David Finn
Hello, my name is David Finn and I’m one of the Vice Presidents at chime responsible for the Association for Executives in Healthcare Information security. And today I,’ve got three that are three people I have to call heavyweights in the security industry, particularly around medical devices. So I’ll make some brief intros and we’ll dig into a very interesting topic.My first guest is Shankar Somosundaram, who is currently the CEO of Asimily. Asimily data-driven non-invasive medical device monitoring solution for healthcare providers and medical device manufacturers solving for asset management, risk cybersecurity and operational use cases. Previously Shankar led the Internet of Things business unit at Symantec, and in this role, he oversaw the enterprise Internet of Things business for multiple verticals including healthcare, industrial control systems and facilities. Prior to that Shankar was part of the business and corporate development teams driving deals in the enterprise storage and security space. And before Symantec, Shankar held engineering strategy and product management roles at companies like Qualcomm, interdigital and British Telecom Shankar also established and operated startups and enterprise software and security areas and holds 50 plus granted patents is patents across networking and security.
My second panelist today is Axel Wirth. Axel is the Chief Security Network Strategist at MedCrypt, and in this role, he provides strategic vision and industry leadership to med crypt and its customers and guides in critical security strategy decisions. He’s an active participant in industry and standards organizations, serves on boards and committees and shares his cybersecurity knowledge through publications and presentations. As an adjunct professor, Wirth teaches a medical device cybersecurity course at the University of Connecticut Clinical Engineering and graduate program. He is the co-editor and co-author of the first two books on medical device cybersecurity ever published addressing the needs for cybersecurity education of Clinical Engineers in hospitals, as well as engineers working for medical device manufacturers. In recognition of his accomplishments, he was awarded the 2018 ACCE HIMSS Excellence in Clinical Engineering and IT Synergies award, the ACCE 2019 Clinical Engineering Advocacy Award and has been recognized as a fellow by AAMI and HIMSS. He holds a BS in Electrical Engineering from the University of Applied Sciences in Dusseldorf and an MS in engineering management from the Gordon Institute at Tufts University.
And last but certainly not least, joining us today is Steve Grimes. Steve has over 40 years of experience working with independent service organizations, academic medical centers, healthcare consulting and research firms. He is a recognized authority and frequent speaker and author on topics ranging from future challenges facing technology support to healthcare technology convergence, medical device security risk management and quality management issues. He recently co-authored and co-edited AAMI’s medical device Cybersecurity Guide for Health Technology Management Professionals and teaches a graduate-level engineering course. In medical device cybersecurity at the University of Connecticut. Hey! You and Axel might know each other. I just realized that he’s been involved in the development of many of the industry’s key Health Care Technology Management Standards, and has served as an HTM consultant to the World Health Organization and the Pan American Health Organization. He is the recipient of AAMI’s annual Healthcare Technology Management Leadership Award, ACCE’s Lifetime Achievement Award and the ACCE HIMSS annual excellence in CEIT Synergies award. In 2019. He was inducted in the ACCE’s Clinical Engineering Hall of Fame. And that is a lot of introduction but these are these represent a lot of experience. So I’m going to dive in starting with you Steve and Shankar healthcare is in kind of a difficult straight as is all the sectors in our economy. It’s kind of a difficult time planning, figuring out whether the we’re in recession or inflation or what’s going on. So my first question to you is, what’s the number one objection you hear from C-suite when asking for budget around cybersecurity? Steve?
Steve Grimes 5:32
Thank you. Probably the biggest issue that we hear is it’s difficult for people to plan when it comes to cybersecurity for a reasonable budget, or what to budget for. And that difficulty comes about because well, first of all, the nature of our industry, healthcare is increasingly making use of new technologies that are have the promise of improving healthcare, the quality of healthcare, the availability of healthcare, but along with the introduction of new technologies, we’re reducing the technology is bringing new vulnerabilities. And we’re also seeing in the cyber threat world we’re seeing in an increasing number of cyber threats that are occurring. The problem is that historically, there may not there hasn’t really been a history on which one could project easily project, what the those, the cost of future cyber compromises are going to be. And so one really needs to not just look at historic information, but project based on the nature of the organization’s the technology, choosing the vulnerabilities that they have. But also what’s the threat profile? How are the threats evolving? And so based on both historic information, as well as looking at the evolution of the technology, the new technologies that are being used, the evolution of the threats that are occurring? What do I need to budget to ensure that I can protect against these new these new threats that are associated with the vulnerabilities? So that’s one of the significant difficulties, people need to look again, beyond just the historic information, but also the project based on what are the my use of technology? And how is that affecting my vulnerabilities? And also how, how are the threat profiles? Evolving, emerging? And how do I address those?
