Do No Harm. Matthew Webster

reality is that vulnerabilities are part and parcel of any type of system that has a programming component. If we expand the search beyond internet-connected devices into the realm of just devices, the problem is even greater. Connected medical devices just have extra considerations because they can be accessed remotely as part of a greater ecosystem, whereas before they were a disconnected box.

      Some of this stems from the continuous software development process. IoMT manufacturers are continually making improvements and upgrades to their devices—even adding new features. If a device is certified at a specific point in time, even if it is perfectly secure, there is no guarantee that the device will be secure after one or more updates. Over a few years the original software can vary greatly—especially if you consider a life span that may be up to 15 years.

      Another reality facing manufacturers is stiff competition. The timing of the release of a device (often any product) is absolutely critical. Security is known to slow down the release of a product because it takes time and money to make sure that things are evaluated in a mature way, not to mention the time needed to remediate any findings that security assessments turn up. If you are a CEO weighing the pains of the market against the pains around a device, sometimes a cost-benefit analysis means things may not be perfect, especially if patches can fix the problems later. From an advertising perspective, sometimes the negative press is also seen as a positive, especially for non-life-critical systems.

      In the end, both lives and data are important to protect. So far, we have been focusing on the technology. The data that comes out of that technology is also extremely important. The cost of a breach is heavily linked to the amount of data. All of these IoMT vulnerabilities inevitably lead to a loss of data. IoMT is causing a data explosion, and thus the risks for hospitals are greater than they ever have been—not just from IoMT devices, but also from the data they produce. We'll explore the data side of the equation in the next chapter.
