It's not too surprising that medical devices have security risks. The bigger question is how to find effective and balanced ways to reduce security risks in a landscape where threats can emerge without warning. Dr. Fu explains that if a medical device company wishes to attract hackers to devices, the company should follow this simple, four-step program:
- Increase software complexity so that testing becomes an ineffective technique for risk management. Make extensive use of pointers and non-type-safe programming languages.
- Add unprotected radio communication so that the physical barriers that used to keep attackers out no longer do. Special overconfidence points are awarded for using "proprietary techniques" to "secure" a radio/wireless link.
- Trust the Internet for clinical decision making; add decades of Internet security holes and web browser vulnerabilities to your trusted computing base.
- Be complacent. Assume that absence of a security problem today means there never will be.
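The "proprietary techniques" jab in step two deserves a concrete illustration. The following Python is an added example, not code from Dr. Fu's talk or from any device vendor: it uses a constructed repeating-key XOR scrambler as a stand-in for a home-grown link "protection" scheme, shows that a single predictable telemetry frame (a periodic status report) hands an attacker the key and lets them forge an arbitrary command frame, and then shows the same forgery being rejected by a keyed MAC with a replay counter. The frame formats, key values and the `STATUS:`/`CMD:` strings are all assumptions made up for the demonstration; HMAC-SHA256 is used here only because it is in the standard library, and it provides integrity and freshness, not confidentiality, so a real link would use an authenticated-encryption mode such as AES-GCM.

```python
"""Constructed example: a 'proprietary' radio scrambler versus a keyed MAC.

Nothing here is from a real device. The scrambler, frame strings and keys
are invented to show why obscurity on a wireless link is not security.
"""
import hashlib
import hmac

# --- The "proprietary technique": repeating-key XOR over each radio frame ---
SCRAMBLE_KEY = bytes.fromhex("7a3c91e5d20b")  # constructed 6-byte device secret


def scramble(frame: bytes, key: bytes = SCRAMBLE_KEY) -> bytes:
    """XOR every byte with the repeating key. The same call descrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(frame))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Attacker step 1: a frame with predictable content (a periodic status
    report) exposes the keystream byte-for-byte."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def find_period(keystream: bytes) -> int:
    """Attacker step 2: shortest repeat length of the recovered keystream."""
    for period in range(1, len(keystream)):
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return period
    return len(keystream)


def forge_frame(ciphertext: bytes, known_plaintext: bytes, new_plaintext: bytes) -> bytes:
    """Attacker step 3: build a frame the device will descramble to new_plaintext."""
    keystream = recover_keystream(ciphertext, known_plaintext)
    key = keystream[: find_period(keystream)]
    return scramble(new_plaintext, key)


# --- What should replace it: a keyed MAC plus a monotonic counter ---
LINK_KEY = bytes.fromhex("c1" * 32)  # constructed 32-byte per-device link key
TAG_LEN = 32                         # HMAC-SHA256 output length


def seal(frame: bytes, counter: int, key: bytes = LINK_KEY) -> bytes:
    """Sender side: counter || frame || HMAC(counter || frame)."""
    header = counter.to_bytes(4, "big")
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + frame + tag


def open_frame(packet: bytes, last_counter: int, key: bytes = LINK_KEY) -> tuple:
    """Receiver side: verify the tag in constant time and reject replays.
    Returns (frame, counter) or raises ValueError."""
    if len(packet) < 4 + TAG_LEN:
        raise ValueError("truncated packet")
    header, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    counter = int.from_bytes(header, "big")
    if counter <= last_counter:
        raise ValueError("replayed or stale counter")
    return body, counter


def demo() -> dict:
    """Run both links against the same attacker and report what each accepts."""
    status = b"STATUS:BATT=97%;RATE=60"   # constructed predictable status frame
    command = b"CMD:SET_RATE=120"         # constructed command the attacker wants in

    # Scrambled link: one sniffed status frame is enough to forge any command.
    sniffed = scramble(status)
    forged = forge_frame(sniffed, status, command)
    scrambler_accepts_forged = scramble(forged) == command

    # Authenticated link: tampering and replay are both rejected.
    packet = seal(status, counter=7)
    _, counter = open_frame(packet, last_counter=6)
    tampered = packet[:4] + command + packet[-TAG_LEN:]
    try:
        open_frame(tampered, last_counter=6)
        mac_accepts_forged = True
    except ValueError:
        mac_accepts_forged = False
    try:
        open_frame(packet, last_counter=counter)  # same packet seen again
        mac_accepts_replay = True
    except ValueError:
        mac_accepts_replay = False

    return {
        "recovered_key_matches": forged == scramble(command),
        "scrambler_accepts_forged_command": scrambler_accepts_forged,
        "mac_accepts_forged_command": mac_accepts_forged,
        "mac_accepts_replay": mac_accepts_replay,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The scrambler falls because it is a fixed keystream, and a fixed keystream plus one known frame is a known key; no amount of secrecy about the algorithm changes that arithmetic. The MAC side also shows the part that proprietary schemes routinely forget: a counter checked on receipt, so that a captured legitimate frame cannot simply be replayed later.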