Many of you have seen my talk about medical devices and general software safety. In fact, I’m up in the Boston area, having given a similar talk yesterday at the Women’s Leadership Community Luncheon alongside the Red Hat Summit. Well, I seem to have gotten through, at least a little! While I was giving the talk yesterday, the FDA finally admitted that there is a big problem. In their Safety Communication, the FDA says that medical devices can be vulnerable to attack. They recommend that manufacturers assure that appropriate safeguards are in place to prevent security attacks on devices, though they do not recommend how this should be accomplished. They say:
The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach.
As I’ve been saying for a few years and as you can see in the paper I wrote when I was at the Software Freedom Law Center, software is more secure when the code is published for review by all. Allowing device manufacturers to keep their source code proprietary prevents us from developing the societal mechanisms and review that will truly keep us safe. As a patient and as a software expert, I applaud the FDA for taking this step, and I hope they will make a real strike for safety by at least encouraging if not requiring these companies to publish their code.