
March 2008 Archives

March 12, 2008

MDI DSS: The Next Regulatory Front?

It's a wonderful thing that a doctor can wirelessly reprogram a pacemaker to deliver better care to a patient. It seems quite odd to me, however, that no one thought to protect that connection with authentication and encryption. That being said, the vulnerability itself is not new.

This paper not only discusses the potential vulnerability of Implantable Cardiac Defibrillators (ICDs), but also presents some very interesting ideas around authentication.

Basically, the problem is as follows: any authentication mechanism consumes power, and these devices are resource constrained (i.e. battery operated), so adding a repeatable activity that can be triggered to burn power amounts to a denial-of-service vector. Now, in the InfoSec world we solve this problem with account lockout policies. You can't, however, have a situation where a doctor is locked out of the pacemaker, I imagine. Instead, you need to prevent the DoS by developing a "zero power authentication" mechanism. They also talk about harvesting entropy from patient movement and vibration, as well as some considerations around notifying the patient of security events. It's not a long paper, and is a pretty interesting read.

The concept of implantable medical devices isn't new, but the extension of interaction with these devices to outside the patient is just beginning. I can imagine the development of a Medical Device Industry Data Security Standard that dictates the requirements for in-patient connectivity. The stakes here are as high as they get.

March 17, 2008

It's not about technology

Sometimes we all need a reminder of the obvious.

This article from InfoWorld reminded me of something I'd learned a while back and recently forgotten: information security is not about technology.

"Ultimately, the most significant point of disconnect between security pros and the business people they work with is the struggle to balance issues of protection and compliance with efforts aimed at growing sales and revenue, which the panelists characterized as a near constant 'tug-of-war.'"

Does this sound familiar? If I can quote a popular Internet meme here: "You're doing it wrong."

This tug of war is what happens when information security and executives fail to understand that they're supposed to be pulling in the same direction: towards revenue. This is actually quite fundamental, but traditionally really hard to manage.

CFO says: "I think in terms of risk -- sometimes that's about dollars and sometimes it's about reputation, but you need to tell me, what's the real risk that could actually hurt the business? It's all about getting the language and communication right."

And this is the crux of the problem. InfoSec needs to assess and articulate risk in terms the organization can understand. It's not our job to protect the company from things it doesn't know about, but to inform the company about risks, possible solutions, and the impact of those solutions. The decision of whether or not to accept a risk should be based on the impact to revenue.

Maybe every information security team needs to hire a communications person, someone who specializes in information presentation, rather than information assimilation. In every InfoSec group, we should be asking ourselves who provides the guidance about how to deliver data to other parts of the organization.

March 31, 2008

But I Egress...

We're often so focused on who is getting into our infrastructure that we forget about who or what might be getting out. It's a natural tendency, of course, given the focus that InfoSec has traditionally had, and given that we still have the problem of people getting in. There's a quote at the end of this article about the Hannaford breach:

"Clearly, there was a pathway back out of the network that Hannaford should have closed,"

How many organizations implicitly trust outbound connections from their own servers? How many organizations inspect the content and patterns of outbound connections? In this case, Hannaford might have seen a correlation between credit cards being processed and a connection out to "an overseas destination," or at least an unexplained outbound connection to that destination on a regular basis.
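As an added illustration of the kind of outbound inspection described above (this is example code written for this post, not anything from Hannaford or from the article), the script below reads constructed connection-log lines from a payment server, flags any non-allowlisted destination it contacts at a steady interval, and counts how many of those connections follow a card-processor connection within a short window. The host names, the allowlist and the 203.0.113.77 destination are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound-connection lines (timestamp host destination port);
# 203.0.113.77 is a documentation address, not a real indicator.
SAMPLE_LOG = """\
2008-02-10T01:00:03 pos-srv-1 10.0.5.20 443
2008-02-10T01:00:09 pos-srv-1 203.0.113.77 443
2008-02-10T01:37:41 pos-srv-1 10.0.9.1 80
2008-02-10T02:00:04 pos-srv-1 10.0.5.20 443
2008-02-10T02:00:10 pos-srv-1 203.0.113.77 443
2008-02-10T03:00:02 pos-srv-1 10.0.5.20 443
2008-02-10T03:00:08 pos-srv-1 203.0.113.77 443
2008-02-10T03:22:55 pos-srv-1 10.0.9.1 80
2008-02-10T04:00:05 pos-srv-1 10.0.5.20 443
2008-02-10T04:00:11 pos-srv-1 203.0.113.77 443
"""

# Hypothetical allowlist: the in-house card processor and the patch server.
KNOWN_DESTS = {"10.0.5.20", "10.0.9.1"}
PROCESSOR = "10.0.5.20"

def parse_log(text):
    """Group connection timestamps by (source host, destination), sorted."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, host, dst, _port = line.split()
        conns[(host, dst)].append(datetime.fromisoformat(ts))
    for times in conns.values():
        times.sort()
    return conns

def find_regular_unexplained(conns, known, min_conns=4, max_jitter=0.1):
    """Flag non-allowlisted destinations a host contacts at a steady interval."""
    findings = []
    for (host, dst), times in conns.items():
        if dst in known or len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"host": host, "dst": dst, "count": len(times), "period_s": round(avg)})
    return findings

def follows_processing(conns, host, dst, processor, window_s=60):
    """Count flagged connections that occur within window_s after a card-processor connection."""
    proc = conns.get((host, processor), [])
    return sum(1 for t in conns[(host, dst)]
               if any(0 <= (t - p).total_seconds() <= window_s for p in proc))
```

On the sample data the hourly connection to 203.0.113.77 is the only finding, and every one of those connections lands a few seconds after a connection to the processor, which is exactly the pattern worth a second look.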

Having just watched Ocean's 11 last night, I'm reminded that overcoming the challenge of getting into the vault is worthless if you can't manage to get out with the cash.

About March 2008

This page contains all entries posted to The Lens in March 2008. They are listed from oldest to newest.
