Don’t Sell Me a Lemon with a Virus!
Aftin Ross, Senior Special Advisor for Emerging Initiatives at the FDA, Chris Reed, Director of Regulatory Policy, Digital Health and Product Security at Medtronic, and Debra Bruemmer, Sr. Manager Mayo Clinic

Don’t Sell Me a Lemon with a Virus! How manufacturers of connected medical devices need to build security into their products for patient safety.

In recognition of the 19th annual National Cyber Security Awareness Month, The Outcomes Rocket Network has launched a 10-part podcast series to elevate Cyber Security Awareness in Healthcare on our main channel, the Outcomes Rocket Podcast. Partnering with leaders in healthcare cybersecurity in their capacity as members of the Health Sector Coordinating Council, the podcast aims to illuminate advances made in protecting critical healthcare infrastructure and patient safety, and areas that need further focus to put a stop to Cyber Crime.

There is a cross-industry best practices guide that ensures patients are using effective and cyber-secure medical devices.

In this episode, Saul Marquez interviews Chris Reed, director of digital health and product security policy at Medtronic, Debra Bruemmer, senior manager at the Mayo Clinic with the Office of Information Security, and Aftin Ross, senior special advisor for emerging initiatives in the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health. They discuss the Medical Device and Health IT Joint Security Plan and how it could help organizations with their work and cybersecurity gaps related to medical devices. These devices are increasingly placed on healthcare networks as they no longer operate individually but are working in a connected manner, which is why their security needs to be a requirement from their design until the end of their lifecycle. Chris, Debra, and Aftin confer about the collaboration between representatives from HDOs, manufacturers, and the FDA and how it resulted in the Joint Security Plan, a roadmap that provides best practices and insights into a range of medical device cybersecurity considerations across product lifecycles.

Tune in to this episode to learn how good cybersecurity practices can be a powerful tool to secure medical devices for patient safety!

About Chris Reed:

Leads external cybersecurity and Digital Health policy engagement for Medtronic. Advises Medtronic product security strategy for product submissions and as a leader on the Product Security Office’s executive leadership team. Previously spent over 21 years with Eli Lilly and Company including building Lilly’s product security program supporting Digital Health. Actively engaged as a leader in many medical device security and digital health industry initiatives such as the MDIC Cybersecurity Working Group, Health-ISAC Medical Device Security Information Sharing and Coordination’s Advisory Committee and as co-lead for the Healthcare Sector Coordinating Council’s MedTech Cybersecurity Task Group. Passionate about enabling digital health innovation in a secure and safe manner that benefits patient health outcomes.

About Debra Bruemmer:

Debra Bruemmer is a Senior Manager at Mayo Clinic within the Office of Information Security. She is accountable for leading a team to address cyber security resiliency for foundational assets (e.g. servers, workstations, applications, medical devices, IoT devices), maintain secure identity and access management practices, and uphold security principles in network segmentation. Debra received her Bachelor of Science in Finance from Winona State University, a Masters in Business Administration from Cardinal Stritch University, and is CISSP certified.

About Aftin Ross:

Aftin Ross is senior special advisor for emerging initiatives in the Office of Strategic Partnerships and Technology Innovation (OST) at the FDA’s Center for Devices and Radiological Health (CDRH). In this role, she provides leadership and coordination within the Center on a range of emerging public health issues including medical device cybersecurity, respiratory protective devices, personal protective equipment (PPE), and incident response.

Regarding cybersecurity, she has been a lead in CDRH’s medical device cybersecurity efforts spearheading the execution of three FDA public workshops, serving on various interagency cybersecurity work groups, supporting numerous cross-stakeholder efforts (e.g. the 2017 healthcare cybersecurity task force), managing CDRH’s MITRE cybersecurity contract, supporting the development of international cybersecurity policy as a convener of the International Medical Device Regulators Forum (IMDRF), and engaging in policy development as a member of the CDRH cybersecurity workgroup.