Shankar Somasundaram 7:38
Thanks, Steve. And if I can add to what Steve mentioned, I think where the other problem when it comes to asking for a budget is where the health system is really aware of the cyber risk, they really don’t know, they really are saying, okay, how am I going to use this? How am I I don’t have the staff to implement any measures if I didn’t have the staff to use any solution, and others have the staff to work with, let’s say, a service organization. And I think the other part of this is you got to look at cybersecurity as a plan, not as an overnight success. And anything, when you look at it, and you look at it, and you you think of it as small bites at a time, I think it’s a much more easier thing to actually budget for trying to budget for an entire army who is going to solve your problem overnight, right? So breaking up into small chunks where you eat it one bite at a time. Also makes it easier because right now the biggest honor, the big problem is really how do I get the budget from the board for a really large team to solve all of these problems that if you really break it down into smaller chunks, things you can address piece by piece, then I think it’s much easier to do so.
David Finn 8:47
Thanks, both of you. I’m going to go to you next Axel and Steve. And we’ve talked about the part about asking for the money but before that there’s the quantification of risk, what really is the risk to the organization? And we’re seeing this risk quantification really boil up in, in healthcare, I think. And I had the pleasure of working for a number of years with Axel at Symantec, we were typically coming in through the it door and those the risks from an IT perspective, are different than certainly from a clinical engineering perspective. And those are both different from the CEOs or the CFOs perspective. So Axel, how do you see organizations today quantifying the risk and the value of cybersecurity today?
Axel Wirth 9:46
Yeah, so you’re making you’re making an excellent point there that a lot of the models we’re using, actually come from the traditional IT security space, applying those two medical devices has limitations. On the medical device side, we’re used to doing traditional safety risk analysis. But the results are different than a security risk analysis. So if we want to quantify medical devices and their risk due to cyber exposure, I think we need to look at a combined model that combines the principles of traditional IT security risk analysis, and the experience from traditional safety risk analysis, and perform a dedicated medical device security risk analysis and just to highlight two specific areas where we need to pay attention to differences they are more but nevertheless, give you two examples. One is certainly the statistical estimate of, of likelihood of occurrence of an event that we in cybersecurity, we have very little historic data which would allow us to project the future, we can derive trends, we can look at the big picture, but we cannot predict based on historic data, the probability of a certain cyber event occurring, I can try to understand my system, my vulnerabilities and weaknesses, and assess how exploitable it is how easy it would be to compromise in an attack, and then assume it will happen one day, rather than looking at the past just make that bold prediction about the future. Because after all, we operate in a life critical space as compared to mission critical space on the IT side. Second example I wanted to bring up is that suddenly in cybersecurity, but even more so with medical devices, it is never about just the single device or single weakness or vulnerability. And we know that sophisticated hackers chain multiple vulnerabilities to penetrate systems. So estimating each individually really doesn’t help us to build a good defense. But we also know that a compromised device, the problem never stays with just the device, but it spreads to other devices or a compromised device impacts an entire department. And in some cases, it can even impact the entire hospital or other hospitals in the region. But if my CT imaging in my emergency room is down, I cannot accept certain incoming patients with symptoms of stroke, I need to reroute them to other hospitals. So the complexities of impact and risk I need to consider on the medical device side far exceed what we are used to traditionally in in cybersecurity but also traditional device safety.
David Finn 12:56
Steve, any additional thoughts on that topic?
