This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

The IT department usually sits in our offices. They've got PC techs that run around and network guys and stuff. But the reality is the biomed team is at the bedside. They're in the departments. They see everything every day and when something new arrives, they're equipped to go "Hey, wait a minute."

Welcome to This Week Health Community. This is TownHall a show hosted by leaders on the front lines with interviews of people making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. Now 📍 onto our show.

Hey welcome everybody. To another episode of this week health town hall. My name is Samuel Hill. The director of product marketing at mitigate by clarity. Today I'm joined by a very special guest one who is truly an expert in his field. Steve Rubino, formerly of Scripps health. He's now retired and has been a good friend of the medicate by clarity family.

And I wanted to lean on his expertise. He spent 20 years as an army, biomedical technician and engineer, and the last 27 years of his career working at Scripps health as a lead biomedical engineer. And I think he finished his career doing project management planning for all of the device, life cycling and expansion.

That scripts has been going through down there in San Diego. So Steve, good to see you. Thanks for joining us from the beach there in San.

Thank you, Samuel. Let's it's warm out here. So the beach is appropriate.

I can imagine, I can imagine not many more beautiful places than the beach in San Diego, but Steve, I wanted to talk to you about kind of the critical role that biomedicine, biomedical engineering plays in cybersecurity of these devices.

As we all know, there's so many devices that float around hospitals, each of them are unique and they all kind of bring a risk. With their connection. While at the same time, they're also doing a great job of caring for our patients. And so thanks for being here to share this knowledge with us.

Hey, my, my pleasure this is near and dear to my heart.

There are a lot of things that have gone on recently and while I can't get into 'em and everything, I hope to be able to share some information to the biomed community that will help them as they go forward in developing their cybersecurity program.

I know this is gonna be a fun conversation, we're gonna, as we get into it, we're gonna cover seven myths about medical devices and cybersecurity, know, seven things that are kind of commonly held to be true or believed by security professionals and hospitals by biomed professionals and hospitals that may not necessarily be true.

So I know we got a really fun list, but Steve, just from your perspective, You've been around and seen a few things. What has changed and become different over the course of your career as a biomedical engineer.

So in biomedical engineering, early in my career, it was always preventative maintenance and repair of equipment helping clinicians operate the equipment and provide a safe environment for the patients.

With the electronic medical record directive and having to integrate medical devices to the record, we now have to have our devices on the network, and that now puts us into an area that we now need to step forward and begin to become familiar with how the network works, how we protect our patient's health information.

And better yet. How do we continue to protect our patients? Should there be an adverse event that occurs via the internet and.

So the cybersecurity challenge of these devices has only been amplified, with more devices, connecting with the electronic medical records and all that interconnectedness that we're looking for really to make the lives of our frontline staff and of our patients and our communities easier.

And I remember something you told me a while ago was, originally. The biomedical engineers were the first network people in hospitals because these devices would come into the hospital and they would need to connect. And so really biomedical engineers were the first network technicians, if you will.

Yeah. If you look back into the the fifties and sixties patient monitoring, when it was developed they created their own network. It was all a closed network, but it was their own network. Their. Information it folks information services that was a department that was not created.

And so it was really left up to the biomeds and the manufacturers to develop. And then in the sixties slash seventies came wireless technology and everybody shaked their head, but that's what telemetry is. So we were responsible for being able to manage telemetry and all the issues that went on with that.

But little did we know that it would come this far into cybersecurity concerns as it is?

And I know that a lot of the work that you've done throughout your career has been, with the cybersecurity focus, where you've been able to help bridge that gap between biomed and the cybersecurity professionals that are, your peers across the organization.

What would you want folks in the biomed community and also in the security community to know about that relationship between those that manage and maintain and keep these devices operating, and those that are directly responsible for the security of the network and of the patient data.

It takes a community or a village, whatever you wish to say to protect our patient and our patient's data and not one group can do it.

The biomedical engineering team, they need to realize that they're responsible for medical devices and that the it individuals, they really don't have the qualifications to manage and support that equipment, but they can help in the support of the equipment the security team the security team.

