The Cybersecurity of Medical Devices
Episode

Pascal Potvin, CRO and Jeremy Haltom, VP of Sales Engineering at Ordr & Jim Brady, CISO and VP of Information Security at Fairview Health Services

The Cybersecurity of Medical Devices

One of the biggest challenges is securing connected devices, including medical devices.  Welcome back to part two of our chat with Pascal Podvin and Jeremy Haltom from Ordr inc.; we also introduce Jim Brady, the CISO for Fairview Health Services, to the conversation on cybersecurity and healthcare. The three of them discuss the challenges that Healthcare Delivery Organizations face and what assessments they could do to increase the security of their devices to take care of patients.

No one can protect anything without knowing what the threats are, so identifying them is a specific step in the process, and taking action will then make it fruitful. Technology is only one part of the equation; the other one is a great team that is constantly working on increasing the cybersecurity of the organization. Be sure to listen to the previous conversation with Pascal and Jeremy before listening to this episode! 

The Cybersecurity of Medical Devices

About Pascal, Jeremy, & Jim

Pascal Potvin, Chief Revenue Officer of OrderWithMe. Pascal’s been making his mark in Silicon Valley startups since 1991 and as a cybersecurity expert since 2014, with deep knowledge of the US, European and Asian markets, he’s driven hypergrowth businesses to 100 million dollars consistently leading the way to optimal exits. Prior to joining Order, he held CRO and CEO positions with SAS enterprise software companies. Based in New York City, Potvin has a passion for sales, strategic alliances, and customer engagement, as well as for driving VC funding.

 

Jeremy Haltom is the VP of Sales Engineering at Ordr and has over 20 years in the wireless networking and technology industries working for both early-stage startup companies and fortune 500 companies. At Ordr, Jeremy specializes in helping companies deal with the problem of discovering, profiling, and securing IoT and IoMT devices. Outside of securing customer networks, you can find Jeremy competing in Ironman events or tinkering in the garage building cars and even the occasional hovercraft.

 

Jim Brady is excited to have joined the executive IT team at Fairview Health Services, an outstanding nonprofit, integrated health system based in Minneapolis, Minnesota, and part of the M Health Fairview partnership and collaboration, consisting of Fairview, the University of Minnesota, and the University of Minnesota Physicians. 

Prior to joining M Health Fairview, Jim had the honor and privilege of serving the amazing people of Los Angeles County, leading and empowering the talented IT staff within the Department of Health Services (DHS), and partnering with the dedicated leaders and staff within many of the Los Angeles County’s 34 departments. 

Before joining DHS, he had the wonderful opportunity of being a part of the Kaiser Permanente organization and was humbled to have been a recipient of the Becker’s Hospital Review 2019, 2018, and 2017 Lists of Hospital and Health System CIOs to Know, the Los Angeles Business Journal 2015 CIO of the Year Award, HIMSS 2015 Distinguished Fellows Service Award, and HIMSS SoCal 2015 Chapter of Year and President Level Advocacy Awards. 

As a highly successful IT executive with significant experience leading technology and security initiatives in complex academic medical centers and multi-hospital healthcare settings, Jim has strived to be a committed, transparent and strategic thinker with a track record of quality, systematic decision making, providing transformational and business-focused value in this new age of the digital economy and consumerism. A proven leader with the ability to build strong relationships, he is passionate about communicating effectively and building consensus across the organization.

 

Outcomes Rocket Podcast_Saul with Pascal, Jeremy & Jim: Audio automatically transcribed by Sonix

