And yet ANOTHER ridiculous FDA rule

Mysty119

New member
Law Firm IT
The view from the server room.
Sunday, May 03, 2009
FDA Rule on Applying Windows Patches on Medical Devices Could Put Human Life at Risk
One of the scariest uses of the Windows OS is that it is installed on medical devices. As a result, every piece of malware coming down the pike can infect these medical devices, putting human life at risk. SANS announced last week that it had discovered Conficker worm infections on medical devices, including MRI machines.

"A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions, presumably from the programmers who created Conficker.

The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet, and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices, they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before the machines could be patched.
 

hlichten

Super Moderator
First off, to Bea, my intent is not to "jump on you" with this reply. :)

On first inspection, I have to disagree with the article in general, and also with the title of this thread, that this is "...yet another ridiculous FDA rule", and here is why I don't agree:

An MRI device is designed to take images, nothing more or less.
The only reason that they put an Ethernet connection on them is so that they can connect to the internet for Windows or other updates.

The manufacturer stated that the devices were not supposed to be connected to the internet normally, and I would agree. I think the error was made by the hospital IT staff, or someone in the radiology department by leaving them plugged in.

As someone in IT, it is normal for any business or government entity not to accept Windows Updates as they are released. For government, 90 days to evaluate a service pack is not out of the ordinary. For an MRI machine that is working fine, there is about zero reason for it to need any Windows Updates, none whatsoever. If it is working, leave it alone!

The key is that these MRI machines were connected to the internet, and that they should not have been, and that is not the FDA's fault.

I would suggest a modification to the MRI machine's firmware by the manufacturer as follows:
If an Ethernet (internet) cable is plugged in, the default should be that plugging in the cable does NOT connect to the web.
To connect to the web, there should be a command buried in the menus somewhere that requires a password to accomplish.

It is the manufacturer of the MRI machine, and its firmware that should be blamed. If this device is not normally intended to be connected to the web, then IT staff should have to jump through hoops, know a password and do a secret handshake to connect it.

I am someone that has lots and lots of complaints about the FDA's past and current practices, but I don't see any value in jumping on them for rules that we cannot prove are not justifiable. In this case, I agree with the FDA's practices, since a working MRI machine has no need for Windows Updates.

I think that being solidified against key FDA practices strengthens our stand, and trying to add complaints such as this one only weaken our position.
 
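Both posts above come down to the same operational check: devices the manufacturer says must never touch the Internet were quietly doing so, and nobody noticed until outside researchers saw the beaconing. The following is an added example, not code from the thread, the article, or any device vendor: a small Python sweep over firewall logs that looks up each source address in an inventory of "isolated" imaging hosts and reports any that reached, or tried to reach, a non-RFC1918 address. The inventory, host names, addresses and the log line format are all assumptions constructed for the illustration; denied attempts are reported alongside allowed ones because a device merely trying to reach out is the signal the researchers described.

```python
"""Flag 'isolated' imaging hosts that talk to the Internet.

Added example (not from the thread or any vendor). The inventory, the log
format and every address below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory: hosts the manufacturer says must stay off the Internet.
ISOLATED_DEVICES = {
    "10.20.5.17": "MRI-SCANNER-1",
    "10.20.5.18": "CT-SCANNER-2",
}

# RFC 1918 ranges; anything outside them is treated as "the Internet".
# (Deliberately not ipaddress.is_private, which also treats documentation
# ranges such as 192.0.2.0/24 as private and would hide the sample hits.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log lines in an assumed "<ts> <src> <dst> <proto>:<dport> <action>" format.
# 10.20.1.4:104 stands in for the hospital PACS (DICOM) the scanners legitimately talk to.
SAMPLE_LOG = """\
2009-03-24T02:11:05 10.20.5.17 198.51.100.23 tcp:80 allow
2009-03-24T02:11:06 10.20.5.17 10.20.1.4 tcp:104 allow
2009-03-24T02:12:40 10.20.7.9 203.0.113.5 tcp:443 allow
2009-03-24T02:13:01 10.20.5.18 192.0.2.77 tcp:445 allow
2009-03-24T02:13:02 10.20.5.18 10.20.1.4 tcp:104 allow
2009-03-24T02:14:00 10.20.5.17 198.51.100.23 tcp:80 deny
this line is malformed and must be skipped, not crash the sweep
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+):(\d+) (allow|deny)$")


def is_external(ip_text):
    """True if the address lies outside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)


def find_violations(log_text, inventory=ISOLATED_DEVICES):
    """Return {device_name: sorted [(dst, 'proto/port', action), ...]} for every
    inventoried host seen contacting an external address. Hosts not in the
    inventory are ignored; they are someone else's problem, not this check's."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the whole sweep
        _ts, src, dst, proto, port, action = m.groups()
        if src not in inventory or not is_external(dst):
            continue
        hits[inventory[src]].add((dst, f"{proto}/{port}", action))
    return {name: sorted(entries) for name, entries in hits.items()}


if __name__ == "__main__":
    for device, entries in find_violations(SAMPLE_LOG).items():
        for dst, service, action in entries:
            print(f"{device}: reached {dst} ({service}), firewall said {action}")
```

Run against the constructed log, the sweep reports MRI-SCANNER-1 for two attempts to 198.51.100.23 on tcp/80 (one allowed, one later denied) and CT-SCANNER-2 for a connection to 192.0.2.77 on tcp/445; the ordinary workstation 10.20.7.9 browsing to 203.0.113.5 is not reported because it is not in the isolated inventory. The point is that the inventory, not the firewall verdict, defines the violation: a scanner that the manufacturer says should be offline is already out of policy the moment it tries to leave the private ranges, whether or not the attempt succeeds.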