Challenges and Constraints of Medical Device Cybersecurity
Welcome to the IoT Security Chats podcast where we bring you the latest information in Cyber and IoT Security. From asset and vulnerability Management to Incident Response, hear the experts talk about the latest threats affecting connected devices and how to keep your organization secure.
Host: Priyanka Upendra, Senior Director of Customer Success, Asimily
Guest: Axel Wirth, Chief Security Strategist, MedCrypt
Axel Wirth and Priyanka Upendra discuss medical device cybersecurity challenges and constraints, which have expanded technological and human efforts.
Priyanka Upendra: Good morning, everyone. I am Priyanka Upendra, Senior Director of Customer Success at Asimily and I’m thrilled to welcome you to the IoT Security Talks podcast series. Today in episode three, we will focus our conversation on Establishing the Healthcare Technology Management Cybersecurity Center of Excellence with Matt Dimino, Vice President of Advisory Services at First Health Advisory based out of Scottsdale, Arizona.
Matt brings a wide range of technical, security, academic, and HTM knowledge to this scene. He has over 15 years of experience in various roles ranging from being an associate faculty at IUPUI to HTM leadership roles. Many of those years were spent as a practitioner in medical device security. Throughout his career he has developed multiple security programs, integrated complex architectures, performed security consulting, as well as developed risk assessment methodologies coupled with hands-on device hardening experience. A major focus for Matt is to expand on IoMT or Internet of Medical Things Risk Management strategies and prepare First Health Advisory customers and partners for the future of IoMT and create a safer environment of care. Matt, thank you for joining us today.
As we’ve all seen in the last decade medical devices have become progressively more connected and our concern about cybersecurity for these devices have exponentially grown. Having been in the industry for over 15 years myself, I’ve seen changes occur over time on how we manage the devices across its lifecycle…be it acquiring it, installing it, maintaining it, or decommissioning it. However, the few concerns about HTM and other healthcare IT professionals include that they’re not fully equipped to handle the cybersecurity challenges of these medical devices. During this podcast we’ll get insights from Matt on establishing the excellence within HTM cybersecurity.
Matt, when we say HTM cybersecurity center of excellence what does it actually mean and how can leaders build the foundational blocks for the center of excellence?
What I believe this means is changing your brand. Building a new reputation for HTM. For many years we’ve been in this break-fix model and we’ve been siloed and stuck in a generation of “this is how we always do things.” When it comes to building a center of excellence, this is a challenging new realm of things that we want to look at to incorporate cybersecurity. So we’re going to work towards enterprise security… making it more conducive to the organization. The idea is to kind of forget about these siloed efforts, these siloed effects, and look at it from a business perspective and not just a Biomed or HTM perspective. You’re there essentially building a program to help the organization in its security efforts.
Now the foundational building blocks of this are essentially people, process, and technology. You start with people and you evaluate culture. You look at who you have in your organization. Who you have within your own team? Who are your internal champions and who are essentially your external champions? When I say external champions, that’s your partners too… it’s people like you with some of the tools and people like me from an advisory firm. It’s not just those again within your organization. And then external can mean outside of your department so IT and IS, right, whether it’s a good, fair, or poor relationship, it has to expand, it has to be built, and it has to change in order to create that culture that’s necessary as a building block.
The technology piece is also going to be critical so whether you already have the technology. Are you using it properly? Are you using it to your advantage? Are you showing our ROI (return on investment) on it? Is it just another tool sitting on the shelf or is it something that’s really integrated and incorporated into your whole program? If you don’t have the technology, it’s building the business case to be able to obtain the technologies. The technologies are aspects to this and they are necessary and critical to really build that center of excellence that you’re looking to do. The other element or foundational piece is the processes and workflows. Do you have repeatable processes? Are you able to take your people and your technology and build workflows around it so it’s repeatable? We are seeing a shortage right now of some talent and when you do acquire talent or when you do have these individuals who are highly trained on your team, what happens if these individuals tend to leave the organization? Do you have again these repeatable processes that can be demonstrated back to leadership that you have that retainment? Do you have the ability to continue on and carry on this program and process?
Thank you, Matt.
You talked a little bit about you know having hands-on hardening experience for these devices. We see that as one of the major challenges. So when we are looking at the cybersecurity changes or controls bolted onto medical devices or even their networks involving some kind of implications to patient care delivery and clinician workflows, how do HTM professionals facilitate the application of these controls or hardening guides in the environment of care?
