Discussion summary: The lack of meaningful data on medical device cybersecurity leads to cybersecurity unpreparedness. Today, however, there is an economic disincentive to report vulnerabilities and incidents. For instance, a hospital would incur liability by reporting a problem. These economic factors reinforce a cycle of not reporting cybersecurity problems, and the resulting absence of reported incidents feeds a false impression of preparedness. The lack of reported incidents is more likely the result of missing incentives to report and of the absence of effective reporting mechanisms designed to collect cybersecurity threat indicators from the clinical setting.
Panelists:
- Brian Fitzgerald, Deputy Director, Division of Electrical and Software Engineering, FDA CDRH OSEL
- Kevin Fu, Associate Professor, Computer Science, UMass Amherst (moderator)
- Louis Jacques, Director, Coverage and Analysis Group, Centers for Medicare and Medicaid Services
- James Keller, Vice President, Health Technology Evaluation and Safety, ECRI Institute
- George Mills, Director, Department of Engineering, The Joint Commission
- Erich P. Murrell, Lt. Col., CISO, Medical Devices, Office of the Air Force Surgeon General
Past ISPAB meetings with panels on medical device cybersecurity:
Economic incentives? You would think the potential death of patients should be incentive enough. Typical corporate thinking. They won't spend a dollar until some poor sob's ICD gets hacked and they realize they turned god knows how many people into sitting ducks.
It amazes me how engineers and programmers lack the awareness to address these issues during the design phase... Great blog, by the way; I wish for more updates on your current research!