Host: Priyanka Upendra, Senior Director of Customer Success, Asimily
Guest: Brian Cayer, Chief Information Security Officer (CISO), Tufts Medicine
Welcome to the IoT Security Chats podcast, where we bring you the latest information in cyber and IoT security. From asset and vulnerability management to incident response, hear the experts talk about the latest threats affecting connected devices and how to keep your organization secure.
In episode 7, Brian Cayer and Priyanka Upendra discuss IoMT cybersecurity risk management challenges, standards, best practices, and ways to impact operations with evolving cyber risk strategies.
- ‘Why,’ Not ‘How’: CISOs Discuss the Keys to Selling Zero Trust, HealthSystemCIO.com
- One simple action you can take to prevent 99.9 percent of attacks on your accounts, Microsoft
- Using The Cybersecurity Framework, CISA.gov
Good morning everyone. I’m Priya, and I’m the head of Customer Success here at Asimily and it’s great to be back hosting the Asimily podcast today. On the IoMT or the Internet of Medical Things front, we’re no longer fixated on preventing data breaches, but we’re really advancing to strategically and tactfully address threats that impact health care operations and patient well-being. As we recognize and celebrate Cybersecurity Awareness Month and share insights, we have with us today Brian Cayer, the Chief Information Security Officer at Tufts Medicine, to dive deep into IoMT essentials.
A little bit of introduction about Brian. Brian is the CISO at Tufts Medicine overseeing cybersecurity initiatives for Tufts Medical Center, Tufts Children’s Hospital, Melrose-Wakefield Healthcare, Lowell General Hospital, Home Health Foundation, and New England Quality Care Alliance. Brian has been in the industry for well over 25 years and is a thought leader in cybersecurity, risk management, application security, and more. Prior to Tufts, he was the Vice President and Director of Cyber Resilience at Stroz Friedberg, Vice President of Information Security at State Street, and has served in the United States Army as an Intelligence Analyst and Army National Guard Fire Direction Control Chief for over a decade. My team at Asimily has had the opportunity to closely work with Brian and his teams at Tufts on operationalizing IoMT cybersecurity risk management. Again, Brian, thank you for being here today and sharing your expertise.
Great, thank you for the introduction.
IoMT has been embedded in healthcare now and we’ve seen rapid digitization in this ecosystem. In the last few years and especially through the pandemic, this acceleration has happened because of alternate care settings and the need for smart monitoring of patient conditions. With this kind of growth, any exploited vulnerabilities in this sector allow malicious actors to gain control of these devices, steal sensitive information, obstruct network traffic and disrupt critical care delivery. Malicious actors have evolved as well, whether it be in terms of motivation, the mechanisms or techniques they use really just turning the underground economic transactions. Adding to this level of acceleration, we’ve already seen the consequences of bad security or no security. And unlike other sectors, whether it’s retail, banking, etc., the security or the lack of security considerations while building these technologies can literally cause safety events for the provider and the patient and even fatality. So Brian, let me start off by really applauding you for taking ownership and embracing IoMT risk management at Tufts. Your team really drives the efforts and that in my opinion is actually a unique stance where cybersecurity has taken charge and is driving the entire momentum of risk reduction measures with different stakeholders. It surely ensures that there is a comprehensive cyber risk management program. How did that transition work in your favor, and any guidance to offer to different health systems and/or listeners?
