Tuesday, October 30, 2012

Stop the insanity. Stop sensationalism of medical device security.

I am tired of hearing about medical device security "news" chuck full of sensationalism and hyperbole.  You don't have to shout that the sky is falling.  It's not.  Yes, there are real cybersecurity problems for medical devices that need innovative engineering and policy solutions.  But there is no reason to panic or run for the hills in fright.  Even though it's Halloween.  The latest example is an abstract at the Medical Device Connectivity Conference that I did not write.  I was aghast when I read what the conference had written as a placeholder for my talk on medical device security, as I have no intention to play the doom-and-gloom card about hacking medical devices.  Yes, medical devices can be hacked. Surprise. Yes, it's important to share the facts for science and engineering. But let's focus our attention on improving public health rather than what sells headlines.  Here's the revised abstract that will appear in a reprint.

Medical Device Cybersecurity: The First 164 Years
By Kevin Fu, 4th Annual Medical Device Connectivity Conference & Exhibition, Joseph B. Martin Conference Center at Harvard Medical School, Boston, MA, Nov 1, 2012. 
We've all seen the news stories about hacking implanted pacemakers and patient worn insulin pumps.  However, what keeps me up at night is a more mundane security problem: unavailability of patient care.  When conventional malware shuts down a cath lab, seriously ill patients can be subjected to unnecessary risk of transport.  When a medical system is not available for use, patients do not receive the quality of care they deserve.  This presentation will explore the risks, realities and countermeasures of medical device system security. Systems considered will range from purpose-built systems like pacemakers and programmers to embedded system medical devices interconnected on enterprise wide IT infrastructures. The effectiveness of current methods, tools and countermeasures will be discussed, with an emphasis on continuing gaps and vulnerabilities. Best practices for manufacturers and providers will be presented, as well as predictions on emerging risks.
If you can't wait until Thursday, then you can skim a related talk on regulatory responsibilities for medical device security that I gave yesterday at the Regulatory Affairs Professionals Society in Seattle.  There's no reason to panic.  Just be informed and commit to improving the cybersecurity of increasingly interconnected medical devices.

No comments:

Post a Comment

All comments are moderated to prevent spam, so please pardon the delay while our anti-spam team looks at incoming messages.