Steve Grimes 13:00
think it’s a very good summary, I would only add that, again, because, you know, we’re talking about medical devices. When we talk about cyber compromises, there are not only the financial risks that one needs to take into consideration, but also the impact on patient safety on patient care. The organization’s overall operations are as excellent as describing when a certain services are taken out the overall operations can be severely compromised. And also there the compromise can significantly impacted an organization’s reputation. So these are all things that need to be considered. And when obtaining a budget, you need to be able to convey this information to the leadership to the board as to what the potential is in terms of you know, what the compromises can, how they can affect these aspects of the organization, and what the implications are in what budget is necessary to expect a reasonable, you know, have a reasonable chance of eliminating or at least mitigating these kinds of risks. So, again, looking at various aspects of what, what these kinds of cyber risks with respect to medical devices represent, and making sure you convey that information in as best you can. extrapolating from historical information using the information you gain from your risk assessment to determine what the probability and the potential impact is on these areas of finance operations, patient safety, as well as reputation.
David Finn 14:51
Thanks, so it sounds like it and clinical engineering are gonna have to work together on this. And I started with the bug Good question for and you, Steve. So I’m going to come back to you. We talked about some of the issues you’re hearing, when people asked for budgets and some of the things they might do, then we went into the risk quantification. So I’m going to come back and kind of complete the circle. Shankar and Steve, what do you think that organizations will be able to do in the future? To ask for cybersecurity budgets and, and have an improved opportunity and improved ability to tell this combined story?
Shankar Somasundaram 15:39
Yeah, Steve, you can go first.
Steve Grimes 15:41
All right. Thanks, Shankar. The approach that those that are involved in in managing these risks and ensuring that the organization is, you know, fully aware of it is that, you know, first of all, what they need to be doing is analyzing reporting on the organization’s what are the vulnerabilities based on the technologies that are being used, the processes, the stakeholders that are involved in the use of the technology and how all of this technology is operating together. So there needs to be an analysis and report done on the current vulnerabilities in this area. They also need to report analyze the report on the what’s the current, external the threat landscape, what are the sources and the types of compromise. And again, this comes into the doing that an effective risk assessment, we need to estimate the potential impact on patient safety, in care and on the organization’s finances, operations, and the reputation should one of these vulnerabilities that they’ve identified be exploited. And then finally, they need to provide steps associated with the in a budget to reduce the will assist them and reduce the appropriate security compromises, or at least significantly mitigate and compromise if one does occur.
Shankar Somasundaram 17:04
At all, thanks, Steven, I think we’ve covered a lot of great points. If I can add to what Steve said, I think a couple of other things organizations can do. One is quantifying their risk compared to other organizations out there in the landscape. And to really get that information, you can either get it, you know, there are solutions can provide it, you can also as a CISO, or cybersecurity leader, you might have your own peer group, you can reach out to them, they might have quantified their risk posture. So you can get that and you can compare their risk posture with yours. And in general, I think you obviously want to make sure that your risk posture is aligned with the rest of the industry at the minimum, and you want to keep improving it because the security landscape is definitely improving. But you definitely don’t want to lag behind. So definitely comparing the risk posture or benchmarking it, your org versus the industry is very valuable. The other thing I think you can also do is there are breaches that have been published in healthcare by different institutions. And what you can do is make some CISOs. And CIOs have told me that when that breach occurred, they have been able to get information on what was the some of the security controls in place, what were some of the actions they took, they have been able to look at their own org and said, you know, that’s the bare minimum, because even with that the breaches have occurred. So we need to do better than that. And so they have been able to go to the board and say, This is the best set that we know we havehe seen. And we know that there have we have seen some issues. So we need to do better than this. And this is the total amount of budget required to get there. And so again, this is a different kind of quantification, where you’re measuring against events that have happened and what was done. They’re really trying to improve your own posture and asking for the budget for doing that.
David Finn 18:38
Thank you. Thank you both. And I’m going to dive down a little deeper into the conundrum that we’ve raised, and that is clinical engineering and ice it or information security working together. I think most of you know that, you know, in a former life, I was a CIO. And in the early 2000s, I was probably one of the first CIOs who had clinical engineering moved underneath then. And the Director of Clinical engineering was a brilliant guy, but he did not. He was not thrilled about moving under the CIO. In fact, his first words to me when the CEO announced that decision, or I have never reported this low in an organization in my life. And I will tell you, we came to an understanding very quickly, I did not know clinical engineering. I love a lot of the urgency that clinical engineering brought to it. But the clinical engineers were about solving problems and didn’t have a lot of the processes that it usually builds around themselves, sometimes for good and sometimes for bad. So my question Axel and Steve for you is is how are you seeing organizations Clearly, we’ve heard from you all today that IT and security are going to have to work together in the future. But what kind of models? Are you seeing? What are organizations doing to bring security and it and HTM or clinical engineering into alignment? And what do you think is working and what isn’t going to work? Axel, I’ll start with you.