We need them to alert us when there are events going on that we need to be aware of. And it's the three groups coming together supporting the clinicians. To make sure that everything is kept secure nowadays. And it's important to know you can't just do this job once a year. You have to do it virtually every day, every day, you need to be monitoring your network and your equipment.

There are things that come in even without your knowledge, and you've got to be able to be monitoring your network and know what's arriving and what's not.

It really is a kind of a holistic approach where, you know I think I've said this before, and I've said it numerous times where, biomedical engineering should be involved in the tabletop exercises that cybersecurity teams put together.

They should be involved in that they should have their plans put together. They should be thinking through and be involved in that process of preparing. I won't say it's the inevitability of a cyber attack or a breach or an incident. But unfortunately that might be the trajectory that we're on.

And so being in that thought process, I think is very important for a lot of biomedical engineers, because they bring such a unique level of expertise about these devices that are inherently risky to the hospital, the rest of the hospital staff. I don't know if you would agree with that, Steve, but what's your experience been about participating in the cybersecurity?

I'm going to take you down a pathway about how equipment comes in and why? I think the involvement of biomed is so crucial. you know, Sales reps walk into the, to the hospital and they get to the docks and they tell 'em, Hey, I've got a new widget and this widgets really fantastic, and this will do everything for you.

Now I'm not promoting service now, but we have a service now platform that we use for our it depart. And they we've actually got ourselves involved in what they call the idea ticket. A new product is coming in. And so they, somebody submits a clinician, submits a ticket saying, Hey, I wanna bring this piece of equipment in.

And there's a precursory review of that device to determine what inter departments within biomed and it and security that need to be involved in the review. Once that's passed and it's ready for an indepth review they do a technical review and that brings in the network people, the data, people, the cloud people, it brings security brings in everybody along with biomed.

So why does biomed need to be involved? Cause we're talking about the equipment and we're talking about the clinical aspects and its clinical functionality. So it's, we play a very crucial role in this and the clinical users generally are not going to be. And once that is, has gone through and all the questions are answered.

Then there is a design solution document that comes forward about how this medical device slash clinical system is going to be installed or implemented within your organization. And what is its integration to the different applications and how we're going to document or validate that everything is working correctly in here is probably areas that I know that bomb can play a really important role.

When a system is installed, we need the documents and we need to validate that the solution design the way that it's been approved to be put onto your network, that it is actually installed and implemented that way. You will be surprised that there will be times when a system is installed and it's not in line with the solution document. So biomed plays an important role. And then the final piece that they play a huge role as. This system is coming in. They're aware of it. They know what's going on and now they can begin to capture all the data about that system. And I'm not just talking about a manufacturer model and serial number.

I'm talking about it's operating system, the version of operating system, the antivirus I'm talking about it's port numbers, it's VLANs, and anything of that nature to make sure what is actually coming in and it's the right equipment being installed. The right.

Well, and you think about it too.

It's also biomedical engineers have the context of that device. They understand really in depth how that device is supposed to work, what it's to is supposed to be used for. And so if something does go wrong, if that is an attack surface area that is then breached or impacted by a cyber incident.

They're gonna be a wealth of knowledge about that device and the communication patterns. What's normal. What's not normal, the preventative maintenance history of that device the patch history. I mean all the different details that go along with that specific device that could help really either speed up the remediation of an attack or a threat or the forensic analysis of, Hey, what happened here so that we can avoid that mistake.

And I know Steve, we're gonna get into these top seven myths of about biomedical devices, about devices and device security. Other comments, any final thoughts that you wanted to share about why and how biomedical engineering, the whole, HTM, healthcare technology management professionals, how and why they shouldn't be involved in device cyber security.

Yeah. First of all share with the bomb, those that already have their programs, they know what I'm going to be saying now. You can no longer be an ostrich and hide your head in the sand. You've got to take and get involved. And that means. That you're gonna need to go get some training.

It helps to be net plus certified. A plus you probably are already there, but net plus, and you should at least have somebody in your shop. That's security plus certified also at Scripps health. We created a it network risk manager for medical devices and that position sits and buy on.

