CAMBRIDGE, Ma.—When it comes to managing medical device security risk, hospital administrators should focus on weathering the storm and not necessarily prevention, Dr. Kevin Fu, a noted medical device security expert, encouraged this week.
“How do you fail gracefully when things go wrong? Will your hospital close down or will you be able to mitigate those failures?” Fu, who is also CEO and cofounder of Virta Laboratories, asked attendees at the third annual Internet of Things Forum Thursday morning.
In the event’s opening keynote, “Your Fly is Down: Managing Medical Device Security Risk,” Fu said that hackers are going to keep breaking into medical devices – most of them are legacy after all. When it happens, administrators should hope for “graceful failure,” Fu said.
“Medical devices should be subjected to rigor so our patients can make clinically relevant decisions, they are making risk choices,” Fu said, adding in a traditional IT environment, eliminating the problem is a good outcome, but in a medical device environment, simply applying a mitigation can sometimes do more harm than good.
While it’s scary that hospitals can get taken offline by ransomware – something that’s happened multiple times this year – more concerning to Fu is the wide-scale unavailability of patient care.
The integrity of medical sensors, like blood pressure monitors, is paramount, Fu said. If those devices can’t be trusted, doctors can’t do diagnoses properly. While people can recognize anomalies, compromising devices that provide important information, like test results, removes the safety net, Fu said.
Fu said the medical device industry should look to avionics, people who craft the electronic systems used on aircraft, when it comes to designing devices, because safety is baked into their culture.
“When I want to know how to gracefully fail when something goes wrong, I talk to an airline contractor,” he said.
Fu only mentioned the ongoing debacle between investment research outlet Muddy Waters and security research firm MedSec, which reported a slew of vulnerabilities in St. Jude Medical devices last month, in passing, during a Q&A following the keynote.
“We’re scientists, we believe in scientific rigor,” Fu said, “We’ve found a huge number of problems in medical devices, including pacemakers, over the years but what we were surprised by [MedSec’s report] was something I call a null hypothesis.” In statistical science, a null hypothesis is derived when sample observations result purely from chance.
Fu, who’s looked into some of the vulnerabilities with his team at theUniversity of Michigan-based Archimedes Center for Medical Device Security, has claimed publicly that at least one experiment using a St. Jude programming machine they’ve carried out produced unconvincing results. Error messages on the monitoring unit suggests that the pacemaker isn’t connected to cardiac tissue.
While he didn’t outrightly debunk the report, he’s didn’t exactly endorse it either.
“We’re not saying the report is false but the evidence does not support the conclusions,” Fu said.