7 min reading time

I have many thoughts on this.

But I’m not going to write them.

This is your conversation.

Has the Sony breach been mentioned at work?

At the watercooler or in the executive office?

Are you going to shuffle priorities at all? Are you going to spend money on cybersecurity in 2015?

Or is it business as usual for you?

++++++++++

Medical Device Cybersecurity is a major initiative at CDRH/FDA.

See http://medgroup.biz/CDRH-security and we invited FDA to cover this topic at the 10x Medical Device Conference in May.

++++++++++

Make it a great week.

Joe Hage
Medical Devices Group Leader

P.S. If Sony hasn’t scared you, this book certainly will: http://medgroup.biz/Future-Crimes

---

Denise Skidmore
Software Engineer at BioTel Research (Cardiocore & VirtualScopics)
Apparently there’s an author paying attention to our discussion: [http://www.qmed.com/mpmn/gallery/image/medtech-gets-serious-about-cybersecurity|leo://plh/http%3A*3*3www%2Eqmed%2Ecom*3mpmn*3gallery*3image*3medtech-gets-serious-about-cybersecurity/kTTq?_t=tracking_disc]

James (Jim) Dent
Manufacturing Validation Enginee at DePuy Synthes Companies
Johnny: in performing the risk analysis, did your company and/or your carrier analyze the risk of existing disgruntled employees hacking into the company’s confidential, private, or intellectual property data/information, including personal information, even email and phone number lists; or even deleting or altering existing data – before leaving the company?

Johnny Ross
CEO
We have performed all of the risk analysis that we know of and have even asked our carrier to assist us. We are always vulnerable and to think otherwise is naïve. I think about this daily, even though we are a start up. I did not see mention of it previously, but always make sure your cyber security policy is up to date.

Burrell (Bo) Clawson
I research patents & design products to get a patented competitive position: Over 30 patents.
Mr. Dent, you provide even more reason for companies to have independent security penetration and monitoring experts on your team: absolutely 100% needed.

James (Jim) Dent
Manufacturing Validation Enginee at DePuy Synthes Companies
Being that now the news is reporting that a private cybertechnology firm (hired by Sony) claims it was not N. Korea that hacked Sony, but a former employee who hacked Sony routing the hack thru a N. Korea ISP address – I believe we all need to wait and see what really happened.

There are even rumors this week (in the news) that it may have been an inside Sony publicity stunt (rumor only), to boost ticket sales based on the recent announcements by the movie awards agencies that all terrorist, sniper, and war-type movies were recently shunned in the recent movie awards.

Burrell (Bo) Clawson
I research patents & design products to get a patented competitive position: Over 30 patents.
Dave, I agree and want to add something to the “basic “why” training.”

For any medical company with proprietary products today, I think a high level security coding consultant or in house security employees who know and follow security issues at the code level must be a part of the company team. These people inhabit a different world than application coders and you can’t be good at both.

Dave Saunders
CTO | Surgical Robotics | Startups | Technology Integrated Medical Devices
As I consider this further, I think it’s important to develop a security plan for the general IT infrastructure as well as any embedded systems used by the medical devices. Both should be developed independently and then reviewed by an overlapping workgroup. The reason for this is to prevent the myopic thinking of one group developing two plans and to prevent the sort of poor/insular coordination that led to the Mars Climate Orbiter crash.

Additionally, any IT security training for the staff should always include some basic “why” training in addition to the training of the mechanics of how to follow the policies.

Narayanachar Murali
MD, FACP, FACG at WWW.DRMURALI.COM
[http://www.cnet.com/news/sony-to-release-interview/?tag=nl.e498&s_cid=e498&ttag=e498&ftag=CADf0e22bf|leo://plh/http%3A*3*3www%2Ecnet%2Ecom*3news*3sony-to-release-interview*3%3Ftag%3Dnl%2Ee498%26s_cid%3De498%26ttag%3De498%26ftag%3DCADf0e22bf/dEXX?_t=tracking_disc]

Bogdan Baudis
Prinicipal Software Engineer at Cambridge Consultants
@Burrel
“I am not a coder, but I have always wondered why a corporate network allows anyone who has admin access to copy a whole database, without a secondary “launch” approval from a 2nd person”

You must have missed that in the new brave world of Linux and Windows it is state-of-the-art to manage permissions by groups and simple inheritance and the only thing than “old” IT does is juts gunks up the business flow!

Old dinos who saw at least a little of the old mainframe system management know that the problem IS solvable. But it requires an effort and as we already have established: IT is just eating into profits… it is only going to be more interesting when even more managers will start bypassing IT and ordering on their own the new spanking clouds which are advertised to enable getting rid of old that musty IT junk. After all there is nothing better than outsourcing the problems, is there not?

Narayanachar Murali
MD, FACP, FACG at WWW.DRMURALI.COM
Mr Curt…read that link…Hats off to lawyers! My job as a physician doing medical Diagnosis and complex procedures seems like peanuts! How do you guys get your head around all those things you tell us should be done…or do you ! :-))
This sentence of yours terrifies me ” Corporations want to have records handy to enable quick sacrifice of selected employees and a “mea culpa” to the regulatory agency (equivalent to a district attorney) and move on.”
When I read that stuff you have referenced and think of administrators, It reminds me of that harrowing images from movie Schindler’s list …of the alcoholic cirrhotic Nazi guard who shoots a few people after early morning breakfast and takes a pee through the window to celebrate a job well done!
If employees are not happy or repeatedly treated unfairly, they can bring down an organization with so little effort.
I always educate people not to challenge others to test them or their defenses, especially challenging hackers to prove their worth or worse accusing them of things they might not have done.

