[ezoe]

This situation is even funnier(and sadly very seriously flawed) in Japan.

Medical equipment require an authorization to use. Any change to the medical equipment requires another authorization or it's prohibited.

By "any change" , it includes Windows Update(it changes the system obviously).

The result: they use anti-malware software to protect(or rather, believed to protect) unpatched Windows.

At least one anti-malware software company(Trend Micro), marketing that their software can protect the medical equipment in such situation.

[exhilaration]

But... what about AV/malware definition updates? Doesn't that fall under "any change"?

[symtos]

and what about security updates to the snakeoil they sell, eg. https://bugs.chromium.org/p/project-zero/issues/detail?id=69...

[Blackthorn]

> Any change to the medical equipment requires another authorization or it's prohibited.

Honestly, this isn't a bad decision. If the device was tested and certified with specific software, a software upgrade is not guaranteed to not cause a problem.

[symtos]

using software with known problems in order to avoid potential problems from an upgrade does not seem like a non-bad decision

[Blackthorn]

Is the medical device working right now? Yes. Could, upon upgrading, the device stop working, possibly in a subtle way that might kill somebody? Yes.

The approval process for medical devices is rightfully difficult. Software upgrades, even if they seem trivial, should not be a backdoor process of bypassing testing and approval.

[symtos]

...and could software deployed to the device by some random who just exploited some well-known security flaw that never got patched, kill people?

[Blackthorn]

This whole discussion has been about stuff air-gapped. That's not a guarantee when you have USB ports, but it does help.