FDA Cybersecurity Regulations: Medical Devices

A cardiac pacemaker is a lifesaver for many and is considered an implantable medical device. The FDA imposes regulations to protect these devices. Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine FDA Quality System Regulations, ISO standards, and FDA guidelines used by Sterling Medical Devices that are essential to the manufacturing practices.

FDA Cybersecurity regulations in medical devices is a tough topic! Consider the cardiac pacemaker, probably the most notable life-saving implantable medical device. Did you know that it is operated by a computer chip? Just like any other computer they can be vulnerable to cybersecurity breaches.

Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine the FDA’s Cybersecurity quality system regulations, ISO standards, and guidelines followed by Sterling Medical Devices to ensure cybersecurity for all their devices.

Tune in to Part 2 of our 3 Part Series on Medical Devices

The FDA Cybersecurity Regulations: Medical Devices Video Transcript Follows.

Lee Neubecker (LN): Hi, I’m back on the show today with Keith Handler, Keith, thanks for being back on.

Keith Handler (KH): Thanks again for having me.

LN: And Keith, again, is from Sterling Medical Devices, and today we’re going to talk about what measures are in place, that the FDA imposes to help ensure cybersecurity on medical devices, especially safety of PHI, and safety of the operation of those devices for end-users. Thanks again for being here.

KH: Yeah, thanks for having me. So, cybersecurity. It’s a tough topic, and the FDA is still figuring out how exactly to deal with it. They have issued guidance that attempts to categorize how high the risk is of cybersecurity for a device and the basic standards you need to follow in designing, and testing, and documenting your processes for developing that device. That guidance is currently how we generally implement most of our analysis processes and controls. The FDA has chosen to recognize certain certifications, such as UL 2100-1-2.

LN: And what is UL 2100-1?

KH: 2100-1 is a certification for network-connected systems, as far as cybersecurity is concerned, and 2100-1-2 is a subset of that standard, specifically for medical devices connected to the internet or a network. Mostly that standard follows the 2100-1, with a couple of modifications, based on the fact that medical is safety-related.

LN: Have you seen any changes in the standard since the WannaCry attack that took out a lot of the UK hospitals?

KH: Nothing that I can point to specifically. You know, that really comes down to changing specific vulnerabilities, our knowledge about them, and the attack vectors that we know that are capable of executing these things, cataloging them, making sure that we plan for them in future designs.

LN: So I know Bluetooth is a protocol that’s vulnerable to exploitation. I think at one point in time, there was a warning that everyone should take their pacemaker and get it updated. Were you familiar with that?

KH: Yes.

LN: Can you tell people a little bit more about what happened?

KH: Yeah, well, in that specific case, I’m not actually 100% sure what occurred there, but most of the time your issues are, with a lack of authentication, a lack of encryption, you need to be sure that what the device is talking to on the other end is exactly who they expect it to be, what they expect it to be, and you have to make sure that that communication is secured and unchanged, unaltered. Typically, that’s done by using specific security libraries, integrating them in careful ways, making sure that all communication over the wire is encrypted, things like an asynchronous key generation.

LN: I think, just from my memory of events, one of the problems they discovered is that these protocols, there’s a period of time before authentication occurs, in the preamble when there’s broadcast of the Mac address, the wireless name, and whatnot, where there’s a potential to create an overflow situation, to actually compromise a device before encryption and authentication occurs.

KH: Yes, in certain system designs it is that way.

LN: And, unfortunately, these protocols are, you know, they’re everywhere. So, at the time, I believe that the chip makers and various equipment providers, not just only in the medical area, but across the board, had to create fixes that help protect against these types of cyber-attacks.

KH: Yes.

LN: So, you were talking about UL 2100-1-2, what about TIR57? Can you explain what that is?

KH: So, AAMI TIR57 describes how to marry up the processes of medical safety risk analysis and security analysis. It’s an attempt to show that the security analysis process is actually very similar and very familiar for anybody that’s done the safety risk analysis before. More of less, it takes ISO 14971 and applies security risk management to it with a mix of a little bit of some NIST standards in as well. But the general idea is to really categorize what assets you’re protecting in your system, and the known vulnerabilities that your system has, and then from there, you attempt to determine a list of known attack vectors and categorize the profiles of your possible attackers. With a combination of that type of information, you can assess what the real vulnerabilities and risks are for your system, and design in controls, from the ground up, to make sure that you’ve protected against them.

LN: Yeah, well, this is really fascinating stuff. I appreciate you being on the show, and I look forward to our next segment talking more about cybersecurity and how to keep these devices safe.

KH: Thanks again for having me, Lee.

Don’t Miss Part 1 of this 3-Part Series on Medical Devices

Part 1 of the 3-Part Series on Medical Devices

View Related Articles

To Learn More About Sterling Medical Devices

https://sterlingmedicaldevices.com/company/

FDA Cybersecurity Medical Devices Regulations

https://www.fda.gov/medical-devices/digital-health/cybersecurity

AI Trends in the Legal Industry

AI trends in the Legal Industry is revolutionizing data, and whittling down the amount of paperwork involved in legal practice. Lee Neubecker and DISCO’s Cat Casey discuss trends in the legal industry.

Paper death! Legal professionals get buried in a mountain of paperwork. Artificial Intelligence (AI) replaces that mountain of paper with cloud-based apps and whittles down costs. What’s new in Artificial Intelligence (AI) as it relates to the legal industry? Check out this video as Forensic Expert Lee Neubecker and DISCO’s Information Officer Catherine “Cat” Casey talk through AI trends in the legal industry.

