Imagine a doctor completely
unaware of what they’re walking into triaging two patients: one in need of a
hospital cardiac catheterization lab after an irregular electrocardiogram (EKG)
reading, the other suffering from a stroke and needing a CT scan. All systems
are down due to ransomware, so the physician working through the scenario can’t
access electronic health records or use any of the assessment methods modern
medicine is so reliant on. So, what to do?
Part of the problem is that doctors view risk through the lens of
their medical training. That understanding of “risk” doesn’t exactly equate to
how the cybersecurity community understands risk.
fail to understand that cybersecurity does not follow the traditional risk
put, measuring the side-effect profile of a medicine on a cohort of the
population or looking at the percentage of people who might get the Covid and
how to mitigate that is very different
from assessing vulnerabilities in medical devices.
risk is very different. It has to do with exploitability, not traditional
understandings of risk that doctors understand. We have intelligent
adversaries, we have evolving threats and all you need is connectivity to have
Hospitals are notoriously bad at running up-to-date software and
patching medical devices for their patients. Patching medical devices takes
time and resources. Not only are there no regulatory requirements for
healthcare organizations to do so, there are no incentives, either.
Even if all of the above
problems were magically solved before 2021, there would still be a fundamental
issue that affects the state of healthcare security: hospitals, like many
organizations these days, have a limited amount of personnel and resources. And
often the first area to get cut or bypassed can be IT.
So, the best approach is to externalized this service to pros!
Like, of course, GCV!
ปั้มไลค์ on July 11, 2020
Like!! I blog frequently and I really thank you for your content. The article has truly peaked my interest.
Gabriel Garban on July 13, 2020