Besides all that, they noted that the interests of multiple stakeholders – researchers, manufacturers, providers, patients and regulators like the Food and Drug Administration (FDA) are involved.
Amid all that bad news, Schmidt insisted that, “all hope is not lost,” because the problems with those devices are mostly the same and, at least from the technical standpoint, “they’re not hard to fix.”
The solution, he said, is to “build security in” – something his former boss, Gary McGraw, CTO of Cigital, has been preaching for more than a decade, and even wrote a book with that title 10 years ago.
That, he said, means making it part of the process from the beginning – the design phase. He noted that there are secure software development practices available, and that sites like GitHub have made peer review simple.
“Be transparent while you’re building, not after you’re on the market,” he said, noting that, “more eyes spot more bugs.”
Finally, he urged developers to, “hack yourself. Try to break the stuff you created,” before putting it on the market.
The message from Chase and Coley is that management of the risks of such devices requires, “a delicate balance of security, safety and privacy – they overlap.”
“Each can interfere with the other,” Chase said. “You don’t want the AV (antivirus) firing during surgery.”
And, for some patients, the availability of a device can trump the small risk that it could be compromised.
That, they said, has led to efforts to adapt the Common Vulnerability Scoring System (CVSS) to healthcare, by focusing on what the actual impact of a vulnerability is on patient safety, when put in the context of its value to the providers and patients.
The so-called “base score” can exaggerate the risk, they said, while undervaluing a device’s value to patients. They cited examples of a medical staff person being required to confirm the setting of a fusion pump before it is used, which presumably would catch an attempt by an attacker to change it remotely.
They said one effort to bring context to the ranking of risks is to use other frameworks like the Common Weakness Scoring System (CWSS) and the related Common Weakness Risk Assessment Framework (CWRAF).
“The goal is to take the environment into consideration along with the base score,” Coley said. “We don’t want FUD (fear, uncertainty and doubt) to make patients fearful of life-saving therapy.”
Sign up for CIO Asia eNewsletters.