We should not go down the ‘Security Theater’ path… That is not to say that this pacemaker problem is ‘security theater’, but rather to stress that ‘risk management’ is the right approach for security overall. Meaning that for any threat the likelihood and impact is used to determine appropriate reaction to that threat. An additional benefit of the risk management path is that security threats can be evaluated together with patient safety threats. Often times a security threat does introduce a patient safety threat, but an important thing to avoid is mitigating an unlikely security threat with a technology that introduces a patient safety threat. As with any risk management there is never zero risk.
*** NIST SP 800-30 Risk Management Guide for. Information Technology.Communicating with ultrasound could help make implantable medical devices safe from attack. Manufacturers have started adding wireless capabilities to many implantable medical devices, including pacemakers and cardioverter defibrillators. This allows doctors to access vital information and send commands to these devices quickly, but security researchers have raised concerns that it could also make them vulnerable to attack. More
Today at a joint DoD, FDA, NEMA (vendors of medical devices); the FDA reacted to a directed question on this thread. John Murry (FDA) indicated that they are aware of the press threads and do not see this as a legitimate threat to public health. They then reminded us that their CyberSecurity guidelines is still the FDA recommendations. http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm
ReplyDelete