Medical device and control system cyber security

April 12, 2013
I attended the San Francisco Electronic Crimes Task Force Medical Device Security Conference. If they hadn't kept repeating the words "medical device", the conference could have been an electric, water, chemical, mass transit, manufacturing, etc. control system cyber security conference. The issues presented were:
- Culture (engineers not addressing security)
- Legacy vs future devices (old devices are not secure - not clear new devices are)
- Organizational hand-off (silos)
- System of systems (more than just looking at an individual device)
- Lack of reportable incidents (what don't we know)
- Safety was the most important consideration

There was also an acknowledged lack of federal regulatory authority for requiring medical device cyber security. As medical devices are a form of industrial control systems, I made a plea to have the medical device industry work with ISA99 on developing appropriate control system cyber security standards.

As Walt Boyes said after seeing this, the more things change, the more they stay the same.

Joe Weiss