Outcomes Rocket Podcast_Saul with Pascal, Jeremy & Jim: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Saul Marquez:
All right, everybody, welcome back to the Outcomes Rocket podcast. We’re here at ViVE, and this is the part two of the episode that we were chatting with you about. I’ve got Pascal Podvin, chief revenue officer of OrderWithMe, Pascal has been making his mark in Silicon Valley startups since 1991 and as a cybersecurity expert since 2014, with deep knowledge of the US, European, and Asian markets, he’s driven hypergrowth businesses to 100 million dollars consistently, leading the way to optimal exits. Prior to joining Order, he held CRO and CEO positions with SAS enterprise software companies. Based in New York City, Podvin has a passion for sales, strategic alliances, and customer engagement as well as for driving VC funding. I also have the pleasure of Jeremy Haltom joining us. He’s the director of Sales Engineering at ORDR responsible for the Global Sales Engineers Efforts and initiatives. His background is in networking, computer engineering, electrical engineering, networking, and a specialty in cybersecurity. And we also have the amazing Jim Brady. He is the CISO for M Health Fairview. Jim is the VP of Infrastructure Operations and Information Security and CISO for M Health Fairview. Prior to joining M Health Fairview, Jim was the Chief Information Officer at Los Angeles County Department of Health Services, the second-largest municipal health system in the nation, with the integrated system of 19 health centers and four hospitals. Jim was previously the CIO at Kaiser Permanente, Orange County and the CTO and CISO at Hawaii Health System. He holds seven security certifications and a Ph.D. from the Nova Southeastern University Graduate School of Computer and Information Sciences. Such a pleasure to have all three of you here. Thanks for joining.

Jeremy Halton:
Awesome to be here.

Pascal Podvin:
Thank you so much.

Saul Marquez:
Absolutely. So we are experiencing so many changes in health care, and the opportunity for partnerships to happen in order to maximize technology exists in a big way. I’m excited to cover cybersecurity with you guys today. Before we start though, just curious what you guys are enjoying about the conference?

Jeremy Halton:
Well, actually, for me, it’s awesome to see people in, you know, in the flesh and blood and to see faces that I haven’t seen before, connecting. There’s lots of great talks, just collaborating, some focus groups that I’ve been a part of, networking, and just hanging out, so it’s great to be around friends.

Saul Marquez:
Once again, right?

Jeremy Halton:
Once again.

Saul Marquez:
We were gone for too long.

Pascal Podvin:
Yeah. It was, it was so exceptional that actually the, the conference organizer felt it was necessary to print little rubber bands that said, if you’re agreeing, you know, you agree to shake hands and have hugs, you know, which I thought was quite funny. But yeah, I mean, it’s so great to meet with real people again.

Saul Marquez:
Couldn’t agree more. Well, guys, health care organizations and in particular chief information officer leaders, they’ve been faced with challenges in cybersecurity the last few years from the increasing number of cyberattacks like ransomware and also surge of devices and patients due to COVID 19. One of the biggest challenges is securing connected devices, including medical devices. These devices, they’re critical to patient care but aren’t designed with security in mind. What’s the approach here in protecting these connected devices? Pascal, why don’t you answer that one?

Pascal Podvin:
Yeah. So it’s absolutely true. One of the reasons why, you know, it is so crucial to secure those connected devices is that unlike a manufacturing connected device, where if it’s, if it’s not working properly, if it’s hacked, if it’s compromised, the production line start stops. In health care, obviously, you have patient lives at the end of that supply chain. And so the criticality is extremely high. So and it’s true as well that most of those devices have been designed with no cybersecurity in mind. And so we’ve tried to bridge that gap by working with HDOs for the past five years and trying to bring, of course, the cybersecurity that is absolutely necessary for those devices. The minute the device is connected, it’s a window to the outside world, it can be hacked, it can be taken over. We’ve all, we still have the sad memories of WannaCry. And that’s really what we are, what we’re working towards, you know, making sure that those types of events never, never happen again.

Saul Marquez:
Yeah, for sure. That’s a great one. And so, so, Jim, this one’s for you, ORDR, they’ve been working with health care delivery organizations on securing connected devices for the past five years. Do you think the importance of securing medical devices is now well understood by leaders?