And that allowed us to come to the table with the it department. It took a long time to build relationships and it is gonna feel that they know everything about networks and computers and all that stuff and cybersecurity. But the reality is they don't know anything about medical equipment.

It's really important that we take and be there. The biomeds, they know more than they know about computers, but they're reluctant because for whatever reason, sometimes it's voodoo to 'em. I'm not sure why, but the reality is that they know a lot more than they give themselves credit for.

I do know that it's resource dependent mm-hmm and so therefore, whatever you can do to automate your processes, whatever you can do to help your system. Your CMMS take and capture this information. It will save you a lot of time and a lot of effort on your part. However, if you don't and you have a cyber event, I can tell you, you will spend an incredible amount of time weeks, if not months.

Having to go get information and you'll wish that you had captured all this information and could quickly provide it to your it department. And so, like I said, you have to get involved. The world is what it is nowadays, and it's not going backwards. So fix and break repair that's by the wayside.

It's now time to, to be involved in cyber.

And I think the other message for, security leaders and it leaders that are listening to this is feel free to engage those relationships with your biomedical peers or those folks, or have your teams connect share lunch, share meals, get to know each other because there's a wealth of knowledge about this really risky area of connected devices that, that group can provide.

So it's a very positive relationship.

I would offer this too. The it department usually sits in our offices. They've got PC techs that run around and network guys and stuff. But the reality is the biomed team is at the bedside. They're in the departments. They see everything every day and when something new arrives, they're equipped to go, Hey, wait a minute.

And if you've partnered with your biomed team, if your biomed team has partnered with you, Then they can quickly tell you something has come into the organization and it needs to be vetted quickly before it becomes an issue. And without that that relationship then you're really vulnerable to anything that occurs the loss of patient information.

Or it could be as easy as some service tech bringing in a USB stick to plug into his equipment. And next thing you know, your network's gone down cuz he's messed up your IP addressing or whatever happens.

Yeah. None of that's good news, but, okay. So Steve, we promised the people that we would cover seven top myths, things that are commonly held to believe or misconceptions, perhaps that may not they're widely held or generally accepted perhaps, but let's cover these myths real quick.

So I'm gonna read off the myth and I want you to respond to it. So the first myth that we have for the people today is that cybersecurity for medical devices is optional, true or false.

Steve

That is false. The cybersecurity is definitely a responsibility of, not only the FDA, but other manufacturers and healthcare delivery organizations.

So it's everybody's responsibility. Definitely an important role for everybody.

I know that myth comes to play because we're like, well, these devices weren't necessarily designed with cybersecurity in mind and that's true perhaps, but that doesn't relieve the responsibility of cybersecurity from many of the people that are responsible for it.

Right.

That's correct. There are federal regulations, but a lot of them put the onus on the manufacturer. For ensuring that his devices are meeting cybersecurity requirements that are put forth. But the reality is a lot of the devices go into many different environments many different types of organizations.

And so they can't cover all the bases. So it is not optional. It is a requirement as part of the regulations with the FDA.

Well, speaking of the FDA and the regulations, the second myth is that the FDA is the only federal government agency responsible for the cybersecurity of medical devices.

Is that true?

That is not true. Not true at all. In fact the department of Homeland security is as much responsible as well as the members of the private sector. And the manufacturers, so healthcare organizations. So no, that is not true.

And I know there's been, obviously there's an executive order that was just recently passed around cybersecurity and hospitals that pertains to medical devices both directly and tangentially, I think.

And there's a lot of work happening, but you're right. There's a lot of regulatory agencies, a lot of different bodies or authorities that are all offering. I hope their help and the guidance around medical device, cybersecurity.

I think if you consider the recent events that have gone on across the nation with ransomware there are a lot of healthcare organizations that are paying huge sums of money.

And that's caused everybody to really begin to look at this carefully. It, it does impact not only financially, but it does impact patient care.

Yeah. All right. Myth number three is that medical device manufacturers cannot update medical devices for cybersecurity reasons.

That is a false statement.

They can update their devices anytime that they feel they've got a risk and they should do that right away. Now they may send that update to the FDA, but it does not require FDA approval. They can update their equipment. Any time , that whatever they're doing to strengthen cybersecurity, they can do it at any time.

