I met Jing Wang from Kaiser Permanente (KP) yesterday. She works in Information Security at KP. She is a woman on a mission.
Some biomedical devices being installed in hospitals and doctors' offices may be inherently insecure – sometimes held to a lower standard of virus protection and intrusion prevention than the rest of the IT estate. Why? Speed to market, security by obscurity, and lack of awareness of IT best practices.
Jing’s mission is to rally buyers to hold vendors accountable. How?
- Have customers share information on breaches and device failures. There is a serious lack of this being done today, and vendor replies to an incident are usually “wow – that’s the first time we have heard of this happening”. It’s time for independent reporting and tracking of medical device breaches.
- Collaborate on holding vendors accountable for fixing software vulnerabilities and improving security design. This can only be done when customers are clear on their expectations and use their buying power to make it happen.
That’s Jing’s mission. She speaks to providers, hospitals, and doctors about the need, and the plan.
At Gartner we call this border between IT and biomedical/clinical devices the boundary between Information Technology (IT) and Operational Technology (OT). In many industries we’re finding we can’t ignore that IT/OT dichotomy anymore, because OT is increasingly built on IT-based devices and software. Stuxnet was the poster child – a breach of industrial control equipment by yet-to-be-determined (and probably government-supported) hackers. At one of the facilities where I was CIO, our PACS (imaging) system was compromised when the vendor’s upgrade software was virus-infected. Luckily the radiologist PACS support person caught it.
IT/OT has always been an issue in healthcare. It’s great to see people like Jing (and KP) take a lead in addressing the security of clinical devices that plug into our all-encompassing IT infrastructure.