Chris Reed, Deborah B & Aftin R_October Cyber Awareness Month Podcast Series: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Saul Marquez:
Hey, everybody! Welcome back to the Outcomes Rocket. And I want to welcome you to this 19th annual National Cybersecurity Awareness Month podcast series. We’re doing this in collaboration with the Health Sector Coordinating Council and all of its leaders and members. Super excited to get this off the ground with our next amazing leaders in cybersecurity in healthcare. I want to start by introducing them to you here. First, I want to introduce Debra Bruemmer, she’s a senior manager at the Mayo Clinic with the Office of Information Security. She’s accountable for leading a team to address cybersecurity resiliency for foundational assets such as servers, workstations, applications, IOT devices, and maintain secure identity and access management practices, as well as uphold security principles and network segmentation. She is an extraordinary contributor in the area of cybersecurity, and I’m excited to have her on the podcast today. In addition, I also have the outstanding Chris Reed, who’s director of digital health and product security policy at Medtronic. He leads and advises Medtronic’s product security strategy for product submissions, and as a leader of the Product Security’s Office Executive Leadership Team. Previously, he spent over 21 years with Eli Lilly and Company, including building Lilly’s product security program, supporting digital health. He’s actively engaged as a leader in many medical device security and digital health industry initiatives such as the MDIC Cybersecurity Working Group, Health ISAC Medical Device Security, Information Sharing and Coordination Advisory Committee, as a co-lead for the Health Sector Coordinating Council, MedTech, Cybersecurity Task Group, and many others. Finally, I want to introduce our third guest on the podcast, Dr. Aftin Ross. She is a senior special advisor for emerging initiatives in the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Device and Radiological Health. 
In this role, she provides leadership and coordination within the center on a range of emerging public health issues, including medical device, cybersecurity, respiratory protective devices, personal protective equipment, and incident response. Dr. Ross completed her graduate work from the University of Michigan, earning a master’s and Ph.D. in biomedical engineering. It’s such a privilege to have you all here on the podcast, welcome to today’s episode. And so with that intro, I am so excited to welcome Debra, Chris, and Aftin to the podcast. Welcome, y’all.

Debra Bruemmer:
Thank you.

Aftin Ross:
Thank you for having us.

Chris Reed:
Thanks, Saul. It’s great to be here.

Saul Marquez:
It is such a pleasure to have you guys here, and the work that this team is doing is really just fantastic. The opportunity for so many organizations and leaders in healthcare to have the resources that you’re producing are, it’s just, it’s fantastic. So thank you for doing what you do. Why don’t we start with, Debra, what’s the cyber security issue with medical devices?

Debra Bruemmer:
Well, Saul, thanks for asking that question. Starting maybe at more just some general thoughts, thinking about how medical devices have transitioned from historically knobs and dials to being built on more standard technology with defined end, the ends of life, that’s kind of a background that bear in mind as we talk about medical devices. While at the same time we’re transitioning to more standard technology, devices are also being placed on healthcare networks, and the primary reason for that is to improve clinical workflow and patient outcomes. While at the same time these two significant changes in medical devices are happening, HDOs typically will retain and use medical devices longer than the technology useful life. So when you think of a Windows operating system today, it’s set for ten years, Microsoft says that. Yet as a healthcare organization, we may go out and buy a piece of medical equipment and plan to use it for a longer lifespan. So as you think about that, this creates security gaps and a couple of really specific cybersecurity issues that result from that is really the inability to apply patches rapidly in order to ensure patient safety. And another specific security issue relates to the inability to install and use standard security tools.

Saul Marquez:
Thank you, Debra, and you know, it is definite, there’s so many things that can happen. And having a plan to actually tackle that is huge. And folks, I want to remind everyone that if you look in the show notes of today’s podcast, you’ll find a link to the Medical Device and Health IT Joint Security Plan. That plan, we’re going to be covering the details of that plan and how it could help you and your organization with the work and the gaps that Debra just highlighted. And so how do we make these devices more secure? Maybe, Aftin, Chris? Would love to hear from you guys.

