Back when computers were a hot new thing for families, when we all shared one in the house and typed commands to make it do something, we didn't worry about whether our medical devices would be secure from the terrible people on the internet.
Bugs in medical devices are becoming something to worry about today. Mainly, it's security bugs in embedded devices. Companies being acquired by others, with the acquirer never updating the hardware, is an issue. Critical bugs are being found, and who is left to correct these deficiencies?
Most embedded devices depend on free software or open source software as their backbone. Many of the software tools these companies rely on are maintained by only a couple of people; some are maintained by a single person who developed the project in their free time. This makes updating difficult.
Many electronic parts come with preinstalled reference-design software: the board package that includes the code needed to install an OS on the board. Usually that board package is not updatable, similar to how cheaper Android phones never get an OS update, because nobody maintains the software embedded on that particular hardware. The work needed to update a product that sold very few units would not be worth the development time for the company.
Large companies have the ability to create updated software since they have the teams, money, and contacts to do so. They also sell far more units of each product. Even so, getting new software to run on devices designed around old OSes and old hardware can be a difficult task.
Makers of consumer-grade products may not think this is a huge problem, since items like cell phones are tossed away every year or two. Medical devices, though, are expected to be long-term-use items. People write them into budgets years at a time.
Having medical device makers provide long-term support will come at a cost, and that cost will have to be borne by users and businesses. If that cost is too high, device users will turn to third-party tech support to manage those devices instead, which in turn gives device manufacturers no reason to do anything about the situation.
Manufacturers don't always have the ability to upgrade their components either. Licenses for third-party components are usually for one function only and only for certain kernel versions. The Linux community is great at maintaining the kernel, but backporting patches to an old vendor kernel takes much more work. The major OS companies have many more resources to keep older systems up to date.
Legislation has been proposed to force some software maintenance by companies. It would force manufacturers to maintain support for their products. But this comes with its own issues.
Understanding how product development works is important. Development of these devices would have to change to match the level of the major manufacturers. Manufacturers would have to create update teams and expect that customers will use their products longer. The entire chain of building a product changes.
The problem is supply and demand as opposed to technology. We as consumers of medical IoT devices need to let manufacturers know that we want support and that we are willing to pay for it. This will have to be addressed through contracts. We have to let them know up front that we expect a certain level of service, and which devices we expect to keep using and for how long. Support costs money, and we are going to have to commit to that financial burden for the long term.
We are not going to get the level of security we get from companies like Microsoft or Apple. We will need to understand that these smaller companies have much smaller budgets and sell far fewer devices. We will need to be understanding of their position and give them the time to develop what we need.