Patching Up: Stakeholder Experiences of Security Updates for Connected Medical Devices

Authors: 

Lorenz Kustosch, Carlos Gañán, Michel van Eeten, and Simon Parkin, TU Delft

Abstract: 

Medical devices become increasingly connected and thus require security measures to ensure patient safety and data protection. However, such connected medical devices are often reported to lack basic security and to run on unpatched and outdated software. Thus, there is an increasing push to deliver security patches faster and more regularly to devices in the field. In this work, we empirically study current practices of patching connected medical devices by conducting 23 semi-structured interviews with participants from nine healthcare delivery organizations (HDOs) and three medical device manufacturers, also capturing data on actual updating practices for 25 specific medical devices. We find that delivering software updates to medical devices is a laborious and costly process for HDOs and manufacturers, as operational demands for medical use and an increasing need for infrastructure management put significant strain on involved stakeholders, thus rendering it questionable if conventional security patching will actually work in the healthcare sector without overwhelming it operationally and financially.
