Last week, Christopher Sundberg left a comment on my post (removed from paywall) at CFSD Detailed Analysis on CISA’s advisories published on Thursday. He noted that:
“The Baxter Life2000 device, with the software version noted in the advisory, is also part of an FDA recall (https://www.fda.gov/medical-devices/ventilator-correction-baxter-healthcare-updates-use-instructions-life2000-ventilation-system-due)”
I just had a chance to look at the ‘recall notice’ (I wish the FDA would call this a ‘software update’ notice, but there are regulatory issues related to the term ‘recall notice’ that would not apply to the more technically correct term). While there certainly appears to be a software-related issue involved in the recall, it does not appear to be a cybersecurity issue.
The FDA and CISA both acknowledge that (different) workarounds should be implemented (the FDA requires that the recall-specific workarounds be applied; CISA can only report that the cybersecurity workarounds are available) pending Baxter’s development of a new version of the Life2000 Ventilator software. The wording of the recall notice is sort of vague, however, when it comes to whether updating the software will be specifically required when Baxter makes it available.
“The firm is currently working on a software update to address this issue and will contact all impacted customers to update their devices once the update is available.”
If the update is required, this would be the first time that the FDA mandated the correction of an unreported (to them anyway) cybersecurity issue in a medical device.