Really?
“We are thinking about those machines that are really hard to patch, really hard to upgrade, and really hard to get inside."
If they are so hard to get inside, how come they're running malware?!?! The problem is that they're too easy to get inside...
Like others on this forum I think it's ridiculous that such devices are connected to an Internet facing network in the first place. No doubt somewhere in the small print for these devices there's words suggesting the lack of wisdom in doing so.
Regulators
And actually, where are the regulators in all this? If a device like this is merely one component of a medical network, then why does the regulatory obligation seemingly stop at the Ethernet port? Shouldn't the entire network have to be developed to the same standards as the devices? After all the whole point of the Ethernet port is to provide functionality beyond the device, and presumably that functionality is seen as important otherwise no one would bother wiring it up. And if it is important then the network design and maintenance is as important as the device's design and maintenance.
Sounds like ineffective and misplaced regulatory oversight, and it's allowed a bad situation to develop that is going to be very expensive and difficult to rectify.
Biting the hand that feeds IT