Curt Harrington PATENTAX.COM
State Bar Certified Tax Specialist & Chemical & Electrical Engineering Patent Practitioner
Mr. Murali, you bring up the company fraud investigation (referred to in [http://patentax.com/library/LOSPRIV5.pdf|leo://plh/http%3A*3*3patentax%2Ecom*3library*3LOSPRIV5%2Epdf/knEX?_t=tracking_disc] ) in which corporations perform investigations into wrongdoing. As most commentators note, the purpose of these types of investigations is to toss employees to the wolves, to bow down to regulators, and allow the organization to get by with as little loss as possible. In both tax and corporate fraud, the individuals “turned over” for prosecution may face 10 years imprisonment, a life-crushing restitution assessment, fines, and family destruction. But this really identifies the conflict. Corporations want to have records handy to enable quick sacrifice of selected employees and a “mea culpa” to the regulatory agency (equivalent to a district attorney) and move on. Since my focus is primarily on benefiting the individual, I opt for the more-isolated protection.

Joe Hage
🔥 Find me at MedicalDevicesGroup.net 🔥
A 28-minute podcast from Knowledge @ Wharton on this topic.
[http://knowledge.wharton.upenn.edu/article/lessons-from-the-sony-hack/|leo://plh/http%3A*3*3knowledge%2Ewharton%2Eupenn%2Eedu*3article*3lessons-from-the-sony-hack*3/0VAz?_t=tracking_disc]

Narayanachar Murali
MD, FACP, FACG at WWW.DRMURALI.COM
Mr. Curt Harrington.. While I agree that the safer way is to disconnect and encrypt local drive, create self destructing drives …from an accountability angle creating an e.mail trail of communications is vital in fraud prevention and fraud investigation. In medical field lot of meetings actually ought to be done through E.mail and trails recorded so that fraud investigation is easier. This should apply to hospital committees to pharma-insurance company-Hospital-physician interactions.
Looks like Sony officials had too much time on their creative hands and were using the email like school kids use snapchat…to trash one another.
What makes me suspicious about their story is the degree and depth of invasion in such a short time ( less than a year) is hard to pull off without local help. More than Lil’ Kim …the “Un” inside their fold must be giving the bosses sleepless nights. Remember, previously their PS4 system was totally laid bare and “hackers” even got into the firmware.

Burrell (Bo) Clawson
I research patents & design products to get a patented competitive position: Over 30 patents.
Joe, how about a corporate policy that addresses, the core issues.

I am not a coder, but I have always wondered why a corporate network allows anyone who has admin access to copy a whole database, without a secondary “launch” approval from a 2nd person. If your whole livelyhood is dependent on one Oracle, IBM or FileMakerPro database, then why should it not be like the ICBM missile silos where it takes 2 people to execute life threatening operations.

Compartmentalized, 2 factor user access on company computers for business use only with real time network monitoring overseen by competently trained IT people/consultants, disconnected/isolated networks for critical items, mandatory user education and triple sets of both timed backups and clones of all computer partitions for fast recovery with the mandatory off site physical storage of hard drives.

Denise Skidmore
Software Engineer at BioTel Research (Cardiocore & VirtualScopics)
Absolutely not what I’m saying. Yes it is a huge problem, and there will always be holes, but we need to plug as many of them as we can. There’s a difference between a bucket with a pinhole in it and a sieve.

Joe Hage
🔥 Find me at MedicalDevicesGroup.net 🔥
I’m interpreting some of your notes to say, “There are too many things that can go wrong. It’s impossible to protect against since any one human in our organization can undermine it.”

And I think the underlying message is, “No, it’s too big a problem and it’s unlikely to hit us. A cost-benefit analysis says take no action, which is our unspoken plan.”

Am I hearing you correctly?

Arundhati Parmar
VP and Editor-in-Chief, MedCity News
Very timely post Joe. In fact you sent this email and brought up Sony just as I wrote this for our website MD+DI –

[http://www.mddionline.com/blog/devicetalk/when-smart-may-also-mean-vulnerable-12-23-14|leo://plh/http%3A*3*3www%2Emddionline%2Ecom*3blog*3devicetalk*3when-smart-may-also-mean-vulnerable-12-23-14/xCLC?_t=tracking_disc]

We are moving towards an unprecedented and amazing smart future but then means that the industry has to think of cybersecurity more than it ever has.

Curt Harrington PATENTAX.COM
State Bar Certified Tax Specialist & Chemical & Electrical Engineering Patent Practitioner
As an M.S.E.E., M.S.Ch.E., chemistry, MBA, JD, LL.M.-Tax, high tech patent and tax attorney I have maintained one computer with no internet access upon which I keep my most confidential files. Most people don’t realize that “the cloud” files can be handed over with just one summons (a higher threshold judges signature on a search warrant is not necessarily needed). I also have warnings about sending materials over the web, and prefer that sensitive information be provided to me in person. Follow @PATENTAX on twitter

Burrell (Bo) Clawson
I research patents & design products to get a patented competitive position: Over 30 patents.
Denise noted; “one rogue user can do a lot of damage if given too many keys.”

I would modify that and say that in small businesses, one untrained user can lose their entire customer DB with just one key that is lost.

I watched a person in a very successful business with extremely high end clients do an admin access to allow a sales person access to a function in front of 4 other people. It was easy to watch her 6 character PW entry.

There are competitors in the same field who would love to steal that PW. But, they would probably be more likely to PAY FOR IT.

Denise Skidmore
Software Engineer at BioTel Research (Cardiocore & VirtualScopics)
There is no security system in the world that can withstand the guy with all the keys opening all the doors. That’s why one of the major aspects of security is limiting the number of things accessed by each key, and the number of keys handed out. It’s very frustrating as a user to have to ask for a key for each task on my to-do list, but the larger the group the larger the risk that one rogue user can do a lot of damage if given too many keys.