IEEE's prescription for med-tech crowd: preventing hacks is better than a cure

Medical devices shouldn't be hackable, so the IEEE has published the first steps towards laying down decent security practice for the sector. From the late Barnaby Jack's work on insulin pumps through to this month's "hackable infusion pump", this decade has seen growing interest in medical device vulns. Working with the IEEE …

  1. Duncan Macdonald

    So of course they will do the reverse

    Expect to see a pacemaker using XOR encryption, a hard coded password of PACEMAKER, coded in C++ (coding offshored to India), running with full root access and no security log.

    1. Tomato42

      Re: So of course they will do the reverse

      You forgot to add that it will also run Linux 2.2 or some other equally ancient OS.

  2. Sir Sham Cad

    No incentive

    The medical devices market is a very restricted field. Certainly if you're after medical software it's even worse. Basically there's a certain amount of "BT Syndrome" in that these companies don't need to have fantastic products because where else are you going to go? As the title says there's no incentive for these companies to spend time and money aiming for excellence when they just need to be good enough to flog to a captive audience.

    My personal worry is that, as more and more devices are connecting wirelessly, the potential for attack grows massively. I can tell you from personal experience that even newer devices have old wireless crypto and authentication standards. Why bother updating it? It's "good enough". *sigh*

    1. ScottAS2

      Re: No incentive

      Presumably we need the medical device certification authorities to issue some smackdown and require these standards: that will soon provide the incentive. The certification process for medical equipment is pretty tortuous already (and I would be surprised if it ignored the software entirely); it just needs to include security, too.

      1. Anonymous Coward

        Re: No incentive

        The current set of standards for Medical Device Software (BS EN 62304) is hopelessly out of date and is so vague as to make it pretty much useless.

        Let's hope they take the opportunity to completely re-write the standards when considering this and not just tack it on as an addendum.

        1. Anonymous Coward

          Re: No incentive

          Though not the gist of the paper (which rightfully tries to stop the crap from getting in there), there is also the big problem with correcting security woes found post-certification. So many vendors treat their med products as write-once (because patching requires re-certification).
