From light bulbs to automobiles, our interaction with even mundane elements of life increasingly involves software. Unfortunately, along with the added convenience and utility we enjoy, more software also means more opportunities for errors and malicious actors to wreak havoc. While the thought of a hacked light bulb may not instill fear in our hearts, devices that perform critical, life-sustaining functions carry many of the same vulnerabilities (with new weaknesses and attack vectors being identified on a regular basis). In an age where convenience demands the ability to constantly patch and upgrade, will we survive our own innovation?
Nowhere is the need for attention to software (and hardware) security more urgent than in the manufacturing of wireless medical devices. While improvements in battery technology and wireless communications have led to major quality-of-life benefits for patients dependent on devices like insulin pumps and pacemakers, serious security vulnerabilities allow for the frightening possibility of a bad actor injuring or killing someone wirelessly, remotely, and invisibly. Just last fall, security researchers uncovered a vulnerability with wireless insulin pumps manufactured by Johnson and Johnson. The researchers were able to demonstrate an attack that resulted in the pumps administering unauthorized doses of insulin. This case serves as a wake-up call to an industry that can and should benefit from collaborative efforts to protect patients.
In healthcare software, much of today’s focus is on protecting the privacy of patient information. The regulatory environment has prioritized privacy for decades, and this made sense when the primary risks of running software in a healthcare system included improper disclosure of private data. However, as Professor Ross Anderson (University of Cambridge) suggests, future ethics and policy decisions regarding software will necessarily shift from a focus on privacy to safety. The primary danger of running software in the coming decades will not be data disclosure, but actual harm to life and property.
“Although [the ability to upgrade a car’s software] brings us the possibility of steady growth in vehicle safety, it also brings a terrible cost with it which is that we have got to maintain the capability to patch that software not just for years, but for decades.” – Ross Anderson
In a world where entire operating systems are often obsolete in a single decade, software creators must begin having serious conversations about a future where software lives securely for as long as we do – a future in which a software crash or bug doesn’t result in real injury or death. Because, while we will likely see companies come and go, people will continue to depend on software they created for critical aspects of life, such as transportation and medical treatment. What ethical standards and policy decisions will enable us to continue down the path of amazing innovation, while limiting the potential for real damage a generation from now?
What are we to do as we usher in the age of real-life cyborgs? When our machines must operate correctly in order to sustain life, who is responsible when things go wrong? In the automotive industry, the direction appears to be toward holding manufacturers responsible for the damage caused by their autonomous vehicles. That may end up being the way forward for a time, but – across all industries, especially automotive and healthcare – we must challenge ourselves to look years and even decades into the future, when any specific manufacturer could go out of business. Then we must ask: “What can we be doing now to ensure security and stability over the long term?” Are the keys longevity planning, open source software, and code escrow? As new threats emerge, some ability to modify software will be required to protect consumers.
The problems faced by software creators in these fields are not new. Authentication, encryption, networking protocols, and similar subjects are addressed every day and have established solutions. What is new is the need for solutions with unprecedented longevity. Even now, denial-of-service attacks and identity theft are almost daily headlines. Data breaches produce real economic damage along with inconvenience and, in some cases, social costs. As the damage from these activities moves from economic and social to physical, we are seeing a renewed sense of urgency to provide solutions for today and a path for tomorrow.
Michael Atkins is Vice President of Technical Services at PointClear Solutions, a leading technology consulting company that specializes in software strategy, design, development, and management services for the healthcare industry.