Commentary
8/2/2013
02:02 PM

Death By Hacking: Tomorrow's IT Worry?

Medical device software vulnerabilities and cyber threats raise important new liability questions for CIOs and CISOs.

There is another issue that is problematic. When organizations test patches in their respective environments, oftentimes they find out that the patch causes problems with custom-developed software and other applications that they use. Once that issue is identified, the problem must be diagnosed, remediated, tested and then migrated into the production environment. All of that takes time -- and we are not talking minutes or hours but days, weeks, months and maybe even years.

The big question is, do we have that time? Could someone exploit a disclosed vulnerability, one in software that is commonly used in medical devices and systems, due to the inherent delays of updating and revalidating the software? The answer is yes.

Additional measures must be taken to ensure the integrity of these systems until the patch can be safely applied with a high degree of confidence in the operation of the device or system. This is what DHS was referring to as a "robust security program" to be sure.

Software bugs and security vulnerabilities are inevitable. Missing patches and updates are a reality -- and one that has implications far beyond the healthcare industry. Organizations across many industries are now struggling with vulnerability management and the problem of patching specialized devices in the face of increasingly sophisticated cyber attacks.

Interestingly, I could not find any guidance from the Occupational Safety and Health Administration addressing software safety risks for industrial SCADA (supervisory control and data acquisition) systems, but it is likely they will arrive very soon.

Similarly, the National Highway Traffic Safety Administration will probably have to weigh in on software vulnerabilities for transportation vehicles, especially after Richard Clarke's recent comments. The former U.S. national coordinator for security infrastructure protection and counter-terrorism said that university researchers have now shown "it's relatively easy to hack your way into the control system of a car."

There are those skeptics who believe this is not really an issue and that current cybersecurity experts are up to the challenge of addressing these problems. I would suggest that they read "The Seven Deadly Myths of Software Security."

What many also don't see coming is the increasing legal risks executives face from the threat of cyber attacks. While researching this article, I had a couple of discussions with lawyers. What started out as a product liability conversation turned into a discussion about the risks of civil negligence charges. Could a manufacturer, CIO or CISO be charged with criminal negligence if they fail to apply patches and properly secure and maintain their systems, in the event a cyber attack that exploits those factors results in the death of an individual or individuals?

That is one hell of a question and a glimpse of what lies ahead for those who don't take the new world of cyber threats seriously.

Comments
jaysimmons,
User Rank: Apprentice
8/13/2013 | 4:29:03 AM
re: Death By Hacking: Tomorrow's IT Worry?
It's interesting to read about this other aspect of hacking and not only about the protection of patient health information and patient demographic information. I really hadn't given it much thought before but this is actually kind of scary. The thought that a hacker, or anyone wishing harm upon somebody else, could essentially remotely hack into a machine and provide lethal doses is very scary. It makes you skeptical of the machines that are there to supposedly save your life.

Jay Simmons
Information Week Contributor
WKash,
User Rank: Author
8/7/2013 | 8:53:35 PM
re: Death By Hacking: Tomorrow's IT Worry?
Should get interesting a few years from now when car thieves discover how to pirate driverless cars with little more than a savvy mobile app.
Gadgety,
User Rank: Apprentice
8/5/2013 | 3:28:50 PM
re: Death By Hacking: Tomorrow's IT Worry?
An acquaintance of mine went through a heart transplant. Post surgery there was trouble with the technology in an external box and after weeks of hassles, with untrained nurses who had no idea of what was wrong, finally this guy opened up the electronics and rewired them when no one was around! Who knows what would have happened had he not hacked it...