Monday, September 24, 2012

Your medical device is secure as long as you don't plug it in. To use it, first plug it in.

Mark Olson, the Chief Information Security Officer (CISO) at the Beth Israel Deaconess Medical Center, offers an interesting analogy to summarize how hospitals feel they are being treated when it comes to security of medical devices they purchase:

"I equate this to buying a high-end automobile - such as a Mercedes Benz - and having it delivered with old-style drum brakes and no power brake system, and the salesman advising, 'Keep it under 20 mph and you should be able to stop with no problem.' The risks presented by this would simply not be accepted by the customer base; no one would purchase the vehicle, and it would soon no longer be offered."
-Mark Olson

It's an interesting analogy to ponder as hospitals and manufacturers struggle to reach consensus over (1) what exactly are the problems facing medical device security, and (2) what are the most effective approaches to systematically improve security. No more whack-a-mole approaches, please. These security issues are really hard to solve for both technical and managerial reasons, among others.

The good news is that some manufacturers (especially in the cardiac rhythm management and diabetes management markets) are beginning to integrate security thinking earlier in the medical device manufacturing process. I've met some really smart medical device engineers who are excited about improving security and privacy. Manufacturers playing catch-up should take a page from the companies that are succeeding at integrating security processes into manufacturing, but a danger is that it's often hard to distinguish good security from bad. Beware of snake oil. We owe it to patients to improve the security of connected medical devices. Security is an important public good!

The full article by Mark Olson appears at Healthcare Info Security.