Axel Wirth 20:27
mean, so a lot of that depends, obviously, on each individual organization, I don’t think there’s a one size fits all kind of approach here. I think the model I see the most these days is the one you mentioned, the clinical engineering actually reports into it and IT security. But the other models around this what Mayo Clinic initially established, and some others have copied as well. And that is to form actually a third group that is staffed from both sides, but operates independently, that is responsible for medical technology security, or doesn’t have to be a form an organization entity can also be a committee, or working group that is staffed from both sides. So depending on your size, your experience and expertise, I think, look at those three models and find out which one works best. What’s best for you. There’s also then obviously the procedural side. And that is that certain procedures may require them. steps have been taken on both sides of the organization. Simple example, is procurement. Right? If clinical engineering is in the process of procuring a new device, that is network connected, most organizations will need to then run the prover for that purchase through it and IT security to make sure that the new device complies with the network and IT requirements and keeps the hospital safe in the future. So it’s both an organizational question, but also, a process and procedure question in terms of certain processes that used to be on either side, now need to be on both sides and need to be managed jointly.
Steve Grimes 22:22
So I’ll add being the only clinical engineer in this group. And I’ll add my two cents. The perspective of from clinical engineering, having been in the business now for probably closer now to 45 years, healthcare technology and clinical engineering. Certainly in the in particularly in the last 20 years, we’ve seen a convergence of the technologies, which is necessitated more a closer working relationship, whether it’s joining the department, so whatever between clinical Engineering and IT, the challenge is that these two groups are very different in terms of their backgrounds, very different culturally, for the most part. And as a consequence, that bringing the two groups together, however it’s done is it’s not easy, it requires some thinking. And so one of the problems with the challenges we’ve seen is that organizations have often tried to just essentially change a line in an org chart without giving a great deal of thought to Okay, well, how do we actually get these groups working together in all areas, not just cybersecurity, but it’s, it’s a challenge in all areas. So the clinical engineering, the first of all, in order for them to be effective, particularly in cybersecurity, they need they do need to work together doesn’t necessarily mean that they have to be within the same department, they can work fully, but what they do need to recognize is that their needs, they need to take a synergistic approach, an integrated approach for dealing with the you know, the these hybrid technologies, the computer and medical technologies. So, in terms of you know, when developing policies and procedures, let’s say addressing cybersecurity when dealing with issues like acquisition of technologies, the use of technologies, dealing with security, these are things that can’t be done by either group in isolation, it by itself shouldn’t be determining what how ICT security is dealt with, Nor should the clinical engineering group, they need to take an integrated approach to ensure that there are no gaps in terms of their security programs. They need to look at, you know, sit down and plan, how are we going to effectively work together ensure there are no gaps in the in the approach that we take to this day? Cybersecurity, that we’ve got integrated policies, procedures that were essentially, you know, following the same gameplan. And, again, it’s not something that comes naturally to most it or clinical engineering folks. But it’s something that the safe and effective use of the technology is going to require, again, that these groups collaborate more effectively. And that will, it’s the sense that you necessary, you’re going to be, again, having a cyber secure environment, but medical devices.
Axel Wirth 25:39
maybe one thing to add to that is also we shouldn’t forget about what you may want to call the third leg of the stool, which is facilities, right. You know, they operate a track elevators, security and alarm systems, all of which use network, SCADA devices, industrial control systems, IoT devices, which are equally at risk from a security perspective. And in fact, there are several high-profile breaches out there that have been reported that actually started with a facility type system H vac and, and all of the above. And therefore, I need to consider as well, the systems not only as a possible entry point for security attack, but also as a possible risk factor to care delivery. If I shut down my elevators, I shut down the patient transportation. If I change the temperature, temperature in my operating theater, I affect procedures that are scheduled for the day. And so there’s more to it than just a tea and tech engineering.
