The Dangers of Unsecured Medical Devices
Anura Fernando of UL on Mitigating the Risks
Mitigating medical device cybersecurity risks can be a matter of life and death, warns federal adviser and security expert Anura Fernando of UL. UL, formerly known as Underwriters Laboratories, is a safety certification and consulting firm that provides testing services for medical devices and a wide range of other equipment.
"There is an issue with the medical device capability to cause harm that is of concern," Fernando says in an interview with Information Security Media Group.
For instance, some sophisticated medical equipment is designed to destroy cancerous tumors, "to hopefully save the patient's life," he notes. "The purpose of the device is to do a specific type of tissue damage. ... And so, if you leave that type of equipment unfettered and connected to a network where anyone can access it, it's comparable to leaving a loaded gun on a picnic table out in a park."
That's why applying basic security hygiene to medical devices is extremely important, he stresses. Ensuring that medical device network connections are properly managed, monitored and secured is "much like keeping a weapon in a safe with the safety on," he says.
In the interview, Fernando also discusses:
- Recent findings by security researchers in two separate studies about medical imaging vulnerabilities that pose potential risks, including to data integrity, security, privacy and patient safety;
- Medical device cybersecurity recommendations by the Department of Health and Human Services' cybersecurity task force on which Fernando serves;
- Other cybersecurity advice for healthcare entities and device manufacturers.
Fernando is chief innovation architect of medical systems interoperability and security at safety certification and consulting firm UL. In addition to serving on the HHS cybersecurity task force, he has also served as a member of several other federal advisory panels, including the Food and Drug Administration's Safety and Innovation Act working group and the FDA's Medical Device Interoperability Coordinating Council.