Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to thier C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

A Pattern of Complacency


A recent story which ran on CBS News entitled “How medical devices like pacemakers and insulin pumps can be hacked” highlighted deficient plans and processes by the US Food and Drug Administration for addressing medical device cybersecurity compromises. The report issued by the Inspector General has been disputed by the FDA which says that it has worked proactively on the issue with security researchers and ethical hackers to identity and fix many of the problems.

This may be the case, but the fact remains that the industry as a whole has been largely in a state of denial over the breadth of depth of cybersecurity vulnerabilities in medical devices and has been very slow to inventory and remediate risks – even when researchers have shown evidence that many security vulnerabilities pose a significant patient safety risk.

The FDAs close working relationship with manufacturers and its preference for constructive ‘guidance’ rather than ‘enforcement’ has been criticized many times before. Despite a growing body of evidence of medical devices being hacked in research lab environments and live on stage at security conferences around the world dating back nearly 10 years, it is only within the last couple of years that new devices were forced to undergo any sort of cybersecurity risk assessment prior to being approved for use on patients. Some say the FDA acted too slowly to bring about change and that nobody yet has really dealt with the legacy device problem. Medical devices have long expected life-cycles and more expensive systems like X-ray, CT and PET scanners are often depreciated over 15+ years, meaning that near-term replacement of insecure legacy devices is not a feasible option.


Whatever the case, the fact remains that most manufacturers have not taken any sort of proactive role to risk assess the security of their legacy devices in use today, even when informed of security vulnerabilities long before public disclosure. The onus for risk assessment of these devices seems to be currently placed squarely on the shoulders of providers, who in turn are ill-equipped to assess or remediate problems. Solving this problem will take a strong and concerted effort on all sides with robust leadership and oversight provided by the FDA.

The case highlighted in the CBS report is remarkably similar to another one that I wrote about – in 2016 on St Jude Medical, (now owned by Abbott Labs) who despite being informed of major patient safety risks to its implanted Cardiac Rhythm Devices (pacemakers) chose not to do anything about these risks till Muddy Waters Capital made an example of St Jude by trading on futures while engaging a security firm to hack and disclose significant weaknesses in the St Jude devices, thus gaining from a downward adjustment of the St Jude stock price.

The St Jude disclosure caused the first ever FDA intervention in medical device security after mass public concern. The fact however remains that security vulnerabilities in medical devices are likely not limited to only a few manufacturers, but common across the thousands of vendors and hundreds of thousands of medical devices that are in circulation globally, and in many cases keeping patients alive. The trouble is that we don’t really know.

Manufacturers do not have programs to risk-assess and penetration test their legacy devices and only the most recently approved devices were even tested at all from a cyber risk perspective – all other testing being primarily functional in nature in order to obtain FDA approval.

Hospitals and other healthcare delivery organizations that use or surgically implant medical devices in people’s chests rarely if ever test medical devices either. Even devices that remain in hospitals like network attached morphine and insulin pumps, X-Ray and CT scanners are rarely tested for their cybersecurity vulnerabilities, let alone devices that leave with patients and may not be seen again.

Without testing and without performing a thorough and bone-fide risk assessment in line with HIPAA, OCR and NIST standards, we will probably never really know just how big a problem this is across the entire industry.

Until such times as a full forensic examination of implanted medical device takes place, rather than simply being burned or buried with the patient, we will probably never know the true number of deaths caused by device failure, how these devices failed exactly and whether a cyber-attack against the device caused its failure.

The United States does a great job of evaluating and under-writing all kinds of risks – everything from crop yields, to natural disasters, to the likelihood of flood, fire or theft, yet as a country we really are rolling the dice when it comes to medical risk, and particularly medical device risk. In short, we as a nation, are gambling on the security of the medical devices that keep many of our citizens alive each day.

To learn about how you can evaluate medical device risks in your hospital environment ask Clearwater about its leading Medical Device Security Program or contact us to schedule a conversation.

VAHIMSS18

Richard Staynings addresses the need for better Third Party Risk Management @VAHIMSS18
Thanks to everyone who attended my presentation today on the need for improved Third Party Vendor Risk Management. Thanks also to the many other great speakers and sponsors of the VA HIMSS Annual Conference in Williamsburg, and the VAHIMSS Chapter leadership for putting on such a well run event.

As promised my slides can be found here.