EP53 – WTM Medical Devices, Hospitals, and Cybersecurity (final 3)
medical device, devices, hospital, security, patient, cybersecurity, manufacturer, priya, update, vulnerability, stephanie, physician, medical device manufacturer, monitor, happening, ventilator, fda, evolving, data, starting
ANNOUNCER, Priyanka Upendra, Camille Morhardt, Matt Russo, Stephanie Domas
Welcome to What that Means with Camille, where we take the confusion out of tech jargon and encourage more meaningful conversation about cybersecurity. Here’s your host, Camille Morhardt.
Camille Morhardt 00:17
Hi, and welcome to this episode of what that means. Today we’re going to focus on securing medical devices and hospitals, bit of a different topic for us. With us today, we actually have three people so that we can come at this from every angle. We have Matt Russo, who is Senior Director of Product security at Medtronic, and Medtronic is a major medical device manufacturer. We have Priyanka pendra, who is Senior Director for customer success at a simile, which is a medical device cybersecurity risk management company. And she’s kind of a twofer, one because prior to that, she actually worked as Compliance Program Director at banner health. Banner health is a large nonprofit health system with 29 hospitals. And they operate across six states in the United States. And we also have Stephanie damas, who’s director of security communications in Intel’s product assurance division. She was previously focused on medical device cybersecurity, specifically with a consulting firm. And she can talk to us all about the different kinds of standards bodies and government work that’s happening in this field of securing medical devices. Welcome, Matt, Priyanka and Stephanie. For those of you who listened to what that means, we usually kick off by asking for a pretty simple, casual definition of the topic at hand. So I think we’re going to go to Matt, since he works at a medical device manufacturer and asked him in a couple of minutes, Matt, can you help us understand what is a medical device and where might we find them, including inside of ourselves that we maybe don’t think about?
Matt Russo 02:07
And actually, I think people think about those devices in a hospital setting. And certainly, you see those there, whether it’s an MRI machine, an X ray machine, even a thermometer or a tongue depressor. There’s different classes of medical devices, which gets a little bit more technical, those medical devices, they are regulated by a government agency, the FDA, we see those not only in the hospital setting, but we’ll see them in home settings and outside clinic settings. And as you mentioned, things that are even implanted in people’s bodies. So things like pacemakers, neuro stimulators, even certain wearables are starting to edge into the medical device space, whether it’s a certain kind of fitness tracker, or heart rate monitor can still be considered a medical device. They’ve been around for a long time, really, since hospitals have been in existence here. And we’ve seen a lot of those devices become much more technology enabled over time as we start to think about different types of therapies that those products are providing, whether that’s diagnostic, just trying to monitor something, or trying to improve a patient’s condition, that the managing someone’s pain, infusing a drug into their body that they need to get better, or even regulating their heart rate.
Camille Morhardt 03:25
So when I think back to kind of the early stage medical devices, I think of this intersection between biology and technology, we’re using technology and mechanics, actually, to help improve biology or monitor biology. And more recently, I guess, over the last, maybe couple of decades, we’ve started to see the introduction of information technology into this, which then adds connectivity element, I think, as well over the last decade or so. So to me, I think coming from the security world, it’s like, well, we’ve just increased the surface area for attack, to include things that are inside of our bodies. How is security evolving with this new kind of conductivity intersection with biology and technology?
Priyanka Upendra 04:17
Let me take a first stab at that. medical devices that were just mere electromechanical components are a combination of that. Now we have a set of hardware and software components that go into building a medical device. And what that’s doing is taking in a lot of the physiological data at the patient bedside, and then making it available in a very seamless manner to the provider to make decisions about diagnosis, treatment, and also monitoring the patient’s condition and well being. So with that a lot of the security risks that we have is a lot of these medical devices are built on proprietary software’s and even hardware to some extent. So hospitals have the chat. Where we have all this interconnectivity, but we don’t have the right infrastructure or the right security controls, to make sure that there are no backdoors into those legacy systems or those proprietary systems from a creative hacker. So as much as with hospital automation, and, you know, focus on making it a better experience for the patient and the provider, we’re dealing with new cybersecurity challenges, where we need to bolt on security onto these devices, so that care is delivered in a very reliable and safe manner, and that no patient data is compromised, that is trustworthy, and that the operation of the device is also trustworthy.
