Medical Device Cybersecurity for Engineers and Manufacturers (2020) Book reviewed by Ben Rothke

Bottom Line Statement

I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.


Review 

A voodoo doll plays a role in the rock crusher fight scene in the classic movie Indiana Jones and the Temple of Doom. In this scene, Indiana Jones is fighting a guard on a conveyor belt that feeds into a rock crusher, and if Jones does not get off the belt quickly, he will be crushed to death.

But every time Jones gains the upper hand, he is paralyzed by a voodoo doll held by Zalim Singh. Only when Singh is defeated and the pin is pulled from the back of the doll does Indiana Jones emerge victorious.

For those who have not seen the movie: a voodoo doll is an effigy into which pins are inserted, with the intent that the person it represents, however far away, suffers the effect of each pin.

Attacking someone from afar used to be pure fantasy. With the advent of connected implantable medical devices, it is no longer science fiction that one can attack (and also heal) a person on the other side of the world.

I have been a big fan of the book Medical Device Cybersecurity for Engineers and Manufacturers (Artech House) by Axel Wirth, Christopher Gates, and Jason Smith since it was published. I even named it The Best Information Security Book of 2020. With that, it is undoubtedly a candidate for the Cybersecurity Canon.

In September 2020, it was reported that a patient in Germany died after ransomware disrupted emergency care at a hospital. After an investigation, it was determined that the patient was in such poor health that she would have died anyway, and that the ransomware attack was therefore not ultimately responsible for her death.

While ransomware did not kill the patient in this case, the incident highlights how much depends on the security of hospitals and medical devices.

In Medical Device Cybersecurity for Engineers and Manufacturers, the authors have written an essential information security reference. With connected medical devices now ubiquitous, it is far from guaranteed that any given device was designed securely, or that its designers and manufacturers subjected it to adequate security design analysis and testing before release.

For anyone who works with medical devices, is involved in any capacity in medical device product development, or simply cares about what might go into their body or the body of a loved one, this is a must-read book.

T.J. Hooper was a precedent-setting tort case decided in 1932. Two tugboats, one of which was the T.J. Hooper, were towing barges when a storm struck; the barges sank and their cargoes were lost. The owners of the cargo sued the barge owners, who in turn sued the tugboat owners, claiming that the tug operators were negligent because they had failed to equip their tugs with radios that would have warned them of the bad weather.

The tugboat companies defended on the basis of prevailing industry practice: because no other tugboat operators in the area were using radios, they argued, going without them was the standard of care for the industry. Judge Learned Hand nonetheless found the tugboat companies liable, because they had not used readily available technology, the radio receiver, to listen for broadcast weather reports, even though doing so was not yet standard practice in the industry.

Hand astutely observed that "in most cases, reasonable prudence is, in fact, common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices. Courts must, in the end, say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission."

The T.J. Hooper is a clarion call for implantable medical device makers: "nobody else in the industry does it" is no defense for omitting a readily available safeguard. Adequate security controls must be built into these devices, and thoroughly tested, before the devices make their way into a person.

I would imagine that when a T.J. Hooper-like case comes to the courts, the plaintiff's lawyer will certainly invoke Medical Device Cybersecurity for Engineers and Manufacturers and want to know whether the staff of the implantable medical device manufacturer were conversant with the book's topics.

The future is now, and implantable medical devices are no longer science fiction. The notion that we are all connected is no longer an advertising tagline but a technological reality. When it comes to implantable medical devices, both doctors and hackers can connect to them. This book shows how to keep one of those parties out.