Behind lifesaving medical devices are Cyber Experts hard at work to secure and protect Patient Health Information (PHI). Check out this video on securing medical devices.
Cutting edge medical devices save lives! Not only do they save lives but they carry a vector of complicated communications and a unique set of security challenges. Cyber Security Expert Lee Neubecker, sits down with Sterling Medical Device’s top engineer, Keith Handler who develops cyber protection and security for their client’s medical devices.
Sterling Medical Devices helps companies design and develop mechanical & electronic medical devices and follows them through FDA approval. The conversation is educational and important to those interested in knowing how medical devices are cyber protected and secured. In this video, they outline the concerns that relate to the control, security, and confidentiality of the patient’s health information (PHI) when using these medical devices.
The transcript of Part 1 of our Series in Medical Device Security
Lee Neubecker: Hi, I have Kieth Handler here on my show from Sterling Medical Devices. Keith is a top engineer here that helps ensure cybersecurity and resilience and protection of medical devices of their clients. They help assist through the FDA certification process. Keith, thank you, thank you for being on my show.
Keith Handler: Thanks for having me, Lee.
LN: So can you tell me a little bit about what your firm does and how it helps clients in cybersphere?
KH: Yeah, sure. Sterling Medical Devices is a 13485 certified product development firm. We help various companies design and develop electro-mechanical medical devices. Pretty much from, anything from concept all the way to submission to the FDA.
LN: So, can you tell everyone what, ISO…?
LN: 13485 Certification means?
KH: Yes that is, that is the ISO standard that defines the product development and manufacture of medical devices. It defines all the processes that we generally run our business by.
LN: Okay, so what are some of the concerns that you have as it relates to the patient personalized information, sometimes known as PHI? Is that right?
KH: Yeah, patient help information, that’s correct. Well, you know, our first concern, of course, with any medical device is safe. We want to make sure that the devices are treating patients as intended and not presenting any undue harm to the patient or anybody else. The second thing is the Patient Help Information. It’s very important that we maintain confidentiality for all patients, in any of these systems. Diagnostics, their personal information, all need to be protected.
LN: These devices, they have PHI, they also have, they also are involved with the generation of electronic medical records, known as EMR, that feed into the various hospital systems that are used to provide and deliver healthcare to users. As it relates to this, what are some of the top concerns that you try to address as it pertains to safety for your clients?
KH: Well, when it comes to information or command and control that can be done remotely on a device, it’s again important to maintain the integrity of those communications, and to protect everything there. One of the hardest aspects, I would say, is integrating a medical device into a larger hospital system. We may have control over the confidentiality of the information, and of the commands that are sent and received within a device, but as soon as we connect to an external system we lose control of that data. So, it becomes a unique challenge to try and make sure we are protecting, and not only in our system but also in any system ours might integrate with.
LN: Yeah, and there’s such a myriad of ways devices connect, Bluetooth, wifi–
LN: I’m not sure if medical devices use infrared or–
LN: Near band communication, but there are all these vectors of communication that create new threats and potentials for compromise.
KH: And typically medical hardware is pretty cutting edge, you know, some of the things that they’re trying to treat now still can’t. So all of these things that you’re bringing up, all exist in medical, all need to be protected.
LN: Great, so in our next segment we’ll be talking a little bit more about the FDA, the certification process, and some of the standards that devices might undergo to help ensure adoption by the FDA, and to make them commercially viable to be sold in the United States. And then, in our third segment, we’ll talk more about protecting devices against cyber compromise, the firmware and software that gets embedded into these devices, and other things that should be done to help keep medical devices safe and secure. Thanks for being on the show today.
KH: Thanks again for having me, Lee.
Related Materials on Medical Malpractice
See more about Sterling Medical Devices on their website.
The Energy Sector must protect the electric power grid system, oil, and natural gas infrastructures from the ever changing cybersecurity environment. Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. cover the many steps necessary in detection and protection against any and all threats.
As global unrest heats up, the Energy Sector has to maintain its cool. What is the energy sector? The oil, electric power grid, natural gas refineries, and pipelines are all part of the intricate web of the energy sector. To avoid a disaster they must wrestle with the ever-changing cyber security environment, protect themselves from internal and external threats in all of the energy sector infrastructures all while keeping up with energy demands. That’s a mammoth task! Both experts agree Energy Sector protection can be achieved if approached with precision. Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. cover the many steps necessary in detection and protection against any and all threats.
Part 3 in the four-part series on Energy Sector Cyber Insecurity.
Lee Neubecker: I’m back again with Geary Sikich and we’re continuing our series discussing cyber global insecurity, as it relates to the energy sector. And in this segment, we’re going to talk more about things that can be done to help protect against these cyber threats.
Geary Sikich: So Lee, when we look at protection, I think there’s a three-level process and I think you can describe some of the things that have to go on in these three levels. Strategically, I put together a business plan for an organization and that organization sets goals and objectives, one would be to have cybersecurity. Now, how do I execute that, what are the things that, at the operational and tactical level, the things that really are going to prevent, what are those things, what are those things that are going to help me?
LN: Well, much like we were talking before about detecting compromises, having a solid inventory on what your digital assets are, what computer devices, what cell phones, if you know what your devices are and you have that information available, you’ll be able to spot when something goes wrong. So, part of protecting is doing the bean-counting work of inventorying your digital assets.
GS: So, it’s not just an audit process, it’s a much more of a detailed look at what those assets consist of?
LN: Yeah and once you know what your assets are, you can figure out, who are they assigned to? If someone leaves your organization, you should have accountability steps in place to retrieve those assets. You should also be inventorying the state of those assets, are they fully patched and up-to-date? If you’re not patching your devices, you’re at great risk of cyber compromise.