David Finn 26:53
I’m going to enter the lightning round here. So I’m just going to call out a name and give you a question. I’m going to start with you, Steve. I know Axel mentioned working with procurement and having them in the loop. But one of the age old thing questions or issues I hear from clinical engineers is working with the manufacturer and the IT side of that world is they won’t change anything, they can’t do anything. So from the clinical engineering perspective, while you’re in that procurement process, what can clinical engineering or it whoever the purchaser is, do to bring some pressure some new approaches to the manufacturer.
Steve Grimes 27:39
First of all, I think it’s a good point and a good question. It’s, you’ve got the power of the checkbook when you’re talking about when you’re in the procurement process. So you’re never going to have more power than you do at that point. So that’s certainly the time when you want to get the appropriate conditions the opponent or appropriate arrangements made with the manufacturer. And organizations should realize in clinical engineering, and it should, security should realize that the relationship with the manufacturer doesn’t stop at the point of procurement that one. First of all, you ought to be doing things like a document call that virtually all medical device manufacturers, certainly the major ones are, will provide. It’s based on the standard that I was involved in developing about 20 years ago, called MDS2s. But you should request that because that provides security related profile information about medical devices, and assists you in determining what security features that a medical device has and how you might be able to or what you may need to do to interface the medical device you’re considering into your environment, whether it’s going to be appropriate for your environment. The second big issue is that you want to ensure that the relationship goes beyond just the acquisition, medical devices and other computerized devices often have to be updated. We’re all familiar with our computer systems having to have security updates done periodically. And that’s certainly true of medical devices. And there needs to be a relationship that’s maintained along on an ongoing basis for the life of the device that you’re going to do get security patches and updates from the manufacturer as quickly as possible as quickly as they’re available. And you want to ensure that the manufacturer, when the updates are made available, that they get them out to you and that you’re made aware of them so that you can update your products and and help maintain that safe environment. Clinical engineering and it should have the ability to to sign off on devices before they are approved for purchase, because if there’s a significant security issue or any other significant issues with respect to it, aspects of the device or other safety or efficacy aspects of the device that a clinical engineering is aware of those that they ought to have the ability to sign off on the procurement. So getting information upfront in the form of the MDS2 and what other information that should end up the manufacturer, maintain that long term relationship to and to ensure that you’re getting regular security updates and other updates to the to the device and make sure that part of your internal processes is that you’ve got the clinical engineering and it signed off on any acquisition of these new technologies.
David Finn 30:58
Thanks. And your answer, Steve raised another question that I’m going to direct to Shankar because of his unique kind of position, I imagine Shankar sometimes you sell in a provider into clinical engineering, sometimes it may be it or security. But if you’ve made an arrangement with one or the other, what guidance do you give to it, for example, about clinical engineering before they before they in the deal? Or vice versa? If you’ve sold into clinical engineering? Do you give them any advice on what they need to do with it before they start implementing a system around this?
Shankar Somasundaram 31:43
That is a great question. I think we obviously have worked with both sides of the house, we have worked with organizations that work together and organizations where they cannot even see each other they cannot even see eye to eye. And I would say I think the thing we tell both sides where whichever side we are on is they have to understand the other side. So it has to understand that medical devices are unique, they are not just yet another workstation, yet another server, they are not they are different. And so you’ve got to treat them as such, you cannot take the same approaches, you cannot just do a patch Tuesday and just patch the life out of all your devices. So that’s on the IT side, you got to understand some of the nuances like you did, David, when you were the CIO, and you really went and understood the medical devices. For the C site, I think we have to understand the implications of cybersecurity, treating it as a problem, they have to deal with treating the ISI as a problem, the organization they have to deal with and somebody who obstructs their work is not going to help because they are also trying to improve the overall care because ultimately, cybersecurity affects patient care. So they are in some ways hand in hand with the C team to improve the overall care. And so I think understanding each other’s viewpoint is very important. That’s the first advice we give to each other. And then educating them, providing them the information that allows them to get there is very important, helping it understand all the nuances of medical devices, what they can and cannot do, why they cannot do what they cannot do. And how can they move forward with considering the nuances from the IT side and from the sea side, educating them more about cybersecurity, their risk, the impact to patients, I think helps them get better so that when you bring a device into the environment, it side can bring some of its unique perspectives to make sure they’re bringing in the right devices and seek and ensure that the one being brought in is the right one from patient care is the right one for the doctors is the right one for the organization itself. Right.
