Sell It and Forget It

By Charles Miller

In the “truth is stranger than fiction” department, take the stories of two heart pacemakers. One was the fictional storyline of the television series “Homeland” that had terrorists assassinating the vice president of the U.S. by wirelessly hacking the electronic controls of his pacemaker. Then in 2013, real-life former Vice President Dick Cheney revealed he had his doctors disable wireless connectivity of his pacemaker to prevent an adversary from turning off his heart (thereby proving he has one).

There are about 3,000,000 people in the U.S. who have pacemakers, and some of them are undoubtedly concerned by the 2020 warning from the U.S. Food and Drug Administration (FDA) that they could be remotely hacked with SweynTooth. This cybersecurity vulnerability could possibly be exploited against certain medical devices, but the FDA assures that to date it is not aware of any confirmed adverse events. This does seem to have advanced an issue I first addressed in this column five years ago. In 2018 I wrote, “Quietly and out of the public eye there has been a fierce and acrimonious battle fought between the FDA and the makers of medical devices. Today more and more medical devices from big MRI machines to tiny blood pressure and blood sugar monitors run on software that is connected to the internet. The FDA has argued that the safety of these devices depends, in part, on the ability to audit the software for security vulnerabilities and to be able to fix any problems that are discovered. The manufacturers have fought against this tooth and nail.”

Now our patience is being rewarded. As of March 30 of this year, any and all medical devices submitted to the FDA for approval are required to meet specific cybersecurity requirements. In a section of the new law titled “Ensuring Cybersecurity of Medical Devices,” manufacturers of all new medical devices are required to include a specific plan for identifying and addressing vulnerabilities and exploits along with procedures for releasing post-market updates that address security issues. English translation: in the future manufacturers of medical devices will be required to fix bugs in their software after the sale. This effectively ends the practice of “sell it and forget it” that is the current modus operandi for many manufacturers.

For now this step forward only applies to new medical devices, but we can hope that in the future we will see a trend in the direction of similar after-sale support for other internet-connected devices. I am not advocating that every inexpensive internet-connected device should have to be supported indefinitely by its manufacturer, but the “sell it and forget it” policy many manufacturers follow today has left us with millions of manufacturer-abandoned Internet of Things (IoT) appliances that have serious security vulnerabilities that will never be fixed. So as of now, new medical devices costing thousands of dollars can no longer be sold in the U.S. without continuing support. That seems to me to be a positive step.

Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981, and now practically a full-time resident. He may be contacted at 415 101 8528 or email FAQ8@SMAguru.com.