Shankar Somasundaram and Jeremy Linden discuss cybersecurity awareness and encouraging health systems to focus on the key areas of IoMT risk management.
Jeremy Linden:
Good morning everyone. I’m Jeremy Linden and I’m Senior Director of Product Management here at Asimily and I’ll be your host for today’s podcast. We have a special podcast today. Episode four brings our own CEO and founder, Shankar Somasundaram, to talk about cyber security awareness and encouraging health systems to focus on the key areas of IoMT risk management. Shankar is the CEO and founder of Asimily. We are a healthcare-focused company driving IoMT risk management with health systems of different kinds all around the country. Prior to Asimily, Shankar ran the connected devices business at Symantec healthcare division and produced innovative solutions for small businesses and Fortune 500 companies. Shankar has spearheaded numerous medical device cybersecurity initiatives in the last decade and contributed to regulatory frameworks and guidelines including the NIST cybersecurity framework, the FDA premarket and postmarket guidances, and the AAMI Cybersecurity Practice Guide for HTM Professionals. Welcome, Shankar.
Shankar Somasundaram:
Thank you, Jeremy. Glad to be here.
Jeremy Linden:
Every year in October the National Cybersecurity Alliance focuses on specific areas to promote and create awareness on cybersecurity. This year we have four themes: to be cyber smart, fight the phish, explore experience and share awareness, and finally making cyber security a priority. Now with these themes in mind, let’s explore some key insights from Shankar.
First, as you know, our focus is on healthcare devices and ensuring that they’re cyber healthy. We come across, you know, many devices and systems that have unfortunately the potential there to really be a goldmine for threat actors. Can you share some security practices for these healthcare devices that keep the patient business and data safe without compromising clinical efficacy?
Shankar Somasundaram:
I would say you know the first thing to understand is cyber security is not some point in time that you practice today and you just stop practicing it tomorrow. It is actually something that you practice for the life of the device. And want that means is, you got to think about cyber security from the time you think of buying a device to the time you actually let it out of your environment and decommission it and you sell it out. That means if you got to think of cyber security and procurement as a first step. That is the right way to do it.
And how do you do it? There are a number of ways to solve that problem. The idea being that at procurement you got to look at what is the private security risk posture of the device, what kind of configuration hardening can I actually implement for the device, what mitigating control should apply, what kind of firewall policy should I should I set in my network so that the device is not going to call out to some external environment and infect my environment. Irrespective of how you do it, I think the key aspect here is doing it at procurement is the first right step. And that is an important practice to follow because it also actually helps you to meet some of the regulations in the industry – there are guidelines from the Joint Commission and OCR that actually require you to do some of this as well. So not only is it integrated compliance but it’s also an important and healthy practice to follow to start with risk assessment at procurement. That’s the first step when you actually look at cyber security for these devices.
The second step is really once you have the device in your environment, then you connect it, then you got to assess the risk of the device on a periodic basis. You’ve got to assess it from a vulnerability basis. You’ve got to assess it from anomaly detection..if there’s any attack event happening. You’ve got to track the activity on the network. You’ve got to see where it is moving around your network. You’ve got to understand all the parameters. There are a ton of aspects here. But the idea is when you have connected the device to the network, you really have to make sure you’re tracking it… you’re managing the risk and not just once every six months. We have seen certain, you know, environments and certain health systems who say I do a yearly risk assessment and then I will come back in the next year and I’ll do another risk assessment. Cybersecurity is not a snapshot in time – while the risk assessment is good to do, you’ve got to continue with the efforts throughout the year and you’ve got to continue to do it on a real-time basis. So that’s the other second part which when once it’s connected you’ve got to look at cyber security on a continuous basis.
And then the third part is when you decommission the device. A lot of people say, decommission it and I’m done with it. There’s no cyber risk anymore. The reality is there is still a lot of cyber risk there because it’s protected health information in many of these devices. And you got to be careful in how you decommission it, how you are cleaning out the device, and what is your decommissioning process. You might leave a patient hanging waiting for it because you decommissioned the device that was critical to your operation. You have got to take into work on all the factors.. the PHI, the business operations, all of it before you decide to release a device completely from your environment. So in a sense, like cyber security goes across the entire life cycle and it’s a very important practice to think of cybersecurity at every stage. Not to think of it in isolation as in some other team is going to manage it and you may just come in once a while and look at it. It has to be ingrained in the overall process. It has been ingrained in your overall methodology and that can be done through technology and processes. It can be done to external services through internal resources however you want to do it but it has to go across end-to-end to achieve your objectives.
