Ben's Book of the Month: Review of "Do No Harm"

Posted by Ben Rothke

In my review of Medical Device Cybersecurity for Engineers and Manufacturers, I wrote that doing medical device security correctly is a massive undertaking and critical for patient safety. That book has since become the de facto reference on the topic.


In Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States (Wiley), author Matthew Webster has written a guide that focuses not on medical devices specifically but on the Internet of Medical Things (IoMT). He defines IoMT as any Internet-connected medical device. Given that definition, the security of IoMT devices is critical.


It is hard to walk a few feet in a modern doctor’s office or hospital without seeing IoMT devices in action. In their report, Medtech and the Internet of Medical Things: How connected medical devices are transforming health care, the Deloitte Centre for Health Solutions writes that medical technology companies manufacture more than 500,000 different types of medical devices, including wearable external medical devices (skin patches, insulin pumps and blood glucose monitors), implanted medical devices (pacemakers and implantable cardioverter-defibrillator devices) and stationary medical devices (home monitoring devices, connected imaging devices and scanning machines). And most patient interactions with the health care system involve the use of medical equipment and devices.


But as IoMT devices are finding more significant usage, it is not always clear that appropriate security controls have been implemented. In this book, Webster lays out all of the security and privacy issues involved with IoMT. While much of the book is an overview of the security issues, he always provides recommendations on what patients and businesses can do to use these devices safely.


From the patients’ and users’ perspectives—given they are often the recipients of these medical devices—there is not a lot they can do. They often have little to no choice regarding implantable medical devices, since the individual is not consulted when device selection is made.


Where the individual has more options is in the use of smartphone-based medical and monitoring applications, and the book provides valuable advice on how not to put your medical information and PII at risk.


The use of IoMT technology is increasing at a quick and, some would say, alarming rate. While the health benefits of these devices are pretty compelling, the security and privacy risks are equally disconcerting. The book provides a comprehensive overview of the topic and much practical advice.


Security has long been behind the curve in general, and significantly so for medical devices. It is hoped that medical device researchers and device manufacturers heed the advice detailed in this informative book.


If nothing else, after reading this book, when an inevitable IoMT breach occurs and makes its way into the news, you will have a really good understanding of why it happened and how it likely could have been avoided had the medical device manufacturers taken security seriously in the first place.

Ben Rothke

Senior Information Security Manager, Tapad

Hackers & Threats

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.