What happens if pacemaker software has a bug?

by Dan on July 23, 2010

That’s some bad juju, that’s what that is. The Software Freedom Law Center (SFLC) recently did some research that points out that most medical software responsible for saving people’s lives is never audited, nor is the source code available for security testing. The concept of hacking a pacemaker isn’t new; don’t you think patients have the right to know the quality of the code that will be supporting their life? The SFLC points out in their research:

The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled.

The FDA has issued 23 recalls of defective devices during the first half of 2010, all of which are categorized as “Class I,” meaning there is “reasonable probability that use of these products will cause serious adverse health consequences or death.” At least six of the recalls were likely caused by software defects. Physio-Control, Inc., a wholly owned subsidiary of Medtronic and the manufacturer of one defibrillator that was probably recalled due to software-related failures, admitted in a press release that it had received reports of similar failures from patients “over the eight year life of the product,” including one “unconfirmed adverse patient event.”

Despite the crucial importance of these devices and the absence of comprehensive federal oversight, medical device software is considered the exclusive property of its manufacturers, meaning neither patients nor their doctors are permitted to access their IMD’s source code or test its security.

Even if the FDA did begin implementing a software security review process for medical devices that sustain patients’ lives, would they even hire people competent enough to detect security flaws and logical errors in the code? As more of these devices expand their wireless capabilities, how long will it be before cyber attackers target medical devices (if it isn’t happening already)?

H/T: Slashdot
