Healthcare CISOs Sound Off, Volume 1: Medical Device Security

Blog Post by Brian Selfridge, Partner at Meditology Services and Host of The CyberPHIx Podcast

I have been hosting The CyberPHIx healthcare cybersecurity podcast for over three years now. During that time, I have had the honor and privilege to speak with some of the healthcare industry’s most innovative thought leaders and experts in cybersecurity, privacy, compliance, and risk.

We have produced 68 podcast episodes so far. For those who don't quite have the time to binge-listen through the entire catalog, we have compiled some highlights from our guests on a focused set of topics. We will be releasing these as our Healthcare CISOs Sound Off blog series in several installments.

The topic of our first blog is Medical Device Security. The following are quotes and recordings from some of the industry’s best and brightest leaders related to this important area of focus for healthcare risk management programs.

Stoddard Manikin, CISO, Children's Healthcare of Atlanta

“I'm absolutely worried about medical devices from a patient safety issue. Patients can recover from a data breach. They cannot recover if they are killed due to a safety event created by either a bad medical device or a ransomware event.”


“I think that needs to be the number one focus as we run our security programs to say, of course, we're worried about patient data confidentiality. But at the end of the day, the most important thing is to do no harm. And we have got to make sure that we're enabling our caregivers to take care of patients in the best way possible. And that means that they need the availability of systems that are otherwise compromised due to ransomware and other attacks.”


“There are automated alerts that you can configure for news updates and major vulnerability analysis. Even the federal government now has alerts related to medical device advisories. I get one about every day that this medical device has been announced that they have this vulnerability. And so now we have a response plan that takes that message and figures out: do we have that type of medical device in inventory, is it deployed, and does it have the corresponding operating system and model number to be vulnerable? And if so, we go address it with the vendor, and if not, we check it off the list and move on. That doesn't cost anything other than some time.”
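The triage loop described above (advisory arrives, check the inventory for the named product, confirm the model and firmware/OS version actually fall in the affected range, route to the vendor or close it out) is easy to automate once the inventory is in a queryable form. The script below is an added example written for this post; it is not code from the podcast guest or from Meditology. The advisory, vendor, model names, version range and inventory records are all constructed sample data, and the advisory format is a simplified stand-in for the vendor and ICS-CERT advisories a real program would ingest.

```python
"""Match a medical-device security advisory against a device inventory.

Added example (constructed data). Each asset lands in one of three buckets:
  vulnerable    product matches and firmware/OS version is in the affected range
  review        product matches but the version is missing or unparseable,
                so a human must confirm with the vendor (never assume safe)
  not_affected  product not named, asset retired, or version outside the range
"""
from dataclasses import dataclass
import re
from typing import Optional

def _norm(s: str) -> str:
    """Normalize vendor/model strings: lowercase, drop corporate suffixes and
    punctuation. Inventories rarely spell names the way advisories do
    ("ACME Medical, Inc." vs "Acme Medical"). Keep this loose but not so loose
    that different product lines collapse into one."""
    s = re.sub(r"\b(inc|llc|ltd|corp|corporation|co)\b\.?", " ", s.lower())
    return re.sub(r"[^a-z0-9]+", " ", s).strip()

def parse_version(v: Optional[str]) -> Optional[tuple]:
    """'v2.3.1' -> (2, 3, 1). Returns None for missing or unparseable values
    so the caller routes them to manual review instead of treating them as safe."""
    if not v:
        return None
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", v.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def _cmp(a: tuple, b: tuple) -> int:
    """Compare version tuples, padding with zeros so 2.3 == 2.3.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

@dataclass(frozen=True)
class AffectedRange:
    min_incl: Optional[str] = None   # None: no lower bound
    max_excl: Optional[str] = None   # None: no fixed version published yet

    def contains(self, ver: tuple) -> bool:
        lo, hi = parse_version(self.min_incl), parse_version(self.max_excl)
        if lo is not None and _cmp(ver, lo) < 0:
            return False
        if hi is not None and _cmp(ver, hi) >= 0:
            return False
        return True

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    models: tuple            # model names the advisory lists
    affected: tuple          # one or more AffectedRange

@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    model: str
    firmware: Optional[str]  # firmware / embedded OS version from the CMDB
    status: str              # "in_service", "in_storage" or "retired"
    location: str

def triage(adv: Advisory, inventory) -> dict:
    """Sort inventory assets into vulnerable / review / not_affected with a reason each."""
    out = {"vulnerable": [], "review": [], "not_affected": []}
    adv_models = {_norm(m) for m in adv.models}
    for a in inventory:
        if _norm(a.vendor) != _norm(adv.vendor) or _norm(a.model) not in adv_models:
            out["not_affected"].append((a.asset_id, "product not named in advisory"))
        elif a.status == "retired":
            out["not_affected"].append((a.asset_id, "product matches but asset is retired"))
        elif (ver := parse_version(a.firmware)) is None:
            out["review"].append((a.asset_id, f"product matches, firmware unknown ({a.firmware!r}); confirm with vendor"))
        elif any(r.contains(ver) for r in adv.affected):
            out["vulnerable"].append((a.asset_id, f"{a.model} fw {a.firmware} affected; {a.status} at {a.location}"))
        else:
            out["not_affected"].append((a.asset_id, f"firmware {a.firmware} outside affected range"))
    return out

# Constructed sample advisory: Acme Medical InfuMax 300/350 pumps, firmware below 2.4.0 affected.
SAMPLE_ADVISORY = Advisory("ADV-EXAMPLE-001", "Acme Medical",
                           ("InfuMax 300", "InfuMax 350"), (AffectedRange(None, "2.4.0"),))

# Constructed sample inventory export.
SAMPLE_INVENTORY = [
    Asset("A1", "ACME Medical, Inc.", "InfuMax 300", "2.3.1", "in_service", "ICU-4"),
    Asset("A2", "Acme Medical", "InfuMax 300", "2.4.0", "in_service", "ICU-4"),
    Asset("A3", "Acme Medical", "InfuMax 350", None, "in_storage", "Biomed shop"),
    Asset("A4", "Acme Medical", "InfuMax 300", "2.1", "retired", "Surplus"),
    Asset("A5", "Other Vendor", "VitalView 9", "1.0", "in_service", "ED-2"),
    Asset("A6", "Acme Medical", "InfuMax 350", "v2.2", "in_service", "OR-2"),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ADVISORY, SAMPLE_INVENTORY).items():
        for asset_id, reason in items:
            print(f"{bucket:13} {asset_id}: {reason}")
```

The "review" bucket is the important one: an asset whose firmware field is blank in the CMDB is exactly the device nobody has looked at, and closing the advisory as "not affected" on that basis is how a vulnerable pump stays on the floor.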


Mike Wilson, SVP & CISO, Molina Healthcare

“The challenge we have with medical devices is that there's a lot of them. And if you think about the nature of a medical device, you know, by its nature, it moves. It could be a drug pump or an insulin pump. It could be a variety of different things. And the MRI machine, for instance, and some are less portable than others. But generally speaking, the inventory, if we think about the asset problem in IT, and that's been a grappling one we've dealt with from the IT context for years and years and years.


And it's been challenging, and we're really dealing with what is a server, what operating system does it run, and perhaps what application is on it and what does that mean from a business priority standpoint. In the sort of connected device, IoT medical device realm, you've got just an extraordinary level of complexity in terms of the types of devices. The operating systems are somewhat relevant, but what is the device itself? What's its firmware? What is it doing? So the inventory question is very difficult.”


“I think patient safety very much is a leading argument. I think ultimately though, the interest from a regulatory standpoint is not to be understated. We have the realization that no one regulator is actually, from a medical device standpoint, the FDA can't solve it all. I mean, they really do require the provider organizations to take hold and to sort of think about medical devices in the ecosystem of their networks and how can they do their part in securing them as well.


But HIPAA clearly makes the point that we are to understand the inventory of assets and the provision of ePHI that are technology related, and we're to categorize those by tiering and risk. And we are to think about them in terms of threats and then obviously apply controls appropriately and then to test the efficacy of those on a regular basis. So I see medical device very much coming under the realm of HIPAA.”


“We're dealing with a lot of different manufacturers. There's a lot of legacy product out there that's going to take some time. It's like an old car going through the system. You know, you hang onto it for a while. It has value. And so I think this problem is going to very much remain for some time about just how do we think about the threats around a particular device, which are many and probably unique and contextual and temporal in nature. As they get older, there's going to be more issues and vulnerabilities.


And then how do we think of unique and interesting ways to effectively secure a device that's very deterministic in the way it operates? It's simple in some respects, and it's going to talk to certain devices and certain back-end systems in a very deterministic and known way. And yet it's sitting in a non-deterministic network, which is that of a hospital or medical situation with doctors running around and various computers and Internet and email and all of that going on at the same time. It's quite a challenge. I would suggest one that's going to keep you and me very busy for some time.”
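The deterministic behaviour Mike Wilson describes is also the defender's advantage: a pump that only ever talks to its management server, DNS and NTP can be described by a short allowlist, and anything else it sends or receives on the hospital network deserves a look. The script below is an added example for this post, not code from the podcast guest or from Meditology. The device addresses, server subnets, ports, device classes and flow records are all constructed; a real deployment would feed it NetFlow or Zeek connection logs and an inventory export instead of the inline data.

```python
"""Flow allowlist for devices with a fixed communication pattern.

Added example (constructed data). Builds a per-device-class policy, runs
flow records through it and returns the violations:
  unapproved_outbound  device initiated a connection not in its allowlist
  unapproved_inbound   something connected to a device from a non-approved source
  unknown_device       a host on the device VLAN that is not in the inventory
"""
from collections import namedtuple
import ipaddress

Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed policy: device class -> (destination network, proto, port) it may initiate.
POLICY = {
    "infusion_pump": {
        ("10.20.0.0/28", "tcp", 443),    # pump management server cluster
        ("10.20.0.53/32", "udp", 53),    # internal DNS
        ("10.20.0.123/32", "udp", 123),  # NTP
    },
    "telemetry_monitor": {
        ("10.21.0.10/32", "tcp", 2575),  # HL7 MLLP listener on the central station
        ("10.20.0.53/32", "udp", 53),
        ("10.20.0.123/32", "udp", 123),
    },
}

# Constructed: sources allowed to open connections *to* a device class.
INBOUND_ALLOWED = {
    "infusion_pump": {("10.20.0.0/28", "tcp", 8443)},  # management server push
    "telemetry_monitor": set(),
}

# Constructed inventory: device IP -> device class; the VLAN is medical-device only.
DEVICES = {
    "10.50.1.10": "infusion_pump",
    "10.50.1.11": "infusion_pump",
    "10.50.2.20": "telemetry_monitor",
}
DEVICE_VLAN = ipaddress.ip_network("10.50.0.0/16")

def _match(rules, ip: str, proto: str, port: int) -> bool:
    """True if (ip, proto, port) is covered by any (network, proto, port) rule."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) and proto == p and port == dp
               for net, p, dp in rules)

def check_flow(f: Flow):
    """Return a reason code if the flow violates the policy, else None."""
    if f.src in DEVICES and not _match(POLICY[DEVICES[f.src]], f.dst, f.proto, f.dport):
        return "unapproved_outbound"
    if f.dst in DEVICES and not _match(INBOUND_ALLOWED[DEVICES[f.dst]], f.src, f.proto, f.dport):
        return "unapproved_inbound"
    if f.src not in DEVICES and ipaddress.ip_address(f.src) in DEVICE_VLAN:
        return "unknown_device"  # inventory gap: unknown host where only devices should be
    return None

def parse_flows(text: str):
    """Parse constructed 'ts src dst proto dport' records (one per line)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows

def audit(text: str):
    """Return (src, dst, dport, reason) for every flow that breaks the policy."""
    findings = []
    for f in parse_flows(text):
        code = check_flow(f)
        if code:
            findings.append((f.src, f.dst, f.dport, code))
    return findings

# Constructed flow records: pumps and a monitor behaving, then a few that should not be happening.
SAMPLE_FLOWS = """
2024-05-01T10:00:01Z 10.50.1.10 10.20.0.5    tcp 443
2024-05-01T10:00:02Z 10.50.1.10 10.20.0.123  udp 123
2024-05-01T10:00:03Z 10.50.1.11 10.60.3.7    tcp 445
2024-05-01T10:00:04Z 10.60.3.7  10.50.1.11   tcp 445
2024-05-01T10:00:05Z 10.20.0.5  10.50.1.10   tcp 8443
2024-05-01T10:00:06Z 10.50.2.20 10.21.0.10   tcp 2575
2024-05-01T10:00:07Z 10.50.2.20 203.0.113.9  tcp 443
2024-05-01T10:00:08Z 10.50.9.99 10.20.0.53   udp 53
2024-05-01T10:00:09Z 10.60.3.7  10.60.3.8    tcp 80
"""

if __name__ == "__main__":
    for src, dst, dport, code in audit(SAMPLE_FLOWS):
        print(f"{code:20} {src} -> {dst}:{dport}")
```

The same allowlist that drives the alert is the specification for the firewall or NAC policy around the device VLAN; detecting on it first, before enforcing, is the usual way to find the undocumented flows (a vendor remote-support channel, a printer) that would otherwise break clinical workflow on cut-over.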


Andrew Seward, CISO, Solution Health

“One of the really obvious areas to drive automation in information security is medical device management. It's an area in cybersecurity that's really worried us with all of these infusion pumps and telemetry devices and IoT devices out there within our hospital systems. And I'm sure it's the same in other industry sectors. So anything that you can do to sort of understand your environment, inventory it, and be able to get useful, actionable data off of, that's an area where automation can definitely help us.”


Mitch Parker, CISO, Indiana University Health

“The first and most important thing has to do with the medical devices is catalog what assets you actually have in the first place because you can't protect it if you don't know about it. Make sure you have a good process to establish that configuration management database and keep it up to date because that's how you fix problems is by first understanding what your problem is, understanding what the domain is.


And then from there, what you do is you build on what can you effectively patch and service and take a look at how you service your devices now, because to be very blunt, if you're not repairing or doing due diligence and due care on your devices now, you're not going to do security patches. So you have to make sure you have good processes in place for actually maintaining them and make sure you're on a good fixed schedule.”


“It's a multidimensional challenge. And the first thing you have to take a look at is a lot of these legacy devices, they might not even have the ability to put and build patches for these devices. You're talking about systems that were developed back when Windows NT was a common operating system. And people don't understand the life cycle of these devices is pretty ancient. And also the talent that worked on developing these systems. A lot of them are not in a position to even build that software anymore, and we don't take that into consideration. So you're not going to see a lot of patches.”


“FDA guidance, even though it's a few years old on medical devices, a lot of clinical engineering departments haven't done it yet. So you need to be able to walk before you can run. So setting achievable goals of getting people to actually patch and getting them to patch a certain percentage of the open vulnerabilities by the end of the year is the first and most important goal to do.”


Joey Johnson, CISO, Premise Health

“The data that's out there with the social media giants and all the data that's out there in the IoT devices and all the data that's out there in the wearables, that's only going to increase exponentially. And data ownership and the rights around who's responsible for that, and the security around that, that's still an evolving space. So there's going to be things coming to market to address that more and more.”


“Based on the emergence of all the IoT stuff and all the medical device stuff and all the wearable technologies, we're going to continue to see an exponential growth in those things. And we're going to see a shift in what the consumerization of the security market looks like. I mean, for a long time, that's just kind of been antivirus and maybe your LastPass or your password post or something like that, I think we're going to see that market kind of mushroom, as well, as individuals begin to take more accountability for their own information and don't necessarily rely on the backend organizations to do that for them.”


Susan Ramonat, CEO, Spiritist

“There's a lot of talk in healthcare about medical records and the pharmaceutical supply chain. Not as much about medical devices. I think we're exceptional in that sense that there are few folks that are realizing the opportunity here. And importantly, while the technology is making significant progress, and there's opportunity to experiment with different protocols, if you will. Importantly, key points that are here are governance and bringing together a consortium of interested players. A group of the willing, if you can think of it that way, who understand the importance of collaborating.”


“Unfortunately, the burden of legacy devices and equipment is so substantial that, while a health system probably could set up really strong practices in terms of the new things coming in the door and work collaboratively with industry to really establish the bar, there's always going to be this tradeoff and challenge with the legacy environment and systems.


In the end, what you're talking about, whether it's from the device manufacturer, the health delivery organization, or the intermediate or commodity suppliers whose components are represented in this. It's a developing condition, that you've got sort of tone at the top, management commitment, which is a matter of education on the part of the professionals in the health delivery organization about why this is important, an education that's not a one-time meeting. You know, it's an education over time and builds over time. So the organization really has it as a standard that's reinforced by the executive team. And the underlying behaviors and incentives are aligned.”


We hope these perspectives from healthcare security leaders provide some insight and context for your own programs and medical device challenges.

Meditology has a dedicated team focused on medical device security. Our team has extensive experience building and implementing medical device security programs at leading health systems across the country. Please contact us to learn more.

Read Healthcare CISOs Sound Off, Volume 2: Risk Reporting & Engaging with the Business
Read Healthcare CISOs Sound Off, Volume 3: HIPAA Compliance and Risk Management