View Part 2 of our 3 Part Series on Artificial Intelligence (AI) in the Legal Industry

Artificial Intelligence (AI) in the Legal Industry

The video transcript AI Trends in the Legal Industry follows:

Lee Neubecker: Hi, I’m back here again with Cat Casey from CS Disco. Thanks for coming back again.

Cat Casey: My total pleasure.

LN: We’re going to continue our conversation in this multipart series. This time, we’re talking about artificial intelligence and the trends impacting the legal industry and the whole eDiscovery industry as well.

CC: Absolutely, so in my role at Disco, I’m chief innovation officer, and one of the things I’m tasked with doing, both now and in my prior roles, is going out and figuring out what’s going on in the market, and what we’re seeing is AI written everywhere. Sometimes it’s true AI, sometimes it’s not, but what we are seeing is people want to find evidence faster. People want to eliminate those low-hanging tasks that aren’t the practice of law. And so, we’re seeing a lot of tools that are driving efficiency both in practice management and litigation management and in finding evidence.

LN: So where do you see we’ve gone in the last few years with AI in terms of advancements and providing products for the review process?

CC: When we first, I think, announced AI about 2006, seven, eight, nine, I was working as a channel partner with the company that patented the word predictive coding. That was the first AI model in eDiscovery and people liked it. They didn’t really want to use it. They were nervous. What I’ve seen is not only has the process improved instead of TAR 1.0, where you have a sample, you make decisions, and then, the algorithm might learn, we have continual models. So the tools got better, but the appetite to use them has increased dramatically, I think, in the last 18 months, because data’s getting very big, very complicated, and no amount of money or time is enough to actually get through it without using this sort of technology.

LN: So are you seeing that other messaging platforms are starting to become more a part of this process, like Slack?

CC: Oh, yeah.

LN: You’ve got all kinds of other messaging platforms, WhatsApp.

CC: Weird data is the new normal and I noticed it starting, I’ve been at Disco about a year, so starting my last 18 months at Gibson Dunn, where it used to be, okay, email, maybe text. That’s all I got to worry about. No, no, no, now I’m dealing with ephemeral messaging, which is self-destructing text messages. I’m dealing with collaboration tools like Slack and Messenger and Teams and each one of these tools has a challenge in terms of formatting the data, being able to review it, and relating it. Think of a given day. This morning, I was on Slack, then I was answering text messages, then I had a phone call, then I sent an email, then I went back to my Slack channel. That was before I got out of bed and if you want to recreate kind of this digital footprint of what people are doing, you need to have all of that info. And so, finding tools and partners that can deal with it is paramount.

LN: So does your platform at Disco, does it have APIs and import specs that match upon those alternate data streams?

CC: We do to a degree. We also do kind of a middleware layer of parsing and creating a new visualization, like say from a JSON file for Slack, we recreate that in our ecosystem and render it the way you would’ve seen it in the Slack dialogue box. And so, we’re developing more of those direct APIs of a 365 box, but we’ve worked on the visualization and ensuring that the data we receive is reviewable, usable, and easily rendered, so.

LN: Now, it’s interesting when we’ve collected cellphone data, we’ve used some of the popular tools on the market and the output of the data isn’t necessarily always easy for the attorneys to review. And what we’ve done is we’ve often taken the spreadsheet output of text.

CC: Oh yeah, yeah.

LN: So what are some of the challenges you see facing AI and its adoption over the next few years?

CC: Like with everything, it’s fear and desire. People desire the outcome of finding stuff faster, being able to practice law, but no attorney went to law school to play with relational databases and lambda calculus. I didn’t. And so, what ends up happening is there’s a fear of the unknown and a fear of explaining something to a judge who maybe didn’t even use a laptop when he was going to law school, probably didn’t. So there is a fear of using technology that folks don’t understand, a fear of explaining it, and that’s when having the right partner, the right person to testify, the right person to navigate you through this becomes so important.

LN: Have you seen much, part of my practice deals with patient electronic medical records?

CC: Oh yeah, yeah.

LN: And patient audit trails of EMR, electronic medical records.

CC: Oh, yeah.

LN: Usually, those records aren’t quite like an email thread. They’re more cryptic. They’re more accustomed to the specific platform the hospital’s use. Have you seen many of those cases come in where they’re pulling in the charts and various transcripts from the physicians and whatnot?

CC: I haven’t run into that as much at Disco, but when I was at PWC, we were doing very complex multilayer investigations, and so, we would have, sometimes, medical charts. Sometimes we would have trade databases and so, marrying and creating a story between that structured data and the unstructured data was always very challenging and very bespoke, and there’s some tech that’s beginning to create a unified place to do that. We’re looking in to do that as well, but it’s very hard to take that weirdly formatted data and render it in a way that then ties to what the humans are saying and then, help you get those facts to build your case.

LN: That’s great. Well, this has been great. In our next segment, we’ll be talking a little bit more about artificial intelligence and some of the potential challenges and impacts for organizations that don’t get on board. So thanks for coming on again.

CC: My pleasure.

View Part 1 of our 3 Part Series on Artificial Intelligence (AI) in the Legal Industry

Part 1 in our Three-Part Series about Artificial Intelligence (AI) in the Legal Industry

View Other related blogs from Enigma Forensics.com

Artificial Intelligence (AI) Plays an Important Role in EMR Audit Trails
Artificial Intelligence (AI) in Hospitals
Artificial Intelligence (AI) in the Energy Sector

View DISCO’s website and receive a free demo

https://www.csdisco.com/

View Law Technology Today LTT as it reviews AI trends in the Legal Industry

Data Breach Response Experts

Chicago Tribune reported, “US says Chinese military behind Equifax breach that stole Americans’ personal data” Data Breach Response Experts Lee Neubecker and Kari Rollins say “Data Breach is inevitable!” They give us advice on how to prepare.