Aftin Ross:
I’m happy to start. So first, let me just say that medical device, cybersecurity for medical device manufacturers, it’s not optional. It is a requirement, and it’s a requirement for exactly the reason that Debra articulated, it is a patient safety issue. But we recognize that it’s a complex ecosystem, it’s a complex space, and so we really do need to have collaboration in this area, especially because for medical device cybersecurity to make things more secure, we have to think about it across the total product lifecycle. So from the time that the device is in a concept phase, we’re actually designing it, we’re thinking about what we want that function to look like, all the way through to being used in the hospital, and even in those end-of-life stages that Debra talked about. And so if you’re not thinking about cybersecurity at each phase of that lifecycle, you’re not going to have the most robust device possible. And so it’s very important for us to have these different workgroups and things that the HSCC and other international efforts provide to help us think about how we can enhance those cybersecurity best practices across the lifecycle.

Saul Marquez:
Thank you, Aftin. Yeah, and it’s so great to have this cross-section across FDA, industry, and provider organizations. How about from the industry side, Chris? Thoughts there? How do we make them more secure?

Chris Reed:
Yeah, I mean, I will definitely add on to that. You know, a lot of times when, as a medical device manufacturer, as we’re designing a device and we of course, take pride in our work and our, if you will, our viewpoint is our device, it’s our baby. And we want to make it very effective at what it does, and honestly, I would say I’m quite proud as a manufacturer, some of the technology that we do to deliver to patients to improve pain management or some condition or complex situations between pacemakers or insulin problems or imaging to diagnose, there’s some amazing technology there, but one of the things that this collaboration helps surface is helping manufacturers to think more about how our devices end up operating out in the environment that they are integrated into. And often we don’t appreciate the full complexity of, imagine any room that you’ve walked in, to a doctor’s office or a hospital room, an ER room even, right? If you scan around the room, you’ll see at least five or six different devices, and the manufacturers definitely don’t need, this collaboration helps us have a better picture of exactly what the healthcare delivery teams need to have in order to effectively manage potentially hundreds, if not thousands, of different types of devices that need to interoperate and work together and stay secure in this complex environment. And so it’s just this collaboration to make sure that we are sharing our different needs across, you know, as builders, as implementers, and that we’re helping support each other, managing the unique risks that we might have. The other thing I want to comment on is on the total product lifecycle. You know, there’s definitely a shift happening, Debra mentioned this, right? But more and more things are being connected. You know, traditional medical devices have not necessarily, they’ve been more hardware-focused, not connected. We have more and more software. 
And one of the things we’re working through in partnership with the FDA as well, is how do we change these lifecycles so that we can keep pace, with the pace of change that needs to happen. You know, Debra mentioned the patches, like what is a reasonable time frame that, we probably don’t want to be taking down a key medical device in a hospital like every week to do maintenance and patching, but at the same time, we can’t wait so long that it’s potentially causing a safety issue for the patients in that hospital. And so through this collaboration, we’re working through what do those patterns look like and how can we find the right balance of speed, but also manage patient safety and not try to do things too fast where we actually cause issues with safety because we’re taking things down. And so that’s the point of the collaboration is to work through those issues.

Debra Bruemmer:
So if I could add one comment to this, to this topic, and maybe just an example that’s going to be up and coming. So if we think about how all three of us within the industry play a role in looking at the Windows 10 going end-of-life, for example, when I think about a medical device manufacturer, they need to begin thinking now about what are they going to do with the Windows 10 devices going end-of-life and how do we manage that. And as a healthcare organization, as I’m thinking about purchasing these pieces of really vital equipment in the use of our care delivery, you know, what are purchase decisions around the long-term sustainability as we look at buying these assets? And then the FDA should be thinking about considering what do we do with new product submissions as we get closer to that Windows 10 end-of-life. So I think these are conversations we have in these cross-industry groups and we each do play a role.

