Our cyber security columnist, Davey Winder, explains why security conversations surrounding connected medical devices are not over yet.
I’ve been warning about the Internet of Medical Things (IoMT) from the threat-mapping perspective since I first started writing on cybersecurity for Digital Health six years ago.
A lot has changed since 2016 and, sadly, much has stayed the same. On the positive side of the connected-device security landscape fence sits the Product Security and Telecommunications Infrastructure (PSTI) Bill which, as of 23 March 2022, according to the parliamentary bill’s status site remains at the report stage. Assuming this passes into law before the end of the year, this would prohibit the use of factory-set weak default passwords for IoT devices. That’s a really good move. Hop to the other side of the fence and you quickly learn that the PSTI Bill is consumer legislation and won’t cover medical devices. OK, let’s try and find some positives in that.
Is existing legislation enough?
At the end of last year, I interviewed David Rogers MBE for a Forbes article about the PSTI Bill. Rogers, as well as being CEO of IoT security outfit Copper Horse is also chair of the GSM Association (GSMA) Fraud and Security Group as well as sitting on the executive board of the Internet of Things Security Foundation. Most notably, however, he drafted a set of technical requirements that eventually became what is now the UK Code of Practice for Consumer IoT Security. In other words, he’s an IoT security expert of the highest calibre. So, why was he not too concerned about medical devices not being included in the proposed legislation? Rogers spoke to the clear “sectoral differences and already existing regulation,” particularly in the medical sector, which cover safety aspects and “go above and beyond where we are here, and it doesn’t seem to make sense to land grab those spaces”.
Indeed, the Medicines and Medical Devices Act 2021 was granted Royal Assent last year and built upon the Medical Devices Regulations 2002 to “update the regulatory system for medical devices as and when required”, according to the Department of Health and Social Care. Whether this actually does ensure an “effective system for regulating medical devices” remains to be seen. I’m skeptical not least because while the Medicines and Healthcare products Regulatory Agency (MHRA) has oversight when it comes to the safety, quality and performance of medical devices, there’s a world of difference between measuring clinical effectiveness and potential cybersecurity vulnerability. I’m inclined to think that excluding these devices from the PSTI Bill is, actually, regrettable.
Research found 75% of medical IoT devices had known security gaps
We all know how vulnerable medical IoT devices can be.
Continue reading: https://www.digitalhealth.net/2022/04/the-security-conversation-on-connected-medical-devices-is-far-from-over/