Jeremy Linden:
Absolutely. And that’s something that we focus on here at Asimily where we try to take a holistic approach all the way from procurement through management all the way to decommissioning. Next, I wanna talk a little bit about phishing. Phishing attacks and financial scams have really increased exponentially since the pandemic. And this year we’re actually looking at more than 80% of reported security incidents being able to be traced back to phishing attacks. We have a lot of campaigns about trying to emphasize e-mail security, secure text messaging reporting, and suspicious emails but something doesn’t really seem to be connecting, or, at least I think, there’s some stuff we can do better. How do you think we can do better on this… whether it’s healthcare devices running some kind of applications or whether the incident comes from social media use on workstations that are being used alongside these help their devices. What do you think are some real tips that some of our audience would be able to appreciate?
Shankar Somasundaram:
I think this is an important piece and I think phishing has become a way for ransomware to affect the devices and the environment as well. It’s a common attack vector to get, you know, different kinds of malware that effectively then trigger ransomware. It is a very important piece that is required in the environment. I would say there are a few things that a health system can do. It goes without saying it’s training…top of the mind. You don’t want to have somebody just give out passwords and give out usernames when somebody calls them and says, “hey there’s an emergency. give me all the username password.” That just doesn’t work irrespective of how great our technologies are. You do something like that, you compromise yourself. You don’t want somebody to say, “oh somebody just called me they really needed our credit card and needed my SSN but just gave it all out because it was such an urgent call”. I mean you need to have some level of security awareness and training. Not to click on certain links. It says “click here there’s a $50 discount on your next dinner”. I mean you don’t want to be doing things like that which effectively, regardless of how great your technology is, it opens up a can of worms in your organization. So I would say the first thing is training. And there’s a lot of training modules out there that can actually solve this problem. You don’t have to reinvent the wheel. If you go look at cyber hygiene training online there’s a ton of modules out there from a ton of companies that will effectively guide you. And we ourselves that Asimily when we are with a customer we always remind them that on top of technology we have to follow certain processes and we guide them on some of this as well. So that’s step one.
I think that second step, which is very important, is obviously inventory everything because what we have noticed is there are a lot of customers, they have certain rules and processes for certain devices in terms of what you can browse and emails you can check. But then they forget about the other devices in the environment…those could be shadow IT, those could be a medical device that they didn’t know it was actually connected, medical workstations they treat it as an IT workstation and start sending e-mail on that. So we really need to have the context for the device so some of it is highly contextual. And so having that inventory and classifying every device, understanding the data on the device, all of this is very important when you actually look at the phishing problem because without that you really don’t have any context in the environment and without the context I mean it’s really hard to solve the problem.
And then the third piece is continuously monitoring. There are some devices and hardening. There’s some devices which don’t need certain accesses. You don’t need maybe to be checking your e-mail on that medical workstation. That should not be happening. However urgent it is, you have to take a different workstation to check it. You shouldn’t be going shopping on an ultrasound connected workstation. You cannot be doing certain things or certain devices. It ties back to the context but it also ties back to, you know, what you are allowed to do and what you’re not allowed to do. And tracking that and monitoring that in real-time so that you effectively make sure that certain applications and certain websites are not allowed from certain devices. And once you have the context of the device and people are trained and you’re continuously monitoring, this is very much achievable. So it’s a combination of trading, education, as well as technology and processes to ensure this has to happen. I think collectively if you take all of these actions, you go a long way in ensuring that you really bring down the risk in your environment.
Jeremy Linden:
Great. So last, I wanted to take it to talk about you a little bit. This month is really all about exploring cybersecurity and creating awareness, promoting the careers that are available in cyber security and really ensuring that it remains a dynamic and exciting field to be in and to participate in and to work in. You have an interesting background where it’s pretty diverse. You come from an electrical engineering background. You’ve also had roles in finance and strategy as well. What do you think are some of the top skills that enabled you to be successful in cybersecurity that our friends in the HDO space can work on developing?
