As if the possibility of harm from illness or disease were not enough to worry about, unsecure medical devices designed to help could kill us too.

Last week, Check Point Software Technologies Ltd. posted the results of a study that warned that internet of medical things, or IoMT, devices, such as MRI or X-ray machines and ultrasound monitors, were vulnerable to attack. It’s an area of security weakness that is beginning to receive more scrutiny in the aftermath of major breaches such as the WannaCry ransomware attack in 2017 that caused hospitals in the United Kingdom to cancel medical appointments and delay surgeries.

“The implications of an attack against an MRI machine or an infusion pump could be devastating to an actual person connected to it,” said Russell L. Jones (pictured), partner for cyber risk services at Deloitte Touche Tohmatsu Ltd. “The life-saving, life-extending attributes of these medical technologies and devices far outweighs the risk of cybersecurity. However, we’ve got to be smart about managing that risk.”

Jones spoke with Jeff Frick, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during last week’s RSA Conference in San Francisco. They discussed the impact of medical device vulnerabilities on patients and the importance of maintaining data integrity. (* Disclosure below.)

Risks to patient treatment

The vulnerability of humans tied to IoMT devices doesn’t merely extend to the hardware. There is also risk in the handling of patient data as well.

If hackers gain access to patient data, that information could be altered to adversely affect treatment. That’s why Jones and other security consultants are working to ensure data integrity as well.

“The focus is on integrity and availability, those things together equal patient safety,” Jones said. “The information in there, which is being used by doctors to make decisions about treatment, surgical procedures, and medicines, it’s crucial that the integrity of that information is maintained.”

Managing the cyber risk related to clinical technology has also been complicated by tougher laws governing data privacy. In the European Union, the General Data Protection Regulation provides users with the right to have their personal data erased forever.

“In Europe, if they ask to do that, you have to be able to comply,” Jones said, although the European regulation does provide a “public interest” exception that includes public health or scientific reasons not to remove patient information.

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the RSA Conference. (* Disclosure: Forescout Technologies Inc. sponsors theCUBE’s coverage of the RSA Conference. Neither Forescout nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE