Article originally published in IEDP.
Whether Russian hackers influenced the US presidential election or not, there is no escaping the fact that cybercrime has gone beyond the random activity of a few adolescents to become the focus of skilled, hi-tech, criminal networks that can steal billions, seriously damage businesses, and potentially shut down vital infrastructure.
Clearly organizations must prepare to defend themselves from cyber-breaches, but this preparation needs to be proportionate. It is important to balance the level of cybersecurity required against the actual threat and not to be overly influenced by scare stories.
It is instructive to see how one vulnerable sector, healthcare, is addressing the problem. A recent article, from professors Eric Johnson, Dean of Vanderbilt University, A.J. Burns of the University of Texas and Peter Honeyman of the University of Michigan, looks specifically at medical device security. In it the authors say, “We must resist the temptation to sensationalize the issues related to cybersecurity in the health sector, and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”
The health care industry relies increasingly on systems that collect data and share it with one another. Modern medical devices are also radically transforming the treatment of acute conditions as well as the management of chronic long-term disease. Unfortunately, as the technologies evolve, so too do the potential cybersecurity threats. At one extreme, with the implantation of software-driven devices, come potential threats to the human body – hackers gaining access to a network of interconnected medical devices, perhaps one linked to an unsuspecting victim’s pacemaker.
This is the stuff of nightmares or cheap fiction, and so it can prompt defensive action based on fear and panic rather than sober strategy. “While we strongly affirm the necessity of public awareness of these issues, we believe that hyperbole and/or mischaracterizations may lead to panic, desensitization, or perhaps worse, exploitation,” say the authors.
The authors’ article looks back at how the sector got to where it is today, in order to provide context for the current state of medical device security. The authors then highlight the good practice that is taking hold across the industry, with the FDA recommending NIST’s cybersecurity framework:
- Identify processes and assets needing protection;
- Define available safeguards;
- Devise incident detection techniques;
- Formulate a response plan; and
- Formalize a recovery plan.
The cybersecurity threats to medical devices are not unlike those that threaten other software-controlled, network-enabled devices – a category of equipment that is set to grow as we move into the era of the ‘Internet of Things’.
The core message from these authors is that all security-focused decisions involve trade-offs, and that to fully understand these security trade-offs it is critical to pause and take stock of what is at stake.
Asked what the appropriate course of action should be for health care professionals and their patients, and whether there is one risk they should be concerned about above all others, Johnson and his co-authors offer a clear answer: “It is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security.”
In other words, the biggest danger to patients’ health is not the security threats themselves but rather the irrational decisions that might result from how those threats are perceived. While users of medical devices may be vulnerable to hackers in theory, the risk, according to the authors, is not great enough to justify discouraging use of the devices altogether.