Jim Brady:
Yeah, I think that leaders, CISOs, CIOs, maybe not the CEOs in the boards, but they understand that, hey, we need to secure these devices. But I’m, at that executive management level, I don’t think they really know the details. So medical devices are devices that typically the hardware goes for 10 or 15 years, software for maybe 5 years. And we have patches that are coming out, vulnerabilities that are being introduced on a daily if not a minute basis, but definitely weekly, monthly. And they’re simply, as Pascal mentioned, they’re simply not designed to be managed by IT, typically there are clinical engineering, biomedical engineering. These are folks who are awesome people, but they are not in IT, and they have oftentimes they have a whole different toolset of how they manage and do the lifecycle management. So I think that we know on the security and the IT side that, hey, this is a problem, we can’t use traditional antivirus. A lot of these operating systems that these devices are running on, they can’t accept anything. They’re managed, they’re regulated oftentimes by the FDA and not by oftentimes in health care IT, it’s HIPAA that we’re kind of going by. So it’s tough to secure them. So you have to be a little bit creative. You have to find, you know, where are these devices? One of the things that we experienced is, wow, we put ORDR in and we didn’t realize we had a couple of hundred thousand IOT devices. We didn’t, and plus, it picked up all the personal devices that were attached to the network.

Saul Marquez:
Oh, wow!

Jim Brady:
So you don’t really know what’s in your backyard until you put a tool that can effectively discover what’s there and then detect how the, you know, are they acting appropriately? So there’s a lot that a tool like ORDR can do, and I’m excited that we’re using it.

Saul Marquez:
That’s great, yeah. And there’s so much that, that we don’t know. And the opportunity to have visibility to that is critical. Jim, why was securing connected devices important to you in Fairview, and what were some of the requirements that, that you were looking to address with the security solution?

Jim Brady:
Yeah, well, none of us want the big one to happen. That’s a big business-impacting event that could conceivably shut down a large provider of patient care. You know, we’re an academic health system. We, we have patients, we’re serving the community, we don’t need to have our doors shut, not collecting revenue, not paying our 34,000 employees because of a ransomware attack or something. In the olden days, you know, a number of years ago, not too far. It was about, oh, you got a data breach and you might have to pay a fine. If you were assessed a fine by OCR or something, but now we’re seeing that people are being impacted, if it’s a patient safety, patient care, and so these are the devices that are connected, infusion pumps, etc.. So we need to make sure that those devices are secured. And as I mentioned earlier, it’s difficult to use traditional methods to secure them. So yeah, so I’m excited that we’re able to kind of get our arms around it, employ what’s called micro-segmentation and detect activity and try to stay on top of it.

Saul Marquez:
Yeah, for sure. A lot of leaders and health care delivery organizations are looking for help, as you know. Do you have any guidance for HDOs taking this challenge on, and where should they start?

Jim Brady:
Yeah, I think the, one of the first things you could do and that you should do is to do a risk analysis or risk assessment. So if you, you can do it internally, if you have the staff to be able to do it. Oftentimes, if you’re medium to large, you’re a complicated, complex organization, you might want to consider bringing an external party. They’ll come in, and they’ll assess you based on maybe the NIST, N I S T, CSF cybersecurity framework. There’s another initiative the government recently has been supporting called HICP, HICP 4o5(d).

Saul Marquez:
I heard about that one, yes.

Jim Brady:
And so that gives you security best practices. It identifies things that you should be doing, so maybe the top five threats that, that are out there, and maybe the ten best practices. So basically assess, assess your environment, kind of know what’s in that backyard of yours. And one of the things you’re going to understand quickly is that, hey, medical devices, there’s a lot of them, and then we can also go beyond medical devices and do what’s called MIOT or Medical Internet of Things. So there’s facilities and building systems, everything seems to be connected to the network. And so those are, those are vulnerable for attackers, they can get on those and get access to them, then they can cause harm to patients. And so it all starts with doing an assessment, I think, and then you can see, well, what are the things that were found? It could be tens of things, could be hundreds of of gaps and say, well, what are the ones that I really need to focus on first that have the most negative impact that if something significant were to happen? So I think medical devices, because they’re so important to delivering care, those have to be looked at and assessed in working with your clinical or biomedical engineering teams. Come up with a joint program, typically IT is not in that organism, that part of the organization, work together to apply security patches to make sure you have an asset inventory. And in staying on top of those.

