlon (1264) on Wednesday October 29 2014, @12:40AM (#111021)

    Ouch, because from where I'm standing the FDA looks like an extremely industry-friendly agency.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.