Camille Morhardt 05:43
I’m going to jump to Stephanie for just a moment, and I want to come back to that thought of how we have to work on cybersecurity in hospitals and in through these, I guess, mobile, medical device carriers, even our own selves, right, that could potentially be a threat. But I want to ask Stephanie, you I think had been even talking to the FDA, about a focus that they now have on cybersecurity, can you say a little bit more about how even some government regulations are having to integrate cybersecurity with health?
Stephanie Domas 06:17
Kind of building on previous response, there’s been this evolution of this increased connectivity, so the data is going further, it’s affecting patients further out, the pandemic kind of shed a light on sort of an evolution of telemedicine was a big thing that got a real force multiplier this year, where you now have the ability to have medical devices in your home, that completely from a security perspective changes the threat of that medical device. And so the FDA, his original guiding purpose was really to focus on the safety of medical devices. Their goal was to be that regulating body that made sure that any medical device that treated a patient in the United States was safe. And what we’ve seen over the last several years is evolution and the acceptance that security is innately intertwined with safety, that you cannot have a safe medical device if you do not also have a reasonably secure medical device. And so the regulations both here in the United States, with the FDA, and in numerous countries across the world is evolving to represent that risk that you cannot have a safe medical device if there is not sufficient cybersecurity scrutiny in cybersecurity is tricky, because its approach to the risk based decision, as are all things in the medical device space, it’s always a risk based decision. So there’s no checklist of things you can do on a medical device and say it’s secure now. And so the regulations are tricky, because they can’t just give you a prescriptive approach to security, they really have to and what they are doing is outlining, here’s a risk based approach to assessing the risk of that medical device. And here’s a risk based approach to how you determine whether or not you accept that risk to the United States to the FDA. What you’ve seen is this evolving guidance where they’re really trying to lead the industry through that risk based decision process without stifling creativity. So it is a maturity journey, you couldn’t start out by setting the bar extremely up here, or you would have lost innovation in the medical device space. So I credit the busy FDA with really working with the community to build that maturity. And as you look at the regulations that have come out, the original pre market cybersecurity guidance actually came out in 2014. between then and now we’ve seen iterations of new guidance, we’ve seen post market guidance, that are continuously helping mature and evolve the industry, keeping that focus on security, risk management, but also trying to make sure the industry is kind of coming along for that maturity journey.
Camille Morhardt 08:51
I assume in medical devices, just like any other device, occasionally we discover a vulnerability or it’s brought to our attention. So walk me through how we deal with that. Let’s assume even that the device may be used in and outside of a hospital by a patient. I mean, Matt, what’s the what’s the beginning of that? And then maybe Priyanka can help us understand how hospitals work with medical device companies.
Matt Russo 09:19
As we think about development of a medical device. We’re always building threat models and updating threat models, which is kind of a fancy way of saying, Are you assessing what could go wrong with that product. From a security standpoint, if you do a thorough job of doing that as you’re building a product, then you do a better job of mapping security controls or security mechanisms, to those different threats scenarios that help manage those risks as you ultimately are looking to get that product approved and get that to market so they can provide therapies. Over time the security landscape evolves and something that was once Secure product or have a vulnerability in it ages. And ultimately there may be vulnerabilities that are identified with that, whether that’s through something proprietary that a medical device manufacturer built in themselves, or Priyanka was mentioning earlier, if we’re using something from a third party or something that would be off the shelf, whether it be a software or hardware component. And there may be vulnerabilities identified through those components as well. So it’s really kind of a living thing. We talk about securing products for their full lifecycle from development through approval, used by patients, physicians, clinicians in general, regardless of effects in the hospital environment, or in a patient’s home environment or anywhere in between. and then ultimately, through the retirement of that device. Right, once you know, somebody deems that that medical device really doesn’t serve a purpose, or there might be a better one. How do you make sure that you know, the retirement of that device is also done in a secure fashion. When we identify vulnerabilities, those come through any number of different channels, device manufacturers do their own internal security testing. We also work with third party security testing firms, you know, many big consulting companies, companies that help do what we’ll call penetration testing, or they’ll take an attacker like approach to testing medical devices to ultimately come up with the recommendations or findings that should be addressed to make that product more secure or more resilient. Medtronic specifically has a coordinated vulnerability disclosure program, we have an inbox that people can reach out to if they think they found something anonymously, then we work through evaluating what that issue is trying to identify the specific technical components of that vulnerability. And I sit within a centralized function within the organization that then reaches out to the individual operating units across Medtronic to make sure we have our most specific experts on those products, really triage and what that issue is, and trying to identify what the vulnerability is, how do we mitigate that risk? How do we close that risk or patch that device. And then once we have some of that basic information, we start this process that is called coordinated disclosure, where we draft communications, we work with a number of different stakeholders to finalize those, because the goal is to be very transparent with the folks that are using those products. And then ultimately, we’ll provide updates once we have timely updates on how we fix or how we address those.