Sedona Conference Incident Response Guide

It is not a question of if you will fall victim to a Data Breach incident, it is when. Organizations large and small need to be ready for when cybercrime strikes. Data Breach Response Experts Lee Neubecker and Kari Rollins know how to prepare for a data breach without breaking the bank. Kari is a partner in the Intellectual Property Practice Group for Sheppard Mullin in New York, and also a member of the Sedona Conference, Working 11 group. Kari describes the Sedona Working 11 as a group of Cyber Breach Experts who design tools and how-to resources that are available to the general public through the Sedona Conference website. The Sedona Conference is a nonprofit research and educational institute that brings together jurists, lawyers, experts, and academics. Kari and Lee share their combined knowledge and talk about the options available to small to midsize companies that may not have the resources in-house necessary to respond to a data breach incident.

Watch Part 1 of our 3 Part Series on Data Breach Readiness follow:

Kari Rollins and Lee Neubecker discuss Data Breach: Sedona Conference

The Video Transcript of Data Breach Response Experts Kari Rollins and Lee Neubecker Follows

Lee Neubecker (LN): Hi, I’m here today with Kari Rollins. She’s the co-managing partner of the New York office of Sheppard Mullins. Thanks for being on the show.

Kari Rollins (KR): Thank you for having me.

LN: And I had Kari, she’s a specialist in the whole area of privacy related litigation involving data breaches and personal information and what not. She’s also a member of the Sedona Conference. Could you tell everyone a little bit about what the Sedona Conference does?

KR: Sure, so the Working Group 11 is the Working Group that is dedicated to helping companies and other practitioners understand some of the hot topics and legal issues in data privacy and cybersecurity today that are rapidly evolving as the laws in that area change. And the Sedona Conference itself is dedicated to pulling together practitioners from private sector, public sector, judges, regulatory authorities who all come to talk about their experiences in these different specialized areas so that it you know, you have a knowledge base with a wide variety of perspectives.

LN: Great and so I asked you to come on to talk a little bit about the data breach incident response guide that the conference came up with. Can you tell us what this is about?

KR: Sure, so as a member of the Working Group 11, several of us at the request of Sedona Conference came together to put together what our views were on how to handle a data breach, or an incident response from the very beginning of the breach life cycle, i.e. planning for and anticipating a breach, through the breach investigation itself and even thinking about issues that may be implicated in a post-breach regulatory inquiry and how companies can best defend themselves and prepare for what is now today, the inevitable, a data incident.

LN: So this is a free resource available to anyone?

KR: It is a resource available to anyone. It’s really a practitioner’s guide. We think this is probably best used by small to midsize companies who may not have the resources or staff in-house, legal staff in-house dedicated to responding to incidents. And it’s, though it can be used by any practitioner, any counsel, any type of company, we do expect that this is probably something that would be useful to small to midsize companies as really a guideline and material to help them issue spot and understand what are the issues in incident response? What should I be concerned about? What are the pitfalls? What am I going to need to be on the lookout for?

LN: Great, and if people want more information about this or want to download the guide, where can they obtain it from?

KR: They can go directly to the Sedona Conference website. There are, there are publications that are, in the publication section of the sedonaconference.org website, it will have all of the various publications including this one, “The Sedona Conference Incident Response Guide,” and you can download and access the publications there.

LN: Great, so in our next segment, we’re going to be talking a little bit about what should be done before a data breach happens.

KR: Right.

LN: And then in our third segment, we’ll talk a little bit about okay, the data breach happened or an incident happened, what do you need to do to respond? So watch those segments and tune in again. Thanks Kari for being on.

KR: Thank you.

View Related Articles here

Forensic Experts Can Form a Response
How the Energy Industry Responds to a Cyber Breach.
How Hospitals Respond to a Data Breach
Lee Neubecker Presents on Infrastructure Vulnerabilities
Be Prepared and Know Your Companies Vulverabilites
Select a Computer Forensic Expert Before a Data Breach Incident

More Information about Kari Rollins and Sheppard Mullin

https://www.sheppardmullin.com/krollins

View The Sedona Conference Website

https://thesedonaconference.org/

https://thesedonaconference.org/download-publication?fid=4860

Other Resources on the Web Helping Organizations Prepare and Defend Against Cyber Attacks and Data Breaches

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf

https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/dc-drr-project-description-draft.pdf

https://www.ready.gov/cybersecurity

https://www.cisa.gov/national-cyber-exercise-and-planning-program

BIPA: How it May Affect You

Does your employer require your fingerprint when you clock in for work? That fingerprint is considered private biometric information. BIPA is the Illinois law that protects its use. Experts Lee Neubecker and David Rownd share how this law affects employers that have Illinois based employees.

Biometric Information Privacy Act (BIPA) is a law that covers the employer’s use of biometric information of its employees. Biometrics are the physiological means to gather an individual’s uniqueness. The oldest most widely used is a fingerprint but other biometric identifiers may be also used such as; facial recognition, photos, retina scan, voice recognition, ear shape, and hand scans all are considered private biometric information. The Illinois BIPA law is designed to govern, secure, store and prohibit the sale of biometric information. Forensic Expert Lee Neubecker and David Rownd from Vedder Price discuss how BIPA may affect employers that have satellite offices in Illinois.

Part 1 of a 3 Part Series on Illinois’ Biometric Information Protection Act

The Video Transcript on BIPA: How It May Affect Employers in Illinois.

