Don’t Confuse Threat with Risk

Over the past few days, much has been written in the DOC about Medical Devices Susceptible to Hackers (read Kerri’s interview with Jay Radcliffe, and Kelly has one of the great posts, with a list of links to other great posts about it as well. Oh, and don’t miss the list over at Trials & Tribulations of Being a Type 1 Diabetic).

Various media outlets had sensationalized headlines such as the one mentioned above.  But if you read closely, you’ll notice something.  Radcliffe had the knowledge, skills and inside information (such as the pump serial number).  It took all three components to make the hack even possible.

In the computer industry, which the Black Hat Digital Security Conference deals with, vulnerabilities such as these are often presented in the exact manner that Mr. Radcliffe presented his: designed to get attention so the vulnerability will, hopefully, get enough of a spotlight put on it that the manufacturers will address the problem. I really have no issue with how he presented the information; as a matter of fact, similar vulnerabilities have been found in pacemakers, presented at this exact conference in 2008. As far as I can tell, there has not been a single reported case of this actually happening.

So here is my take.  Please take a moment as you read it to consider what I mean about threat being a different thing from risk.

The threat is real, it is reproducible and has been demonstrated.

The risk of this threat actually affecting any random individual is, for all intents and purposes, non-existent.

And that’s all I got to say about that.

©2011 Scott Strange, Strangely Diabetic and