Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up

Jelena Milosevic says what we're all thinking

By John Leyden

Posted in Internet of Things, 5th October 2017 16:35 GMT

VB2017 A children's nurse told delegates at the Virus Bulletin conference in Madrid on Thursday to get a grip on Internet of Things security.

Jelena Milosevic, who developed an interest in cybersecurity over the last three years, told attendees that the healthcare sector needs to work with infosec experts and manufacturers to sort out the emerging problem of the security risk posed by internet-connected medical kit.

For one thing there is no medical need for such devices to be connected to the net 24/7, she said.

More fundamentally, government regulation is needed to mandate baseline security standards. Milosevic advocated coordinated vulnerability disclosure, a process that would mean security researchers would work with manufacturers to fix issues before going public. IoT vendors have a reputation for being slow to both acknowledge and remediate security problems.

"You can't just buy security, you have to build it," she said.

Milosevic's thinking on this parallels that of infosec luminaries such as Bruce Schneier.

Security and privacy issues have become increasingly important for hospitals. Ageing systems host troves of personal, medical and financial information that the unscrupulous might easily be able to monetise.

Privacy and the protection of computer records is sometimes put on the back-burner, and caring for the devices used in hospitals is an afterthought, meaning computers and other devices are seldom patched and frequently exposed to vulnerabilities, Milosevic argued. Criminal behaviour can go unnoticed for long periods and – without proper security controls – patient records might be manipulated. Security needs to be built from the ground up and supplemented with awareness programmes. Milosevic argued that hospitals need processes and procedures for infosec in much the same way that they need protocols for patient treatment.

Ransomware attacks against hospitals have featured prominently in national news stories on both sides of the Atlantic with the devastating effects on the operations of many NHS trusts as a result of WannaCry just the most high-profile example. There's no confirmed loss of life from WannaCry, Milosevic said, but added that the "biggest problems are those we don't yet know about".

Milosevic has worked for various hospitals in the Netherlands since 1995 and before that spent 10 years on the intensive care unit at the University Children's Hospital in Belgrade.

For the last three years Milosevic has been a member of the I Am The Cavalry and Women in Cyber security organisations. ®

Sign up to our NewsletterGet IT in your inbox daily

33 Comments

More from The Register

US Homeland Security breach compromised personal info of 200,000+ staff

DHS 'fesses up 8 months after finding ex-staffer had copy of investigations database

Uber quits GitHub for in-house code after 2016 data breach

Code trove wasn't to blame: Uber didn’t have multifactor authentication on repos that included AWS credentials

Shut the front door: Jewson 'fesses up to data breach

Builder's merchant tells punters their privates might be out in the cold

Customers cheesed off after card details nicked in Pizza Hut data breach

Victims reporting fraudulent transactions

Canuck privacy commissioner to dig into Uber data breach

Formal investigation launched. Not the first, won't be the last

Bazinga! Social network Taringa 'fesses up to data breach

Que pasó?

Rattled toymaker VTech's data breach case exiting legal pram

Motion to dismiss case of 6.4m leaked kids' accounts looks likely to succeed

EU's data protection bods join the party to investigate Uber breach

UK.gov told to sever ties with 'grubby, unethical' company

Equifax mega-breach: Security bod flags header config conflict

Help wanted at Equifax. Badly

The strange case of the data breach that stayed online for a month

Your security is only as good as your partners' ability to fix messes and flush caches