Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up

Jelena Milosevic says what we're all thinking

By John Leyden


VB2017 A children's nurse told delegates at the Virus Bulletin conference in Madrid on Thursday to get a grip on Internet of Things security.

Jelena Milosevic, who developed an interest in cybersecurity over the last three years, told attendees that the healthcare sector needs to work with infosec experts and manufacturers to sort out the emerging problem of the security risk posed by internet-connected medical kit.

For one thing there is no medical need for such devices to be connected to the net 24/7, she said.

More fundamentally, government regulation is needed to mandate baseline security standards. Milosevic advocated coordinated vulnerability disclosure, a process that would mean security researchers would work with manufacturers to fix issues before going public. IoT vendors have a reputation for being slow to both acknowledge and remediate security problems.

"You can't just buy security, you have to build it," she said.

Milosevic's thinking on this parallels that of infosec luminaries such as Bruce Schneier.

Security and privacy issues have become increasingly important for hospitals. Ageing systems host troves of personal, medical and financial information that the unscrupulous might easily be able to monetise.

Privacy and the protection of computer records is sometimes put on the back-burner, and caring for the devices used in hospitals is an afterthought, meaning computers and other devices are seldom patched and frequently exposed to vulnerabilities, Milosevic argued. Criminal behaviour can go unnoticed for long periods and – without proper security controls – patient records might be manipulated. Security needs to be built from the ground up and supplemented with awareness programmes. Milosevic argued that hospitals need processes and procedures for infosec in much the same way that they need protocols for patient treatment.

Ransomware attacks against hospitals have featured prominently in national news stories on both sides of the Atlantic, with the devastating effect of WannaCry on the operations of many NHS trusts being just the most high-profile example. There's no confirmed loss of life from WannaCry, Milosevic said, but added that the "biggest problems are those we don't yet know about".

Milosevic has worked for various hospitals in the Netherlands since 1995 and before that spent 10 years on the intensive care unit at the University Children's Hospital in Belgrade.

For the last three years Milosevic has been a member of the I Am The Cavalry and Women in Cyber security organisations. ®