David Finn 33:27
That’s very helpful. And one thing I want to ask each of you very quickly, it’s I’m sure it’s a very complicated answer. But one of the things I learned when clinical engineering moved under me is we certainly did Asset Management from an IT side. What I’ve learned in the clinical engineering world is they track a whole different set of information than we did on the IT world. We never track things like Meantime, between failures, and we certainly didn’t log every maintenance issue we addressed on a device which you have to do with their with the regulated devices. So my question to each of you is how do you integrate a solution like a similes into the bigger asset management into the bigger it probably database and get to a single source of truth instead of multiple databases which I wrestled with? Fact so I’ll pick on you.
Axel Wirth 34:32
Okay, I can get started on this. I mean, you said your point is well taken write multiple databases always per trouble because you have disconnected information you have systems that will drift apart in the future. So finding a single source of truth or as an alternative, secondarily, find a way to keep those databases synchronized automatically is too powerful. Our good risk assessment and risk mitigation all starts with asset visibility. And I need to know what’s on my network, I need to understand each individual device need to identify it, but also need to know everything that is security relevant about the device, software version and security and network configuration. You name it. So I need to ensure basically that I understand the security baseline of each piece of equipment on my network. And then I’m able to maintain that baseline going forward, as manufacturers will release updates and patches, or certain devices may go end of life and may require external compensating controls to keep them secure. And then so it’s all on a question of visibility. Steve?
Steve Grimes 36:02
Great question. And it is a real problem. The traditional databases that were used were upper on the clinical engineering side under the what they call computerized maintenance management systems, which were the housed inventory and service information for medical devices. On the IT side, it’s the critical, not critical, but all the all the acronym, escapes embedded, but it’s similar, but it contains more IT related information there. CMDB. See, thank you, computerized management, the right database, the or the entities. So the CMDB. In the CMS, there are some efforts, there are ways of linking the information together. And some organizations are doing that organizations like assembly and some others have developed. And there they are, their offerings have the ability often to integrate. And that’s something I would look for the ability to integrate effectively into the CMDB. So the CMMS is. But as Axel pointed out, it’s important that you have one set of true data you don’t, you know, if you disconnect the databases, if you’re attempting to maintain the same kind of information in multiple databases, that never ends well, because So inevitably, inevitably one is going to be inaccurate was not going to be effective to maintain. So it is extremely important. One of the things we emphasize in our, you know, have been emphasizing for a number of years is that it’s important that organizations ensure that they have access to information like in the case of clinical engineering, they know what’s in the CMDBs. You know, that has the software version, the bill of materials, the other elements, configuration elements, or data assessment, the other configuration elements, configuration items. And so, again, yeah, very important to ensure that these sorts of these are integrated, there are ways of linking them together. And again, some systems are available, like assemblies that will are designed to actually interface with some of the existing products that are out there.
David Finn 38:35
Shankar you get the last word on this one.
Shankar Somasundaram 38:38
Yeah, I think even Axl covered it? Well, I mean, I’d say a lot of say we run into this problem pretty much every day, whether it’s new customers, existing customers. And it’s very simple. You I mean, you got to have the actually work as outside of what somebody does, we work as an orchestration engine, that’s the only way to solve it, whether there’s a knack or a sim or a vulnerability scanner, or a CMMS, CMDB, whatever it may be, everybody has disparate data in their systems, you got to pull all of it together create a single source of truth. And sometimes some systems might have a better version for certain devices, you might have a better version, your NOC might have a better version than others. And depending on which device you’re pulling it from, what the type is, what the category is, you got to decide what data element is better suited from which tool or what solution which average database, and then pull it all together into a single view on this we pretty much are doing on a day-to-day basis. So that’s the that’s the only way to solve it create that orchestration that really brings up single view.
David Finn 39:30
Thank you. I want to thank you, Axel, Steve, and Shankar and I want to thank everyone for listening to this broadcast today. Thank you
[end]
