Thursday, September 15, 2016

Commentary: Hospitals need better cybersecurity, not more fear

By Kevin Fu, Dr. John Halamka, Jack Kufahl and Mary Logan | September 14, 2016

We've seen unprecedented attention to medical-device security after an unorthodox report was recently released by short-selling investment research firm Muddy Waters Capital and MedSec, which alleged security vulnerabilities in St. Jude Medical's pacemakers. An independent research team subsequently raised doubts about some of the clinical claims made by the report. St. Jude Medical, meanwhile, has filed a lawsuit disputing the allegations in the same report.

Cybersecurity risks associated with medical devices must be weighed against the often life-saving benefits of these devices. Hospitals struggle in assessing those risks: They may not know which medical-device assets are exposed to cybersecurity threats or get meaningful responses from vendors, and there is no national testing facility for medical-device security. There are different schools of thought on how to safely and effectively share information regarding medical-device security vulnerabilities. However, we should agree that vulnerability reporting should not be done in a manner that causes people to make decisions based on fear, rather than on clinically relevant data.


Read the complete article, which originally posted on Modern Healthcare.