Posted in Medical Computing by Jamie Hartford on June 10, 2014
Some medical device makers are doing a good job of addressing security risks to their products, while others are lagging, says one consultant.
Medical device security has been a hot button topic ever since Jay Radcliffe hacked his insulin pump on stage at the Black Hat Security conference nearly three years ago. But are medical device companies really taking the issue seriously?
A recent MD+DI reader poll on the subject after news of the Heartbleed internet security bug went public showed that it’s a mixed bag. Less than 10% of respondents said Heartbleed would spur the industry to take the issue of cyber security seriously, while around one-third said it would likely take an even bigger security breach to bring about change. Two-in five respondents said it’s about time the industry sees the light when it comes to cyber threats.
Geoffrey Pascoe, a specialist master with Deloitte, echoed those results today at MD&M East in New York City.
“Some vendors are taking it very seriously, but it’s very uneven” Pascoe said, adding that companies such as GE Healthcare and Philips Healthcare have had very active medical device security programs in place since at least the early 2000s. Other firms, however, haven’t been as diligent.
Pascoe laid out seven elements that comprise a good medical device security program:
- Security Risk Assessment
- Security Event Handling
- External Communications
- Metrics and Monitoring
- Audits and Assessment
- Education and Training
- Strategy, Charter Governance, and Policy
And though he said many medical device makers have implemented some sort of a security program, their efforts probably aren’t as comprehensive as they should be.
“I would be surprised if all [medical device companies] had every one of these elements in place,” Pascoe said.
As a result, medical device security is compromised more often than many of us think.
“Breaches are happening all the time,” Pascoe said.
As yet, he said he has no firsthand knowledge of a patient being harmed as a result of a cyberattack but added that entire hospitals were affected by network worms that shut down platforms running on Windows in the early to mid-2000s.
“Entire swaths of medical devices were failing within a day,” he said. “That has absolutely happened.”
As governments, regulators, and customers are taking a closer look at the issue, he suspects device companies, too, will start paying more attention to the issue of cyber security.
—Jamie Hartford, managing editor, MD+DI