Why fixing security vulnerabilities in medical devices, IoT is so hard

Op-ed: It’s not so easy to just patch or upgrade medical devices, IU Health’s CISO explains. …

The complex web of software and hardware components and their licensing schemes makes it difficult for healthcare organizations to upgrade or patch systems that prove to be vulnerable.

Enlarge / The complex web of software and hardware components and their licensing schemes makes it difficult for healthcare organizations to upgrade or patch systems that prove to be vulnerable.
Universal Images Group / Getty Images

reader comments

60 with 45 posters participating

When your family opened up that brand-new computer when you were a kid, you didn’t think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn’t have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space.

URGENT/11 is a vulnerability in the Interpeak Networks TCP/IP stack (IPNet), which was licensed out to multiple vendors of embedded operating systems. IPNet also became the main networking stack in Wind River VxWorks, until Wind River acquired Interpeak in 2006 and stopped supporting IPNet. (Wind River

Continue reading – Article source

Similar Posts: