Death By Hacking: Tomorrow's IT Worry? - InformationWeek

Death By Hacking: Tomorrow's IT Worry?

Medical device software vulnerabilities and cyber threats raise important new liability questions for CIOs and CISOs.

There is another issue that is problematic. When organizations test patches in their respective environments, oftentimes they find out that the patch causes problems with custom developed software and other applications that they use. Once that issue is identified, the problem must be diagnosed, remediated, tested and then migrated into the production environment. All of that takes time -- and we are not talking minutes or hours but days, weeks, months and maybe even years.

The big question is, do we have that time? Could someone exploit a disclosed vulnerability, one in software that is commonly used in medical devices and systems, due to the inherent delays of updating and revalidating the software? The answer is yes.

Additional measures must be taken to ensure the integrity of these systems until the patch can be safely applied with a high degree of confidence in the operation of the device or system. This is what DHS was referring to as a "robust security program" to be sure.

Software bugs and security vulnerabilities are inevitable. Missing patches and updates are a reality -- and one that has implications far beyond the healthcare industry. Organizations across many industries are now struggling with vulnerability management and the problem of patching specialized devices in the face of increasingly sophisticated cyber attacks.

Interestingly, I could not find any guidance from the Occupational Safety and Health Administration addressing software safety risks for industrial SCADA (supervisory control and data acquisition) systems, but it is likely they will arrive very soon.

Similarly, the National Highway Traffic Safety Administration will probably have to weigh in on software vulnerabilities for transportation vehicles, especially after Richard Clarke's recent comments. The former U.S. national coordinator for security infrastructure protection and counter-terrorism said that university researchers have now shown "it's relatively easy to hack your way into the control system of a car."

There are those skeptics who believe this is not really an issue and that current cybersecurity experts are up to the challenge of addressing these problems. I would suggest that they read "The Seven Deadly Myths of Software Security."

What many also don't see coming are the increasing legal risks executives face from the threat of cyber attacks. While researching this article, I had a couple of discussions with lawyers. What started out as a product liability conversation turned into a discussion about the risks of civil negligence charges. Could a manufacturer, CIO or CISO be charged with criminal negligence if they fail to apply patches and properly secure and maintain their systems, in the event a cyber attack that exploits those factors results in the death of an individual or individuals?

That is one hell of a question and a glimpse of what lies ahead for those who don't take the new world of cyber threats seriously.

User Rank: Apprentice
8/13/2013 | 4:29:03 AM
re: Death By Hacking: Tomorrow's IT Worry?
It's interesting to read about this other aspect of hacking and not only about the protection of patient health information and patient demographic information. I really hadn't given it much thought before but this is actually kind of scary. The thought that a hacker, or anyone wishing harm upon somebody else, could essentially remotely hack into a machine and provide lethal doses is very scary. It makes you skeptical of the machines that are there to supposedly save your life.

Jay Simmons
Information Week Contributor
User Rank: Author
8/7/2013 | 8:53:35 PM
re: Death By Hacking: Tomorrow's IT Worry?
Should get interesting a few years from now when car thieves discover how to pirate driverless cars with little more than a savvy mobile app.
User Rank: Apprentice
8/5/2013 | 3:28:50 PM
re: Death By Hacking: Tomorrow's IT Worry?
An acquaintance of mine went through a heart transplant. Post surgery there was trouble with the technology in an external box and after weeks of hassles, with untrained nurses who had no idea of what was wrong, finally this guy opened up the electronics and rewired them when no one was around! Who knows what would have happened had he not hacked it...