That gap is not likely to be closed anytime soon. There is an acute shortage in the medical device field of workers who can conduct cyber security assessments of devices.
Then there is the culture gap, which Jon Heimerl, senior security strategist at Solutionary, said is seen in resistance to more security. Since the goal has always been to make medical devices "as easy to set up and connect as possible," adding security controls "often goes against the very nature (of medical professionals). Adding security that potentially interferes with device connectivity, and limits medical functionality seems counterintuitive," he said.
Gary McGraw, CTO of Cigital, in a post for TechTarget co-authored with Chandu Ketkar, noted that "requiring doctors to log in to a medical device just before starting a medical procedure is a bad idea because they simply won't do it regularly."
And many medical professionals don't even see the need for major concern about security. Ken Hoyme, distinguished scientist at Adventium Labs, speaking at the NIST ISPAB discussion, said medical device developers and those who use them in hospitals don't understand why hackers would want to harm patients. "The view of hospitals is, 'Why would anybody want to do that?'" he said.
"Their view is that if somebody's out there, they're trying to get information to sell it, but ... a targeted attack against a patient is outside their thought process. It leads to something I call faith-based mismanagement: 'I don't believe anybody would do that, therefore my likelihood is zero and I don't need to mitigate it.'"
Jay Radcliffe, a medical device security expert and Type 1 diabetic, thinks the medical professionals are mostly correct. He declared during a round-table discussion at the recent Black Hat conference in Las Vegas that the benefits of connected devices are enormous, and the risks are minuscule.
He agreed that malicious hacks are technically possible, and could have catastrophic results — hence the now-famous decision by former vice president Dick Cheney to have his pacemaker replaced with one that was not connected to the Web. But Radcliffe said that, for the average person like himself, it would be much more likely for "an attacker to sneak up behind him and deliver a fatal blow to his head with a baseball bat" than to be harmed by a cyber attack.
So far, he's correct. The Food and Drug Administration (FDA), which issued a "Safety Communication" in June 2013 titled "Cybersecurity for Medical Devices and Hospital Networks," said in that memo that it "is not aware of any patient injuries or deaths associated with these (vulnerabilities) nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time."