Saul Marquez:
Yeah, no, I appreciate that, Debra, and I think that’s, it’s vital. These things have gone from islands to connected devices. I mean, and they all, I mean, they all have to at least connect to the EMR. And so we’re working with devices that are no longer standalone and these collaborations are super key. What are some other examples of successful collaboration that have improved security?

Debra Bruemmer:
Well, if it’s okay, I’ll start in.

Saul Marquez:
Yeah, that’d be great.

Debra Bruemmer:
You know, as I look in the rearview mirror, Mayo Clinic began in earnest with a focused medical device security program back in 2015, and the industry collaboration has improved immensely since that point in time, so I applaud everyone in the industry, all three of us as partners. Previously, one example that I can share that has been a significant improvement is how medical device manufacturers have begun to be more open and transparent about vulnerabilities in their products. And while this is great, I do think we still have some improvements to make. And just as far as an example, last month we received a vendor notification we never would have received five years back, highlighting a high-risk vulnerability in a product and giving us solutions and options as to what we as a healthcare delivery organization can do to protect our patients while we wait for a patch. The one thing that I would maybe highlight here is really the fact that we do still tend to hear we can continue to use these devices. However, a patch isn’t going to be imminent for maybe 6 to 10 months, but we can continue to use it, and if we do, take it off the network. So thinking about that, that tends to be a challenge in the delivery of care for patients because these products are bought with the intention of being network connected. So thinking along that lines, that’s where our opportunity for continued collaboration between all of us players in the industry really needs to continue to expand. And I consider this just like thinking about an elevator in a 20-story building and telling people not to use it and walk up the stairs. You know, there’s a lot of manual processes that come around as a result of removing that device from the network.

Saul Marquez:
Yeah, well said. I would hate to be on floor 20 of that one.

Debra Bruemmer:
And we need a .. defibrillator by the time I got …

Saul Marquez:
At the end of that. And, you know, I mean, truthfully, our clinicians are at floor 20 and when something like that happens, it’s a big inconvenience, and having a plan is key. A great, great example, I love that, Debra. And Aftin, how about you? What are your thoughts, examples of collaboration, successful collaboration?

Aftin Ross:
No, absolutely, so certainly we have been at FDA, a … of collaboration from the very beginning. But we recognize from working with our industry partners that even if FDA could make strides in the different pre and post-market policies that we are putting out the best practices that we were advocating, we were not going to have the reach that we wanted to have because last time I checked, cybersecurity bits and bytes don’t know national borders. And so it definitely is an international challenge, and what we were hearing from a lot of our multi-national industry partners was that even though FDA was being forward-leaning in its approach, that, there were still needs internationally as well. And so there is an existing organization, the International Medical Device Regulators Forum, that actually exists to help accelerate convergence, adoption, and key areas of medical device challenge, and so cybersecurity was recognized as being one of those. And so back in 2020, actually, we published the very first International Medical Device Regulators Forum Cybersecurity Guidance, and it was such a hot topic. It was known to be so important that the guidance was done in 14, 15 months. And anyone who can tell you that doing a guidance for one country in that amount of time would have been, you know, outstanding, but to do that on an international scale was really exceptional because everyone recognized that there were just basic best practices that we just needed to start doing and we needed to start doing it right away. And we’ve been able to build on that and also are working on some of those challenges that Debra brought up in her intro about what some of the primary challenges are with some of the outdated software and products that you can’t actually update to be reasonably protected. So we’re actually doing some legacy work in the international space right now as well. 
It will be very complementary to some of the legacy work that the Healthcare Sector Coordinating Council is actually doing here in the US as well.

Saul Marquez:
Aftin, that’s extraordinary, thanks for highlighting that. And I think it would be phenomenal if that’s an accessible resource that we share that with today’s listeners in the show notes. Is that something we could get to them?