Saul Marquez:
Yes, some great tips, Jim. And I think there’s a lot of value through the journey of getting, getting all these devices secured. When you guys implemented ORDR, were there any interesting findings you could share?

Jim Brady:
Yes, I might have mentioned it earlier that, wow, we have a lot of devices on the networks. Like where do these come from?

Saul Marquez:
Yeah.

Jim Brady:
And if I were to ask just leaders and they say, well, how many devices do you think we have? And they might say, you know, 100 or 1000, but or 10,000, but not in the hundreds of thousands. So I think it’s the sheer number of devices that we’ve got. Also, when we did the implementation, how you actually implement the sensors and how you configure them technically on the network to be able to get to all the nooks and crannies of the network because we’re an organization that is built by acquisition. And so we do have a single network, but you can’t necessarily get to all of the devices on all facets of the network unless you work with the network team to open up those ports and VLANs and those technical terms there. But.

Saul Marquez:
Yeah.

Jim Brady:
So it’s, it’s really working with all of the, the teams that would be involved to be able to get a full view and then to stay to have that full ongoing visibility of the network because things are coming, things are going, sometimes things don’t work. So they just kind of move it over and put it in a corner and shut the door behind the closet. And you’re like, what happened to that medical device? You can’t find it, it’s not anywhere. Yeah, it is, it’s sitting over there in the closet for a week or two.

Saul Marquez:
Oh, my gosh.

Jim Brady:
So it’s working. It’s everybody working together to make sure we can keep on top of all of our devices.

Saul Marquez:
Yeah. So some great insights, Jim, and thank you for sharing those. Certainly, we all have an opportunity to get better in this space, and there’s even other ways. So so maybe Pascal or Jeremy, maybe when you guys can share different applications that ORDR can be, can be used.

Pascal Podvin:
Yeah, absolutely. So we’ve talked a little bit this morning about C-no and secure you know which are the three logical steps typically on a, on a customer journey like Fairview, you cannot protect anything unless you know what it is. And so, you know, we’ve put a lot of work making sure that we could see, understand which devices are in the network in a non-intrusive way. You cannot apply certain methods like active scanning on, you know, on a medical device because you could alter the behavior of the device and then put the the health of the patient at risk.

Saul Marquez:
Right.

Pascal Podvin:
And so you need to come up with with methods that are passive agent-less and that’s really important. Then know, you know, the threats and the vulnerabilities around those devices. And then I think for, for many customers, and it might be the case for you as well, Jim, I think the goal is to get to a situation where all the devices are appropriately segmented in some kind of a zero-trust type of philosophy, right? And then maintain that that state of of organization. And as Jim mentioned, you know, it’s a very dynamic environment. You know, the devices come and go and sometimes devices come into the business without anybody knowing. You know, it might be a nurse who is is really excited to put an Alexa box, you know, in a room for children to be able to play their tunes. Well, that’s great. She doesn’t know that she’s actually opening a window to the outside. And those are the types of examples that we have to deal with. So that’s one thing. The other thing is and maybe Jeremy can talk a little bit more about it, as Jim indicated, there are multiple personas in the health care industry that we need to cater to and security and networking we’ve talked substantially about, but there is this biomedical engineering population, which is extremely important to the the general functioning of the, the business. And we are reinforcing the functionalities that we’re bringing to this population. And specifically, we just came out with a new product called ORDR eight Clinical Defender, and we’ve substantially increased the level of functionality that we’re putting in the hands of this this population. Jeremy, do you want to comment a little bit about that?

Jeremy Halton:
Yeah, it was really interesting, Jim, you were talking about kind of the journey that you’re going through. And we actually have a playbook, and that playbook talks about the things that you get when you first implement, which is the C, you know, what’s going on out there. But it also talks about the other components that you have to have. And some of them are not technology, right? There are people, and it’s getting those other teams in play because this is a game. It’s like a football team, right? It’s not one person. The quarterback doesn’t throw the ball down the field, right? If there’s nobody down there. So getting everybody involved in this entire process is really important. And each one of those personas or organizations really has a different view of what they want and what they need. And so having this clinical defender, really, I mean, we’ve always had the networking piece and some of the security pieces and all the other sorts of things, but really focusing in on that HTM or the biomed team and providing those things that they need instantly when they first walk in, in the morning is really important for actionable data.