When I came on board at Tufts Medicine, I didn’t really have visibility on what was connected holistically. We had pockets of information in a decentralized manner. One of the first things I said was we really need to think about an asset management solution that is in more of that passive state… that is going to collect. So I started going through different analyses and came upon Asimily. We did some POC work with you guys and built that out and then really started saying what does this do to give me visibility? We started implementing our vulnerability scanning into it as well. Focusing on it saying, “Well now what do I see? What’s my risk? What is it connected to? Where is it going through?” And started working that process and really helping everybody take a risk management approach to how we’re addressing it. Because when we had a traditional vulnerability management program previously, it addressed where all the high vulnerabilities are, but it didn’t take into account where they reside, what’s the impact of that device, how is that connected and what does it do operationally. So it always becomes a problem, right? Everybody doesn’t want you to touch their equipment. We’ll take care of it. One of the things, again, was a focus on getting that visibility, putting it together and we actually changed the name of our group that does this from Vulnerability Management to Attack Surface Management. When I think about that, it is really about how can these be attacked. Let’s understand. Identifying threats. Identifying your risk. Identifying your pieces and going through that. And then it really started giving visibility to what we have on there, what we need to really fix, and actually it’s really helped in a couple of stages where we had a vendor that was bringing another device onto our system and we looked and said, “Well hold on. You actually have ten other devices as well but they have not been updated and not maintained.” It is a great opportunity when they know they’re selling you something net new, how do we address some legacy issues. So we’re using that as an opportunity to basically get them to address it. “I won’t put your new solution on until we address some of the risks that we have on your legacy solutions that you’ve implemented and upgrade them as part of that process.” And actually, they are happy to do it. The operational teams weren’t even aware of it because it’s just something that they didn’t have that visibility, so we’re actually able to get all upgraded tools and solutions in place and implement this new technology as well at the same time and address it. And so that’s kind of the idea…how do we address risk, it’s really bringing that forward. So now not only did we reduce the cyber risk, but we also reduced operational risk because we brought upgrading equipment and better operational effectiveness for the clinical teams too. So those are the things that we’ve seen come into place and really taking that risk-based approach and bringing it to the operational teams and then back to the vendors as well.
And that’s a great closed-loop solution, Brian. You touched upon inventory. You touched on the visibility of the vulnerabilities and threats and addressing them. And another important component you addressed was just holding vendors accountable. And when you look at IoMT Cybersecurity, the kind of challenges healthcare faces are just numerous. In your opinion, anything in particular that you would rate as top three?
The top three risks? So some of the things that we found out too when I think about medical IoT security, we did a big migration to our EMR to the cloud. And when we went through that process, we actually found out that we had medical devices sending in data up to the management console insecurely – not using TLS. So natively these solutions did not have TLS enabled. Initially, when you have conversations with these vendors, they’re like, “Well, that’s how we’ve been built. It’s FDA approved.” all this information and if you’re in a closed network…maybe…possibly you could have an argument saying, “OK. Sending data from this EKG device up to the monitor and server on a closed network behind a firewall, on-prem. OK.” I could maybe say that we have some mitigating controls to allow that. Now we switch and say how do we transfer this now to the cloud? So I’m going to send this data up over the Internet to a cloud service that is unencrypted. So we had to go back and work through a different solution… identifying vendors. And then some vendors, if they weren’t going to support native TLS within their products, they were a no-go for us. We’re starting to really push them too. Some vendors were able to work through that process and it was kind of in their road map, but they just said, to be honest, nobody has really asked us for it, which is kind of interesting when you think about where we are in security today, that all this time no one asked them to secure the transmission of their medical data. So those are some things I thought about when I think of the areas of risk. If we are going to cloud service or cloud hosting, is everybody prepared for that? I can spin up a virtual machine and anybody can. But when I think about that connectivity. So that’s a big area that I think needs to be focused on.
And also too…what about care at home? We have a care-at-home facility, so how do we do that? How do we make sure that we’re doing this in, sharing in, and getting that patient data secure? So we are really focused on that aspect as well, making sure that we can have visibility into what’s going on with the patient and having them have the other data secure.
And then the other piece I also think about is misconfiguration. Not knowing what we have on our network and how it’s being configured and what is being done. Somebody doesn’t realize that this data is being shared out inadvertently and it could pose a risk. Those are areas I see that we’ve been focusing on in our organization.
And you would think when it comes to cloud security, those are some of the trivial matters, but on the medical device side, you’re actually looking at that being a complex challenge in itself. And that sort of brings me to my next point here. In March of this year, Microsoft actually reported that 99.9% of the account compromise incidents actually could have been blocked by using multi-factor authentication. And this statistic really concerns me when it comes to medical devices. Rightly so because we’re looking at weak passwords, hardcoded credentials, and shared credentials not only internally but also among vendors. Adding to this is the fact that many practitioners use these IoMT devices connected to public domains or guest networks. How can IT, Cyber, and Biomedical collaborate better on this critical step to prevent the use of such weak credentials? And as leaders, another problem I see happening is just obtaining the trust of clinical practitioners for such compensating controls. How can we avoid security alert fatigue?