Lee Neubecker (LN): Hi I am here again with David Rownd from Vedder Price. Thanks for being on the show David

David Rownd (DR): Thanks for having me

LN: David is an attorney that specializes in defending class action lawsuits also employment litigation, trade secret theft, and misappropriation. I asked him to come on the show today to talk a little bit about BIPA which is the Illinois Biometric Information Protection Act and specifically he deals with a lot of trading security-related financial services firms and since that law applies to Illinois and many trading firms in New York have satellite offices I wanted him to talk a little bit about the act and some of the concerns that employers should have if they have employees working in Illinois. So, David, can you tell us a little bit about BIPA what it is and what it entails?

DR: Basically it covers the employers use of biometric information of its employees and this can be a retinal scan it can be a fingerprint it can be a number of different things and it can be used for time cards access to the workplace and things like that and employers are using biometric information because its an easy way to keep track of employees. However, it is also a privacy issue and that’s where the BIPA comes in and BIPA is intended to regulate employers ability to utilize biometric information and put certain requirements on them for notifying employees they are using it and notifying employees why they are using it keeping written records of the biometric information and it specifically prohibits the sale of biometric information to third parties.

LN: It’s especially troublesome too because if you lose your biometric unique identifiers you can’t necessarily get those back unlike a social security number you could replace a social security number but if someone is able to copy your retina scan your fingerprints what not it could cause a lot of permanent damage.

DR: That’s true you only get one of those things

LN: So we will be talking later in the series next well be talking a little bit about what employers should do before they land in trouble with BIPA to help protect against finding themselves embroiled in litigation and then finally we’ll talk a little bit about some of the national happenings with Facebook and other entities who have been en snagged in the BIPA trap and we’ll conclude with there so thanks for being on the show today.

DR: Oh thanks for having me.

View related Employment Litigation articles on our website.

EMR or Electronic Medical Records May Contain Private Biometric Information
Forensic Data Collection can be used in cases where ESI is breached or stolen
Private Biometric Information is Electronically Stored Information (ESI) and governed by BIPA
An individual’s photo is considered biometric information.

Employment Litigation articles

Learn More about Illinois BIPA Litigation

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

Protection under BIPA

https://www.vedderprice.com/

AI Smarter Solutions: eDiscovery

Artificial Intelligence (AI) can be used to vastly improve the eDiscovery document review process. Zylab is one of several eDiscovery vendors offering solutions utilizing AI. Lee Neubecker, Computer Forensic Expert, and President & CEO of Enigma Forensics met with Jeffrey Wolff, Director of eDiscovery Solutions at ZyLAB during his visit to the Legal Tech Conference 2020 in New York. Lee and Jeffrey discuss how AI can be used to conduct more effective eDiscovery.

Artificial Intelligence (AI) technology is everywhere. It’s hard to imagine how it’s being used in the legal industry where legal libraries filled with law books and courts filled with black-robed judges reign. In this formal traditional world, AI is now providing smart solutions for today’s electronically stored information or ESI and is streamlining the way the Legal Industry works.

In this video, Lee Neubecker, Computer Forensic Expert, and President & CEO of Enigma Forensics met with Jeffrey Wolff, Director of eDiscovery Solutions at ZyLAB during his visit to the Legal Tech Conference in New York. Lee and Jeffrey analyze how Artificial Intelligence (AI) develops smarter solutions in the eDiscovery process. Jeffrey shares with Lee that ZyLAB’s mission is to provide automated full-text retrieval using AI, for both on-premise or cloud-based solutions.

Watch Part 1 of a Three-Part Series on Artificial Intelligence (AI) and eDiscovery.

The video transcript of AI Smarter Solutions: eDiscovery follows.

Lee Neubecker: Hi, I have Jeff Wolff, back on the show from ZyLAB. Jeff, thanks for coming back on.

Jeff Wolff: Thank you.

LN: He’s their Director of eDiscovery, and I wanted to ask him some questions as it related to what differentiates ZyLAB from other products out on the market. Some of my clients may want to use this type of artificial intelligence program to help get through their review and see what the results are of using AI verse the traditional e-discovery review process, so.

JW: Sure.

LN: Jeff, could you tell us what sets ZyLAB apart from other competitors in the marketplace.

JW: Sure, sure, so first, I think ZyLAB is uniquely positioned in the fact we understand the corporate space quite well, as well as the law firm space, but we got our start incorporate, or start in information governance. So we are very vested in search and data science, and that’s really where we’ve put a lot of our focus. We have both on-premise solutions, as well as cloud-based, SaaS solutions like every other next-gen provider. But we really push our interface, our user interface and our user experience, as one of the most unique selling points. And that is, that it is not difficult to start using. Anyone, any legal professional can pick up our product in an hour, from start to finish, and understand really how you utilize it. Drag and drop interfaces for getting data into the system, and immediate color-coding and tagging, easy search, and the ability to really visualize your data and understand what’s in the dataset.

LN: Okay. So, what would you say for a company that has to deal with multiple jurisdictions, they’re in Europe, they’re in the US. JW: Sure. LN: There are some unique challenges posed by all the various regulations out there, like GDPR.

JW: Right.

LN: Maybe the have operations in China. How could you help a company that has to deal with various regulatory authorities spanning the globe?

JW: Sure, and that’s another advantage that ZyLAB has, actually, we’re actually a global company, so we’re dual-headquartered in Washington, D.C., here in the US, as well as Amsterdam in the Netherlands, in the EU. And as a result, we have cloud operations in both jurisdictions. So our global customers can actually keep US data in the US, and they can keep the European Union in the EU, and not worry about that issue. But we also have the expertise, consulting expertise, in both environments, both geographic locations. For example, I’m doing a lot of work now with corporations, not so much focused on directly just on e-discovery, because e-discovery is a bit reactive, you know? Or corporations go through peaks and valleys with e-discovery, the litigation, something they have it, sometimes they don’t. What they constantly have though, are internal investigations, regulatory responses, in the highly regulated corporations. And more and more now, data privacy concerns. So, my European colleagues have been dealing with GDPR for a while, we’re now starting to feel it here in the US, with CCPA, the California Consumer Privacy Act. And there are a number of states on the horizon that are going to California’s examples, so corporations need to be able to find, and classify all the data that they have in their organization that has customer information because if those customers request it and they can’t provide it, they’re financially in a lot of trouble.