That goes back to the next bit that we'll talk about here is that the FDA is responsible for the validation of software changes made to address cybersecurity vulnerabilities.

No, the FDA is not another myth. The responsibility lies with the software design and changes. It lies with the manufacturer, the medical device manufacturer.

Yeah. So the ones that are making the device, they don't necessarily need to go get FDA approval. So if there's a vulnerability that's revealed about the device, they don't have to come up with a software patch, submit it for FDA approval, get through the regulatory hurdles that you know, are both necessary and also a pain in the butt.

But then go to market and say, okay, now the patch is available. They can patch the software vulnerability as soon as they can write a code that works and they can get that out to their devices in a reasonable way. Is that your understanding of it?

Yes. With the one added piece that not only do they write it, but they validate that right.

It is effective. Yes, that's correct.

All right. So the next myth is that healthcare delivery organizations cannot update or patch medical devices for cybersecurity.

That is a myth and I've heard this mentioned by several biomed. The reality is that you can update your operating system. You can update your antivirus.

The caveat is that if you're going to do that, you want to check with the manufacturer's device, the medical device manufacturer, and make sure that what you're doing is going to be appropriate for their their system. Now they may ask you not to do that till they validate. And so you need to take your steps to mitigate any risk at that time.

But most of the time you should be able to update that yourself unless there's a specific reason why the manufacturer says no. And I would offer this to you if you're out there and you're getting ready to buy equipment, that should be one of the questions that you're asking. The manufacturer is who's going to be doing the patching.

Who's gonna be doing the update. What can we do? And what can't we do that should be early on. You should know that right away and make sure that if you can do it, that you do it a lot of times an it department will put you into a lab where we can test the device to make sure that it's. you may pull a system that's currently not in use and you do your updates and then test it to make sure that it works correctly.

But no, you can take and do the updates. You can patch the equipment for cyber security for cyber security.

And I think that's an important piece to understand is that one of the best ways to lower attack service risk is by patching vulnerabilities. I mean, there's no if and or buts about it, whether it's a medical device or an it device or an IoT, any type of device that has a vulnerability patching that vulnerability is one of the best steps that we can take.

And now that may not be available or readily available, or even coming soon. But that's one of the things we have to be able to do. So if we can do it, if there's a patch that's there and we can get it installed. That's a pretty rapid step that we could take to make our entire environment safer. Would you.

Absolutely. And as I mentioned before for the biomed team, it's important that you try to find something that can help automate that process. Everybody knows that if you're gonna go out to XYZ manufacturer, determine if there are any updates or patches that need to occur, that can be a very painful process, but there are companies out there that do monitoring of equip.

Passively that allow you to know when there's a patch that needs to occur, an update that needs to occur, and they actually can help point you directly to the area that you need to get that patch or that update. And I think that's extremely important in going forward. So that, right away if you rely on the manufacturer to send you a notice, you could be months mm-hmm down the road before you actually get it.

The letter that comes from them may actually go to your administration and you may not get it until months, maybe even half a year down the road. And that's putting your organization at tremendous.

Yeah. So really the myth here is, hoping to help people take the action. Take the ownership of ensuring that devices are patched as much as is this physically or humanly possible?

I think would be the ideal state here. Okay. Here's one that I don't know if this is a hornet's nest or not Steve you, but the fact that, does the FDA test medical devices for cybersecurity reasons, do they perform those tests?

That is a terrible myth. No, they do not test it.

The FDA requires the manufacturer to do testing on their own for cybersecurity. And that's all supposed to be part of their pre-market testing for the medical devices when they send their documents forward to the FDA for approval. I have talked to the FDA. I won't mention her name. I've talked to a couple of 'em.

They're high up and they said, no, we don't have the resources to test. So we rely on the manufacturer and the fact that we're giving you the, these, this, these myths here. Sam, you can actually see these myths. And I don't know if you'll put that out there. This is actually a fact sheet that comes from the FDA.

So it's, it's not just Steve Rubino making these comments. This is the actual fact sheets coming from the manufacturer.

