03 Dec
Medical device security? Forget hackers, think ‘hand-washing’
‘This is not rocket science; this is basic hygiene’
Simply put, security control considerations were “not really part of some of these early medical devices,” said Kevin Fu, associate professor of electrical engineering and computer science at the University of Michigan.
But many of those very medical devices are still in wide use at hospitals across the U.S.
Fu has been a longtime researcher into device security. He routinely sees potentially dangerous faults in implants and bedside devices, he said Wednesday at Healthcare IT News’ Privacy & Security Forum in Boston.
By way of example, he pointed to one local hospital that had “600 Windows XP boxes in deployment.” To his astonishment, he was told by one hospital staffer that they were unpatched.
“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years,” said Fu.
“This is not rocket science; this is basic hygiene,” he said. “This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”
When it comes to device security, the “media tends to focus on the sensational,” he added. That causes the public – and even some in the (hospital) boardrooms – to misunderstand where the most significant risk is.
“In my opinion, it boils down to much more basic stuff,” said Fu. “Hackers do exist. But again, it boils down to something much more basic: ‘hand-washing.'”