Protecting Medical Devices from Cyber Attacks with Elad Luz, Head of Research at CyberMDX: Audio automatically transcribed by Sonix
Protecting Medical Devices from Cyber Attacks with Elad Luz, Head of Research at CyberMDX: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey everybody! Welcome back to the Outcomes Rocket, Saul Marquez here. Today, I have the privilege of hosting the amazing Elad Luz. He is the Head of Research at Cyber MDX and has more than 15 years of experience working hands-on in cybersecurity software, research, and management. As head of research at Cyber MDX, Elad is one hundred percent focused on protecting and improving the safety of medical devices. He painstakingly studies how they work and whether they have any open gaps or vulnerabilities that bad actors can exploit. The research includes classical cybersecurity techniques such as analyzing protocols, reverse engineering software, testing vulnerabilities, and also data-driven techniques using machine learning and artificial intelligence. Elad regularly shares his interests with insights with vendors and officials, which often results in public vulnerability disclosure. It’s a risk that we’ve been very well aware of for a long time. And those of you listening to this, whether you be a provider hospital buying these devices, wanting to keep patients in your facility safe, or if you’re a med device company looking to increase the safety profile of your devices. This is the episode for you. So glad. I’m so glad that we’re here today. And thanks for joining us.
Elad Luz:
Thank you for having me, Saul. So I’m excited to be here.
Saul Marquez:
Yeah. And by the way, thank you so much for jumping on late in your day. You’re calling in from Israel and we appreciate your dedication to what you do here.
Elad Luz:
Sure, it’s perfectly fine.
Saul Marquez:
So, listen, I’m curious what it is about, like just what you do. What is it that inspires your work in security within health care?
Elad Luz:
Saul that that’s a story that started four years ago. Just before I joined Cyber MDX, I was looking for my next position in a cybersecurity company, and I met Amir Magner, our founder and he was describing the challenges hospitals are facing in cybersecurity. It was not long after the war cry ransomware attack with literally hundreds of thousands of computers were attacked, causing billion-dollar damage and delays in caregiving worldwide. And so I remember coming back home having thoughts about this I would say injustice situation, because hospitals are places we go when we’re the most vulnerable and hurt, either emotionally, physically or even both. So those places should be neutral. They should be ethical, sensitive, safe, of course. And bad actors are coming and messing it all up. They target our hospitals, our safe places. We go to the most vulnerable. That means that’s like benefiting from hurting humanity at its weakest point. And the more I thought about it, these thoughts became emotional. Even now what I’m describing this to you, and that’s just what I understood I’m joining. So I know this work is going to inspire me and wake me up every time in the morning protecting the things that protect human life that’s motile. And so that is the motivation and inspiration for me in health care.
Saul Marquez:
That’s fantastic. I love that. Protecting the things that protect human life. And that’s something to wake up for and stay up late for. Well, how would you say that you and the team at Cyber MDX are adding value to the health care ecosystem?
Elad Luz:
So we part of the ecosystem in different points, in different aspects, perhaps first and foremost, obviously. So we supply them with the cybersecurity solution, which is specifically designed to help their challenges, hospital challenges in the cybersecurity area. And we also don’t just deliver a solution. We help them guide them frequently, share our knowledge with them. So that’s what we do with deals. Another player in the ecosystem who we interact with is medical device-managed security services. You’re obviously familiar with Philips, which is a leading manufacturer. Health care sector. Critics today are also offering cybersecurity services for deals, and they have decided to exclusively choose our solution to be used as a foundation for the development and implementation of cybersecurity plans for the customers. So they give services for cybersecurity, for hospitals by using our products of our hospitals that use our product themselves and our hospitals who use, manage, outsource security services. And we are also involved.
Saul Marquez:
Very nice. Hey, quick question for you. What does HDO stand for Elad?
Elad Luz:
Health delivery organizations
Saul Marquez:
Got it. Got it. OK, I’m with you. I’m not now. You’re good. You’re good. I just wanted to make sure we were on the same page there and it makes a lot of sense Right. being able to provide all of the stakeholders’ perspectives on the security status of these devices. Philips I mean, they’re a huge player in this space across many, many devices. There must be a good reason that they’ve decided to work with you guys as the exclusive provider of what you do. What makes you guys different or better than what’s available today?