Debra Bruemmer:
Yes, we can definitely share the final guidance that was released in 2020 and even the draft for the legacy, the final is being worked on right now.

Saul Marquez:
Oh, man, that’s so great. And again, folks, I want to just remind everyone, you know, we’re stronger together. I think Greg Garcia kicked us off with the message here at the first podcast we did, no one person is stronger than all of us, and this goes beyond the US. We’re going international with the work Aftin and team are doing, and we’ll provide that to you so that you could take action from this podcast to implement into your organization. Chris, how about you? Any thoughts on successful collaboration?

Chris Reed:
Yeah, I mean, so we’ll kind of pivot a little bit to, I think one of the documents we want to talk about from HSCC, and that is the Joint Security Plan. And I just want to emphasize why the word, Joint Security Plan is kind of a strange title for a document, right? But the whole point of choosing that term was to talk about how it was this partnership between manufacturers and healthcare delivery. And it is actually primarily focused towards manufacturers, but it has that voice of the healthcare delivery organizations in it as well. And so it’s really meant to be, there’s all these amazing resources out there, like Aftin’s mentioned with the IMDRF Guidance, and there’s risk management standards for cybersecurity and threat modeling resources. And a lot of what the Joint Security Plan is meant to be is kind of a roadmap for manufacturers specifically on, if you had a product security program, what are the different components you should have and what are the resources available to implement it? I can tell you I have, in my past, I used to work for Eli Lilly and Company and I built their product security program. We were working on insulin pumps and connected insulin pens, and it was a great resource because I was trying to convince my leadership of what resources and processes we needed to invest in. And right around that time, this Joint Security Plan got published and I was able to use that to essentially inform, and basically, it wasn’t just me trying to convince my leadership, look, this is a practice everyone else is trying to implement as well. And of course, I was even able to inform a little bit of my thinking on it, and so it became an amazing resource for me. And that’s really what we’re intending to do, is how do we make this. It’s not a simple thing to do all this work, but we want to try to simplify it as much as possible and build consistency as well as common expectations that travel between the two.

Saul Marquez:
That’s great, Chris, thank you. And you know, the topic during our discussions of organization size has come up, you know, and what are the organization’s capabilities, small versus large? Are these, is this Joint Security Plan something that could be scaled up or down?

Chris Reed:
Yeah, we spend a lot of time thinking about that. We are, maybe one thing I’ll plug here a little bit is we recently actually did a benchmarking survey from the, so the first Joint Security Plan was released back in 2019. And this, in the summer, actually, since the beginning of the year, we’ve been trying to collect data from companies of all sizes, including how big they were on how many of the practices they’ve implemented, and it is meant to try it. We try to leave language out of it that makes implies that you have to be a large organization. So as an example, large organizations might have entire teams that run a certain process, whereas a small organization has part of a person, right? So we try to stay out of to where we require like written procedures for everything and things like that, but at the same time, we do have to acknowledge that in the medical device space, we’re typically working within quality system regulations that require some amount of documentation. And so we try to find that balance to like, hey, you should be doing this practice, but we try to be, you know, give a guide but be silent on exactly how that might happen in an organization not to expect or imply it. One of the interesting findings we did have, though, a couple of things from that benchmarking, and that report is actually due to come out very soon. I might be able to provide that link as well based on, depending on the timing, but there were two things. One, we found out the size of the organization didn’t really impact the maturity scores, which was interesting. What really impacted it that will get driven home in a report is having an accountable named leader that owned, making sure security was implemented in the product. And so that’s one of the things that we drive home with the Joint Security Plan is having a named accountable leader that is in charge of making sure all these practices are mature enough based on the context of that specific organization.

Saul Marquez:
Yeah, that’s great. Have somebody be the leader, and the same thing came up when we were talking about emergency preparedness. Having that designated person, if the lights go out, that is going to be the air traffic coordinator, the leader on this, that accountability is powerful. Thank you, Chris. And so Joint, that implies collaboration. So, Debra, what does the Joint Security Plan have just to help enable collaboration and improving security?