Camille Morhardt 12:33
Let me just pause there for a second. If you do find out that there’s some kind of a vulnerability in something that’s actually inside of people like a pacemaker and insulin pump or something like that. How do you patch that?
Matt Russo 12:49
Pacemakers and implantable devices are not always connected. So that’s kind of an interesting nuance that a lot of folks kind of understand. It’s not like your cell phone. It’s not like your computer that always has like an active connection to the Internet. They’re very kind of brief windows that those devices are able to be interacted with. So we’ll either wake up, or we’ll be asked to wake up for purposes of what we call programming or interrogation of that device, meaning it’s either going to download data to a service, or we’re trying to adjust the settings to make that therapy better for that patient. In those settings, it’s always being overseen by a physician. There is no kind of automatic download, like your cell phone will ask you Hey, we’d like to make an update right now. pacemakers and diabetes pumps and medical devices don’t have that capability.
Camille Morhardt 13:43
You don’t do that overnight. while you’re sleeping. You don’t.
Matt Russo 13:45
Yeah, right. We don’t do that. Because the obviously there’s some, you know, some safety considerations with that. So those devices do have the ability to be patched and updated. In a physician’s office using a lot of times it will call a physician programmer, specifically for implantable cardiac devices. But other devices have, you know, similar ways to be updated as well in a controlled fashion so that we’re not putting any sort of safe in the minds of our patients.
Priyanka Upendra 14:12
Okay, makes sense. So Priya, our hospitals approaching this, what they’re seeing evolving in this space is all of the stakeholders starting with the manufacturer, the regulatory bodies, like the FDA and others, and then hospitals and different stakeholders within the hospital, as well as patients all of them communicating in a coordinated manner. The benefit of that, especially in vulnerability management is as soon as research has done at the manufacturer site, there are communications notices sent or advisories sent to the users which is the hospital’s whether that’s a medical device used in that hospital setting or if it is authorized by the physician for the patient to use in their home setting. You’re actually aware of what’s happening from a cyber risk perspective. different players are involved at that time starting with the physician to supply chain within the hospital, the healthcare technology management or the clinical engineering groups, as well as information technology, whether it’s implantable devices or non implantable devices, you’re making sure that you have accurate information that’s needed to manage that risk to mitigate that risk, and not let it affect the patient or the provider as well. So some things that hospitals do, they do invest in ground level resources, if it is a device that’s in the hospital setting, you have engineers that collect patch updates, or any other security controls that will help mitigate or manage that risk, apply those to the medical devices and appropriate downtime windows. If in the case of you not implanted devices, and you have some sort of a programmer, it’s not like you’re off to sleep, and you just have a random update. That’s done in a very coordinated manner, the patient is given that prior communication, notifying them that there is a certain security of data available, what the steps are to ensure that update is made onto that device. And that’s done in a very coordinated fashion. And I think all the processes ensuring that information flow is happening in an appropriate manner between the manufacturer, the provider, and the patient is also managed by the hospital, we ensure that any security updates that take place, do not obstruct the clinical workflow, that is the provider using the device, not the patient that you know, is also using the device in some way or the other.
Camille Morhardt 16:46
So part of the ability to do this is to be able to understand, like what all is inside of any one of these devices, it may be, like Matt said earlier may not just be components from the medical device manufacturer, they have their own supply chain, it’s just reading before this call that software in and of itself can be considered a medical device, if its intention is to be used in that kind of a way. So I’m also wondering, Stephanie, if you can help us understand kind of a recent executive order, and s bomb and how the medical device community is interacting with that what it is and how the medical device entity is affected by it.
