For years, I’ve ranted about the rebranding of information security to “cybersecurity”. This strategy is nothing more than a means to redirect attention – even create confusion – over what we do so that something shiny, new, and sexy can be sold to those who are buying. It’s bad for what we’re trying to accomplish in this field. We need less confusion rather than more.
Well, here’s a new set of ridiculousness that’s on par with all the “cyber” stuff from the past decade. As if healthcare doesn’t struggle with security enough as it is, it’s now being proposed to create the position of a medical device security officer.
MDSO…Really!?
Why not just treat medical devices like any other IoT system and bring them under the umbrella of existing controls. A CISO can do that. A CIO can do that. An IT Director can do that. A Network Admin can do that…no new position needed! Keep that money for something else – like performing a security assessment to acknowledge where your risks are instead of putting the cart before the horse. Otherwise, creating such a position is just going to lead to a continued splintering of information security and more complexity – something no business needs, especially healthcare providers!
You know what your security challenges are and what risks they pose to the business. The hard part is getting started and seeing things through. A new role is not what’s needed. You also don’t need more documentation and, quite likely, new technologies. What’s needed is discipline. HIPAA spelled it out in the Security Rule back in 2003. The compliance deadline was 2005. Yet, so many are still stuck in the same old rut.
Borrowing from a song from the great band, Black Country Communion, you can’t see the light until you open your eyes… Do the things that you know need to be done with what you already have in place – nothing more and nothing less.