May 17, 2020

The FDA launches new guidance surrounding the development of new health-tech

Catherine Sturman

The Food and Drug Administration (FDA) has recently launched several pieces of guidance to support both the development and implementation of innovative healthcare tools and technologies.

Following the release of the FDA’s Digital Health Action Plan, FDA Commissioner Scott Gottlieb has released a statement highlighting how the agency will continue to support regulatory authorities on a global scale.

“We know that consumers and health care providers are increasingly embracing digital health technologies to inform everyday decisions. From fitness trackers to mobile applications tracking insulin administration, these digital tools can provide consumers with a wealth of valuable health information.

Further, clinical evidence demonstrates that consumers who are better informed about health make better and more efficient decisions, take steps to improve their lifestyles and their health choices, and often experience better outcomes.”

Adapting its policies to foster innovation, the FDA will provide increased clarity on its role in supporting the growth of the digital health industry, and in supporting healthcare providers and professionals in delivering exceptional patient care and improving decision making across the board.


“The first draft guidance, ‘Clinical and Patient Decision Support Software,’ outlines our approach to clinical decision support software (CDS). CDS has many uses, including helping providers, and ultimately patients, identify the most appropriate treatment plan for their disease or condition,” explains Gottlieb.

“However, the FDA will continue to enforce oversight of software programs that are intended to process or analyse medical images, signals from in vitro diagnostic devices or patterns acquired from a processor like an electrocardiogram that use analytical functionalities to make treatment recommendations, as these remain medical devices under the Cures Act.” 

The second draft guidance, titled Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act, outlines the FDA’s stance on the types of software that it no longer considers to be medical devices. It will become a significant document for providers who could be utilising outdated technologies and processes, or for the implementation of new applications which are outside of the FDA’s domain, such as mobile technologies, which bring a multitude of benefits to their users.

By collaborating with health authorities on a global scale through the International Medical Device Regulators Forum (IMDRF), the FDA has additionally released its final guidance, Software as a Medical Device: Clinical Evaluation, establishing the areas that regulators will need to address in evaluating the safety, effectiveness and performance of Software as a Medical Device (SaMD) and the potential risks surrounding such technologies.


Jun 17, 2021

Peloton vulnerable to cyber attacks, McAfee research finds

Software security experts McAfee discovered that exercise bikes by Peloton are vulnerable to cyber attacks, which the company has since resolved

Peloton’s popular exercise bikes were found to be vulnerable to cyber attacks in the latest research from McAfee.

Peloton is a brand of electric bikes that combines high-end exercise equipment with cutting-edge technology. Its products use Wi-Fi to connect to a large tablet that interfaces with the components of the exercise device and provides an easy way for physical activity enthusiasts to attend virtual workout classes over the internet several times a week.

Peloton has garnered attention recently around the privacy and security of its products. So McAfee decided to take a look for themselves and purchased a Peloton Bike+.

The problem

Researchers looked at the Android devices and uncovered a vulnerability that could allow an attacker with either physical access to the Bike+ or access at any point in the supply chain to hack into the bike’s tablet, including the camera, microphone and personal data.

For the person using it there would be no indication the Bike+ has been tampered with, potentially putting Peloton’s 16.7 million users at risk.  

The flaw was found in the Android Verified Boot (AVB) process. McAfee researchers were able to bypass the Android Verified Boot process, which normally verifies all code and data before booting. They were then able to get the device to boot while skipping this verification step.

This could potentially lead to the Android OS being compromised by an attacker who is physically present. Even worse, the attacker could boot up the Peloton with a modified credential to gain privileges, granting them access to the bike remotely. 

As the attacker never has to unlock the device to boot it up, there would be no trace of their access on the device. This type of attack could also happen at any point from construction to warehouse to delivery, by installing a backdoor into the Android tablet without the user ever knowing. 

The solution

Given the simplicity and criticality of the flaw, McAfee informed Peloton while auditing was ongoing. The vendor was sent full details, and shortly after, Peloton confirmed the issue and released a fix for it.

Further conversations between McAfee and Peloton confirmed that this vulnerability had also been present on the Peloton Tread exercise equipment.

Peloton’s Head of Global Information Security, Adrian Stone, commented on the research: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important.

“To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”
