There is no debate among security experts that the security of Internet-enabled medical devices is woefully inadequate.But there is considerable disagreement about how risky that is for patients. Some say the benefits of connected devices far outweigh what they consider minute risks of a catastrophic attack; while others say even a relatively low likelihood of an attack is too much. Life and health are, after all, much more significant than a credit card number being stolen.[Federal regulators address rising security risk to medical devices]And it is clear that medical devices are made with just one kind of security built in \u2013 to function flawlessly, possibly for years at a time, so as not to jeopardize the life or health of the patients they serve.The other kind \u2013 security from malicious online attacks \u2013 not so much.Until recently, that was largely irrelevant. Medical devices weren\u2019t Internet enabled. But that has all changed, with an explosive increase in medical devices connected to the Web plus Electronic Health Records (EHR), driven by incentives in the Affordable Care Act (ACA \u2013 commonly known as Obamacare) to improve health care while controlling costs.And that has led to reports from people like Scott Erven, head of information security at Essentia Health, which operates about 100 clinics, hospitals and pharmacies in Minnesota, North Dakota, Wisconsin and Idaho. Erven recently completed a two-year audit of the chain\u2019s equipment, and said the security problems he found were even worse than he expected.He told\u00a0Wired magazine that many of the devices had, \u201ccommon security holes, including lack of authentication \u2026; weak passwords or default and hardcoded vendor passwords like \u2018admin\u2019 or \u20181234\u2019; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.\u201dHe listed a number of examples of what could happen. Among them: Bluetooth-enabled defibrillators that an attacker could control to deliver random shocks to a patient\u2019s heart or prevent a medically needed shock; or the possibility that an attacker could \u201ctake critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.\u201dThere is also general agreement that there are multiple reasons for those vulnerabilities, starting with both a skill and culture gap. Developers of medical device software are very skilled at making it reliable but not in securing it for use with networked applications.As Carl Wright, general manager of North America for TrapX Security, puts it, \u201cIT is not their core competency. There are a lot of vertical industries where that\u2019s the case. It\u2019s almost like operating in the previous decade.\u201d(Medical device manufacturers) have the best profit margin in the market. So they can take 10% and put it back into security.That gap is not likely to be closed anytime soon. There is an acute shortage in the medical device field of workers who can conduct cyber security assessments of devices.Then there is the culture gap, which Jon Heimerl, senior security strategist at Solutionary, said is seen in resistance to more security. Since the goal has always been to make medical devices, \u201cas easy to set up and connect as possible,\u201d adding security controls, \u201coften goes against the very nature (of medical professionals). Adding security that potentially interferes with device connectivity, and limits medical functionality seems counterintuitive,\u201d he said.[Consumer ignorance drives big jump in medical ID fraud]Gary McGraw, CTO of Cigital, in a post\u00a0for TechTarget co-authored with Chandu Ketkar, noted that, \u201crequiring doctors to log in to a medical device just before starting a medical procedure is a bad idea because they simply won't do it regularly.\u201dThe good news is that very good people are working on it.And many medical professionals don\u2019t even see the need for major concern about security. Ken Hoyme,\u00a0distinguished scientist at Adventium Labs, speaking at the NIST ISPAB discussion, said medical device developers and those who use them in hospitals don\u2019t understand why hackers would want to harm patients. \u201cThe view of hospitals is, \u2018Why would anybody want to do that?\u2019\u201d he said.\u201cTheir view is that if somebody\u2019s out there, they\u2019re trying to get information to sell it, but \u2026 a targeted attack against a patient is outside their thought process. It leads to something I call faith-based mismanagement: \u2018I don\u2019t believe anybody would do that, therefore my likelihood is zero and I don\u2019t need to mitigate it.