
To be a dash risk managementy about it;

(Risk of being hacked) x (severity of being hacked) << (Risk of software not delivered) x (severity of not delivered).

(Risk of being hacked): Small.

(Severity of being hacked): Very negative, but localised most likely to a single machine, set of machines, or hospital.

(Risk of Software not Delivered): Pretty high if we go super-security. We are on a budget. There is competition. Who is paying for it?

(Severity of not delivered): Failure to cure at every hospital for every machine.

So, yes, there is a cost, but the benefit of ignoring security, for some sets of numbers on the above, could conceivably exceed it.




Whilst true, I can, with 100% certainty, state that no-one in the medical profession, or the procurement people in the hospitals, ever did that calculation.

NICE (the UK's no-you-cant-spend-ten-million-of-taxpayers-money-per-patient-on-a-drug-to-extend-their-life-by-six-weeks agency which gets it in the neck for such things) might be able to take on such a calculation - but I bet you anything even if they did that calculation every machine maker would treble their security departments anyway.

This is only possible because there was no pressure to deploy secure systems. Now there is, and after the first death from a hacked pacemaker, the outcry will be heard from the moon.


>after the first death from a hacked pacemaker, the outcry will be heard from the moon //

Isn't the problem that there will always be a way to kill people, even remotely without touching them (sniper, poison mail, gas bomb, massive microwave in a van that you park next to them, ...). You perhaps don't want to make it easy but it's also not necessarily sensible to waste money on an arms race that you'll never win.

Similarly we don't have enclosed station platforms (in the UK) despite people having been pushed in front of trains in the past.


I had not thought of the rise of microwave terrorism (perhaps with the skin-burning crowd disperser (citation not found) it's already on us).

But my basic tenet is that we / society has an acceptable balance of risk and benefit. Maybe not a rational one but one that is understood by most people. For cars it's pretty high on the risk tolerance. For medical drugs it's really low. For computer hacking it's low too - cf Aaron Swartz. I would say that medical devices combine low risk tolerance of drugs and low risk tolerance of hacking - making the spectre of hacked implanted devices front page news.

I expect it will be pretty simple to defeat however - only allow networking of a device over near field radio (RFID style). That way there is no remote access in a body, and do a similar thing for any robots or monitors - the only way to connect a surgical robot to the Internet is with a doctor's own personal RFID - TCP/IP convertor, that he takes away with him or is counted back into stores next to the nurses. Massively dropping the risk ratio with a few simple rules.

We can do this - we just need to be sensible about it.

PS: Westminster and Canary Wharf do have enclosed tube platforms so people cannot jump / be pushed. Because we cannot have bankers or politicians delayed by poverty stricken depressives ...


The risk is exactly that you can't tell it was hacked. Then the manufacturer might end up being liable.


The difference being that it's tough to kill people at scale and covertly with a rifle or even poison mail. Exploiting a bug in networked pacemakers could give you the means to kill an entire userbase.

For the train comparison, it's the difference between pushing a guy on the rails and derailing a train remotely by accelerating it remotely through a curve and disabling the manual controls.

What's the value to the user of a networked pacemaker? Maybe a lower price? There would be better ways for it to 'speak' to a network to collect data, I should think.


> What's the value to the user of a networked pacemaker? Maybe a lower price?

Fewer surgeries to get to the physical device and change settings. Therefore, longer life expectancy.

This bug might be a feature.


That is just an (excellent) argument for medical devices to have some kind of connectivity to the outside world, but not for having the actual device ever connected to the Internet.

Strict air gaps would be desirable.


Excellent point.


The difference is that snipers et al require targeted effort. Hacking hospital equipment allows for mass destruction.


They don't need to do the calculation because their intuition already leads them to the right decision. This is just economics. What is the payoff for the evildoer hacking a pacemaker? Oh right, he's a contract killer? Too many movies for you. It's just more profitable to replace the payment processing app with your own payment skimming app at some big store.


Re intuition, there are several statistically observable anomalies in human decision-making.

http://www.investopedia.com/university/behavioral_finance/

(note the article is in several sections)


I believe the point of exercises like this is to show that the risk of being hacked is higher than was previously thought. The easier it is to do, the more likely an attacker will pull it off when they attempt it, and for someone whose goal is to wreak havoc rather than defeat an interestingly difficult system, the more likely an attacker will make the attempt in the first place.

Certainly it could be the case that the benefit exceeds the risk, but if such calculations were made, they may need to be reevaluated.


What are the chances that someone would actually do the hacking? I don't see any monetary reason to do so. Maybe that's one reason why we haven't seen many reports of people hacking medical devices?


It could be done as a murder for hire, or as a terrorist event. It's possible some hackers would do it 'for the lulz' or maybe they just want to test out a hack and accidentally go too far, though these are more unlikely. And there is also extortion, maybe you find everyone that has a vulnerable pacemaker, and demand they pay you or else you stop their heart. Criminals are clever, if they find a way to attack people they can often exploit it.


I know they can do it, but how many times has it been tried or actually reportedly been done?


Bob is on a medical device. It takes readings (which it hides from him) and provides medication at a rate which is set by someone else.

Every few weeks / months Bob needs to see a doctor who enters a password, retrieves the data, and makes changes to the settings.

Bob feels that the $DISEASE community can help him interpret the data and tweak the settings and Bob could then reduce doctor visits to once every six months.

Ann is an undisclosed drug addict and wishes to hack her morphine pump to supply more than she is currently getting.

Etc


Collateral damage from a poorly designed worm would be one thing I'd worry about. We've seen multiple vector attacks, I could imagine one gaining a foothold within the network and another component of the attack interfering with medical devices.