So that’s a lot of areas to cover. So talk about 2FA, we’ve implemented 2FA across the organization – hands down needs to have happened. Why do we do it? We do look at monitoring what devices are connected to our guest network and ensuring that they are not critical devices…walking through that process. I understand the need to say, “well, this needs to happen, but we need to make sure it’s in this secure process.” So we’re also going to look at that, making sure that we’re not doing things in insecure methods. As you know, the guest network is one of them. But like you said, “alert fatigue”. How do we address this? Because there are definitely a lot of alerts that fire up for us to review. For me, it really goes back to understanding the control aspect of what we are doing. Understanding the threat, the risk, and what we’re doing from a control process and then focus on that versus chasing down numerous alerts…getting to that alert fatigue. So start from that. What are we looking to protect? Why do we want to protect it? How are we going to protect it? What are we going to do when that happens? My thought process around it is high fidelity. So I’m going to address something that’s going to be something of high fidelity versus just sending a whole bunch of data up and then thousands of alerts that don’t really go unanswered and you miss things that are potentially critical on that path. So those are the aspects we look at, and awareness and training – teaching everyone there. As part of our Attack Surface Management team, we have Biomedical engineering teams that are outsourced between the organization. So we are really now working in a collaborative effort with those organizations to say how do we now make sure that we are sharing security issues across, addressing that whether it’s a recall aspect or addressing particular risks and making sure that we’re targeting those and building that in.
Through our Attack Surface Management team, we turn calls to our Vulnerability Assessment teams. We call it the VAT. We huddled together, come up, look at the issue. What is the latest vulnerability? What? Where? What is that criticality? Where’s our exposure? What are potential compensating controls to mitigate that initially and then what is our corrective action plan to remove that? Sometimes it just isn’t as easy to patch and sometimes there are no patches available. Vulnerability found. Patch not available. How do we address this risk? How do we go through it? We have this huddling team now to come in and collectively address it. Come up with a plan and course of action to address that list. That’s how we’ve kind of worked to approach it.
I think something that worked for me in the past, Brian, is really getting my Biomeds and IT folks to sit together at the table, discuss, and then attend what’s called the Nursing Educators Forum. That’s something most nursing units have on a monthly basis and I had a standing 15-20 minute update right there just about security controls. And this was not just a one-time thing but just reeducation and retraining throughout the year, not just as an annual LMS [Learning Management System] module. That’s really something that worked to reduce that alert fatigue on the clinician side and also have a clinical champion in my security efforts. That really worked wonders, I would say. And prioritization is everything. And as you can see within Asimily, we’re actually prioritizing whether it’s anomaly detection or vulnerability and that seems to really help with not just looking at the needle in a haystack, but actually addressing what’s the ones that are most critical, what are the weakest points in your environment.
Let me shift gears a little bit from the technical front to the administrative front here. One of the growing concerns for healthcare CIOs and CISOs is staffing. Despite having robust cybersecurity strategies and tactics and the introduction of AI & ML [machine learning]-based technologies, recruiting that blended expertise has been a challenge and we’re struggling, not just in the last two years, but forever with blended expertise, but more so now post-pandemic. To ensure a prevention-first culture, what are some of the strategies you adopted with your teams to address this shortage or lack of vendor expertise and ensure a proactive methodology with risk management?
I’ll acknowledge yes, staffing [is an issue]. We haven’t had that problem in my team, which is great. Nobody’s left my team but I acquired individuals from IT backgrounds as they came into my group. So working that process, here’s the definition of the job that we have to do. Here’s the role. Here’s the description of what needs to be accomplished. Do they have these necessary skills? Not in all cases. So we put together a road map for success. How do I get there? What are the skill sets I need to get those individuals? I’ll look at the application certification. What applications do they touch? What are those pieces they do? Is the certification process. It doesn’t have to be a formal certification that says I passed this thing but do you know where I’m reaching out to be a SME [subject matter expert] on the technology that’s going to be most closely tied to your avenue of expertise. That’s going to be one. So I want to make sure that they understand that and then I’m going to give him another focus on the broader cybersecurity arena. What are all things you need to do? Attend webinars and other training areas where you are going to understand other aspects of risk or threats coming up so you could understand what we need now to start applying to my role. If I have a base foundation of the skill set or the technology and I can make sure that I now own the risk that I need to be working through towards those two pieces, now you become that subject matter expert on that.
