Content Author


Jalal Bouhdada

Founder & CEO

Having led Applied Risk since he founded the company in 2012, Jalal is responsible for Applied Risk’s industrial security services and product development. Jalal has led many complex ICS cyber security projects for major global clients, including some of the world’s largest industrial companies and utilities. As a global thought-leader on industrial control systems security and critical infrastructure protection, Jalal is an active member of several professional security societies and has co-authored ICS security best practice guidelines for ENISA and the ISA 99. He also frequently lectures to private and public audiences around the world.

Preventing the healthcare security headache

A proliferation of connected medical devices is causing a security headache for those in the healthcare industry. It has long been the stuff of fiction that technology developed to enhance our lives could in fact be turned against us to inflict catastrophic damage. In August of this year these fears were confirmed, as the US Federal Food and Drug Administration (FDA) ordered a recall of half a million pacemakers over fears that they could be hacked and turned against their user.

The warning signs of technology’s negative potential have been understood for a while. It was, in fact, back in 2014 that forensic medicine and security experts collaborated to develop software that would help identify if pacemakers had been hacked. In our quest to realise the benefits of rapidly evolving technology, security has become an afterthought. This, it would seem today, is a highly irresponsible approach that we must address, replacing it with better collaboration, lifecycle management, network monitoring and a “secure by design” product development ethos.

Connected healthcare: better outcomes or a threat to life?

Innovation in the healthcare industry is having a great impact on the quality of life for many people. For example, we’ve already seen low-cost blood sugar monitoring implants that synchronise with a smartphone to help diabetics manage their condition, and networked X-ray and ultrasound machines that deliver instant images to a practitioner’s desktop, speeding up diagnosis and treatment in emergency rooms across the world.

But what if the opposite is true? Could this often life-saving medical equipment be turned against us? There has been much speculation over potential scenarios in which devices such as insulin pumps are hijacked and held to ransom, or terrorists attack connected pacemakers en masse. Sadly, this is no longer the stuff of fiction. Medical device manufacturers must come to terms with the idea that the security of the healthcare equipment itself is also a life and death issue.

Relieving the headache

Following best practice will be key for medical device manufacturers. New data privacy laws and strict FDA requirements mean the responsibility is now with the developers to ensure the protection of networks and systems, or they will face the consequences. To help meet these obligations, the security industry and medical device manufacturers must develop a closer relationship, ensuring that new devices are developed with security defences baked in. The ethos of “secure by design” must become entrenched within all product developers.

This can be achieved using tried and tested means such as a thorough Systems Development Lifecycle (SDLC) programme to maintain and monitor products throughout the entire period that they are in use. We know that bad actors will always find new exploits and methods of attack, so vigilance for unexpected behaviours is critical. No system can ever be 100% secure, so layering defences to mitigate damage in the event of a breach is vital.

We must act now, as it won’t be long until a fresh set of headlines details the latest attack on our healthcare systems and devices. Just as with a patient, it’s much better to prevent an illness than to cure one.

Visit our healthcare page to understand how Applied Risk can help secure medical devices.