Well, we see that across. Yeah. We see that in other industries as well. I know a lot of like Boeing getting certified on the new airplane. They submit a lot of the testing to the FAA which the FAA does, they validate or they do their best, but you know, it's a resource constraint issue.

That's understandable. But no, the FDA does not specifically go to medical devices and test them for cybersecurity whether they should or should not. That's a question far above my pay grade, but I thought puts the onus back on. The individual hospital, the individual biomedical team, the individual security teams to make sure that their devices, that they're bringing in have a level of security that's commensurate with the amount of risk they wanna take,

and I would offer this to the audience and that's that Think about all the different environments, the different healthcare delivery organizations that are out there, and they all have their own different network type, their own different way. They do business and stuff. And for the FDA to sit there and try that to test for every environment is literally impossible.

So the best they could do is ask the manufacturer to do the most general. Process for validating, cybersecurity, realizing that the healthcare delivery organization, which will include your security team, your it, and your biomed, that they're gonna have to do their due diligence. They're gonna have to do their technical review to make sure that what they're getting ready to put onto their network is going to be safe and secure.

All right. The last myth we wanna share with the people today is that companies use manufacturer off the shelf software and medical devices. Those companies that are using off the shelf software and medical devices are responsible for validating the. The secure use of that software in their medical device.

So basically the way to say it would be a company makes a medical device, they're using a component software piece and their responsibility, where is their responsibility? Making sure that component software piece is secure and does not present risk to the hospital.

So in there, the manufacturer that is responsible for testing of any of the off the shelf software that they use and hardware that they use and making sure that it's secure for the healthcare delivery organizations one of the things that we are wanting to push.

Manufacturers to do is, to I call it a SBO, S B O N a software bill of materials that's embedded in their device or clinical systems. You're buying a CT scanner. It could have an iPad to operate. It can have an AP an access point. It could have specific off the shelf.

Communication within the system to send images and stuff forward. So there's a lot of stuff that goes on and I would like to, see them actually put that in our technical review. So we understand what off the shelf software is actually being used and we can track.

Well, I know that would've been a huge deal with the log for J recent thing log for J using the Apache struts undercarriage stuff.

The lot of, I mean, that's used almost everywhere, but so knowing which devices were affected by that having a software bill of materials, would've made that task a lot easier for a lot of it professionals. So you're saying the same thing on a medical device, and I'll join you in standing up and saying, we need.

The published S spam that need the published software bill of materials so that we can better understand the component parts of each of these medical devices. It better track the inherent risk from some of these parts, so we can make better decisions about em,

and think about if, if you have an attack, if you have a ransomware, an attack and they're using one of the off the shelf software.

That's in there. How do you go find it in your machines? Because if you don't know, it's there, it's impossible to find and you could be really vulnerable to something that wasn't patched or a an OTs software that is not highly secure. You could really be vulnerable. I'd really like to know about it before I buy the equipment.

And before I put it into my environ, I'd like to know exactly what's there and have it reviewed by my security team and have it reviewed by my it team to make sure that we're comfortable with what's going in, that we're in control of. I,

I may completely agree with you on that. The software bill materials is foundational to good security practice.

Being able to know what's actually there. Well, Steve I'm grateful for you sharing a little bit of this time with us. I know something we've talked about before the best healthcare is very holistic and involves a wide range of specialties and disciplines and people all coming together with the common goal.

And what I'm hearing you talk about today is that. Cybersecurity for these devices is also very holistic and comprehensive. It needs it, it needs security and it needs the biomedical engineers. And so I'm grateful for you sharing bit of the knowledge that you've experienced and accumulated over your very long and illustrious career with the folks listening today.

Hey, thank you very much. I enjoyed it. I hope it helps everybody.

I love this show. I love hearing from people on the front lines. I love hearing from these leaders and we want to thank our hosts who continue to support the community by developing this great content. We also want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. If you want to support the show, let someone know about our shows. They all start with This Week Health and you can find them wherever you listen to podcasts. Keynote, TownHall, Newsroom and Academy. Check them out today. And thanks for listening. That's all for now.