LukaszOlejnik, 8 months ago

Excerpt from the book. The ugly truth that is nonetheless reasonable. Cybersecurity is not healthcare’s or hospital priority. I

mportant, sure. But the priority is the provision of health services. It’s crucial to maintain reasonable, sane expectations.

fuzztech, 8 months ago

@LukaszOlejnik Except the part of the security triad that says "Availability." You can "prioritize" all you like, but if the AED don't work, or if the surgeons can't log in, the centrality of "security" to the primary mission of "provision of health services" is the fuzzy end of that particular lollipop.

LukaszOlejnik, 8 months ago

@fuzztech that is true and reasonable, though so far pen and paper fallback always worked. At least so far. There are safety layers fortunately.

fuzztech, 8 months ago

@LukaszOlejnik I would push gently back on that. Consider this reporting from May by Farah Yousry of Side Effects Public Media about utter chaos at a hospital that refused to pay ransomware criminals (link below):

"Leaders decided to disconnect after the attack, assess, and then rebuild, which meant taking several critical systems offline. That upended normal operations in various departments.

"The emergency department had to divert ambulances with sick patients to other hospitals because the staff couldn't access patient medical records.

"In the obstetrics unit, newborns usually wear security bracelets around their tiny legs to prevent unauthorized adults from moving the infant or leaving the unit with them. When that tracking system went dark, staff members had to physically guard the unit doors."

I think that the centrality of information technology to contemporary healthcare is such that while pencils can fill in a gap of minutes, when it gets to hours, days, or months, loss of IT services (a breach of availability) kills. It also costs one hell of a lot of money more than was previously "saved" by deferring investment into reasonable security.

(https://www.npr.org/sections/health-shots/2023/05/08/1172569347/cyberattacks-on-health-care-are-increasing-inside-one-hospitals-fight-to-recover)

teixi, 8 months ago

@LukaszOlejnik @fuzztech

Mostly reasonable for most operations that could at least minimally work, even with some hightech medical devices operating without connectivity always on...

...nevertheless without planning for such eventualities, then the final resort still remains on retired employees – familiar with the old paper system – volunteering ;)

https://news.microsoft.com/source/features/digital-transformation/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/

LukaszOlejnik, 8 months ago

I’m quite happy with the scenarios-case studies in Philosophy of Cybersecurity. With conceptual details, of course. And obviously only for education purposes.

image/png

viq, 8 months ago

@LukaszOlejnik
To not look far, since I'm attached to one, AndroidAPS / OpenAPS are examples of personal systems that when attacked and subverted can result in death.