We are then running crisis management exercises, so we do some of that as well. In our organization, we purchased a crisis simulation tool that runs through a series. I think about 40 to 50 different scenarios that we run through. One I am running right now with our Vulnerability Assessment team, which includes stakeholders in our Biomed teams on a zero-day exploit. What do we do? So let’s run through this scenario and make sure that we’re aware.
And then bringing just broader security awareness to your organization is the next thing and agree. That is the next-level post…the security champions. How do I get clinical people to also be security champions? Everybody wants to. How do they become part of that? How do they provide because they might see something? Awareness of risk. What should I be doing? We’ve also, ourselves, actually gone through and created a 20-minute 10 episodes of customized training videos focused on specifically healthcare and security. There are real-world scenarios, maybe not always specific to our organization, but things that we’ve seen out there. In a hospital study, we take this and then walk through a specific security issue. Somebody picking up a USB drive. What should I do with this? Should I plug it in and see what it is? No. So we go through what could happen. They are animated to lighten up the context of it, but it also has a message. So we do that as a part of orientation. We’re doing it with clinical orientation as well, and then all new hires. It just gives you what to do, what steps, what should you take, what are the actions you, as an individual, need to think about so we could help build a security champion space. We are not there yet. Sometimes it’s hard. I don’t think everybody understands how important cybersecurity is. I look at it as cybersecurity is patient safety. They are synonymous in my opinion. So that’s the message that we try to focus out there to get that.
Those are all the challenges and then it’s retention. What are we giving people…making their job challenging but not overwhelming. You want to give them excitement to do their job and they’re not stuck in a dead-end role. The way I’ve organized my cyber security team is creating what I call towers of success. Focusing on everyone getting their subject matter knowledge and expertise and they get to a point where they feel that they’ve reached the max and they’re interested in something else. I could swap roles now, getting cross-knowledge and cross-sharing of that and continuing to keep the team focused and informed and wanting to stay here versus trying to go out and recruit. Because that’s a challenge to find somebody to do that and then they may not still have all those skills you need. So having an ongoing practice for the education of the team.
I think that’s a huge plus point when it comes to retaining and having that high retention rate. Providing that autonomy to see how that interest grows over time and especially in an evolving space like cyber. And you brought up a really interesting point that cybersecurity is patient safety, and one of the things I read last night was that the Joint Commission, starting Jan 1st of 2023, is requiring a safety briefing on day one of their arrival to a healthcare organization. And in this, surveyors are expecting health systems to be prepared on how they respond or how they should respond to an emergency such as fire, smoke, or anything. And in my opinion, any safety events, incidents related to cyber risk, and downtimes also classify as emergencies. I think it’s awesome that you’re doing those crisis management exercises. That’s just going to go a long way. Looping all of this together, any specific frameworks and standards or guidance that you would like to recommend to our listeners today?
We’ve adopted the NIST cybersecurity framework and also compared it to the HITRUST cybersecurity framework. I like NIST and I’ve used it in other organizations because it’s an easy way to think about the five functions: identify, protect, detect, respond, and recover. How are we doing in that and what are those areas in there? When I say we pair it, there are overlapping capabilities within the HITRUST framework as well. How are we then working specifically on it because obviously that’s area regulation for us. So it’s really the merge of those two where we focus on and just addressing all that. So that’s how I’ve aligned my team. Breaking it out, we then go through each thing, where the individuals of my team have to focus on and drive the capabilities in the five functional domains of the cybersecurity framework.
Thank you, Brian. These are great insights for our listeners and, you know, all users of Asimily. So Brian, thank you for being here with us today and sharing your expertise. These are, again, excellent takeaways and on behalf of Asimily we appreciate you taking the time and look forward to our continued collaboration. And listeners, if you have any questions or would like to learn about what Asimily has to offer, contact us at firstname.lastname@example.org. Until then, take care and stay safe.