What Is Good Security?
It is fascinating to read about the challenges facing places such as St. Jude’s when, from a technical security perspective, there is really nothing criminally negligent about St. Jude’s approach. For those unaware, the core of the problem is that St. Jude was placing wireless pacemakers and ICD devices in patients, and those devices had a known hack going back to 2012. In 2014 Dick Cheney made a stink when he got his removed but, in almost 5 years, nobody has acted upon what turns out to be a really hard hack to pull off.
For St. Jude – whose stock price dropped 10% and which is now facing a massive cybersecurity/HIPAA review by the FDA and Homeland – the damage was done the second they said “sure there is an exploit, no we have no countermeasures in place but, really, nobody has hacked these devices…yet”.
At the same time, some of the award-winning mHealth products are, from a highly technical perspective, really simple systems with not a lot going on under the covers. These facts do not preclude the usefulness of these devices; they simply point, once again, to an emerging premise.
Technology is just not that important.
For mHealth, within this context, does this mean that the dumbest system that meets the bottom-line measure wins? Obviously, at Bear, we hope that is not the case, but it seems that the appearance of security is as, or more, important than actually having protection in place. This would readily explain all of those IoT “security” vendors that just provide encryption – never mind the fact that no exploit in IoT has EVER cracked encryption as part of its attack success.
If the truth is that the technical perspective is just too complicated, then how does one sell an evolutionary security product? Do we tout how we are invisible and cause no business disruptions in response to a new attack? Maybe nobody cares. Do we focus on our ability to extend to medical devices – even those in the home? Or is that too techy?
It is an intriguing problem to contemplate, and it has major ramifications not just for Bear but for security efforts in general. If true security is just too complex for the average person to want to deal with, then how can truly effective products ever succeed in this space?
What do you think?