Elad Luz:
Well, that’s a question for customers. But I think they would tell you three things. First of all, our inside and I’m particularly proud of that because it has to do with the research our team delivers, the team that I lead. We’ve discovered fifteen different vulnerabilities in the past years, affecting over a hundred different medical device models. That is greatly benefited our customers as well as the broader community, not only our customers but everyone who uses those devices. We can now improve the security of the facility. And I’d carefully say that we are the leaders for medical device vulnerability research. Also our flexibility. So we enable customers to optimizing for the security. They can segment entire groups of devices inside the hospital, which are common policies. They can block specific scenarios between connected devices. They can control the utilization. Your compliance alignment will inside the company will very innovative and constantly looking for what values we can give our customers and step in and reach solutions, and I think our customers really feel it. Another point is about action. We take the out of risk management and make it more science. So we have a unique approach called device-centric risk management. And which solution can simulate the risk reduction before taking action later on? We automate those actions for you. We also help our customers determine whether they should start, because usually in cybersecurity, you have lots of issues and lots of different devices and aspects, and you just need to know where to start. You just need to know how to prioritize things and also how to do that, how to mitigate the risk and have alternatives, because not everyone can do the maximum effort for every problem. So it was very important for us to enrich this action aspect of the solution because that increases the chances our users will decide to act and eventually that’s what’s going to protect their devices. Those are the three things I’ve said mentioned our insights of research, the flexibility of our solution, and our attention to and reaching the action aspect.
Saul Marquez:
And that’s very unique. Thank you for mentioning that. And there are so many things that can happen with these devices. And then there’s also the areas of care so you could be dealing with a device that is acquired and operated within the walls of a hospital. Then there’s the actual implantable and devices, external devices to see that, for instance, that is taken home to take care of therapy for a patient. Those are very different. And so what are some thoughts that you would share around those that stay at the hospital and those that go home?
Elad Luz:
So those that go home can be divided into implantable and also telemedicine. People get equipment like patient monitors, and this equipment is connected remotely to the hospital reporting about the vital signs. Yes. And this is the new normal. Also following COVID. These are new challenges that we have to cope in the next year.
Saul Marquez:
Yeah, yeah. And so so within the context of telemedicine. Yeah, you’re right. It’s become central. I mean, the shift to remote medicine, virtual care, care at the home, call it what you want. There’s a lot of opportunities there for attackers, but there are also opportunities for us to get ahead of it. What would you do or what does your company do to improve outcomes or make business better in that area of security?
Elad Luz:
Mm hmm. Yeah, good question. So first of all, if I like I can tell about this situation is more so obviously COVID and our POC’s on personal contacts on hospitals are usually project managers, personal information security personnel, Biomet. And when we start, those people were busy setting up new departments, connecting more devices, enabling remote work and more. And they also had to deal with new constraints. So they were less responsive for a couple of months and that delayed some processes. But the cyber threats, just like you said, did not help. It’s the opposite. Hackers were exploiting the new normal. So what we see more is staff working from home are easier targets. New networks that are rapidly deployed might have missed proper security, uncertainty and instability, affected people’s judgment, and open so many options for phishing attempts because every day you get surprising news and you start believing everything. And phishing works better on you when you’re unstable. So eventually attacks on hospitals rose. So a couple of months later, not only HDO’s restored those cybersecurity efforts, but they also extended them and more of them understood. It’s a vital part of the organization and business and continuity. They came back with new challenges and more requirements, just like when most of us believe. Also, listen know at the beginning of COVID was skeptical about how working at home is going to work and will we adapt it all. But eventually, it created a revolution. So we adapted it and we learned how to do new things and we are now better. So, of course, we all wish this was under different circumstances, those hyper jumps canonly happen, I think, after introducing significant constraints. That reminds us that we’re not open-minded enough sometimes and evolutions could happen more frequently.
Saul Marquez:
Yeah, I totally agree with you. There is that opportunity. And COVID became one of those bad things that happen that we’re making huge advancements with and thankfully with the work that you and your team and the work that the security teams are doing at these organizations, we can deploy these solutions safely. There’s a huge opportunity and we shouldn’t wait for things like COVID to make these huge leaps and revolutions, as you call them. Well, speaking of leaps, what are you most excited about today?
Elad Luz:
Well, obviously, my baby girl, nine months ago, I became a father. And excitement is an understatement.
Saul Marquez:
Congratulation, man. That’s awesome!
Elad Luz:
Thank you.
Saul Marquez:
Are you getting much sleep?
Elad Luz:
I was just beginning to say that sleeping, on the other hand, is an overstatement. Yeah.
Saul Marquez:
So, yeah, congratulations.
Elad Luz:
Thank you. But I love it. So I’m excited about research in general and vulnerability research in specific research is obviously exciting. And you may know what it starts, but you never know where it ends when you end up with valuable findings. There is much excitement because of research that you started on your desk in the lab and then report it to the manufacturer could end up with protecting thousands of hospitals worldwide if there was a public advisory, if patches are released and we had this happening for millions of devices and that was so amazing and exciting. Also excites me is when we get feedback from customers saying your solution, help them secure the devices or specifically when it helps, preventing serious damage that can make my day.
Saul Marquez:
Yeah, that’s fantastic. Yeah. You know, you started on your laptop or on your desktop there, and then the next thing you know it, you’re helping protect those devices that protect people’s lives like in the millions. And that’s a damn good feeling. That’s a damn good feeling.
Elad Luz:
Definitely.