LN: Do you think that the regulations coming down on companies are going to fundamentally change how companies chose to communicate with their vendors, suppliers, and own employees?

JW: Absolutely. If you look at all the recent data breach situations, it’s typically not the organization that has the problem, and I won’t mention any of the large companies that have recently had data breaches, but it’s typically not the original company that had the issue, it’s one of their suppliers, or one of their vendors that had accesses to the database, and wasn’t protecting it properly, and that’s how the trouble began.

LN: Yeah.

JW: Same thing with data privacy.

LN: The supply chain certainly is a huge point of vulnerability for all types of organizations. The governments, the military,

JW: Yep.

LN: and even corporations.

JW: Yes.

LN: So what do you see happening over the next few years with the adoption of AI platforms?

JW: I think the e-discovery market is going to fundamentally change. There’s still always going to be a need for discovery within corporations and law firms, but what you do you with the data is going to become much more important, so it’s going to be about how you can extract value from the data, not just metadata, which we’ve always been able to do for years now, but now more about looking for entity information. People, places, organizations that are mentioned in documents and emails, and collaborative environments, and being able to visualize those, and quickly drill down to what was going on in your organization. You know, if you got people that are going to the dentist three times a week, they’re not doing to the dentist, they’re doing something else, They’re just writing about going to the dentist.

LN: Yeah.

JW: Software like ours that can identify those references in documents are going to be crucial to the success of organizations.

LN: That’s great. So it seems that there’s continued e-discovery service provider consolidation out there.

JW: Mmhmm.

LN: The companies that are using tools that are more of a channel partner tool to resell.

JW: Yes.

LN: But as those companies consolidate, do you think that there’s going to be a movement away from those providers where, the company, the firms, directly do their own e-discovery?

JW: Oh, yes. Yeah, very much so. We’ve been seeing that over the last few years. A lot of companies, even small companies that tend to have, in the past, just used outside vendors for e-discovery, are now deciding that they prefer to control, not just the cost, but also their data. They don’t want their data outside of the organization for reasons we’ve already talked about. So they’re purchasing in-house tools that they can use themselves, and then they can invite outside counsel in to make use of, that way they control their costs, they control the efficiency, and they control the data.

LN: Well, this has been great. Thanks a bunch for being on the show.

Lee Neubecker: Thank you again.

LN: Take care.

JW: Bye bye.

View related articles on Artificial Intelligence

Artificial Intelligence (AI): Medical Data
Artificial Intelligence (AI) Re-inventing Legal Technology
Artificial Intelligence (AI) eDiscovery
Litigation & Computer Forensic Experts
Cyber Security & Artificial Intelligence (AI)
Artificial Intelligence (AI) Assists in Cyber Security

View ZyLAB’s for more information on (AI) Smart Solutions: eDiscovery

https://www.zylab.com/en/product/artificial-intelligence

View Law Technology Today’s article on Artificial Intelligence (AI)

Medical Device Security Challenges

Behind lifesaving medical devices are Cyber Experts hard at work to secure and protect Patient Health Information (PHI). Check out this video on securing medical devices.

Cutting edge medical devices save lives! Not only do they save lives but they carry a vector of complicated communications and a unique set of security challenges. Cyber Security Expert Lee Neubecker, sits down with Sterling Medical Device’s top engineer, Keith Handler who develops cyber protection and security for their client’s medical devices.

Sterling Medical Devices helps companies design and develop mechanical & electronic medical devices and follows them through FDA approval. The conversation is educational and important to those interested in knowing how medical devices are cyber protected and secured. In this video, they outline the concerns that relate to the control, security, and confidentiality of the patient’s health information (PHI) when using these medical devices.

The transcript of Part 1 of our Series in Medical Device Security

Lee Neubecker: Hi, I have Kieth Handler here on my show from Sterling Medical Devices. Keith is a top engineer here that helps ensure cybersecurity and resilience and protection of medical devices of their clients. They help assist through the FDA certification process. Keith, thank you, thank you for being on my show.

Keith Handler: Thanks for having me, Lee.

LN: So can you tell me a little bit about what your firm does and how it helps clients in cybersphere?

KH: Yeah, sure. Sterling Medical Devices is a 13485 certified product development firm. We help various companies design and develop electro-mechanical medical devices. Pretty much from, anything from concept all the way to submission to the FDA.

LN: So, can you tell everyone what, ISO…?

KH: 13485?

LN: 13485 Certification means?

KH: Yes that is, that is the ISO standard that defines the product development and manufacture of medical devices. It defines all the processes that we generally run our business by.

LN: Okay, so what are some of the concerns that you have as it relates to the patient personalized information, sometimes known as PHI? Is that right?

KH: Yeah, patient help information, that’s correct. Well, you know, our first concern, of course, with any medical device is safe. We want to make sure that the devices are treating patients as intended and not presenting any undue harm to the patient or anybody else. The second thing is the Patient Help Information. It’s very important that we maintain confidentiality for all patients, in any of these systems. Diagnostics, their personal information, all need to be protected.

LN: These devices, they have PHI, they also have, they also are involved with the generation of electronic medical records, known as EMR, that feed into the various hospital systems that are used to provide and deliver healthcare to users. As it relates to this, what are some of the top concerns that you try to address as it pertains to safety for your clients?