Something to keep in mind is, I’ll call first and foremost, control has to be mapped back to a risk. It’s got to be mapped back to a very specific risk. Otherwise, you’re ultimately going to stack up a bunch of controls that’s going to cost time, money, and effort that may not even reduce the risk. It is evaluating these assets from a risk perspective and making sure the controls map back to it. Do you have processes in place to monitor the controls? Because if you don’t, it ends up being kind of an ad hoc process and you’re not really sure where you stand and you still have no data and you have no elements to really share with Security or your stakeholders that are going to be vested in this process.
Now specific to that, this is going to be done through you know looking at RACI diagrams, having change control configurations, procedures and processes, and even having secure configuration standards. So, you have to be able to look at all this from an initial state standpoint to an end result or from a life cycle perspective. On top of that, CE and HTM sometimes need a sandbox to test some of these controls. You can’t just go ad hoc or make a wild decision that this is the best approach…this is what we’re going to do. There’s got to be some sort of again change control and testing environment. And then kind of the last element to this is really communicating with the clinicians. HTM and CE are essentially boots on the ground. We’re face to face with those people and we need to communicate to them that we’re going to make a change that might impact their workflows. Oftentimes bringing these individuals into a committee and I know we’re full of committees but into some sort of work group to have these conversations. We all want to secure things…we want to apply controls, but we don’t want to impede that care whatsoever. We tend to just say, “You know what? Forget it. I’m too worried about what could happen.” The idea is we think we know it all because we’re so integrated into the Environment of Care, but until we actually bring those people from the Environment of Care in and just talk to them and have an understanding of what their workflows really are, then we can more appropriately map the controls and reduce the risk of impeding their clinical care environment.
Thank you, Matt.
Along the same lines you actually helped me adopt Asimily in my prior role at an integrated delivery network — ranging from developing processes, key performance metrics, and training materials. Can you elaborate on the specific features and functionalities of Asimily that HDOs can adopt to drive this transformation and how does First Health Advisory specifically do this?
Some of the elements within your tool in the product here that I find extremely advantageous to a programmatic standpoint is Policy Management. You have the opportunity to put a profile around these assets. You can see what they’re doing. You’ve got your visibility and now you take it a step further past the visibility and you say, “Look I want to know if this device changes its behavior, if something in the environment changes, if we on board a new device that doesn’t meet where we stand from a baseline perspective.” The customization within the product itself to me is gold. It’s just one of those elements that now you have a compliance perspective. You’re working so hard in this effort of creating an iterative program and in the end of that program …you need to monitor and your tools do that. Asimily is a product that allows you to monitor that very granularly to see if there’s any deviation. To add to that is the Risk Scoring. Everyone has a hard time of, “well how do I evaluate risk and what doctor should I be considering?”. Asimily has an algorithm that really contextualizes the environment. It contextualizes the product overall. It gives you a very clear number of what this represents, and that number tells you what you. That’s the understanding of number of how impactful this asset could be in your organization. So without doing a “business impact analysis”, the risk score itself and the likelihood of the impact values that Asimily brings and shows and demonstrates is enough for you to make some really good informed decisions. You know where to focus your efforts.
Another key element to this is the CVE and Vulnerability insight information that Asimily provides. It takes the legwork out of sifting through you’ve got about 2 thousand, 4 thousand, or 6 thousand connected medical devices and if you’re an HTM Security Analyst and you’re parsing through these in your reading. You’re like, “where do I go? what do I do?” The Asimily inside product shares and gives you the recommendations and a good workflow that we recommend you do and this will reduce the risk. It makes it a little easier and a less difficult level of effort for that person to really make it impactful change. I’d say from First Health Advisory standpoint, that’s exactly what we look to do. We like to help the customers essentially with where you start. What’s the starting point and it’s really looking at the criticality the sensitivity of the assets that risk because the whole point of this, in my opinion, is the risk management perspective. If you’ve got 4 thousand connected assets and if you’re just trying to tackle all of them…you’re just going to be spinning your wheels. When you look at the criticality, you understand the environment, and then you go from there …you have the CVE recommendations and vulnerability information and the Policy Management, you’ve almost got a complete iterative process of evaluating risk, what do I do to reduce my risk, and then how do I monitor my risk.
Thank you, Matt.
I think Asimily really does that because it’s reducing a lot of that indefiniteness for the healthcare technology management professionals or even just the health system in other IT professionals in that it solves the challenges with just doing your inventory, prioritizing the numerous amounts of vulnerabilities that we come across, and actually defining what’s an exploitable one. And where do we really need to focus the efforts and then what makes the most impact on the patient data and the business. And that’s where you focus all of your resources at least in that short-term period.
