M. Eric Johnson discusses "A Brief Chronology of Medical Device Security" (cacm.acm.org/magazines/2016/10/207766), a Review Article in the October 2016 Communications of the ACM.
00:00 They steal your identity, empty your bank account... and now they can even stop your heart.
00:09 Terror from malicious hackers reaches deep into your body as medical devices grow more common and more connected, and as medical data leave the realm of locked file drawers. In an all-connected world, how real are these dangers today?
00:25 Join us as Eric Johnson balances risks and rewards for this new horizon, in "A Brief Chronology of Medical Device Security".
00:37 [Intro graphics/music]
00:45 Eric Johnson's degrees in industrial engineering make him an unusual choice to head the Owen Graduate School of Management at Vanderbilt University. But he found that the field of security ties management and engineering together -- and led him to discover an emerging crisis.
01:04 DR. M. ERIC JOHNSON: I've been studying security for over a decade now, really started studying security in the financial services industry, which invests the most in security and has in many ways some of the best and most-secure systems out there. But I began to grow really interested in health care about five or six years ago because health care was so far behind, relative to the financial services industry.
01:29 That was around the time that hackers demonstrated that they can eavesdrop on, and control, certain models of pacemakers and insulin pumps.
01:37 DR. JOHNSON: Patients begin to imagine themselves in the plot of a movie where maybe someone assassinates them based on a hack in their pacemaker.
01:47 In 2013, the U.S. goverment took notice.
01:51 DR. JOHNSON: So my co-authors and I are all involved in an NSF-funded project called THAW: Trustworthy Health and Wellness. A.J. Burns at the University of Texas, Peter Honeyman and I really got interested in the medical device side and the history of medical devices, and how security has become increasingly important for medical devices.
02:14 They found that device hackers aren't the only danger. Bad software has caused harm for over thirty years, such as when bugs in the Therac-25 radiation therapy machine killed six people. And there's more.
02:28 DR. JOHNSON: When we think about healthcare security, we're really thinking about the entire stack. That is, everything from enterprise systems in hospitals, that operate the hospitals; and all the kinds of breaches that we're reading about in newspapers; and how those breaches affect patients, how they affect hospitals themselves; down to the individual devices that might be implanted in a patient. And everything in between.
02:58 That's a big surface vulnerable to attack. But Dr. Johnson warns that our reactions to these threats may be worse than the threats themselves.
03:06 DR. JOHNSON: Some of these big headline stories, of course, capture peoples' imaginations. But they really expose a much broader issue, and that is that: Health care in general was never designed for security. Many other industries -- for example financial services -- they've been worrying about security for a long time and investing heavily in security for a long time. Only recently have hospitals begun to really consider security as an important element. Their main focus is treating whatever's wrong with you, and doing that quickly and efficiently, with high quality.
03:43 Get all the details in the October 2016 issue of Communications of the ACM, in the review article, "A Brief Chronology of Medical Device Security".
03:53 [Outro and credits]