\u2019\u201dJay Radcliffe, a medical device security expert and Type-One diabetic, thinks the medical professionals are mostly correct. He declared during a round-table discussion\u00a0at the recent Black Hat conference in Las Vegas that the benefits of connected devices are enormous, and the risks are miniscule.He agreed that malicious hacks are technically possible, and could have catastrophic results \u2013 hence the now-famous decision by former vice-president Dick Cheney to have his pacemaker replaced with one that was not connected to the Web. But Radcliffe said, for the average person like himself, it would be much more likely for, \u201can attacker to sneak up behind him and deliver a fatal blow to his head with a baseball bat,\u201d than to be harmed by a cyber attack.So far, he\u2019s correct. The Food and Drug Administration (FDA), which issued a "Safety Communication"\u00a0in June 2013 titled, \u201cCybersecurity for Medical Devices and Hospital Networks,\u201d said in that memo that it, \u201cis not aware of any patient injuries or deaths associated with these (vulnerabilities) nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time.\u201d[Blue Cross: 840,000 healthcare records at risk after laptop theft]FDA press spokeswoman Jennifer Rodriguez said that remains true more than a year later.But Greg Martin, CTO of ThreatStream, said just because something hasn\u2019t happened yet doesn\u2019t mean it won\u2019t. \u201cThese days, hackers span a range of motivations from criminal, activist to potential terrorist,\u201d he said. \u201cThe risk cannot be ignored on a hunch. If the vulnerability exists, it will be exploited in the wild.\u201dIf the vulnerability exists, it will be exploited in the wild.McGraw comes down somewhere in the middle of that debate \u2013 he agrees that the risks are likely very small for those other than possible targets of assassination \u2013 but he said that doesn\u2019t mean security shouldn\u2019t be a primary concern.As connected medical devices proliferate, he said, the risks to average people may increase. The average person has a bank account, he noted, and if malicious hackers could gain control of a person\u2019s pacemaker, they could threaten to do him harm if he didn\u2019t send the money in his account to them.Wright agrees that the trend is toward more danger for even the average patient. With medical devices becoming part of the Internet of Things (IoT), the risks are rising, he said, noting that cyber terrorists are attracted more by ways to harm people than they are to stealing information to make a profit.Solving the security problem by hardening the devices will not be easy, however, since they are expensive, they are made to last for years without being updated, and if manufacturers modify them, they have to seek recertification from the FDA.Wright argued that while it may be expensive to do security modifications, manufacturers can afford it, without passing the increase along to providers or patients. \u201cThey have the best profit margin in the market,\u201d he said. \u201cSo they can take 10% and put it back into security.\u201dKevin McAleavey, cofounder and chief architect of the KNOS Project and a malware expert, said he believes the devices should only be connected to, \u201ca local, private network that doesn't connect outside of that network without at least something in between that can copy and paste any necessary information and then pass it across an air gap."[Can the new HIPAA rule cut PHI breaches?]He also recommended that the devices have very low power, so their signal can't travel more than a few feet. \u201cMost pacemakers are like this and use Bluetooth, so anyone who can access them pretty much has to be in the same room as the patient.\u201dHeimerl said authentication doesn\u2019t need to be time consuming. He said he heard of a hospital that added passwords to all of its terminals and applications, and then gave an RFI badge reader with a built-in profile to each medical staff member.Adding security that potentially interferes with device connectivity, and limits medical functionality seems counterintuitive.\u201cAs the staff approached the workstation, the application would log them on and preload the applications that the person put in their profile. They added great security, and the caregiver was required to enter only a three- or four-letter\/digit PIN to finish the logon process \u2013 so it was simple,\u201d he said.Several experts said they think government needs to play a more explicit role. Heimerl wondered aloud about the FDA Safety Communication. Is it a mandate? Is it a regulatory requirement?\u201dMcGraw said there is progress being made, however. \u201cThe good news is that very good people are working on it,\u201d he said, citing Kevin Fu,\u00a0associate professor at the University of Michigan and director of the Archimedes Center for Medical Device Security, who moderated the recent NIST ISPAB discussion.\u201cManufacturers want to do it,\u201d he added. \u201cWe don\u2019t have to convince them that there are issues.\u201dBut, he agreed that improving device security will be time consuming, costly and will never be perfect.\u201cA lot of people think security is a thing. It\u2019s a property,\u201d he said, and must be designed with expected threats in mind. Deciding on those threats is, \u201ca trade off that every day the manufacturers and patients need to think about. Which one would you pick, and how much would you pay?\u201cThere is no right answer,\u201d he said.