Symantec speaks out on GAO medical device security report

Axel Wirth of Symantec has written an article about the recent GAO medical device security recommendations.  While praises the execution of the study, he points out that the problems identified in the report represent just the tip of the iceberg.  Here's a snippet from Symantec:

However, there is another set of risks to consider. As discussed above, the GAO report analyses the security risks of these compact, resource-restrained implantable devices. This is, of course, critical given the device’s impact on patient health and potentially, life or death. But the medical device infrastructure of healthcare systems and hospitals is far more complex. It includes a wide range of medical devices from simple to complex, from small to large, built on proprietary platforms or based on commercial, off-the-shelf software (COTS). The latter introduces its own set of risks through a “PC under the hood” design approach since the commercial operating systems or other software can easily become an entry point for malware, whether it targets the specific device or generally exploits a vulnerability specific to the chosen platform with the device then becoming “collateral damage”.

In effect, Symantec is asking whether the scope of the GAO report was too narrow to capture a generalizable set of lessons about the ecosystem of medical device security risks.  The implication?  The medical device security iceberg is much bigger that the GAO report would indicate.