Debra Bruemmer:
I think, I’d just like to kind of expand a little bit upon what Chris was sharing and highlight really the power of bringing cross-industry players together. So it affords all of us to bring forward our expertise, our thoughts, our challenges to a central place so that we can come up with what I would deem recommendations and even go so far as to say maybe expectations within the space of medical device security, and I really look at this from an investment perspective. As a healthcare delivery organization, along with a medical device manufacturer and the FDA, we’re all bringing our focuses and expertise together. And it’s really easy for us to sometimes just talk about and say, hey, there’s insecurity in these devices, but it can be more challenging to come together and roll up your sleeves and try to propose up solutions and ways to protect our patients, and that’s really the value of what I see in the Joint Security Plan. While a lot of the work really resides on the part of the manufacturer because they’re developing the products that a healthcare delivery organization is providing, we are adding in, from a healthcare delivery organization, our perspectives, our thoughts, our needs, our layering on how those devices are used in the delivery of that care, and I believe that’s important. And it just leads to even more secure medical devices that the manufacturers are developing.

Saul Marquez:
Yeah, and having clarity there is key, and a proper guidance could be a huge benefit. So Debra, yeah, thank you so much, and having this transparency, clarity, and what exactly is needed is key, no matter how small or large the organization is. So, you know, this has really been a lot of fun. We’ve got one question left here. Aftin, this one is for you. Is the Joint Security Plan required by the FDA?

Aftin Ross:
So as Chris very well articulated, the JSP is a best practice guide and it definitely provides a lot of insights into a range of medical device cybersecurity considerations across that total product lifecycle. However, it’s not a requirement. It is an industry best practice. It is also relevant to other resources that the HSCC has put out, again, that could be used to help in, to help the ecosystem in trying to demonstrate that they do have good medical device cybersecurity across the TPLC, but it’s not an explicit requirement.

Saul Marquez:
Good to know, and an opportunity for folks to have a pathway to gain faster approvals hopefully, Aftin? Fingers crossed.

Aftin Ross:
So certainly, if you have good security and you can articulate that in your engagements with the agency, that can certainly help you as you are going through, you know, your pre-market process, whether that be for a 510K or a PMA product. And again, a lot of the different resources and things that the HSCC puts out, if you follow those general best practices, you’re going to be in a much better position than you would be perhaps if you didn’t leverage some of the resources, the lessons learned from others in the ecosystem to help you make sure that you’re maintaining cybersecurity where it needs to be to ensure, again, patient safety. That’s at the center for everything that all of us are trying to do to try to make sure that patients have safe, effective devices that are also secure.

Saul Marquez:
That’s fantastic, thank you so much, Aftin. And I want to say thank you to you, Debra, as well as Chris, for your collaboration here. And folks, I think you could rest assured and know that the cross-functional groups in our country are working to make medical devices safer, safer for patients, and safer for our health systems to make sure that we’re delivering on the promise of patient care that our country makes for the people that live and breathe here. I want to thank you all for listening to today’s episode. And before we close, I’d love to give all of our guests an opportunity to give all of us a call to action. And then the best place where we could follow them and learn more about their work. So why don’t we go ahead and kick that off with Aftin, since you had the last question there?

Aftin Ross:
Sure, so I’m going to emphasize, I think, the general point of our overall talk, which is collaboration really is key. We’re not going to get to where we want to be, nor are we going to get there at the speed that we want to get there. There’s always opportunities, as Debra has said, you know, for improvement in acceleration if we don’t work together and we don’t collaborate. My secondary point is, our number one objective is patient safety, right? But that does not mean that security and innovation have to be at a crossroads, you could actually have both, and there are lots of innovations we can actually do to enhance security. If you would like to learn a little bit more about what FDA is doing, we do have a medical device, cybersecurity web page. If you were just to Google, FDA Medical Device Cybersecurity, view, probably the top hit, and there’s a lot of great resources there that we’ve worked with others in industry on, to provide to the ecosystem.