KH: Well, when it comes to information or command and control that can be done remotely on a device, it’s again important to maintain the integrity of those communications, and to protect everything there. One of the hardest aspects, I would say, is integrating a medical device into a larger hospital system. We may have control over the confidentiality of the information, and of the commands that are sent and received within a device, but as soon as we connect to an external system we lose control of that data. So, it becomes a unique challenge to try and make sure we are protecting, and not only in our system but also in any system ours might integrate with.

LN: Yeah, and there’s such a myriad of ways devices connect, Bluetooth, wifi–

KH: Yes.

LN: I’m not sure if medical devices use infrared or–

KH: Yes.

LN: Near band communication, but there are all these vectors of communication that create new threats and potentials for compromise.

KH: And typically medical hardware is pretty cutting edge, you know, some of the things that they’re trying to treat now still can’t. So all of these things that you’re bringing up, all exist in medical, all need to be protected.

LN: Great, so in our next segment we’ll be talking a little bit more about the FDA, the certification process, and some of the standards that devices might undergo to help ensure adoption by the FDA, and to make them commercially viable to be sold in the United States. And then, in our third segment, we’ll talk more about protecting devices against cyber compromise, the firmware and software that gets embedded into these devices, and other things that should be done to help keep medical devices safe and secure. Thanks for being on the show today.

KH: Thanks again for having me, Lee.

Related Materials on Medical Malpractice

Forensic Imaging

See more about Sterling Medical Devices on their website.

https://sterlingmedicaldevices.com/

See other related websites for more information about Medical Device security.

FDA ISO Standards

https://www.iso.org/standards.html

FDA Medical Device Cybersecurity Guidelines

https://www.fda.gov/medical-devices/digital-health/cybersecurity

Re-inventing Legal Technology: Artificial Intelligence (AI)

Forensic Experts Lee Neubecker and Cat Casey from DISCO discuss Artificial Intelligence (AI) as it relates to improving Legal technology.

Artificial Intelligence (AI) thinks, learns and problem solves more efficiently than humans. AI is all around us and in almost everything we touch, it is an algorithm that is designed to make our lives easier and is sometimes referred to as machine learning.

In the case of litigation, it can save time and money by streamlining the process of document review, eDiscovery, and preparation for forensic cases. Computer Forensic Expert, Lee Neubecker and Catherine “Cat” Casey who is the Chief Innovation Officer for DISCO discuss how AI works to improve legal technology.

DISCO is a leader in legal technology is a developer of a cloud-native eDiscovery software for law firms designed to automate and simplify error-prone tasks. They provide a myriad of different types of analytics that will supercharge searching data dramatically reducing time and money.

Part 1 of our Three-Part Series on Artificial Intelligence (AI)

Artificial Intelligence (AI) Re-Inventing Legal Technology

The Video Transcript Follows.

Lee Neubecker (LN): Hi, I’m here today with Cat Casey from CS DISCO. Thanks for being on the show.

Cat Casey (CC): My pleasure.

LN: We’re going to talk a little about artificial intelligence as it relates to eDiscovery and document review. Cat, can you tell us just a little bit about what your firm does to help speed up the review process and lower costs for clients.

CC: Absolutely, we’re a cloud-native AI-powered eDiscovery company. And what that means is we’ve got vast amounts of elastic computational power that we can use to run a myriad of different types of analytics on data to supercharge your searching and dramatically reduce the amount of time it takes you to get to that key actionable evidence. So, we’ve kind of flipped everything on its head. Instead of being a question of how quickly can I read through all of this data, it’s how laparoscopically can I surgically find all of that key information. The results that we’re seeing are pretty resounding. Up to 60% reduction in time to get to that key evidence. Freeing up attorneys to get back to what they went to school for, the practice of law. It’s pretty compelling. We’ve had some pretty interesting additions, including even today, we just announced, I think, the first true AI in eDiscovery with AI model sharing. Basically, with each iteration, with each type of case that you conduct with DISCO, our algorithms are getting smarter. We’re extracting insights and building in more robust taxonomy and analytic structure to parse data, which is going to yield better and better results for our clients. It’s truly exciting.

LN: So we’ve come a long way from the early days when the attorneys wanted everything printed and Bates-labeled before they looked at it. To now, moving ahead using TAR, technology-assisted review, like artificial intelligence, which fits into that, correct?

CC: 100%, we have a continual active learning model, so it’s more reinforcement learning than a standard supervised learning model. Basically, from the coding of document one, our algorithm’s getting smarter and making recommendations on highly likely to be similar documents. We battle test the algorithm on an ongoing basis. Whether it is an affirmative or a negative for a suggested document, the algorithm learns more, and because of that, we prioritize the most relevant information quickly and people are able to then accelerate their review speeds by up to, I think we’ve had over 180 docs per hour. So, it’s pretty compelling and this is just the beginning.

LN: So your platform’s all in the cloud, correct? So companies or law firms, they need no infrastructure other than a browser?

CC: 100%, the nice thing, in my prior life, I ran a global discovery program, and I spent hundreds of thousands of dollars a year just to keep pace, just to have storage, just to have basic replication and back up, and all of that. Now, even a small firm, all the way up to an Am Law One firm or a massive Fortune One company, they can have the same robust technology without having to set up a data center, without having to invest a ton of money. It lets everyone level up and has a better experience throughout the discovery process.

LN: One of the challenges a lot of my clients always have is they have a need to understand what the costs are going to be and to be able to communicate to their clients those expectations so they’re not throwing their clients on the eDiscovery rollercoaster of non-controllable bills. How does DISCO help to address those concerns?