GS: So is identity, not only do I have to worry about being compromised from an external source but I also have the internal threat of a disgruntled employee, of someone leaving the company, not with any mal, you know, intent, no malicious intent, if you will but just not following up on what I should have done as they out-process.
LN: Exactly, password rotations, people have weak passwords, people become compromised, people reuse their passwords. As someone reused their password for one of your important infrastructure systems on a popular social media site and that site becomes compromised, guess what, those passwords get loaded up into software for hacking and they do what’s known as “credential-stuffing attack”, they loop through and they fire at every device they can using the username and password, the known username and password and that’s how a lot of people fall prey to attacks.
GS: So, in that context, should you store passwords via one of them, like Google Chrome or some of the other, Internet Explorer, those types of things, should you store passwords that way?
LN: I recommend against storing it in your browser. If you’re going to store them somewhere, I think a password management tool like LastPass, that has two-factor capabilities, two-factor authentication essentially means that you have to know your, it’s something you know, plus something you have or something you are and in the case of LastPass, you’re typically using either your cell phone with an app that has an authenticator, that’s something you have, plus your master password and that helps protect against someone intercepting your password and being able to log on.
GS: So, in essence, protection is not a simplified process, protection is something that we have to, sort of, dedicate ourselves to conscientiously and make sure that we continue to maintain an up-to-date awareness, in order to be able to fully protect ourselves.
LN: Exactly and that brings in your staff, you need to know that your staff are being educated about popular ways that companies become compromised like if a bunch of USB devices are dropped in the parking lot, they might say things like “payroll” or something on it, would your employees plug that into your computer, you know, are you testing for that? You know, there are things you can do, there are services out there where you can have your own organization spearfished by a white-hat hacker, that’s going to tell you who clicked and then you know who you need to educate.
GS: So, we’ve made two points thus far on protection. One is that it needs to be part of the business plan, it has to be audited. In terms of auditing, knowing what you have devices-wise. Second is that you have to have educated employees. Now, both of those aspects present somewhat of a business conundrum, if you will. Education doesn’t necessarily equate to dollars coming in but from a protection standpoint, I think the sales point would be that it prevents dollars going out and the better educated, the more aware so that we can look at the other aspects that we discussed, detecting and protecting being two.
LN: Unfortunately, if you run an organization today, you have a new job, which is to make sure that you’re cyber secure and it’s a serious threat that corporate boards are making their CEOs accountable for so you know and it’s multi-faceted, you got to train your employees, you got to nail what you have, you got to make sure what you have is up-to-date and patched and then you also need to make sure that you have some mechanism to monitor and record events so that you can tell if you become compromised so the protection really requires much more today than it used to, it’s, the number of ways that an organization can become compromised, can be via an employee’s cell phone that becomes compromised and then it launches an attack on your internal systems.
GS: So, in the, it’s kind of like the mindset, if you will, has to be changed, in terms of looking at management and their commitment to cybersecurity protection. In the days past, we looked at protection. “What can I do, put up a wall, what can I do, “I can physically protect my facilities and my operation.” Now, today, that becomes more of a challenge because we’re dependent more on things that are not necessarily in the realm of physical protection per se so we really have to be getting to rethink how we look at protection and then ensure that the process is continuous, not a one-time situation.
LN: Exactly and certainly, you know, a DR, known as disaster-recovery planning and contingency planning can go a long way, you know, a simple act of making an offline backup on a periodic basis and you know, maybe that’s only once a month for some organizations but at least, if you have something offline, if you get hit by a Cryptolocker attack, the risk comes down to “well, what does it cost “for us to rebuild the last month?” Or maybe it’s the last week or maybe it’s last night so thinking through, I think going through the disaster-recovery planning exercise is a really good way to help protect your organization.
GS: Okay, I agree with you on the planning aspect. The caution I would say with that is that all too often, organizations develop disaster-recovery, business continuity, other types of plans to deal with emergencies, the response. The challenge is that those plans need to be kept, as you did say, with the cyber up-to-date and consistently reviewed, we have to have it in the mental work.
LN: And that’s where having someone like you and myself come into audit the business risk and actually inspect to see is the plan being followed, is the C-suite having a false sense of security because there’s this plan that was produced years ago, that no one’s really looked into, you know, it doesn’t take but you know, I think, you and I onsite for one day, we could help poke holes and give a report of, is an organization following their plan or does it look like everything’s far off but you’re not going to get that reporting from your own people internally.
GS: Yeah, I think it’s a challenge for people internally because there’s a vested interest, number one. Number two, they think that, in a lot of respects, they’ve done what needs to get done. The other aspect and I think this is important from what you pointed out, is that when you begin to look at today’s plans, you have to realize, they’re kind of reactive, in many respects, they’re not very proactive so they react to an event happening. That’s good because that helps companies become more resilient but it doesn’t keep them from protecting themselves as they need to.
LN: Exactly but there’s also a financial component to these plans, you know, it’s not uncommon that IT, they’ll go through this exercise and then afterwards, they’ll say “well, I need this subscription, this software, “I need this vendor” and none of that funding comes through but it’s much better and that sometimes gets lost in the minutiae from planning to execution and if that, in fact, is happening, you’ll want to know about it before you need the DR and it’s not there.
LN: So, I think that wraps up our section on protection. In our next segment, we’ll be talking a little bit more about responding to the crisis of a cyber breach, as it relates to the energy sector.
Watch the other segments on Cyber Insecurity in the Energy Sector
Part 1 – Global Energy Sector: Insecurity
Part 2 – Energy Sector: Intrusion Detection
Watch other related video segments
To learn more read this government report about Cybersecurity for the Energy Sector delivery system