Saul Marquez:
Thank you so much, Aftin, appreciate that call to action. Debra.

Debra Bruemmer:
Yeah, Aftin did such a wonderful job there. The thing that I would add on for my call to action is, regardless of organizational size or maturity in the space of cybersecurity, I just say there’s opportunities to get involved. And if your organization doesn’t have the bandwidth to get involved, reach out to others in your industry. So reach out to, if you’re a medical device manufacturer, reach out to Chris and others who are heavily involved. If you’re a healthcare delivery organization, feel free to reach out to me as well. And I know I’ve had several calls with HDOs in the past or healthcare delivery organizations in the past and shared what I can with them to help them advance their cause. Because, again, as Aftin said, everything is focused in on the patient and it’s patients everywhere.

Saul Marquez:
Thank you, Debra. And last but not least, Chris.

Chris Reed:
Absolutely, I probably, as I’m listening, these are all great comments. I’d be remiss if I didn’t mention a colleague of ours on the, more on the security researcher side, Josh Corman. He runs a group called I Am The Cavalry that talks about bits and bytes, meat, flesh and blood, and the concern of just this, it’s really important and essential what we’re doing. And I guess comment a little bit on what Debra said, that my call to action would be we need to improve. So if your organization’s one that hasn’t started the work yet, use the JSP to get started. If you’re someone that’s in the work and trying to figure out how to do it better, come get involved. There’s a lot of opportunity to do it. We’re making a lot of progress, but we need to move and continue to move faster to make sure we secure, keep this environment both secure and safe. I just, I think we, I know, I continually am engaged. I work definitely extra hours and I am happy to do it because I know it really matters to people and patients at the end. This technology really does amazing things for people, but we need to make sure it doesn’t end up being a point of weakness or causing harm. And so that’s, it’s really just, evaluate your place in that process and figure out how to get engaged to just help make this environment better. And as far as where to contact me, I think on LinkedIn you can look up Chris Reed or C H R R E E D, the same thing on Twitter if you want to get ahold of me there. And then lastly, you can check out the Medtronic product security page for some resources, Medtronic.com/Security will get you there.

Saul Marquez:
Love it. Thank you, Chris, Aftin, and Debra, the work you guys are doing is meaningful and impactful. There are bad actors out there that want to take advantage of just these openings and the work that you’re doing is making a stronger. So thank you all for what you’re doing. And listeners, thank you for tuning in. A reminder, again, everything that we discussed today on this episode is available in the show notes, so check those links out, take action, because that’s where the magic happens. Appreciate all you guys today. Thanks for joining me.

Chris Reed:
Thanks so much. I appreciate you having us on.

Things You’ll Learn:

  • Collaboration is key to improving cybersecurity.
  • Healthcare delivery organizations retain and use medical devices for longer than the technology’s useful life, creating security gaps and issues that result from the inability to apply patches rapidly to ensure patient safety.
  • You must think about cybersecurity at each phase of that lifecycle to have the most robust device possible.
  • Healthcare delivery teams manage many different types of devices that need to interoperate and work together and stay secure.
  • Manufacturers have become more open and transparent about vulnerabilities in their products.
  • The International Medical Device Regulators Forum helps accelerate convergence, adoption, and key areas of medical device challenges.
  • If you have good security and can prove it, processes with the FDA will be easier.

Resources:

  • Connect with and follow Chris Reed on LinkedIn and Twitter.
  • Connect with and follow Debra Bruemmer on LinkedIn.
  • Connect with and follow Aftin Ross on LinkedIn.
  • Download the Medical Device and Health IT Joint Security Plan here.
  • Read about the FDA’s take on Cybersecurity in Medical Devices here.
  • Read the International Medical Device Regulators Forum Cybersecurity Guidance here.
  • Check out the Medtronic product security page here.
  • Visit the Health Sector Coordinating Council’s Website!