CC: Transparency is a major pain point. One of the banes of my existence used to be trying to normalize this pricing model versus this, versus this service provider, versus this technology. We just throw that all out. We charge one flat amount per gig. It includes analytics. It includes processing. It includes everything, and we work with you to get the volume of data that is being applied to that one flat cost per gig down. It eliminates that hide the ball gotcha moment and it gives a lot of transparency. And of course, if someone wants a different model, we’re happy to accommodate that. But in general, straight, simple, honest. It’s really rewarding for our clients.

LN: So, what cases, what types of litigation case matters do you see as having some of the best benefits of being migrated into your platform?

CC: Yeah, I think any case can. If you’re a tiny company, it helps you be David versus Goliath. Even on a small data volume case, you can start getting insights and reduce the amount of time you’re having to spend doing something maybe you can’t chargeback for. For a big massive case, because we are an AWS and we were built on kind of convolutional neural networking, we’re moving, and we have such a robust computational lift, even we’ve had 150 million documents with hundreds of users and we still have sub one second page to page. We are still lightning fast. And so, whether it’s a big case, a simple case, a complex case, there is a value proposition for almost anyone.

LN: In terms of the types of law firms that are using your platform, do you see many smaller, medium-size firms using your–

CC: Tons, actually tons. That was where we got our teeth. Boutique, we started as a boutique law firm. We actually were a bunch of attorneys that were frustrated that all the tools were terrible, and so they built their own. And so, the foundation of DISCO, we had a family of tons of boutique law firms that we were supporting, we still do to this day. The tool we built though, had a longer vision. It was built to be much bigger and more scalable, and as a result, that’s why you’re seeing us with major, the WilmerHales of the world, very large firms and very large corporations because the tool itself can scale up so much.

LN: Great, what are some of the challenges of working, that law firms find that already have entrenched solutions? There are other review products out there and if they really want to make the benefit of your platform, don’t they have to kind of fully use it for the case?

CC: I would say you probably don’t want to split the baby with a case. If you’re processing with another tool, you’re not going to get the same benefit as working with DISCO. But you don’t have to move your entire litigation portfolio to DISCO day one. We’re seeing a lot of people that are sunsetting Legacy Product and Legacy Platforms moving towards DISCO, but it’s not, “I’m going to move every single case today.” It’s going forward, we’re going to start bringing in new cases. There tends to be such an improved experience and improved UI for the attorneys that they start to not want to use the other technology as much.

LN: I know as a computer forensic expert, oftentimes we’re going out initially collecting and forensically preserving the data. But your product sounds like it would be right for a firm that does forensics that needs to collect different data from computers, possibly harvest just an email. Filter the dates and times of the email to a PST and then they can take those PSTs and upload it into your platform, correct?

CC: 100% and we also, we’ve productized some advanced ECA, where we charge a much, much lower rate. So, you get three months no cost hosting. It’s half the usual rate, and you can do ECA for up to three months. And the goal of that is to let’s whittle down to the most surgical, teeny, tiny, laparoscopic piece of data set that you can have. An example was we had a 20 million document case and we were able to run the ECA, get it down to about 5.6 million documents. Run more coaling, run our analytics, get it down to about 200,000 documents. And usually, that would be when you have to review every single one, but we were able to, with our workflow, with CAL, get it down to 140,000 documents. And so, if you think 50 bucks an hour, an attorney can only do 50 docs an hour, the cost savings is monumental.

LN: So as someone uses your platform and they start to tag and prioritize certain documents, your software learns based on that taking. It helps find related concepts to those conversations and what not?

CC: 100%, 100%.

LN: So really, the more that are reviewed as responsive, similar concepts and whatnot so that important links aren’t missed.

CC: 100% and because we do automatic batching, is every new batch of documents a person gets because we’ve applied this artificial intelligence and continual active learning model, it is a more relevant subset of data and people are able to go through it more faster. And sometimes, they will get to a point where they can say, “I’ve hit all my relevant information. “The rest is not relevant. “I’m going to sample it and statistically determine “I don’t have to review those last 100,000 documents “that maybe aren’t relevant,” and it’s pretty cool.

LN: In our next segment, we’re going to be talking What the trends are in the industry impacting law and eDiscovery. And then finally, we’ll talk about some of the pitfalls of what companies, organizations, and law firms face if they don’t embrace artificial intelligence to help make their review process more efficient. Well, thanks for being on the show.

CC: My pleasure.

More Related Articles About Artificial Intelligence (AI) )

Litigation and Forensic Imaging

View DISO’s website to learn more about AI trends in Legal Industry

https://www.csdisco.com

AI is Changing Legal Technology and how they work check out this website.

Tech Tips for Keeping Your Devices Secure When Traveling

Lee Neubecker, President & CEO of Enigma Forensics, sits down with travel expert Robbie Gold. Together they discuss the ins and outs of securing your technical devices when traveling, including devices that may help you in the event of a power outage, and cool tips to help keep your belongings and technology safe. Check out this video that outlines what we believe to be the best practices to travel securely.

This video contains easy important tips to secure your technical devices while traveling.

The video transcript follows

Lee Neubecker (LN): Hi, I have Robbie Gold, President of Travel Center Tours on my show today, to talk a little bit about travel, the travel industry, as well as cyber tips that I’m going to give him to help his clients. Robbie, thanks for being on the show.

Robbie Gold (RG): Thank you, Lee. So, when my clients are traveling out of the United States, what information can you give us on cyber safety that they would need to use while traveling?

LN: Yeah, well, certainly, first you want to make sure that you have all your important documents, including your credit card numbers, the phone numbers to dial, you want to have that information with your travel agent or alternatively, you want to have that documentation put up into the Cloud but encrypted so no one else can get to it but so that you can access it if your bags are stolen and you lose your documents.

