This invitation-only event (which I was proudly invited to participate in) brought together 65 top security professionals, medical device manufacturers, health care system representatives, academics, doctors...and just about everyone else who has a stake in medical device security (except regulators and patients). I do not recall ever having been around so many PhDs in my life.
The purpose of this event was to have an open discussion of the challenges associated with securing medical devices, and what we might all do to help resolve the issues.
The key points that came out of the event are as follows:
- Health care organizations and medical device manufacturers are making assumptions about the issues without looking at the whole picture.
- We simply do not have enough data about what the real issues are and what everyone is doing to address the issues to determine how serious the problem may be...or how far along we are...or are not.
- Trying to come up with new ways to address security may not be as prudent as re-purposing what others have already done in other industries (particularly the Industrial Control System space).
- It is difficult to get anyone to take responsibility for the issues. Everyone hands it off to someone else (some more than others...some not at all...to be fair).
- Viewing security in terms of return on investment is pure folly...and will get nowhere.
- Vendors are not ready to provide what customers (health care providers) are not demanding, and health care providers are not ready to demand anything.
There were certainly others that came out, but most importantly the people at this event REALLY cared about talking about the issues...and were fully engaged. This is what I found most important, because I have been working on medical device security for nearly 6 years, and for at least 4 of those 6 years I was often the only person in the room who had anything to say about the subject, and had to deal with a lot of blank stares, or comments like "Oh yes, privacy is very important in health care." It is finally dawning on the health care community at large that we are NOT talking about privacy any more. We are talking about safety.
Did we solve any problems? Probably not...except for the problem of open and honest communication, which seems to have been resolved for at least this small event.
I'll take my baby steps and be quite content with them, and thank Dr. Kevin Fu (and company) for making something like this happen. Getting smart people who really care together in a room with a common goal is often not a bad thing, and can move things forward in untold ways.