You brought up an important point about compliance. We all know that security doesn’t mean compliance so along the same lines we’ve not seen any explicit regulatory requirements in the Environment of Care Standards. Most specifically for HTM in the elements of performance to drive cybersecurity risk management. What we’ve seen so far are health systems that are increasingly cyber insurance policies to cover certain compromises in the infrastructure and health systems also starting to invest now in dedicated HTM cybersecurity staffing. With this gap in the regulatory requirements, do you think there’s something that HTMs can use to establish this Center of Excellence or how harder or will this be and can they use existing data sets from their CMMS or to a proof of concept perhaps with Asimily to build the justification to install a dedicated program and then adopt this technology full-fledged?
First, without you know the limited regulatory element piece, no I don’t foresee this being any more difficult. In fact, I would say this would be the other way around. Cyber insurance companies are not willing to pay out anymore. What they’re doing is they’re making sure that you have requirements in place. Are you meeting these minimum requirements so in the event you have a negative incident, we will pay out but you have to meet these minimum requirements? And, sure, there’s no minimum requirements right now around medical devices in HTM per se, but what they’re looking for is the fact that you have a holistic, iterative process. You have something documented. You clearly show you’ve done your diligence and, again, based on a framework. That’s where a lot of First Health Advisory comes into play. Everything we do is not ad hoc and it’s all based around the NIST cybersecurity framework. And we’re seeing a lot more health care delivery organizations and security departments moving in that direction. One of the things that we were to do for Cyber Center of Excellence or HTM Cyber Center of Excellence is …just that. Mirror what IS or IT is doing from a controls perspective from a framework perspective.
And now we have those foundational elements so again taking NIST cybersecurity framework into context here. It’s got five core functions and, tiers, and profiles. What that allows you to do as you’re trying to build your program is look at the five core functions. You map it back to what you can do and, especially with a tool like Asimily, you can map back a large handful of these core functions from the tool. So the tool will provide you what you need to fill that void of the one of these functions. And then you look at the profiles and the tiers. Not to say that a tier is a kind of maturity, but to some degree it’s a road map of “here’s where I stand today. I’m at a level of one or zero maturity where it’s kind of ad hoc or doesn’t exist at all and I want to be at a three.” The profiles really help you map what does a one look like, what does a two look like, what does a three take, and then what does a four and five take. Now you know where you’re going to focus dollars, where you’re going to focus efforts, and we’re going to focus all these. You’re going to find that even though you’ve got five core functions and let’s say 123 categories, you can’t fill them also. It’s impossible. It’s too costly, too hard, and everything in between.
The framework is not meant to be pre-prescriptive but for you to just evaluate and make it specific to your environment. You’re going to map it and, again, look at the profiles and tiers and say, “well today I’m OK being a two. It’ll cost me x and or this amount of effort to be a three and at three we feel very comfortable. At three we feel we’ve reduced our risk to the environment. I can share this with leaders. This is great.” Then same thing again. You’ll look at another profile or another function and you’d evaluate it and you’d say, “well this is going to cost me money. I need to go to the board, or I need to go to other stakeholders and do a business case to help with this.”
The other thing here is you know the framework really shares the who, what, when, where, and why. Being the fact that it’s documented, you have the elements you need, you can map back workflows, and people and processes right back to the framework that shows these cyber insurers that you are definitely making an effort. I’m mapping Asimily back to asset identification. I’m mapping a program back to governance as a function. You’re able to map all this out and demonstrate to those insurers that if we have an event and we’re compromised and there’s negative consequences monies involved (all the elements we hear about on the news), they’re more likely to payout because you had something in place. You did your due diligence.
Now, from an HTM perspective or what can HTM leaders do, this requires a business case essentially. You’re going to look at the framework. How do I match this or what do I need to do with this? And sometimes getting involved with IS and finding out what they have and what they don’t have. Just sharing the fact that, “Hey. Are you all using a framework? Is it this one? Great. We’re going to try and mimic or duplicate that into the HTM environment and here’s what we have. Here’s what we don’t have. Can you maybe help with this?” So you know from a resource perspective that maybe there’s an enterprise control that can be specific or conducive to HTM. So HTM is not spinning their wheels trying to buy something or procure and they are not sure what it’s going to do for them. Security already might have it or IT might already have it. So you have to look at that.