RG: And what about if they lose their credit cards, besides reporting them to the credit card company?

LN: Yeah well you know, reporting to the credit card company is important, I, usually, like if you have American Express, they’ll ship you a card next day, in those circumstances, to your hotel but it’s not a bad idea to arrange to have someone on hand, to make sure you have someone on hand that has funds that they can wire to you and what I’d recommend is if you’re going to do that, establish a secret, you know, password in person, don’t text it, don’t email it but give them some phrase or something so that they know that it’s really you asking for it and not a scam by, you know, some type of dubious person trying to impersonate you.

RG: Okay and then what other cyber tips can you give the clients, as far as traveling?

LN: Well, one thing that I’d recommend is getting a VPN, a virtual private network, for your smartphone and your laptop and what this does is it creates a tunnel, if you’re on a hotel network or on a cruise ship, it will create an encrypted tunnel between you and your email or you and your bank provider or your airline or even Netflix and it will let you get that information without the cruise ship or the hotel kind of getting in the middle of your communications.

RG: So, that would make everything secure for you?

LN: It would make it much more secure. Express VPN is one I like, it doesn’t cost much and you can get it for multiple devices and it will also let you often access content that the hotels and the cruise ships purposely try to slow down, so.

RG: Okay, what about for information, once you’re at the destination?

LN: Well, what I’d recommend is, before you get to the destination, there’s a great app called Maps.me and it allows you to download travel guides for your destination and you’re able to have preloaded maps, that even if you don’t have your data plan on, you can still navigate and it will tell you, based on your GPS coordinates, what’s around you and it can help you find a coffee shop, it can help you get back to port and it gives you kind of like a, you know, a navigation but in your hand, without a data plan and that’s really nice, especially if you’re trying to explore and you don’t want to get lost.

RG: And let’s say something happens and we either lose our laptop or our cell phone, is there anything we should have done to make our trip easier?

LN: Well, I’d recommend, before you leave, always back up your laptop and always back up your cell phone and if you’re really paranoid going through security, in some countries, they might randomly inspect your cell phone and the contents and if you work in a sensitive industry or you have patient medical records or other trade secrets or sensitive PII, you want to, you may want to consider wiping the phone after you’ve backed it up and then after you get through a security checkpoint and you have an internet connection, you can then restore your phone back and you won’t have a risk of someone inspecting and getting access to your phone contents.

RG: Okay and I always hear about people having problems when they’ve used bank ATMs or certain things, where people have gone over and they put a shell over them so what kind of safe practices should we use for both our computer and while traveling?

LN: Yeah, well, what’s nice, when you travel in Europe, usually, they don’t take the credit card away from you, they bring the reader to you and you get to see everything happen there. You might want to consider, though, getting a temporary credit card from your credit card company and certainly notifying them where you’re traveling, that’s important because, if you don’t let them know that you’re traveling to a certain country, there’s a good chance your card will be shut off and you know, you can also use some of those preloaded gift cards as a way to you know, protect your account but you know, monitoring is key, if you’re checking your account balances if you set up alerts with your bank, a lot of times, you can get a daily email or an email every time a transaction hits and then you’ll know if something’s happened.

RG: Well and one of the other things I know I’ve done is I’ve put on that there can only be one or two transactions per day and then put the dollar amount on so I would have to call the bank to open it up if I was making a major purchase.

LN: So, when you go to the casino in Las Vegas.

RG: Correct.

LN: You have your bank on speed dial?

RG: Exactly, now what about doing some of these things where I need a charger or you know, I’m getting ready to plug in my computer into one of the USB ports, is that safe or?

LN: Yeah, well, it’s possible that those USB charging stations you see in the airports, especially in some foreign countries, that when you plug it in, your phone could get injected with spyware. So, I’d recommend that you’d travel with your own power brick, you know, one of the things I highly recommend is this solar charging, it’s a battery pack and flashlight so you can use it to signal and you can keep it with you in your backpack and if you’re going out to the beach or sitting on a cruise by the pool, you can lay it out, get sun and you can charge multiple devices with it, without having to plugin. But certainly, bring your power brick as well and I like these, they have these combination cords that have all three of the popular tips so it’s, you know, one less of the cords to carry.

RG: Oh, it’s very convenient.

LN: So, this device, I’d recommend, it’s the HI-S025 solar charger, that’s really nice and then if you’re also looking at gadgets and other things, this won’t keep you cyber secure but it might help you sleep at night if you’ve got someone snoring. It’s an OontZ speaker, Bluetooth speakerphone that’s also shower-proof so that’s kind of nice.

RG: Okay, so let’s recap all the things that you said. We should bring copies of our documents and make sure they’re in the Cloud, we should have a contact where we might want to wire money to us and have a secret phrase, install a VPN, if you’re looking for local things once you arrive, you want to download Maps.me, backup your laptop and your cell phone–

LN: And make sure, Maps.me, that you load the cities you’re going to before you get there so that you have the maps preloaded.

RG: Okay, perfect and you want to back up your laptop and your cell phone and if you do have secure information on there, you might consider wiping it clean and then reloading it once you’ve been through security, you want to make sure you’re practicing with a safe USB and consider an alternate solar-power source, in case you need to charge your phone or your laptop.

LN: And one last thing, if you haven’t heard of these, they’re called Tiles and you can attach them to your key chain, you can also put ’em inside of your bags so if someone were to grab your bag with your important documents and you had this inside, you can go to the local authorities and you might have a chance of actually recovering the bag so this is another proactive measure, these are, you can get four of them for somewhere around 100 dollars.

RG: Okay.

LN: Great.

RG: I think these are great tips, thank you.

LN: Thank you, Robbie, it’s been great having you on.