Sunday, May 03, 2009

FDA Rule on Appying Windows Patches on Medical Devices Could Put Human Life at Risk

One of the scariest uses of Windows OS is that it is installed on medical devices. As a result, every piece of malware coming down the pike can infect this medical devices, putting human life at risk. SANS announced last week that it had discovered Conficker worm infections on medical devices, including MRI machines.
A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions — presumably from the programmers who created Conficker.

The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before the machines could be patched.

Yes you read that correctly. Windows patches for medical devices must be approved by the FDA, and the FDA must receive a 90-day notice to apply patches. The result is epic fail that could put human life at risk. This FDA rule needs to be revisited.

Labels: , , ,

5 Comments:

Blogger Mysty119 said...

This does not surprise me. It seems the FDA is in the habit of over regulating when lives are at stake. After all, they also have ruled that our very own stem cells are DRUGS! That's right. You read it correctly. They have decided that even though God gave us our bodies and everything they are made up of, that THEY have decided that our very own stem cells are drugs and therefore have to be regulated by them. Meanwhile, hundreds of thousands of people that are using these medical devices or wanting to use their own stem cells to heal their bodies or at least halt their diseases are dying. They are dying because when the FDA decides to "regulate" our cells, they are making these people wait and wait and wait to get what is already theirs. Now, they are waiting to give the OK to have the Windows patches put on Medical Devices. It's ridiculous.

12:47 PM  
Anonymous Medical Device Blogger said...

I like your post and replied to it at the link.

11:53 PM  
Anonymous Anonymous said...

Could someone please site the regulation?

4:45 PM  
Anonymous Anonymous said...

I do not believe this is correct, the FDA only requires that the manufacturer test the patches through their standard processes and guidelines for good manufacturing process. This would apply to Class 1 & 2 devices that are approved through the 510K process. The only time the FDA has to re-approve a device is if a change was made that significantly alters the functionality or intended use.

From the FDA:
"Ordinarily, FDA will not need to review software patches before a device manufacturer puts them in place. FDA views most software patches as design changes that manufacturers can make without prior discussion with FDA. FDA has already advised manufacturers on when they should involve FDA. (See FDA's guidances on General Principles of Software Validation and Deciding When to Submit a 510(k) for a Change to an Existing Device and regulations on notification and premarket approval application supplements and reports.)"

http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm070634.htm

Look for the rules from the FDA that address OTS (off the shelf software) in medical device systems.

kreedh2o

9:10 AM  
Anonymous Nick P said...

I've read the FDA regulations on software development. They just seem to require a thorough process for design, analysis, and testing. Plenty weren't so bad. Seeing how manufacturers are putting things like Windows on devices, I can see a need for tough black-box testing.

However, what I've noted from this article is that FDA isn't the problem at all: the users were. The machine wasn't supposed to be connected to the Internet. Like many embedded devices, it's difficult to change (maybe even uneconomical) and probably won't stay current with evolving threats. This is why the manufacturers said keep it off the net. So, what do they do? Connect it to the net and get some malware. (rolls eyes)

As mentioned on another blog, there are steps one can take to protect both SCADA and medical devices. Strong network level security is the easy step. A cryptoseal approach via low cost VPN's can defeat many external attacks. Better network management, end-to-end IPSec for safety-critical devices, and/or trusted front ends for them can stop threats from within the network. It just seems that many aren't even trying.

12:00 AM  

Post a Comment

<< Home