Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday February 20 2020, @01:24AM   Printer-friendly
from the security++ dept.

https://arstechnica.com/information-technology/2020/02/medical-device-vulnerability-highlights-problem-of-third-party-code-in-iot-devices/

When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices.

[...] medical device vendors don't always have the flexibility to upgrade their underlying platforms because of the way they license components. Since third-party components are usually licensed for a prebuilt function, the license may only allow for the device's use with a certain version of an operating system or kernel.

[...] addressing the risks means understanding and addressing the value chain for how a device evolves from concept to disposition. We need to also evolve how devices are designed and updated to match the level of support that Samsung and Apple provide. This means there needs to be dedication by manufacturers to use platforms for a longer time and a commitment to keeping the build chains current to be able to consistently deliver patches and updates to customers.

[...] Outside of the major manufacturers, many of the companies that manufacture these devices are smaller businesses, and they have to be able to afford to develop new devices and support what they have at the same time—which is often difficult even for large companies.

We need to partner with our medical device vendors to solve issues like Urgent/11 through better processes. We need to understand how the devices work, and we need to understand that it takes a lot of work to get a patch out for devices that are more complex than a standard PC. Deploying patches to these devices also carries different risks.

The S in Medical IoT stands for Security.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by c0lo on Thursday February 20 2020, @01:42AM (3 children)

    by c0lo (156) Subscriber Badge on Thursday February 20 2020, @01:42AM (#960120) Journal

    medical device vendors don't always have the flexibility to upgrade their underlying platforms because of the way they license components. Since third-party components are usually licensed for a prebuilt function, the license may only allow for the device's use with a certain version of an operating system or kernel.

    When copyright is more important than human lives.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 4, Interesting) by JoeMerchant on Thursday February 20 2020, @02:58AM

    by JoeMerchant (3937) on Thursday February 20 2020, @02:58AM (#960152)

    Restrictively licensed specialty software components are rarely the problem. It's the mass market components (starting with Windoze, and all the lovely support libraries) that are so highly vulnerable, and they're usually begging to be upgraded faster than they can be tested. Unfortunately, when marketing gets together for their brainstorming sessions, they mostly play with their cellphones and other consumer electronic gadgets and then ask Med Device R&D: "why can't our product do this, too?" pointing at some cool thing on some cool device that has dubious value to the patient or their caregivers. Then they get all pouty and whine: "but competitor X ALREADY has cool device Y's cool feature Z on their product, and if we don't get it too, plus somethings even cooler, we'll never be able to make our targets next quarter!!!" Unfortunately, corporate leadership is mostly about handling your sales staff as lucratively as possible, and that frequently involves giving them whatever they ask for so they're happy and confident and thereby sell more bling.

    --
    🌻🌻 [google.com]
  • (Score: 3, Interesting) by bzipitidoo on Thursday February 20 2020, @03:21AM

    by bzipitidoo (4388) on Thursday February 20 2020, @03:21AM (#960165) Journal

    Indeed. Hollywood evidently wishes so:

    https://www.youtube.com/watch?v=LZ6-q59bL9M [youtube.com]

    And this isn't just any genre, it's Science Fiction. Ahh, SF that has faster than light interstellar travel, instant teleportation, and a society that has moved beyond money (except in poker games), but intellectual property law hasn't advanced or even changed an iota from the 20th century.

    One state of affairs where no one has gone before, or ever will go!

  • (Score: 2) by RS3 on Thursday February 20 2020, @04:16PM

    by RS3 (6367) on Thursday February 20 2020, @04:16PM (#960327)

    When copyright is more important than human lives.

    When money is involved, money is always top priority.

    That said, checking into software (API?) licensing should be a top priority when choosing OSes and software for a product.