In the world of medical device security, success comes down to having the capability to fail gracefully.
This is not as oxymoronic as it might seem, Kevin Fu told an audience at the Security of Things Forum in Cambridge, Mass., on Thursday. What is more important than bulletproof security, he said, is the ability to contain or “localize” breaches or infections so they don’t disrupt the continuity of operations.
Fu, CEO and cofounder of Virta Laboratories, whose opening keynote was titled “Your Fly is Down: Managing Medical Device Security Risk,” was just one of multiple experts who said the security of those devices could be drastically improved just by practicing basic security hygiene.
But even without that, the reality in the medical field is different from that of most other sectors of the Internet of Things (IoT): The risks of vulnerabilities in connected medical devices are frequently outweighed by the benefits offered to patients by those devices.
Just one example, he said, is pacemakers, which used to require the use of a needle to adjust or maintain them. “That created an infection risk, which in some cases was fatal,” he said, “so there are great benefits to wireless devices because they increase the sterile field.”
In general, he said, “patients prescribed an implant are far safer with those devices than without, even though we have found major security problems with them.”
This, he said, is not to imply that improving security is unimportant. He said a major risk to health care organizations, one that has exploded in the past year, is ransomware, which in general is aimed not at specific devices but at the entire operation.
“That can result in shutting down operations, and disrupting the clinical workflow,” he said.
But when it comes to individual medical devices, he and others said the majority of flaws fall into the “low-hanging fruit” category – they could be addressed with the digital version of zipping up your fly.
Part of the problem, which has been widely reported, is that the industry is still early in the transition to connected devices. Many are legacy systems or devices, designed without any expectation that they would be connected, and therefore without any security built in.
Dr. Julian Goldman, a physician at Massachusetts General Hospital, made that point during a panel discussion titled “Securing Connected Health Devices and Networks,” which followed Fu’s keynote.
He said a major obstacle to security is “the age of the equipment – a lot of it is 10 or 15 years old. The developers may have left the company. Those aren’t excuses, they’re just the facts. It’s very complex.”