FUD 101: How not to report healthcare cybersecurity issues

A journalist asked me to review a report from Forescout about healthcare security, as they were suspicious of its headlines.

Here are the headlines, which got my spidey senses tingling:

“The server (SMB) protocol is left open in 85% of connected devices in healthcare organisations, giving bad actors an easy and unprotected entry point into their networks”

This is misleading. The report does not say that those 85% have poorly configured SMB, only that they expose an SMB service. It says nothing about whether that is the outdated SMBv1 dialect or whether anonymous (null session) login is permitted; it is just ‘SMB’. A device listening on port 445 is not, on its own, an unprotected entry point.
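The distinction is cheap to measure, and a survey that wanted to support the headline could have done so. The script below is an added example, not code from this post or from the Forescout report. It sends a single SMB1 (CIFS) NEGOTIATE offering only SMB1 dialects: a server that picks one of them is confirming that SMBv1 is enabled, whereas a server with SMBv1 disabled either accepts no dialect or closes the socket. The wire constants are those of the SMB1 NEGOTIATE request and response; the three sample replies at the bottom are constructed for offline use, not captured from a device, and probe_smb1() is the only part that touches a network. Anonymous login is a separate check (a SESSION_SETUP_ANDX with empty credentials after the negotiate) and is not attempted here.

```python
import socket
import struct

# SMB1 dialects the probe offers, deliberately without "SMB 2.002" or "SMB 2.???",
# so a server that selects any of them is proving that SMBv1 is switched on.
# The index into this list is what the server's DialectIndex refers to.
SMB1_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]

SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER = "<4sBIBHH8sHHHHH"  # 32-byte SMB1 header, little-endian


def build_smb1_negotiate(dialects=SMB1_DIALECTS):
    """Return a NetBIOS-session-framed SMB1 SMB_COM_NEGOTIATE request."""
    header = struct.pack(
        SMB1_HEADER,
        b"\xffSMB",         # protocol identifier
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status
        0x18,               # flags: canonical, case-insensitive pathnames
        0xC853,             # flags2: unicode, NT status, extended security, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # reserved
        0,                  # TID
        0xFFFE,             # PIDLow
        0,                  # UID
        0,                  # MID
    )
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes  # WordCount, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message


def classify_negotiate_response(raw, dialects=SMB1_DIALECTS):
    """Classify the bytes a server sent back to build_smb1_negotiate().

    Returns (verdict, detail), where verdict is one of:
      'smb1-enabled'  server selected one of our SMB1 dialects (detail = its name)
      'smb1-refused'  server replied but accepted no dialect or returned an error
      'closed'        nothing came back (typical of a host with SMBv1 disabled)
      'smb2'          server answered with SMB2 (not expected for an SMB1-only offer)
      'not-smb'       something other than SMB is on the port
    """
    if not raw:
        return "closed", None
    if len(raw) < 4 + 32:
        return "not-smb", None
    smb = raw[4:]  # strip the 4-byte NetBIOS session header
    if smb[:4] == b"\xfeSMB":
        return "smb2", None
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        return "not-smb", None
    status = struct.unpack_from("<I", smb, 5)[0]
    if status != 0:
        return "smb1-refused", "NT status 0x%08x" % status
    if len(smb) < 32 + 3:
        return "not-smb", None
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if word_count == 0 or dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return "smb1-refused", "DialectIndex 0x%04x" % dialect_index
    return "smb1-enabled", dialects[dialect_index].decode()


def probe_smb1(host, port=445, timeout=5.0):
    """Send the SMB1-only NEGOTIATE to a live host and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        try:
            raw = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            raw = b""
    return classify_negotiate_response(raw)


def make_sample_response(dialect_index, word_count=17):
    """Constructed server NEGOTIATE response for offline testing (not a real capture)."""
    header = struct.pack(SMB1_HEADER, b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x98, 0xC853,
                         0, b"\x00" * 8, 0, 0, 0xFFFE, 0, 0)
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * (word_count - 1))
    body = bytes([word_count]) + words + struct.pack("<H", 0)  # ByteCount = 0
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed samples: a device still speaking NT LM 0.12, one that accepts no
# SMB1 dialect, and one that simply closed the connection.
SAMPLE_SMB1_ON = make_sample_response(2)
SAMPLE_SMB1_OFF = make_sample_response(0xFFFF, word_count=1)
SAMPLE_CLOSED = b""

if __name__ == "__main__":
    for label, sample in (("SMB1 on", SAMPLE_SMB1_ON), ("SMB1 off", SAMPLE_SMB1_OFF),
                          ("closed", SAMPLE_CLOSED)):
        print(label, classify_negotiate_response(sample))
```

Run against a real host with probe_smb1("192.0.2.10") (an address from the documentation range, used here as a placeholder). Only the 'smb1-enabled' verdict supports the "easy and unprotected entry point" claim; 'smb1-refused' and 'closed' describe a device that merely offers SMB, which is all the report's 85% figure tells you.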

“The large majority of connected medical devices are patient tracking/identification systems (38%) and infusion pumps (32%) – giving bad actors the ability to manipulate the administration of drugs, with potential lethal outcomes”

This misdirects readers: it implies that all tracking/identification systems and infusion pumps are vulnerable. That’s not the case. Some are vulnerable, but the report gives no figures on how many, or which. It just creates fear in readers.

“Financially, the average cost of a security breach in healthcare is $7.3 million”

I have no problem with the above statistic.

“Legacy Windows operating systems are still a major vulnerability, with 71% of devices running unsupported Windows OS by January 14, 2020”

More misdirection – yes, Windows 7 goes end of life in January. But that’s 8 months away. Many healthcare organisations will be in the middle of upgrades, so to call them out now is misleading and scaremongering.

That statistic would be useful and interesting in February next year, but not now! The report itself shows that only 0.4% of devices are running operating systems that are unsupported today, e.g. XP.

That’s actually GOOD news.

This report is unhelpful, spreading fear, uncertainty and doubt in an effort to gain coverage.

To the report authors I say this: you found some interesting and useful information that had value to the industry, then let your marketing and PR department spoil it in the quest for coverage.

Guess what, the journalist decided not to run the story as they didn’t have time to pick apart the facts from the FUD.

Pen Test Partners