The Troublemaker CISO: How Much Profit Equals One Life?
Security Director Ian Keller Rants About Hospital Networks Being Internet-Connected
Hold the press - and your coffee and doughnut.
I was due to write a follow-up to my previous rant on getting the organizational basics right, but this is more important.
Are Hospitals Soft Targets or Sacred Ground?
If you follow me on LinkedIn, you would have seen a post I made about the stupidity of attaching hospital networks - and in particular the patient care side, the bits that monitor your vitals and medication - to the "worldwide hack."
Yes, I think it's stupid and adds zero value, and it's up to you to convince me otherwise.
I have two questions for those who advocate having these networks connected to the net:
- What value do you get by having your patient care networks attached to the web?
- Is it due to the cost or complexity of configuring or managing the network, or do you have another value proposition for it?
Personally I don't care if you choose to have your pacemaker or your CPAP machine or whatever online, but I do have a problem with putting patient care and life-sustaining networks online. Have you not been seeing what is happening worldwide? Hospitals and critical networks are being targeted because of their classification. Let's face it: You will pay to make sure it remains online and viable, which makes it a great example of a soft target.
So given this knowledge, explain to me why the ICU and high-care wards and the systems that drive them must be connected to the internet, because it baffles my tiny mind that they are.
The media has been going nuts over the last few years about ransomware - to which hospitals are not immune, as much as I wish they were.
In my mind, patient care and life-sustaining networks should be the Holy Grail of networks - sacred ground that no one with bad intent should be allowed to touch - much like how vampires cannot go onto consecrated grounds for fear of bursting into flame. Sadly, this is not a work of fiction and there is nothing off-limits to those with nefarious intent. So the burden lies on us to keep them out, and yet we keep them connected.
Given what I know about the world and how business is run, it is all about profit and how one can squeeze out another percentage point for the investors.
Social Responsibility and Moral Obligation
How much profit equals one life?
There is no shaving off another few cents just to increase value to shareholders over the life of a person. Lucky for me, there is a shift in the boardrooms and governing bodies to see how socially responsible you are and whether you are acting in the best interest of the people and not just the investors.
If the members of the board and governing body are considering these topics when steering a business, isn't it time to take another look at how and why we do things? Are we as CISOs not accountable to leadership to impress on them the risk that IoT and internet connectivity pose to critical networks - and especially to healthcare?
It is time to be firm in expressing the risk and saying we would rather spend a bit more money and time and do it the safe way. And this should be listed as the top risk in the company.
The other big issue I have with this type of network being connected is one of transparency.
Doctors have a moral obligation to disclose to patients the risks associated with doing a procedure - any complications that might ensue as a result and your chances of dying on the table. This gives you the ability to gauge the risk and then accept or reject the procedure.
But what about the systems? It's all good and well that we do our due diligence on the doctor and get to understand the procedural risk, but now it's time to understand the other risks.
I for one would not want to go for a serious procedure in a hospital where the patient care network is accessible from the internet. I don’t want my oxygen cut off because the system is locked out or one of the connected systems gets compromised.
Add to this little conundrum every other critical network - and the fact that you have zero knowledge of how secure things are. We take for granted that those who are charged with protecting us are doing so with our best interest at heart.
Now tell me again why hospital networks are internet-accessible.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Ian Keller, director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force's Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.