Writing for Semiconductor Engineering, Ernest Worthman describes the health care industry as “woefully ill-prepared” for a digital Cyber Age.
“This is a rather dismal assessment, considering that the volume of personal health-related data is an order of magnitude greater than the equivalent data in the financial segment and growing rapidly,” he opines.
“Within the past couple of years, millions of personal health care records have been leaked. Yet the health care industry is still behind other critical industries in security spending.”
Indeed, ABI Research confirms that security spending in the health care segment is expected to total only $10 billion by 2020 in the United States, approximately 10% of what other critical segments will be dedicating to digital security.
“Cyber security for health care is still a small, fragmented market and security is lacking,” says Michela Menting, practice director for the digital security service at ABI Research.
As Worthman notes, most of today’s medical devices integrate reconfigurable embedded systems, many of which are known to be vulnerable to various cybersecurity breaches.
“As interconnected medical devices proliferate and connect via hospital networks, the Internet, other medical, and smart devices, the risk of cybersecurity breaches that could affect how a medical device functions rises dramatically,” he confirms.
Paul Kocher, president and chief scientist of the Rambus Cryptography Research division, concurs with Worthman’s assessment.
“Medical devices with processors have bugs in the same way that other kinds of devices do. So there really isn’t any fundamental difference in addressing that, but there is a big difference in that the consequences can be life threatening,” Kocher told Semiconductor Engineering.
“What I see as a major concern is the case where devices have direct, or indirect connections to the broader network. For example, if a patient is connected to a device that talks to a system that is connected to the Internet, or the cloud, that tunnel of connectivity completely changes the risk profile.”
Moreover, the steps administrators can take to manage security risks in other devices – including frequent security updates – do not tend to work very well in a medical environment due to FDA regulations.
“[Nevertheless], at the end of the day I would rather have a life-saving remedy with security risks than to have no remedy at all,” Kocher concludes.
From an engineering perspective, adds Kocher, there are several avenues that can be explored, including developing more secure operating systems, designing processors with hardware-based security options, improving detection of anomalous activity, and deploying multiple processors that check their answers against one another.
Interested in learning more about the challenges of cyber security in the medical sphere? You can check out the full text of Ernest Worthman’s “Red tape and health care security” on Semiconductor Engineering, and “Building a foundation for secure RPMs” and “Medical devices probed for possible cyber flaws” on the Rambus blog.