systems could be compromised in ways that previously the hardware would have provided some protection. Ultimately, if an attacker had access to a system, data could be exposed by the combination of the two vulnerabilities (of which there are three variations). For Meltdown, an attacker gains access to data they normally shouldn't see by “melting” the division of protected memory normally enforced by hardware. Spectre, on the other hand, is about making a system reveal data that it should not reveal to the attacker.34
Both Spectre and Meltdown are examples of what were zero-day vulnerabilities—flaws that, at the time, were out but, as they are too new, do not have remediation. Hardware (such as motherboards), operating systems, and internet-connected medical devices are all prone to zero-day vulnerabilities. They are the bane of IT and security practitioners alike. They are the kind of situation, due to the severity of the vulnerability, that requires companies perform out of band patching (also called emergency patching), which can seriously disrupt the schedule of the IT department. While some zero-day vulnerabilities are of little consequence, many are much more serious—as Spectre and Meltdown were.
But why do we have these challenges with internet-connected medical devices to begin with? An incomplete and simplistic perspective might be to say that the dollar is king, security costs money, and therefore it is not done until companies are pushed into it. The reality is far more complex than that.
If we step back in time a decade for the purposes of looking at internet-connected medical device security, there were no regulations concerning their construction—very little regulatory oversight. In theory they had to meet HIPAA requirements, but many connected medical device companies did not always adhere to those—not by a longshot. Quite often these companies were not even striving to meet HIPAA requirements. The features and functions of the devices were the key capabilities they had to focus on—not security capabilities.
What makes matters worse is not every company is validating the security or making security the priority when purchasing a medical device when making a purchase. Think of it this way: If you are looking at a half-million-dollar piece of medical equipment and one company has a product that the doctors find far better than other pieces of equipment and has a better chance of saving lives, versus another product that may not save as many lives but may be a little more secure, which product do you buy? Many companies would want to purchase the product that would save more lives. It is almost common sense when weighing one concern verses another. Many hospitals would not give security a second look. Further, if you have only one or two devices that are connected, it is easy to overlook the one insecure exception in your environment. This is the way medical equipment was for decades as internet-connected medical devices first made their appearance. Keep in mind that when this started taking place, connected medical devices were not commonplace and security was not as large of a priority as it is today. Context is everything.
Another challenge that hospitals are sometimes faced with two products with poor security (or sometimes even one product with poor security). In these situations, hospitals need to choose a product and simultaneously make the hospital less secure. In those situations, you kind of have to live with the an imperfect decision of having an insecure device or decide not to help people. For most, not helping people is unthinkable for very good reasons.
Innovate or Die
Peter Drucker, considered the father of modern management techniques, popularized (or perhaps originated) the phrase “Innovate or die.”35 What he was referring to was that companies needed to stay ahead of the pace of change from a market perspective or face obsolescence. In business today that means continually changing and updating your products to ensure marketability. As a former salesperson myself, if a competitor has an innovation you lack, that could be enough to give them the competitive edge to stay in business. Innovation is here to stay.
Perhaps the most poignant example of this is Blockbuster Entertainment Inc., more commonly known as Blockbuster. It had a brilliant business model in the 1990s. It offered a very convenient way to rent movies, video games, and so on, but it did not innovate. Blockbuster held the philosophy that people enjoyed going to a store to rent movies. They did not anticipate that people would prefer the advantages that a modern streaming service offers people. That philosophy was its undoing, and now it is out of business. The world is full of examples where this is true. For instance, Polaroid, Compaq, Borders, Tower Records, Atari, Kodak, and Xerox were all big, recognizable names 20 years ago. But the reality is, they did not innovate with the times and thus suffered or went out of business as a result. So, too, is that true for medical device companies.
Numerous studies have been done on the companies that have survived for decades or longer. The number-one trait that all of the companies share in common is adaptability—a willingness to change with the times. What is interesting to note is that this “innovate or die” attitude has taken on another life in Silicon Valley. At this point it is well known for both its innovation and its technology disruption. Deloitte stated it best: “More than one-third of the 141 companies in the Americas, Europe, and Asia Pacific that grew to a valuation of greater than $1 billion between 2010 and 2015 were located in the Bay Area.”36 CEOs and entrepreneurs know this. While there are countless keys to success, part of the success criteria is to make companies more agile by shortening the time to market. Indeed, many companies have had to shift their overarching philosophy. Large companies used to take the time to create products that were fully ready for the market. Billions of dollars were lost this way as a result of smaller, more agile, more innovative companies creating something more quickly. The old ways of doing business simply do not apply anymore.
In short, innovation is not just a random concept that is haphazardly thrown into business. It is the basis for business models. Companies are shaped around this philosophy and quite often far more successful than they were as a result of the transformations that go along with the desire to innovate. As you can imagine, the pressure to innovate is a very strong driving force in companies today. If we look back at the CEOs who were responsible for the downturn (and sometimes demise) of companies, they were under very harsh criticism for not turning companies around or losing business due to lack of innovation. This kind of pressure leads people and thus companies to make decisions that do not always have security in mind.
This kind of pressure also affects medical device manufacturers—so much so that there is a new name for the medicine coming out of connected medical devices: Medicine 2.0. Medicine 2.0 utilizes digital diagnostic capabilities, including wireless devices, mobile health solutions, data, smartphone apps, wearable devices, and remote monitoring. Other technologies such as cloud and artificial intelligence allow for greater innovation and more rewards for both the medical industry and the patient. These technologies are only accelerating as the pace of innovation changes and grows.37
Imagine what kind of pressure CEOs, product marketers, etc., face when creating products. Where does security fit in in this kind of world? Is it surprising that there are as many vulnerabilities in products that we are seeing today? The sad answer is no, and this is for multiple reasons. If we sidestep to nonconnected devices for a brief minute, the Associated Press reported that since 2008, medical devices for pain have caused more than 80,000 deaths—and this is a 2018 statistic.38 The same Associated Press article talked about how little testing there is for those pain stimulators. That article was fair in that it pointed out that there are more than 190,000 devices on the market and very rarely do they need to pull devices. Yes, occasionally things get through that are bad, but the system is working remarkably well in the FDA's estimation.39 The central point here is that despite having processes in place, those processes are far
