"Things like delivery of pharmaceuticals and oxygen, and implanted devices are all fantastic for patient care," Fisher said. "But they are sort of the biomed equivalent of SCADA (Supervisory Control and Data Acquisition). They have a long shelf life and a slow turnaround [for updates]. So we have to assume they are vulnerable, and anywhere a computer is attached to a human, we're doing our best to protect it."
Hudock told CSO Online on Wednesday that he agreed with much of what Fisher said, but he noted that his recommendation was for segregation "if possible," adding: "I don't disagree that EHR needs to be available."
Hudock said segregation may be complicated in some cases but that it does work when properly implemented to safeguard systems. He said if it is not practical, it is important to understand the risks of the EHR systems and the other software that you're purchasing. "Sometimes, you can't patch it."
Fisher agrees purchases are critical. "We are influencing vendors," he said. "Ten years ago, [vendors] were not interested in solving the security problem, because it was not seen as the problem. Now they realize they have to become more operational and more secure."