Carolyn Crandall, chief deception officer at Attivo Networks, has suggested that the industry could be more proactive about the cybersecurity of medical devices.
In an interview with Digital Health Age web content editor Ian Bolland, Crandall explained the issues affecting medical device cybersecurity, including the fact that many devices are built on operating systems designed for networks that were never meant to be interconnected. Such devices are now being connected, yet they were never designed to be secure in that setting, and the ownership of their security is a contentious issue.
She said: “It’s causing a little bit of friction between the device manufacturers and the healthcare providers that pay.
“If a business buys the equipment they know that they have to manage the security and have made investments. They’ve accepted they’ve got to build defences and a strategy to try and protect their networks.
“This is an investment that healthcare providers have not sufficiently made so there’s a lot of friction going on: who owns them? Is it the device manufacturers that need to provide them with secure systems? Even if everything going forward was more secure, what do you do with the millions of pieces of equipment out there that maybe are not even patchable?”
Crandall has encouraged organisations to be more proactive in combatting hackers, though she highlights that security infrastructure at large is built to be reactive, so the industry’s defences are constructed that way too.
She described setting various traps for a potential hacker to run into, making it easier to identify an intrusion and to track down whoever is behind it.
“The really interesting thing with Deception is the ability to build a pre-emptive defence. Through machine learning of the network we start to understand all of the characteristics and attributes of the network so we can set up the deception.
“By understanding how an attacker would move through the network to get to their target, you can start to build a pre-emptive defence. You can set up decoys throughout the network, you can set up the credential lures and bait to misdirect them.”
There is also the question of responsibility for security, whether it lies with manufacturers or regulators, and Crandall questions whether legislation will be put in place to drive standards, and what the costs associated with it would be.
“I think there are standards that are being put in place but they’re being put in place more as frameworks. I don’t recall anybody willing to make the decision that says either side must do anything of material consequence. What that means is it’s not that people don’t care but it’s complicated and there’s a real cost associated with changing out all of this legacy equipment.
“I think there’s regulation that is being put in place to say: ‘these are the frameworks that say these minimum things must happen,’ and then the healthcare providers are having to put in things like in-network detection mechanisms.
“They need to go to a security framework that includes in-network detection, especially around things which are less secure that are now getting interconnected. Healthcare device manufacturers need to step up and put some level of responsibility on themselves to add in the ability to be more secure.”
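The credential lures Crandall describes and the in-network detection she says providers are now adding come together in a simple detector. The following is an added example, not code from Attivo Networks or from the interview: it assumes hypothetical decoy account names and a decoy host name seeded into the environment, and scans constructed sshd-style auth log lines for any use of them, since no legitimate user or device should ever touch a lure.

```python
import re
from dataclasses import dataclass

# Hypothetical decoy (lure) accounts seeded into directories and config files.
# Nothing legitimate authenticates with them, so any use is a high-fidelity alert,
# whether the attempt succeeded or failed.
DECOY_ACCOUNTS = {"svc-backup-decoy", "radiology-admin-decoy"}
# Hypothetical decoy host posing as an unpatchable medical device.
DECOY_HOSTS = {"infusion-pump-07"}

# Matches the sshd "Accepted/Failed password" line shape (constructed sample format).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Alert:
    reason: str
    user: str
    src: str
    host: str


def scan_auth_log(lines):
    """Return one Alert per log line that uses a decoy account or reaches a decoy host."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an auth event we understand; ignore
        user, src, host = m["user"], m["src"], m["host"]
        if user in DECOY_ACCOUNTS:
            alerts.append(Alert("decoy credential used", user, src, host))
        elif host in DECOY_HOSTS:
            alerts.append(Alert("decoy host contacted", user, src, host))
    return alerts


def suspect_sources(alerts):
    """Count lure interactions per source address, to prioritise which host to isolate."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


# Constructed sample log: one normal login, then a single source touching three lures.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z mri-gw sshd[1203]: Accepted password for radiologist1 from 10.0.5.12 port 5020 ssh2",
    "2024-05-01T10:00:07Z mri-gw sshd[1204]: Failed password for svc-backup-decoy from 10.0.5.77 port 5021 ssh2",
    "2024-05-01T10:00:09Z infusion-pump-07 sshd[88]: Accepted password for admin from 10.0.5.77 port 5022 ssh2",
    "2024-05-01T10:00:15Z mri-gw sshd[1205]: Failed password for invalid user radiology-admin-decoy from 10.0.5.77 port 5023 ssh2",
]
```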