‘This won’t hurt… much.’
A children’s nurse told delegates at the Virus Bulletin conference in Madrid on Thursday to get a grip on Internet of Things security.
Jelena Milosevic, who developed an interest in cybersecurity over the last three years, told attendees that the healthcare sector needs to work with infosec experts and manufacturers to address the emerging security risk posed by internet-connected medical kit.
For one thing there is no medical need for such devices to be connected to the net 24/7, she said.
More fundamentally, government regulation is needed to mandate baseline security standards. Milosevic advocated coordinated vulnerability disclosure, a process that would mean security researchers would work with manufacturers to fix issues before going public. IoT vendors have a reputation for being slow to both acknowledge and remediate security problems.
“You can’t just buy security, you have to build it,” she said.
Milosevic’s thinking on this parallels that of infosec luminaries such as Bruce Schneier.
Security and privacy issues have become increasingly important for hospitals. Ageing systems host troves of personal, medical and financial information that the unscrupulous might easily be able to monetise.
Privacy and the protection of computer records are sometimes put on the back-burner, and caring for the devices used in hospitals is an afterthought, meaning computers and other devices are seldom patched and frequently exposed to vulnerabilities, Milosevic argued. Criminal behaviour can go unnoticed for long periods and – without proper security controls – patient records might be manipulated. Security needs to be built from the ground up and supplemented with awareness programmes. Milosevic argued that hospitals need processes and procedures for infosec in much the same way that they need protocols for patient treatment.
Ransomware attacks against hospitals have featured prominently in national news stories on both sides of the Atlantic, with the devastating effects of WannaCry on the operations of many NHS trusts just the most high-profile example. There’s no confirmed loss of life from WannaCry, Milosevic said, but added that the “biggest problems are those we don’t yet know about”.