And then another element is looking at your staffing, resources, and your talent. What do you need to do to be able to justify to create the center is…well not everyone is going to be able to run out and go get someone. We’re not going to be able to hire a resource right off the bat. So the digital transformation… the strategy that has to come into play with this is, “alright, I want to make sure the organization is protected. I have to look at it from a business perspective and then my resource perspective.” So taking a strategy of looking at what resources you have and mapping it back to what your future desired state would be. And that would tell you where your gaps are and that’s how you would essentially obtain your resources and create your business case.
You hit it on the nail, Matt. Obviously we’re talking about a lot of different activities starting with asset management to different processes within asset management to hiring people and building the staffing and the skills staff necessary that bring that HTM as the IT experience. And then we’re also talking about technology adoption. So you’ve been part of HTM programs that are focused on medical device cybersecurity and then you moved on to provide expertise to health systems to build dedicated programs. So considering all of these needs and wants, what do you see as you know the big challenges in building a program?
Sometimes the challenges are constraints within the stakeholders. Essentially in many cases, I’ll see where everyone’s siloed, and I think we’re all well aware of that. But when we’re siloed the other departments almost already assume HTM is doing something like they’re the core owners they’re already doing something. And HTM assumes that well Security is doing something so why do I have to do anything. And there’s where your grey area is. Someone has to have that ah-ha moment and understand that we do have a gap. And that boils right back to the previous elements of the framework. If we come together looking out from business perspective and we look at the framework. We asked the other business units, “what are you mapping to and what do you not?” And then we can find out where some of those gaps are. So that’s just one [of the challenges], it’s stakeholders.
What I often see too is a product like Asimily, or other tools, other processes, might be adopted by Security or IT or another group or even HTM but it’s not really shared. Meaning they get it, they procure, but they’re only using it for 15 to 25% of what it’s capable of. You don’t create that business value and you don’t have those repetitive processes. You don’t have the ability to share this enterprise tool with all the different business units. So again, you have that value delivery; you’re going to pay a lot of money for one of these tools and that’s just a constraint that I’m seeing. A department might buy it and then again either negate some of the others or finally go, “whoa. This isn’t really all of us. Come on over HTM.” And then HTM says, “well, I don’t have the resources you guys bought it. What do you want me to do about this?” And so the one thing I will share and this is what we’re coming across from an advisory standpoint, is now it’s OK to ask for help. Because this is a new era and it’s a new realm of things. Not everyone really knows how to tackle these challenges. So if you need the resources and you need the assistance to kick it off the ground, to overcome some of these, it’s OK to ask for help. It’s now widely available or known that there are firms out there that can help in this manner.
The other is some of the enterprise tools that do exist, some of the departments assume they can do the same thing that Asimily can or that these passive scanning tools can do. And it’s not the truth. It doesn’t profile. It doesn’t fingerprint and have the granularity that your tools do. They assume they have it or they assume they are good enough and it’s not good enough. It’s hard to tell these individuals and really sell it back to those departments that well what you have isn’t good enough because no one wants to hear that. So, here’s the need, we need the visibility, and that’s absolutely the starting point. I got to have the visibility. You can’t protect what you don’t know you have. So, the visibility in the granularity and the fingerprinting and all that from Asimily is there to assist. So, getting those business units to understand that this can integrate into their tools, and it can make their lives easier is a challenge because they need to understand that. Sometimes, someone outside their domain telling them that can be problematic because we work in those silos. So those are a lot of the challenges we see today.
Thank you, Matt.
My last question for you is in less than 60 seconds can you tell our listeners some of the key elements to adopt digital transformation in the Environment of Care?
I would say the framework. NIST cybersecurity framework is a key element. Rather than look at it as “yes it’s overwhelming”. It doesn’t have to be. Break it down to the basic elements and map back what you have to it. The other thing is to forget what you knew for the longest time. Get out of the barriers. Get out of the I don’t have the resources or I don’t want to it’s too hard. Digital transformation is not about making small incremental changes. It’s absolutely about thinking outside the box and going wild with it. Your goal is to transform your business unit and make it conducive to the organization. To make it more advantageous to the healthcare delivery organization from a security perspective. Again do large things. Be innovative. Think outside the box. And bring it all together.
Thank you, Matt.
It’s cybersecurity month now and Matt thank you for being here with Asimily and sharing your expertise. We really appreciate your thought leadership and look forward to continued collaboration with you and with First Health Advisory Services. Listeners, if you have any questions or if you would like to learn about Asimily and what it has to offer, contact us at email@example.com and if you have any questions format about First Health Advisory and how they can help your health system be more proactive and digitally transform in the Environment of Care, contact them at info at firsthealthadvisory.com. Until then take care and stay healthy.