Shankar Somasundaram:
Yeah, I would say that’s three things that you need to do to effectively become a lot deeper in cybersecurity. And these are things I still practice today. These are things that have definitely helped me. I have to say it’s broadly true across any industry but I think in cybersecurity it’s more important than other industries because of the way cybersecurity is evolving. I would say the first one is really reading and absorbing information. And you’ve got to read and absorb a ton of information if you are going to learn cybersecurity. And you know there is so much happening in cybersecurity all the time and the interesting part is I’ve been looking at the cyber security space now I would say for 12-13 years and what I have noticed is there is that even those new attacks come, in the context of cybersecurity, they are broadly the same …they keep evolving but they are only a small evolution in concept. But you got to understand a lot and you got to just absorb everything like a sponge. A lot of people are worried to do that… are afraid to do that because they think it’s too much. They won’t understand or they think, “why should I even understand that because it’s not part of my job?” But I think to know cybersecurity you have got to understand everything. For a simple example at Symantec, we have so much resources that I pretty much like went and read every possible white paper that was built by any division at Symantec. For a year, I pretty much read end covered everything. It didn’t matter which division it was. It didn’t matter who wrote it, I used to read it. And if you are in the HDO space, you have the resources. You have resources and documents that are in your organization and vendors that are servicing you. Go ask your vendors to provide you with information. I guarantee you every vendor will give you a ton of good information to read which would really make you knowledgeable and give you a ton of information that you need. So that’s the first step really to learn, learn, learn. Absorb. Read. Go ask your vendors. Read the white papers. Read the framework and you’ll get a ton of information that you need to understand cybersecurity.
The second piece is really creating a peer group that you can actually ask questions to. So this is something that helped me always. And for example at Semantic, I had architects, leaders, innovators from every business group and there were quite a few business groups there. And every little product actually, not business, that I had the association with. So I could call on anyone and everyone and ask detailed questions on why it works the way. What it did. And if you are in the HDO space, there are a ton of people in HDOs who are learning at the same time. There are people in other HDOs who are also going through the same learning journey as you. If you go to one conference in the year, you’ll find a ton of people who also want to network with other people and those who want to learn from them. Again, you can always return to the webinar, you’ll find people in that even if you don’t have resources find people you can attend ACCE webinar or a MD Expo webinar. They don’t cost anything to attend. Some of them you can see who’s attended and get the attendee list. So you can form a peer group and then you form a peer group you can a ton of questions to your peer group to understand how they are thinking. And sometimes when you ask people in the same boat who are learning as well, it actually enables you to learn faster. So that’s the second thing I think you need to do. Form a peer group and learn with them and there are a lot of people in HDO learning this right now. So I think that’s a great place to be if you want to learn.
And then the last piece is really keeping at it and being persistent. I think persistence in cybersecurity is very important. Sometimes the concepts are very alien. They seem very hard but if you keep looking at it, you’ll get it. And the other part of cybersecurity is you can’t really stop learning. Even today, I think I’ve spent a lot of time reading a lot and understanding a lot but even today I read out every framework. I read every paper that I can with my whatever time is there because there’s always something new getting published. Some of these are old conflicts we hashed. Sometimes it’s a completely new concept and you got to understand it. But if you keep at it and if you keep reading, you’ll find that it gets easier and easier. What would have taken you five hours to learn now takes only half that to learn and you read faster. You learn better and you’ll be able to tie the pieces together better than anybody else. So I would reading a lot. Absorbing a lot. Bombing the peer group and then being persistent about it. Keeping that continuously as part of your educational cycle. I would say these three if you cultivate, I think very soon the people will ask you. Whoever follows us will be a cyber expert, will be driving the rest of the industry, and with the medical device knowledge that a lot of people already have, I think it would be an unbeatable combination.
Jeremy Linden:
Yeah, I totally agree. And from my side, I definitely think that understanding the details and understanding the why, having that kind of a curiosity to want to understand the why I think is super important. Because even if something might be one level of technical below what you actually need to solve the problem, often understanding that gives you so much more context. And one thing I’m definitely glad that nowadays there are a lot more opportunities for people to learn through formal or relatively informal options that weren’t there before. So that’s really nice.
So this brings us to the end. Thank you, Shankar, for being here and sharing some of your wisdom. And thank you for continuing to innovate in the world of IoMT cybersecurity. For anyone listening, if you have any questions or you wanna learn more about Asimily, you can contact us at info@asimily.com. Until then, take care and see you next time.
[end]
