When we read the words ‘security’ and ‘medical’ in the same sentence, if your mind works like mine, we race immediately to the plethora of data breaches caused by carelessness, poorly configured data storage devices, malicious competitors, or malware/ransomware. Rarely does our mind travel to the security of the medical devices themselves, which are meant to keep us alive and well.
This is not a new topic for those in the cybersecurity world. This author has been proselytizing on the need and benefits of securing our medical devices and infrastructure for years. We can no longer afford to continue to bifurcate the topic of medical information and medical devices/infrastructure; we must think of securing data associated with health care in a holistic sense.
Why do We Care About Medical Devices?
These devices contain and retain highly sensitive personal data of those to whom the device is attached, be it temporarily (Electrocardiogram – EKG) or more permanently (pacemaker). As you can imagine, your Protected Health Information (PHI) is being collected by the devices and either retained or shared in real time for interrogation and analysis.
Abbott’s (formerly St. Jude Medical) found itself the center of attention of both the Food and Drug Administration (FDA) and patient furor over their pacemakers, defibrillator, and other medical devices being vulnerable to a third party man-in-the-middle access via cybersecurity vulnerabilities, which could affect how the device operates, to include “rapid depletion of battery and/or inappropriate pacing or shocks.” In late August, the FDA approved a firmware update which addressed the cybersecurity vulnerabilities.
As did German electronics company, Siemens, who issued a customer alert in July 2017 warning of the highly critical vulnerabilities in a variety of their scanners. Pending a solution, which Siemens expects to push out soon (fall of 2017), Siemens has directed (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Christopher Burgess. Read the original post at: Cylance Blog