Living With Malware: How to Become 'Intrusion-Tolerant'
Security Expert Kevin Fu on Taking a Balanced Approach
As the threat of malware infections, especially those involving ransomware, grows, organizations need to balance their perimeter-based security practices with an "intrusion tolerance" strategy that helps ensure a quick recovery, says medical device cybersecurity expert Kevin Fu.
"You're never going to get rid of the malware; it's just like you're never going to be able to cleanse your body of all viruses and bacteria. Instead you learn to live with it," he says in an interview with Information Security Media Group. "So, hospitals need to switch their mindsets from perimeter-based security ... and complement it with the notion of intrusion tolerance."
The key, Fu says, is to make sure all systems can survive a malware attack. "You want to make sure that if one clinician is accidentally tricked into clicking on a malicious link, that it doesn't bring down the entire ICU [intensive care unit]. That's why intrusion tolerance is hugely important. But you can't get there until you know your risk and you have the appropriate tools in place to measure the effectiveness of those controls."
Securing Medical Devices
Healthcare organizations also must be prepared to deal with potential security issues involving medical devices, says Fu, a specialist in this arena.
Although many medical device makers have begun to more proactively design cybersecurity features into their products, "it's going to take a while for some of that security engineering to make its way into products in the marketplace," he says.
"In the meantime, hospitals will be struggling with devices where security wasn't included as part of the requirement, so they are going to need other compensating controls to manage those risks until they can procure devices that have any hope to be configured to be secure."
To move that process along, healthcare organizations need to apply pressure on their medical device vendors so that these manufacturers realize hospitals want better security as part of their offerings, he says.
"Security is not a product; it's more of a property. Just like you can't buy an ounce of safety, you can't buy an ounce of security to sprinkle onto your clinical systems," he explains.
In the interview, Fu also discusses:
- Steps that hospitals can take to bolster the security of legacy medical devices while they wait for new products built with improved security to reach the marketplace;
- Advice for improving prevention and detection of breaches involving medical devices and other clinical systems.
Fu is associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security. Previously, he served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts, Amherst. Fu also has served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research and Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab. He's also founder, CEO and chief scientist at malware-detection start-up firm Virta Laboratories.