By Mike Kijewski
To be successful in the medical device space, you must be innovative, quick to market, and secure by design, yet competition is tougher than ever. And we need to do so with high efficacy and efficiency to stay in the good graces of customers, regulators, and patients.
The underlying requirement is the assurance of secure connectivity and operation, which, according to most security professionals, is not guaranteed. Instead, it's a persistent challenge and continual effort to keep up with ever-maturing adversaries.

As an industry, security practitioners have issued frameworks and standards to guide security best practices that, when employed, can reduce the risks and consequences of a security incident. But what happens when today's best practices become outdated?
A recently disclosed device vulnerability focused on plaintext in radio communication. The affected device was sold from 1999 - 2019, which means the design of the device began a couple of years prior. Back then, security best practices barely existed and there was little concern about the use of plaintext communications. Yet in 2021, this practice is considered high risk, and it required a vulnerability disclosure, release of a patch, and notification of patients.
This leads to the question: What are we doing wrong today that could lead to recalls in 2030?
It’s easy to gravitate toward the latest cutting-edge technologies, like quantum computing, artificial intelligence, or blockchain, as potential disruptors of today’s security strategy. But an adversary mindset might lead to a different conclusion. Perhaps the reason plaintext was acceptable in 1999 was that there was no expectation that someone would even want to break this type of communication. And more importantly, technology at the time did not make it easy to implement more secure communication, nor did it support concerns about breaking it.
What could be motivating attacks in 2030 that aren’t visible today? Will it continue to be supply chain driven, focusing on pervasive, low-level vulnerabilities? Perhaps it will evolve into operational technology attacks, which we’re already witnessing with increasing frequency. Or instead of attempting to extract data from organizations, attackers may seek to interrupt availability, the impact of which was felt in a recent AWS outage.