It's an old question that we're dealing with in a new context, and that means we
can draw from old lessons and potentially work out the analogies to how they apply.
But that's sort of my starting point for thinking about cybersecurity questions.
And so let me be clear, your previous question was about how this
applies in a medical device hacking context, which is a good one.
Let me be clear that I think that medical devices that are connected
to an Internet or some network present new and
very challenging questions, cybersecurity questions.
But at their core, I'm not sure they're entirely new, right?
So if we're talking about a pacemaker that has a wireless signal, and that
wireless signal might make it easier for someone to collect that data, potentially,
an unauthorized user collecting that data, that's a very scary possibility.
And the scale of the problem might be new because so
many people might be able to collect that data, or
attributing who's the person who's stealing that data might be tricky, right?
But at its core, what we're dealing with is a question of securing medical data,
and that is not a new problem.
That's something that hospitals, medical institutions,
universities have been dealing with for many, many, many years.
So the scale of the problem is hard, right, it's huge, and
we might need new technological solutions to this problem.
But I'm not sure we need new core ethical principles, for example, right?
The ethical principle that the institution that gives you a medical device or
collects your data has a duty to safeguard it, that duty has been around for
a long time.
The fact that we're dealing with new technologies doesn't change that duty;
the rule ought to basically be the same.
How the rule is applied in this new context might be different.
So what does it mean for a medical institution to do due diligence?
In a world in which everything is collected on paper,
that due diligence, the principle is the same as it is today, right?
You still have to do due diligence, but what it means is going to be different.
So before, it might mean having your papers safely guarded in one room.
And now it might mean having your digital records hidden in an encrypted form,
behind a firewall, in offsite locations.
I'm not a technical expert, but these are the kinds of things that one would need to
look into to figure out how to apply the old rule in a relatively new context.