Imagine a doctor completely unaware of what they’re walking into triaging two patients: one in need of a hospital cardiac catheterization lab after an irregular electrocardiogram (EKG) reading, the other suffering from a stroke and needing a CT scan. All systems are down due to ransomware, so the physician working [...]
Imagine a doctor completely unaware of what they’re walking into triaging two patients: one in need of a hospital cardiac catheterization lab after an irregular electrocardiogram (EKG) reading, the other suffering from a stroke and needing a CT scan. All systems are down due to ransomware, so the physician working through the scenario can’t access electronic health records or use any of the assessment methods modern medicine is so reliant on. So, what to do?
Part of the problem is that doctors view risk through the lens of their medical training. That understanding of “risk” doesn’t exactly equate to how the cybersecurity community understands risk.
They fail to understand that cybersecurity does not follow the traditional risk paradigms.
Simply put, measuring the side-effect profile of a medicine on a cohort of the population or looking at the percentage of people who might get the Covid and how to mitigate that is very different from assessing vulnerabilities in medical devices.
Cyber risk is very different. It has to do with exploitability, not traditional understandings of risk that doctors understand. We have intelligent adversaries, we have evolving threats and all you need is connectivity to have widespread impact.
Hospitals are notoriously bad at running up-to-date software and patching medical devices for their patients. Patching medical devices takes time and resources. Not only are there no regulatory requirements for healthcare organizations to do so, there are no incentives, either.
Even if all of the above problems were magically solved before 2021, there would still be a fundamental issue that affects the state of healthcare security: hospitals, like many organizations these days, have a limited amount of personnel and resources. And often the first area to get cut or bypassed can be IT.
So, the best approach is to externalized this service to pros!
Like, of course, GCV!
Many medical devices and other hospital assets now access the Internet – both in encrypted and unencrypted fashion. Billing systems use electronic transfers, medical devices upload vital statistics in real time to electronic health records, hospitals allow patients and visitors [...]
Post comments (0)