Black Hat 2014 hosted a roundtable titled “Medical Devices Roundtable: Is There a Doctor in the House? Security and Privacy in the Medical World”. Rapid7’s Jay Radcliffe laid out the major issues facing the healthcare industry as it moves toward increasing automation of both information and devices, an expanding attack surface for all sorts of potential problems.
Though the roundtable was well attended, Forbes’ Dan Munro pointed out something more striking: the healthcare industry itself was largely absent from the conference. Healthcare is becoming ever more automated, and rightly so. Bioanalytics and cloud-based monitoring help save lives by giving doctors up-to-date information on patients and remote oversight of their health. As Munro noted, this is not a bad thing: lives are not only being saved by wirelessly controlled pacemakers and insulin pumps; the lives of sick patients are often being improved by the ability to monitor and control processes that were previously invisible to them. Medical research is also far easier when information from thousands of people, all willing participants of course, can be aggregated instantly.
Radcliffe was quick to name the main issues: lack of regulatory oversight, lack of understanding even within the regulatory bodies, and lack of knowledge within the industry. As things stand, he noted, security falls under no one’s jurisdiction. The FDA issues cybersecurity “guidance”, a slippery word that lacks the teeth of the payment card industry’s PCI DSS requirements and fines. The agency rightly points out that cybersecurity is a shared responsibility, which is simultaneously a problem and an opportunity, if the industry rises to the challenge.
Unfortunately, the industry is already behind. A DEF CON talk by Scott Ervin and Shawn Merdinger explored just how lacking in security many medical devices currently are, and another Munro article noted that over 90% of the cloud services used by healthcare organizations could pose a major security risk. Consumer devices marketed as health monitors add to the exposure, since the data they gather is itself sensitive and can be harvested or misused.
Meanwhile, data breaches at hospitals and health centers are already occurring, as the recent Community Health Systems (CHS) incident attests. Breaches are, perhaps surprisingly, the one part of the healthcare industry that is clearly regulated, under HIPAA (the Health Insurance Portability and Accountability Act), a federal law whose Privacy and Security Rules, enforced by the Department of Health and Human Services, protect Protected Health Information (PHI). Even with HIPAA and the FDA’s guidance, more has to be done in this field.
And with the potential implications of a hack or breach being human life, the stakes could not be higher.