Matthew Webster - Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States

1. Chapter 6
2. Chapter 14

1. Chapter 1
2. Chapter 2
3. Chapter 3
4. Chapter 5
5. Chapter 6
6. Chapter 7
7. Chapter 8
8. Chapter 10

Matthew Webster

Copyright 2021 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

ISBN: 978-1-119-79402-8

ISBN: 978-1-119-79404-2 (ebk)

ISBN: 978-1-119-79403-5 (ebk)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021938272

Trademarks: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover image: Getty Images/LeoWolfert

Cover design: Wiley/Michael E. Trent

To Katherine

Matthew Webster is the Chief Information Security Officer at Galway Holdings. He has more than 25 years of experience in IT and cybersecurityincluding multiple cybersecurity officer positions. Matthew clearly has a passion for cybersecurity, which is evidenced by the fact he has earned more than 20 IT and cybersecurity certifications including the coveted Certified Information Systems Security Professional (CISSP).

Matthew has worked in and around many companies throughout the northeast in a variety of capacities, and he has built many cybersecurity programs from the ground up. As a skilled professional, Matthew has spoken in a range of contexts, including in person and at online events.

If there is one adage that best describes writing a book of this nature it is that Rome was not built in a day. I could not begin to thank each person who helped me lay the foundation for this book. The hundreds if not thousands of conversations around cybersecurity and leadership have influenced my thinking in both large and small ways.

Many of the people are probably completely unaware of how they have helped me over the years. I have learned from others at numerous conferences and webinars and from cybersecurity tool vendors. Each technology, each person, has helped to provide me with greater background and knowledge in order to gain a better context and understanding.

In terms of writing this book I would like to thank Peter Gregory, a very experienced author, who introduced me to Carole Jelen, the vice president of Waterside Productions, who helped to mentor me through the ABCs of writing a book of this magnitude. Without their help, I never would have had the opportunity to write such a book.

I also want to thank both Wiley and my editors who have been very patient making corrections, asking questions, and making recommendations throughout the whole process. Their patience and understanding has been greatly appreciated.

Finally, I want to thank my lovely wife, Sumiko, who has been extremely patient with me as I spent an enormous number of hours writing this book. Without her patience this would have been a much more difficult endeavor.

Matthew Webster

This is a book specifically focused on the cybersecurity of internet-connected medical devices written by a cybersecurity professional for the general public. It looks at the problem from a broad spectrum of angles, from education, technical, the legal landscape, the threat landscape, through the very management of these devices. It covers why the devices are made the way they are and why not enough attention has been placed on their security. It then goes into possible solutions and directions that we as members of a global society need to take in the wake of a powerful technology like the internet.

This book does not focus on the specific medical challenges from a medical perspective related to internet-connected medical devices. There are already a number of books that talk about the medical challenges related to various types of implants. This was a conscious choice not to focus on challenges that I am simply not qualified to talk about nor provide interesting insights about.

Where I can provide interesting insights is in the realm of cybersecurity, where I have a great deal of experiencean area that I have been involved in and have loved for many years. Through that experience, I hope to show you a bit behind the scenes of what it takes to truly protect those devicessometimes from a technical angle. I have striven to make these technical concepts more accessible to the average reader so almost everyone can enjoy this book.

It has been very challenging to determine the right amount of content to reach every reader. Each topic in this book can easily be a book unto itself. The book could have been a thousand pages, but it would not have succinctly driven home the important points. Readers within many of the professions could point out obvious shortcomings, which would have taken chapters to explore. In the end, cybersecurity is a complex topic, and I tried to strike the right balance in choosing what to discuss.