Saul Marquez:
Yeah, some, some great points there and a lot of things for, for us all to consider. The other topic at hand here is ransomware. So Jim, what do you recommend CISOs and other security leaders to secure their business against ransomware attacks?

Jim Brady:
Yeah. One of the things that we have done is we brought in a firm to do a ransomware readiness assessment. And so what that is, it’s a combination of tabletops, but it’s running through all of our security protocols in the event of, as I mentioned earlier, the big one. So we have a complete and total down, we’re down, we can’t function, no access to the network. Similar to an organization I know about a year ago that they had a similar, they had a situation like that where all they had were SMS texting, they had their cell phones running off of cellular signals. And they also had, I think it was Cisco Jabber Web conferencing or something. But they had to run for 3 to 4 weeks, the entire hospital, you know, delivering labs. I mean, it was you know, people are used to being down for a few hours with the EHR and not in use, and we can take care of patients. But if you, if your imaging system goes down and you have an event like a significant ransomware event, you cannot accept emergency patients that have to use radiology if you can’t take their images. So you have to divert them. So it’s a, it’s a huge you know, it’s a huge, significant concern to the organization, they can’t collect revenue. So going through that process more than just the technical, but also bringing in the operational leaders, the executives, what is their role tying it in to the, to the business continuity, emergency preparedness that, that part to, to say we’ve, we’ve done the exercise, we’ve got a playbook. We’ve got, we know that if something were to happen that was significantly negative, then we’re ready rather than, oh, no, something happened. And, you know, you did a tabletop for a couple of hours, but you don’t really know what you’re going to do, and it’s chaos and pandemonium. So I think that’s important. And then, you know, it’s not possible to stop every attack. I know we’ve recently been, for the last four or five months have been tracking how many attacks are we getting at Health Fairview, my organization. So we have 30,000, 40, 34,000 employees and we’re getting 12 hospitals, about 50 clinics, we’re getting about 400,000 attacks per day through email, through the network or firewall or through endpoint devices. So most people, if you ask them, Hey, Mr. and Mrs. Leader, how many cyber attacks do we get at our organization? They might say, well, a couple, a couple a week, maybe? Four a month? And no, we’re in the hundreds of thousands, so, and we’re a mid-sized organization. So they’re and this has nothing to do with the recent activity over in the Ukraine and Russia, etc.. This is just although HHS has said shields up, everybody get prepared. So this is just what’s been going on even before then. So health care is a target, financial services are targets. So I think it’s having as much protection as you can. But then also detection, which I think another thing that ORDR is helpful is, it can look for anomalous behavior and if we see a device that’s high CPU usage that normally it’s you know, it’s not sending out 200,000 emails, it never normally does that, for an infusion pump, so what’s going on here. So it can detect inappropriate or abnormal activity, so that’s good. So I think timely detection is good because, as I mentioned, you can’t stop everything. But if in California, one of the places where I lived for many years that we have a lot of earthquakes and fires and it’s not possible to keep fires from happening, but you can quickly put them out.

Saul Marquez:
Yes.

Jim Brady:
So I think being able to.

Saul Marquez:
Great example.

Jim Brady:
Quickly detect, hey, there’s some activity here, one of our H servers, you know, there’s, it’s doing things that shouldn’t and then, and then blocking it because with good security is going to be layers of defense. And so if you can’t get them at the very front door, then maybe get them at the next door, you know, stop what’s called that kill chain. So keep them from actually getting to the point where they get to your data, they can shut it down, they can say, you know, I want to give you I want to send you a ransom note, etc..

