Blueborne malware: impact on Omnipod Dash?

What do you think will be the impact of this finding [BlueBorne Android malware] on the OmniPod Dash system? They are using the Android platform.

They have done clinical trials already, but if they were doing their clinical trials on an un-patched version of Android, do they have to restart with clinical trials? Anyone have a guess on the FDA requirements?

I would think any change to the OS would require a restart, but I do not know.

Any opinions?

1 Like

The Dexcom G5 is FDA-approved with Android. It is limited to specific phones and Android major/minor versions, but I have not seen any limitations on build numbers:

So, imho, this means no impact to the Dash.

It doesn’t have anything to do with Dexcom. I am specifically talking about the omnipod Dash system, and delivering insulin.

If Dexcom has already been approved, this finding would not reverse the approval for them.

But Dash has not been FDA approved.

If Dash is build on a vulnerable version of Android, would they actually approve it?

I am saying that, by analogy to the Dexcom FDA approval, the FDA does not care about the build number, so, if the Dash qualifies/ ships with a patched build number, the FDA won’t care. Ergo no impact to Dash.

The FDA needs to approve the whole thing, including the hardware and the OS version the system uses.

If they have done their clinical trials on Android version 7.1, and then it is found vulnerable, but they did not get their FDA approval yet, of course when it gets to FDA approval they care what version of Android it is on. They can’t release it on a vulnerable version.

I don’t think they can’t just put their system on a completely different OS version and skip trials. I would think they need to go back through their clinical trials.

They can’t just put it on a completely different OS version and think the FDA won’t care.

For instance, if they did clinical trials on Android, they could not put their system on Apple and think the FDA would simply approve it. It is an entirely different system.

A different version of Android is just…different. I don’t see how they would overlook that.

Per the Dexcom listing, the FDA does not care about the build number within the same version number. A new patch does not increment the version number, it only increments the build number (called versionCode in Android): it is the way the release system works with Android.

So no FDA impact, sorry!

You don’t know what version number they built it on. So it may require more than a patch.

And you don’t know if they will patch older versions or require updates.

So I don’t know how you could be certain.

I just read an article about FDA and security and patching. The gist as I recall was the FDA does not require re-approval for patching. (Which for a change is entirely reasonable and practical.)

I can probably find the article again and link it in. It was interesting.

Edit: Document found as described below:

Postmarket Management of Cybersecurity in Medical Devices
December 28, 2016

Note that this is non-binding. I can only assume in FDA terms that means:
“Follow this or suffer the consequences.”

“21 CFR part 806 requires device manufacturers or importers to report promptly to FDA certain actions concerning device corrections and removals. However, the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as “cybersecurity routine updates and patches,” are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under 21 CFR part 806. For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the Agency.”

I just found another little “FDA Fact Sheet” that appears to give nice summaries around some of these issues. Would have been nice to stamp a date on this somewhere.

1 Like

So the question remains if the Android fix for this vulnerability will be a patch or if a new version will be released to fix it.

We don’t know what version Dash was built on, and we don’t yet know for what build versions a fix will be implemented by Android. So that’s why I was wondering the impact.

All true, so you are right that we can’t be sure. But I would say it is quite unlikely that FDA issues will impact Dash about this patch. I do think that they Insulet (Omnipod maker) want to patch quickly: that may delay them some.