Stephanie Domas 17:31
It’s a very timely question. There was a recent executive order that came out here in the United States that it had many parts to it. But one of the pieces that’s a particular interest was one that really shed light on this concept of a software bill of materials. So you can think of that as basically an ingredients list for what’s inside of a device. And so what’s kind of interesting is a lot of people may not look at the medical device industry as being maybe the most cutting edge with security approaches or solutions. And they’re definitely going on a maturity journey. But I want to actually take claim for the medical device space in the healthcare space has actually spent a number of the last several years actually focused on this concept of the software bill of material. And so there’s been a number of working groups the FDA has been very vocal about, there’s this desire to have this basic ingredients list inside of the medical device. So that software bill of materials is a really important piece, especially in the medical device space, because when you look at a medical device, there is a core component of every medical device that is probably proprietary and custom to that manufacturer. So they have written something to perform a very specific clinical function. And that is probably custom. But there’s a lot of pieces, sort of supporting that custom function that are probably third party components. And so when these vulnerabilities come out in very commodity pieces of software, whether it’s an operating systems, a communications library, you’re left with these if your user of any of these medical devices, you immediately have this question of Well, does that component happened to be in this medical device? Because at first glance, you can’t see the operating system, you can’t see what communications library it uses. So that software bill of materials would be a way for everyone to very quickly say, Actually, yeah, that vulnerability affects that device because I have an ingredients list of what’s in that medical device. And I had one more thing I wanted to add to the previous question, which was that vulnerability management piece. And so really helping paint a picture for everyone for the complexity of the problem. I think it’s often underappreciated. So when you look at a just a singular hospital system, so Mayo Clinic, which is they’ve offices worldwide, but they’re headquartered in Rochester, Minnesota, you know, they’ve put out a number of statistics around their medical devices and so they have over 6000 unique makes and models of digital medical devices. Is that when you start to talk about how you manage vulnerabilities or how you apply patches, sir, to keep in mind how large the scale of that problem is 6000 unique makes and models. So a lot of different processes, they all update differently. Some of them prompt you, some of them, you have to go to their website, some require USB drives, some require you call a technician, to have them common. So that scale of the problem is also a contributing factor in how complex it is to manage vulnerabilities and medical devices. Because even if a manufacturer puts out a patch very promptly, if hospitals can’t apply the patch, and an equally prompt manner, we still have a fleet of unprotected medical devices.
Camille Morhardt 20:42
Right, and that may require reaching out to patients. So another trend that I’m hearing about and I wonder your guys’s take on this trend to is our physicians starting to monitor patients remote. I know you mentioned Stephanie, like, since the pandemic, that there’s been an increased desire on the part of physicians and patients to do more and more remote monitoring, I could almost see this getting to the point where it’s almost a bad decision on the part of a physician or a hospital not to be a continual monitoring. And how do we deal with that when Matt, you’re talking about? Well, it’s intermittent connectivity, we’re sort of we’re trying to kind of minimize the attack surface by not having constant connectivity? How are those two things kind of in conflict with each other if we’re trying to get more and more constant information?
Matt Russo 21:37
And think I will take a little bit different direction on that question. And you know, about 16 or 17 months ago, we were all thrust into our home offices, and the global pandemic had a direct impact that medical devices and connectivity of those devices, but that was in a hospital setting more home setting. You know, we found ourselves and found a lot of products that were critical to providing therapies for you know, sick patients, you know, some being impacted by COVID-19. a scenario where a trach, manufacturers ventilators, we would configure that ventilator we would have to have nurse practitioner, they have to be in that room with the patient pushing buttons on the screen of that ventilator to be able to configure the settings of that we’re trying to do everything very remotely, we started getting requests to say we need to make sure that this device can be configured from the next room over or a nurse’s station versus right in that same room. So that pandemic created a different use case that we never really felt was going to be possible, we thought Geez, ventilator is going to be in the room with the patient, the clinician will have to be in there to be able to help, you know, get that device up and running, stretched a lot of different companies on what is that going to mean to the connectivity of their devices. And even after we get through some of those challenges with those devices, that what we call capital equipment or devices that will live their entire lifetime, within a hospital setting, you got another good point where you know, remote monitoring or remote data capture of devices becomes really important, so that people can get the best care that they can get. And I’ll certainly that’s been a use case that Medtronic and other companies have been working on for a long time. Because it makes a lot of sense to be able to monitor what’s happening with somebodies implanted pacemaker for the past six month period versus just a 30 minute office consultation they have with their physician, you know, that remote capability and ability to monitor devices, I think continues to expand, you know, particularly in you know, in the in the world today, where you know, we are doing things a lot more remotely, we’re doing a lot more telehealth and a lot more care of patients in facilities outside of what we thought of as traditional hospitals. And just two years or three years ago.
Camille Morhardt 23:49
I think you answered kind of or corrected me really in that sense of it doesn’t necessarily mean you have to be connected in a constant kind of a way. You can gather the data constantly, but offline, locally, and then you can connect or upload or create a copy and deal with that separately to help with the security aspect.
