"It relies on a bunch of different communities coming together - the doctors, the patients, the developers of the devices and the people writing the software and building the hardware. They all need to come together to talk about what are the issues, and how we can build more secure devices," says Kastner, a professor in department of computer science and engineering at the University of California, San Diego.
For starters, healthcare organizations need to make it clear to medical device makers that "we want a secure device and are willing to pay more for a device that is more secure," he says in an interview with Information Security Media Group at the 2014 HIMSS Conference in Orlando.
Those kinds of conversations are just now beginning to occur, he notes, after many years when security of medical devices was not a top priority of healthcare organizations or patients. The emergence of networked medical devices that connect to the Internet is building awareness and concern about potential cyberthreats and vulnerabilities, he adds.
Medical devices manufacturers must take the initiative to enhance security testing, including coming up with new threat models that reflect emerging cybersecurity concerns for the various scenarios in which the products are used, he says.
"There are tools out there that can do that, but even if you have the perfect tools, you need to come up with the right scenarios in order to know the sort of threats there are," he says.
In the interview, Kastner also discusses:
- Why the security of medical devices is a growing concern;
- Why some devices are more vulnerable than others;
- Suggestions for how government regulators can help bolster medical device security.
At University of California, San Diego, Kastner researches embedded system design, in particular, the use of reconfigurable computing devices for digital signal processing as well as hardware security. He is the co-director of UCSD's Wireless Embedded Systems Master of Advanced Studies Program. He holds a PhD in computer science from University of California, Los Angeles.