Crappy medical devices
Rick Murray (539) 13850 posts |
https://www.theregister.com/2022/04/12/critical_vuln_hospital_robots/ Kind of makes you think that there ought to be legislation passed ensuring that any device of this nature sold to the NHS is fully open source. Clearly one cannot trust the manufacturers to get it right (or, in this case, even bother). |
Steve Pampling (1551) 8172 posts |
Fixed |
David J. Ruck (33) 1636 posts |
Open or closed source isn’t the issue, it’s coming up with a suitable certification standards, that the devices can be tested against by firms such as Cynerio, before the equipment is installed in hospitals. |
Steve Pampling (1551) 8172 posts |
Silly large numbers of suppliers quote what the FDA allow or do not, as though this was some portion of that trans-pond place. |
Pip Ahrens (8995) 18 posts |
I actually (broadly) work in this field, the vast majority of devices I work with day to day are nowhere near this sophisticated and aren’t even networked (damn near everything communicates over a 9600 baud rs232 connection or the super secure plaintext files over SMB method). |
Rick Murray (539) 13850 posts |
Like the process machines at work. It was a bit of a surprise to look inside the box and see serial connections between the major parts. But, then, 9600bps serial is “fast enough” and pretty much bomb proof. |
Pip Ahrens (8995) 18 posts |
Well this isn’t just internal, this is often large scale high throughput stuff. It really isn’t fast enough for some purposes now. Older analysers have to go through a “dance” of enq>ack>stx>ack>stx>ack>eot etc. for every single message where the speed difference between that and some of the newer standards that work over tcp/ip are night and day. |
Steve Pampling (1551) 8172 posts |
Sounds like most of the pathology labs analysers. The nearest most manufacturers seem to come to discovering TCP/IP is feeding the serial into a cheap serial/ip converter and blaming the network for anything that doesn’t work. For fairness I should also refer to a product in use in a department allied to taking the urea where the devices ignore the presence of a network interface on the controlling (PC) motherboard and use a USB plugin network interface instead – flakier than anything Cadbury ever made.1
NHSIA2 advice was to treat N3 as “hostile” and the advice given since the financially driven change to HSCN strengthens that advice. 1 I’m being kind, my manager is much more expressive on that subject 2 Name changed at intervals to protect the guilty. 2 I may be stretching reality somewhat. |
Steve Pampling (1551) 8172 posts |
It’s totally useless if the server it is talking to is in a different building, or in the case of the stuff we deal with in a different town. |
Rick Murray (539) 13850 posts |
Well, true. You won’t get live video down a 9600bps link. Not even Sophie Wilson is able to do that!
On the other hand, sticking stuff “on the internet” is a taking a risk, as this article shows. I know it’s possible to set up a private VPN between devices and sites where the public internet only carries encrypted packets (or, if money isn’t a problem, a private leased line entirely independent of the public internet). Sadly, beancounters will get into the equation, and so to rapacious manufacturers who think nothing wrong with sending themselves loads of telemetry “for diagnostic purposes” and suddenly the door is open. We already see this with smart home security cameras. The early ones had an app but could also be controlled with a browser, and it wasn’t too hard to work out the underlying commands.
Dude’s now a criminal, and he’s still in power. Once upon a time, this sort of thing would have brought down the entire government. Makes me worry about the future, that politics is less about what is viable and can be done, and more about cult of personality. How else can one explain Johnson? Or Brexit, for that matter. I fear for what sort of disaster will happen in five year’s time if there’s no moderate voice, just demagogues shouting at each other on social media… [in other words, I think Macron has his work cut out for him] |
Steve Pampling (1551) 8172 posts |
Well HL7 comms is a fairly simple message passing, but when the supplier starts throwing images around it just ain’t going anywhere fast on a serial line. |
Rick Murray (539) 13850 posts |
Oh, I’m glad I’m not you, I have no tolerance whatsoever for that degree of stupid, and I’d make damn certain they knew that (and why). ****wits. |
Pip Ahrens (8995) 18 posts |
We don’t even support direct SMB any more, we force the use of FTPS, NHSI (Digital(?)) simply won’t allow plaintext files sent willy nilly into the aether any more.
Oh I wish people would actually use HL7 (although typically all HL7 use MLLP over TCP/IP now, don’t think I’ve seen any using serial. There is one company that insists on fully framed H-P-O-{R}-L blocks for literally every single message and all on a single channel… That one is err… fun.
Thankfully I don’t have to deal with the specifics of that, we just ask people to poke holes in it for us I’m just waiting until we can use FIHR but then again that just leads to yet another standard (cue xkcd comic) to join the pipe delimited hellscape of ASTM, PMIP, HL7 v2 and the various awful hybrid rubbish that some suppliers pull out of god knows where (I want to name and shame the company that mix ASTM and HL7 but that would be unprofessional – but seriously who the hell frames a message as H – P – OBR – OBX – L). |
Steve Pampling (1551) 8172 posts |
NHSD for short, but as I say “name changed at intervals to…” FTPS There was a bit of whining a little while back because someone said they wanted to be sure things like plain FTP didn’t go anywhere, and I love closing holes :) |
Steve Fryatt (216) 2105 posts |
TCP/IP != “sticking stuff on the internet”, though. My own area of “expertise” is industrial or lab test equipment, and there the move is from RS232 for “low end” and GPIB at high end or if you need lots of devices, over to ethernet. I’ve never encountered such stuff on open networks, though: in just the same way that RS232 needs a COM Port card, or GPIB needs a GPIB interface, LAN-attached equipment goes on to a local network attached to a second network card in the host PC, which has no connection to anything in the world outside of the system itself. If you need a connection out to a “public” network, or even local servers on a building network, that’s done via a second network card in the PC, with no connection to the equipment LAN. That’s for systems that I’ve specified or designed, though; elsewhere, I suppose, YMMV. Oh, and RS232 is still very common, because it’s cheap and easy to use. |
Steve Pampling (1551) 8172 posts |
It’s pretty much covered in the thread title. |
Rick Murray (539) 13850 posts |
This time it’s not a crappy medical device so much as a crappy device often used in a medical environment (plus hotels, places of work, etc). https://www.theregister.com/2022/05/03/aruba_avaya_critical_vulns/ |