Saul Marquez:
Well, Jim, a fantastic example. And we have an opportunity to, to dig into this further. The partnership between health systems and tech companies like ORDR are so important, just kind of putting hands together to solve some of these challenges. So I’m really grateful for, for all of you jumping on the mic today to talk about some of these very serious issues. Any, any takeaway points here that, that you guys want to share? I want to give an opportunity to each of you a takeaway point that you want our listeners to leave with.

Pascal Podvin:
Yeah. I’m happy to, to start. I think the, the, the areas of, of added value go way beyond just the, the security of, of devices. There is added value in the, the information that we can provide about how devices are being utilized, right? And we haven’t discussed that, but I think it’s quite important and it adds value by helping our customers understand, for instance, well, we have ten infusion pumps in that department. Nine of them are being utilized at full capacity, but one of them is only utilized that 50% capacity. Can we consolidate there? Can we optimize? Right? So that’s, that’s one area that, that is important. And then there is a brand new area that many people are talking about right now, which is cyber-insurance. And I think the cost of insurance is becoming prohibitive for good reasons, right? And many, many organizations that we talked with at the beginning seem to rely on insurance to solve the problem. It’s not solving the problem. And the insurance providers are now putting premiums that are so high that if you don’t have a solution like ORDR in place, then the cost is going to be impossible to come up with, so.

Saul Marquez:
Yeah, great take, great takeaway, Pascal, appreciate that. Jeremy?

Jeremy Halton:
Yeah, yeah. That, kind of to both comments. One was the kill chain, right? And the speed to actually resolving issues because you’re right, not everything is going to solve every problem, but the speed of which we can respond and the speed that we can recover is really important. And that goes right to kind of the cyber-insurance piece, because the faster you can solve the problem, the less issues you’re going to have, the less downtime, everything else goes down, and insurance companies really love that.

Saul Marquez:
Great takeaway there.

Jim Brady:
Yeah. And it’s not uncommon for health systems to have their, in this year, what 2022, to have their cyber-insurance tripled and have deductibles increased by a factor of two and then you get 50% less. And then there are some things, there’s some components of ransomware that insurance providers are not even going to consider covering at all. So you have to you can’t look to cyber-insurance to, you know. well, first of all, I don’t know if I’d I’d be happy with cyber-insurance if I wasn’t going to have my organization running for a month. So that’s not really even like a good trade.

Saul Marquez:
Yeah.

Jim Brady:
But I think my, my final comment would be to, you know, we, we have a lot of things we need to work on in, in health care. It’s not a simple solution. And often, and then sometimes we move from job to job and it’s a little bit of a shifting environment. And it’s important that every solution or every product or platform that you partner well with, you know, the customer and the vendor work together to make it. And it’s not something you do only at this contract signing, but you do it annually and you say, how can we, how can we get the most value? How can we fully utilize this product? And then on the customer side, hey, what do we need to do on our end to help you to be successful rather than it’s all in the vendor? You guys aren’t walking on water, you know, what’s the problem? So I think it’s that, that takes an effort, building, spending time, meeting, and discussing and sharing strategies and visions and the roadmap, etc.. So it’s I think we need to have less vendors, less products, and better, more utilized, better value platforms.

Saul Marquez:
Awesomely said, Jim, awesomely said. Gentlemen, I want to thank all of you, Jim, Pascal, Jeremy, for spending time with us.

Pascal Podvin:
Yeah, thank you. And thank you so much, Jim. I mean, we’re honored to, to work with Fairview and with you specifically and your team. Thank you.

Jim Brady:
Thank you, Saul.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your mp3 files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you’d love including automated subtitles, transcribe multiple languages, secure transcription and file storage, automated translation, and easily transcribe your Zoom meetings. Try Sonix for free today.

 

Things You’ll Learn

  • Medical devices are designed without taking into account security. 
  • There’s a big difference between the traditional IT people and the clinical engineers or biomedical engineers. 
  • Cybersecurity assessments like NIST CSF are crucial for organizations. 
  • No one can protect anything without knowing what the threats are. 
  • It’s not all about technology, securing companies needs a team too. 
  • Protection is needed, but detection plays a big role there too.

 

Resources

Visit US HERE