Medical Device Security Is A Finger-Pointing Game

Sensors Insights by Mat Dirjish

Who Is Responsible For Securing Your Medical Devices?

Security, cybersecurity to be exact, has become both a critical and boring-via-redundancy topic. It is highly critical in that every day we hear of some cyberattack that affects systems that store our physical and financial lives and, in turn, impacts us psychologically. Security is a boring topic because we hear of these attacks over and over again.

Unfortunately, it appears these security events do not pack the kind of collective punch to mobilize people to take responsibility for their own protection. Equally unfortunate, EOEMS in every market are on such strict deadlines to get their devices on the market that effective security features are either an afterthought or nonexistent. The “hold your breath and cross your fingers until disaster strikes” approach does not always work, if at all.

Free Newsletter

Like this article? Subscribe to FierceSensors!

The sensors industry is constantly changing as innovation runs the market’s trends. FierceSensors subscribers rely on our suite of newsletters as their must-read source for the latest news, developments and analysis impacting their world. Register today to get sensors news and updates delivered right to your inbox.
Medical-device security is an ongoing battle for all concerned.
Medical-device security is an ongoing battle for all concerned.


What it really boils down to is fault exists on both sides of the fence. Yes, medical device makers need to do more to keep their wares safe when connecting to the grand IoT and they need to stay up to date on current threats and potential future security infractions. And end users need to avoid distractions from their electronic toys and take even some simple measures to insure a modicum of cyber safety.


The Fault Lies In The Devices

Stated earlier, medical device makers need to be both active and proactive in securing their web-based products. They need to address current threats and put some strategies in place for coping with those coming down the pike.

Medical Device Security: An Industry Under Attack and Unprepared to Defend, a recent study conducted by software developer Synopsys, Inc. and research organization Ponemon Institute,

finds 67% of medical device manufacturers and 56% of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organizations is likely to occur over the next 12 months. The study also indicates that approximately one third of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device. Not so surprisingly, the study shows that just 17% of device makers and 15% of HDOs are taking steps to prevent such attacks.

Medical devices do not always include adequate security features.
Medical devices do not always include adequate security features.


Few would disagree with, chairman and founder of the Ponemon Institute, Dr. Larry Ponemon when he states, “The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organizations. According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.” You can obtain a copy of the report by CLICKING HERE.


The Fault Lies Not Completely In Our Devices

Like any major issue that involves some negative event, the fault does not lie completely with any individual, singular conglomeration, and/or device. Yes, device makers are sometimes lax in the security department and need to wake up. But the end users are not so innocent as well.

How many times has this happened to you? You are engaged in a fairly serious conversation with someone and said conversation is interrupted more than a few times by your companion answering a smartphone or texting via same. Since this has become a way of life you are not upset, and probably do not even notice. Does this not also happen when doctors are engaged with patients, or medical device users are distracted from the use of their devices?

If you were to ask the majority of computer, smartphone, and wearable-device users what form of security they were using for their digital devices, the majority of responses would be one of two. “I don’t know” and/or “whatever the product maker employs.”

Then there are those users who do employ security software, yet place all their confidence in a single line of defense. They pay their $50 to $100 a year for whatever cybersecurity app and hope for the best. Rarely do they prepare for the worst, which requires a few simple, though slightly inconvenient actions.


Experts Address The Issues

There are numerous other studies on the topic of cybersecurity in every market from consumer to medical to military and beyond. Regardless of the study or research, or who conducts it, the results are always the same: security threats abound and little is being done about it. So what?

Where do we go from there?

Finger pointing never solves anything. Yeah, companies fall short in developing security strategies and solutions. Yes, consumers and end users are easily distracted, making them ripe targets for cybercriminals. How many more studies need to be done that say the same thing? Not one offers a solid solution to the problem, they just observe the problem.

There are exceptions to the norm. A panel of security experts with particular expertise in medical device security formed a panel and discussed the issue of medical-device security and offered a number of possible solutions and strategies. They reasoned together as a group at the Medical Sensors Design Conference, held back in May 2017 in Newton, MA.

The panel, exquisitely moderated by Bunny Ellerin, consisted of Doug Aamoth, Director of Technical Product Marketing at Sophos, Guido Gabrielle, Esq., General Counsel, Grassi & Co., and Mark Laich, President of Laich Advisory Associates. During the panel, they discussed what motivates cybercriminals in the medical arena and the impact they have on device makers and manufacturers. They also covered the legal implications and liabilities said companies need to address.

(left to right) Bunny Ellerin, Doug Aamoth, Guido Gabrielle, and Mark Laich
(left to right) Bunny Ellerin, Doug Aamoth, Guido Gabrielle, and Mark Laich


Most importantly, the panelists provided a number of solutions through best practices for medical device makers and their consumers. A brief video segment of the presentation can be viewed HERE. ~MD



Security Survey Uncovers Dangerous Flaws in Safety-Critical Device Design

Security Report, Research and Roundtable

Embedded Systems Security Survey Reveals Serious Vulnerabilities in the IoT, But Who’s Taking Note?

Are Americans Cyber Confused? Or just distracted!

Lip Password Uses Lip Motions to Create Password

Information Security Forum Launches Threat Horizon 2019

Security Systems Can Be Fooled By Aging Faces And Maybe Dried Fruit

DHS Investigates Dozens Of Medical Device Cybersecurity Flaws


About the Author

Mat Dirjish is the Executive Editor of Sensors magazine. Before coming on board, he covered the test and measurement and embedded systems market for Electronic Products Magazine, after which he spent thirteen years covering the electronic components market for EE Product News and Electronic Design magazines. He also has an extensive background in high-end audio/video design, modification, servicing, and installation.

Suggested Articles

Critics are concerned about a false sense of public health safety when temperature scanning is used in hospitals and other settings

Machine learning challenge will look for vocal communication between elephants and other behaviors

Iowa State University researchers are working with NSF grant