Saul Marquez:
The other thought that came to mind Elad is like oftentimes when hospitals are acquiring these devices and device companies want to sell them, the acquisition process could be lengthy. And I’ve seen the field evolve from 10 years ago to now. Like every single device you have to get in has a lengthy cybersecurity review. I wish there was a way to just expedite that. I wish there was maybe like a more standardized way to go through the process. What do you think about that? Is there a future where it could be more standardized or do you think each device is so different that it will never be standardized?
Elad Luz:
Great question. And to the point. So we walk these days with our customers on the onboarding process for the medical devices. So when you receive a new device to a hospital or when you evaluate the new device, you want to set it, set it up in the lab environment and make sure all the integrations work, all the intellectual ability. So our impression is that when hospitals do that and they already do such onboarding, they focus too much on interoperability, meaning that the device will probably send telemetry to databases and will work with other devices as expected. And that takes time to make it work. But they should we think they should focus more also on cybersecurity, of course, getting the chance of the device inside the lab, having a chance to evaluate its security, some devices, and other capabilities. When they are connected, they can be remotely managed, they can be remotely updated. They can work with other devices that perhaps the hospital doesn’t have. And those capabilities are unnecessary. So it’s best to be informed of all those things before deploying this device as an entire fleet in the hospital. So these are deployed in the most secure way because after you deploy them, it’s very hard to make changes on production. Everyone is very strict about that, about the length of the process. Yes, that process is very lengthy. Everything is very lengthy in that area, manufacturing the device and getting it to the market and deploying it and everything and also supplying updates. So it turns out that. Mobile devices and desktops when there was a security issue. Manufacturers can get updates within days on medical devices. The average time is about a couple of years, something like that. So in that period, the device is affected, vulnerable, whatever. So there was a lot to improve regarding time frames.
Saul Marquez:
Yeah, that’s interesting. Hey, off topic. I’m just curious, you know, about that whole project that Elon Musk has, the Starlink.
Elad Luz:
Yeah.
Saul Marquez:
So, you know, I often think about that. The idea is Internet, but I mean, is it bigger than that? Are they going for more? OK, and so I should level set this. So, folks, you’re listening to this. I was outside the other day. I left my neighbor’s house. It was Friday. I was with my son. It was about nine fifty pm. And all of a sudden I see these like stars and they’re all in line behind each other, moving just directionally, one behind the other in a straight line. And I’m like, oh, my gosh, what is that? And I had no idea Elad I had no idea what it was. I’m like, they’re UFOs. I don’t know what this is. So I went back home and I looked it up. And sure enough, it was the Skynet or Starlink that SpaceX is doing. And I think about stuff like that. So you’re putting these things up there. What if those things get hacked and now, you know, like what are your thoughts on that? I know it’s off-topic, but you think about these things, so I’m curious.
Elad Luz:
That’s crazy. That’s great. So first of all, about your story, there are amateur astrophotographers who complain about those objects before. They’re used to take long exposures of the sky and those objects are moving just too fast and ruining photographs. It’s just another matter. Yeah, definitely. In satellites, it’s a bit more trickier to get in line with the communication or be a man in the middle. And I mean, I hope so. And it really depends on how things are implemented. But they will definitely be a sexy target for hackers.
Saul Marquez:
Right?
Elad Luz:
All the controls of those satellites which are connected to the Internet and perhaps more portable would be targeted.
Saul Marquez:
Yeah, fascinating. Well, anyway, thanks for your thoughts there. It is very real. And so our world is evolving and the work that you’re doing in providing health and health care to patients is important. The devices that you use are critical in that work. And the work that Elon and his team do at Cyber MDX is so important – protecting the devices that protect people. It’s important that you stay abreast of what’s going on. The thought leadership that Elad is doing here is just incredible. So if you haven’t heard of them and you haven’t or if you have, it’s time to dig deeper and get better. CyberMDX.com is where you can find them. Elad, why don’t you give us a closing thought here and the best place that the listeners could get in touch with you or your team if they want to continue the discussion?
Elad Luz:
Sure. My closing thought is let’s help hospitals, cybersecurity, security. Let’s be proactive. Lots of ways we can help. The ex is constantly going and recruiting hospitals in your area might be hiring for cybersecurity positions. Also, if you’re interested in volunteer opportunities, the non-profit organizations that help hospitals with cybersecurity. So lots of ways to get involved. If anyone wants to know more about how they can help with that, feel free to reach me over LinkedIn or you can head to our site and contact us and we’ll do my best to help.
Saul Marquez:
Outstanding. Well, thank you. Thank you for the work that you do and the difference that you and your team make in the daily care of millions, millions of people. Billions, I would even say so. Thanks for jumping on with us and sharing your insights. This is this has been fun.
Elad Luz:
Thank you Saul for reaching out and thank you for helping us raise the awareness on cybersecurity.
Sonix has many features that you’d love including automated subtitles, world-class support, transcribe multiple languages, collaboration tools, and easily transcribe your Zoom meetings. Try Sonix for free today.