Matt Russo 24:10
We’ve tried to do that to you know, maintain, you know, a very controlled timeframe of or the timing of when things do connect them. And exactly, as you mentioned, manage the security and those windows, a lot of time for implantable devices to there’s a battery in those devices, staying constantly connected, puts a strain on that system on that battery, because it’s trying to send data which is important. That’s important for physicians to be able to monitor that data. But as that battery drains, it can’t provide that therapy if that means it’s facing someone’s heart. It can’t provide that therapy for the length of time that maybe it was intended to do.
Camille Morhardt 24:46
Changing a battery might be even harder than having a software update, I suppose if you have an implanted device. So Priya, what else should we be thinking about in this space, especially from kind of a health system provider perspective.
Priyanka Upendra 25:00
I think the executive order that Stephanie talked about really in reinforces what hospitals are already doing. What hospitals are also doing now is assessing medical devices even before they are purchased. So there’s pre procurement assessments going on, not just to look at the clinical efficiency of the devices, but also the cybersecurity management piece of it. So starting with procurement to installation, how is that clinical workflow is it in a way that is manageable by it and healthcare technology management to apply security controls in a timely manner is that is that clinical workflow, allowing that cyber security management from there on to you know, continuous support and maintenance and even to disposal? Before we weren’t that cognizant of when we’re disposing devices, we weren’t really aware about data sanitization. Now with a lot of not just patient information, but other business sensitive information on those devices as well. Even decommissioning or disposing devices, or even donating them has become a concern, we need to make sure that we’re following the you know, best of best data sanitization practices, even before we’re taking that medical device out of the health system, or even transferring it to another entity within that health systems chain. So it’s really hard to do active scans or push updates. So what tools like assembly is doing is in a very passive manner. They’re sniffing network traffic, parsing data from that, and giving meaningful information to hospital staff to make decisions throughout that cybersecurity, risk management ecosystem. At the same time, organizations like Mayo, banner, Stanford, Intermountain all of these, they’re also investing heavily in medical device cybersecurity, that landscape has changed in the last several years, you know, we probably did not have dedicated FTS for medical device cybersecurity. Now that’s changing. We have dedicated budgets and resources to manage the cybersecurity portion of medical devices. Along with what’s happening, the improvements happening in the regulatory or the pre regulatory space, as well as with the manufacturers. Hospitals are also evolving. So as in when devices are becoming more interconnected, I no longer operate in a standalone fashion, you have a bedside physiological monitor talking to an anesthesia machine or to a ventilator, or to an infusion pump. So care is happening in a very coordinated manner. So what we supporters of Mayhem medical devices need to do is also coordinate better with manufacturers, with regulatory bodies with security researchers, and then make sure that we’re managing risks in a very holistic manner.
Stephanie Domas 27:59
One of the things pre a hit on which I think for people not familiar with the medical device space, I want to just add a little more color to was some of the difficulty around some of just like General Security approaches of medical devices. SuPriyanka mentioned things like active scanning. So one of the just common toolkits that any enterprise would deploy when doing security on their network is active scanners to actually throwing potential security vulnerabilities that are benign, right through a vulnerability scanner at systems to see if they’re vulnerable. And so there are a number of legacy medical devices out there that have been demonstrated by security researchers to actually miss behave if they’re hit with some of this malformed traffic. So it’s become almost a too high of a risk to even perform active scanning against any of these older medical devices. Now, all modern medical devices, most of them have been tested and are robust to that. But it’s hard to know which IP addresses are which. So there’s some struggles with using some of the just industry standard things like vulnerability scanners against medical devices. And then because they’re regulated system, there’s some difficulty with installing any kind of other endpoint agent on them. So a traditional antivirus, any of your traditional IT agents that might get deployed on your other systems. You can with a lot of effort and a lot of testing and coordination with the manufacturers, there are opportunities to put things like that on medical devices. But it’s not without its own risks. The manufacturer has not tested it in that precise configuration. And so some of those struggles in the medical device space, I guess I wanted to highlight for people who maybe weren’t as familiar with the space that some of those traditional solutions are just really hard to use, or too high risk to use against medical devices.
Camille Morhardt 29:44
Yeah, it’s interesting. It’s like we had it and then we talk about ot when we talk about the Internet of Things Space Operations technology, and then now it’s kind of like med device T. got moved into another space. Thanks, all of you for Joining me today, Matt, Priyanka and Stephanie really appreciate your time and definitions and thoughtfulness around medical devices and hospital security and keeping people healthy and safe. Thank you.
Never miss an episode of what that means with Camille by following us here on YouTube. You can also find episodes wherever you get your podcasts.
The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.