Fu, who was also on the panel, agreed. “Of course everything is hackable,” he said, “so the key is how do you fail gracefully? How can you localize the problem so it doesn’t interrupt the continuity of operations?”
Security risks come from multiple directions, he said. They include:
- Vendors using infected USB drives.
- Vendors repairing infected machines.
- Vulnerabilities on the product assembly line.
- Software updates.
- Outdated operating systems.
Fu gave the example of a pharmaceutical compounder running Windows XP, which Microsoft no longer supports with security updates.
“When it was brought in for repair, the malware on it spread to others in the shop,” he said. “It was like Typhoid Mary.”
The risks of porous security can have serious medical consequences, he said, noting that if medical sensors have been compromised, then they become unreliable for medical staff to use to make a proper diagnosis.
He said it is crucial for designers and developers to start “building security in from the get go, because it is very difficult to bolt on after the fact.”
But he said it is even more crucial not to sow panic among patients. “They are making risk choices,” he said. “In the medical world, it is not always true that it is best to eliminate the security problem, because it may introduce new risks that would harm the patient more.”
A more rigorous authentication protocol for a pacemaker would improve security, he said, “but if the patient is unconscious or can’t remember the password, the safety problem outweighs the security risk.”
That was the message from the panel as well. “Authentication, blindly applied, doesn’t work,” said Steve Christy Coley, principal information security engineer at Mitre.
As Fu emphasized, however, there are ways to improve before a new generation of devices with better security becomes part of the infrastructure.
“One thing is just to have a better inventory,” he said. “A large number of hospitals don’t even know what devices they have, what software they’re using. If we don’t know what we have, we can’t secure or manage risk.”
Audra Hatch, systems analyst at a regional New England medical center, said things would improve with better communication among different stakeholders and departments. “We’re very siloed,” she said. “There is finance, clinicians, administration. Do these groups talk? Are we all on the same page? Do the people doing acquisition understand the clinicians?”
Goldman said he is encouraged by more involvement in medical device security by the federal Food and Drug Administration, which has issued security guidance aimed at manufacturers. “The FDA is now deeply engaged,” he said.
Christy Coley said he sees progress, “but it is slower than any of us would prefer.”
Hatch agreed. “I’m an optimist,” she said, “but an impatient optimist.”