Medical cyber-security threats (history)
Why do medical systems seem so unprepared for cyber threats?
It sometimes feels odd that the medical community appears to be unprepared for all the cyber threats. Medical systems have been working on cyber security for decades, so why do ransomware, etc. continue to run rampant? Have medical systems developers been wasting time and accomplishing nothing?
The cyber-security threat model for medical devices started in a very different place than current concerns. My experience with real threats, as opposed to the entertaining hypothetical threats, started about 30 years ago. The big real threats when I started were very different. The big three threats were:
Corrupt Actors
These were the first threat that I experienced for real. This was almost 30 years ago. I was dealing with a hospital that took the X-rays, CT, and MR for professional athletes. Organized crime targeted the hospital employees with threats and bribes to get these images before the official medical announcements by the teams. There is a lot of money to be made by having inside information for betting.
The corrupt actors were employees, cleaning staff, etc. who had access to the imaging equipment or image archives.
Criminal/Violent Actors
These were also real and more common than organized crime. I merely ran into them a little bit later. This activity could be a continuation of street crime violence, a domestic abuser tracking down a victim, or a criminal tracking down and threatening a witness. I was dealing with computer systems and fortunately the threat from a gang fight continuing inside the ER was not a computer problem. We were dealing with ongoing computer-based efforts to identify and find patients so that the patient could be threatened or harmed.
Unethical management
This was hospitals and companies behaving very badly. Some unethical MBAs at a hospital chain had discussions with pharmacy and drug companies to make money by selling access to patient medical records so that advertising and other forms of sales pressure could be efficiently targeted to the right patients. At the time it was legal, although unethical. These real-world cases were described to legislators as part of the lobbying effort to get the HIPAA privacy regulations approved.
These threats explain why medical cyber-security concentrated on application level logging and access controls. The real threats could not be prevented by software alone.
Corrupt Actors can be caught by logging. Access control might keep some corrupt actors out, but a staffer with legitimate access can be bribed or threatened. The logging detects the problem and then HR or law enforcement has to be used to remove the corrupt actor.
Criminal/Violent Actors are like Corrupt Actors. Access control is much more likely to work at keeping them out, and if you do the logging properly law enforcement might be able to find and remove the criminal actor before they can do harm.
Unethical Management requires legal changes, and then access control and logging can be used to deal with the outliers. If the management is willing to ignore the laws there is not much that can be done. Access control and logging can provide documentation sometimes, but it is easy for a seriously unethical management to bypass.
These threats are still active, and one reason that they don't show up as a big cyber-security problem is that medical systems have been working on them for three decades. The access controls and logging systems that mitigate these threats are just minor speed bumps for the kind of cyber-security attacks that dominate the news today.