October 25, 2024: Samantha Jacques (VP of Clinical Engineering at McLaren Health Care), a key leader in developing the "Managing Legacy Technology Security" (HIC-MaLTS) document, shares insights on risk management, governance, and future-proofing medical devices. Can smaller healthcare systems keep up with these challenges, or are these solutions only accessible to larger organizations? And how can we shift from a device-centric approach to a holistic ecosystem view in healthcare security?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first-of-its-kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.
Learn more at fortifiedhealthsecurity.com
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people, process, and technology making healthcare more secure.
And now this episode of Unhack the Podcast.
Everyone, welcome to Unhack the Podcast. I'm your host Drex DeFord, and today we're going to talk about some of the completely free and really cool stuff that's produced by the Health Sector Coordinating Council Cybersecurity Working Group, and it's the government, and so there's a long acronym for this, but we'll just shorten that to CWG for today. The Health Sector Coordinating Council Cybersecurity Working Group, or CWG, is composed of more than 400 industry and government organizations that work together to develop strategies to address cyber challenges in the health sector. And one of the many things the CWG does through a task group process is that they develop these free resources that are focused on sound cybersecurity practices across a whole range of disciplines.
And today we're going to talk about some of those resources, one of those resources, and this one in particular is under the banner of securing medical technology. And joining me for that discussion today. Hi, Samantha. Thanks for being on the show.
How are you? I'm thrilled to be here. This is a really important topic for us to be talking about.
So it's great to have the time to talk through it.
There's so much good stuff that comes out of the CWG. And as I talk to folks and they ask, something comes up and I'm like, oh, there's an HSCC resource for that. There's a CWG resource for that. So while we produce this stuff, and I think a lot of people know about it, there's still a lot of people that don't know about some of those things.
But first, why don't you introduce yourself and talk a little bit about your background, because I think it's really interesting to hear about your background, and then we'll go on from there.
Sure. So for everybody that doesn't know me, hi, my name is Dr. Sam Jacques. I am the Vice President for Clinical Engineering at McLaren Health, which is a 13-hospital system in Michigan.
I also sit on the Executive Committee for the Health Sector Coordinating Council. And Drex is right. We do awesome work to bring together a really diverse group of constituents to try and put best practice guidance out there for individuals that work in the health sector, and it doesn't particularly matter what part of the sector you're in.
I happen to be in the hospital portion of it, but the manufacturers, if you're in the government section, the payers, it doesn't matter where you are. These guidance documents that we put together are really great resources for you to go ahead and use.
It's a really great point.
The other thing I want to say, are you on the AAMI board, too?
I do. I also sit on AAMI's board.
Oh my gosh. I don't know how you do this. How do you do all this amazing stuff? And thank you, if no one's told you, for all the stuff that you do to try to help make healthcare better and safer.
Oh, thank you.
Yeah, so more broadly, so you're doing all of this stuff. At some point, you became involved in the Health Sector Coordinating Council Cybersecurity Working Group. How'd that happen?
So it was actually when we started this project, oh God, now four or five years ago. I had a colleague who wanted some individuals who knew about medical devices, right?
And hospital CISOs know enough to be dangerous about medical equipment, but they're not what I would call subject matter experts, right? And so they were looking for individuals a little bit more knowledgeable on the medical devices. And so obviously I'm relatively engaged in a bunch of different organizations.
And somebody tapped me on the shoulder and said come look at what we're doing in the HSCC and see if this is something interesting you'd want to be involved in. And so I got involved in this document we're going to be talking about today and eventually over the years made my way up through the leadership organization of HSCC and now obviously sit on the executive committee.
Yeah, so that's great. So you're one of the leaders on the team that's created what is probably one of the most, I'm trying not to fanboy out here too much, but it's one of the most extensive documents in the CWG library. It's called Managing Legacy Technology Security. The acronym is HIC-MaLTS, and you and a lot of other folks, all volunteers, you put a lot of time into sort of building this resource.
Why did HSCC and you feel this was such an important topic? And then we'll talk about the document.
Sure, so part of the issue that occurs in the medical device world is that hospitals and health systems have a lot of technology. And that technology is not necessarily supported, right? Medical devices that exist in the healthcare environment exist there for a very long time.
If you're in the IT world, there tends to be a very good life cycle around computers and servers, and we put a lot of money into that life cycle. On the medical device side, the life cycle of those devices is much longer. We may keep a device 7, 8, 10, 12 years, and that causes issues, obviously, when we're talking about things like operating systems and IT security items that we need to go ahead and try and secure.
And so we have a lot more legacy devices, right? And managing those gets to be very complicated. And so understanding different alternative ways that you can secure your technology when they're not actually supported is something that was very important for us to put some guidance around.
We know organizations need to go ahead and replace some of this technology, but it's also a huge financial, logistical, and operational burden, and they can't necessarily do it at the pace that our manufacturers really need them to do it. So this guidance really helps both sides of the aisle understand exactly what we can do to ensure that our healthcare organizations and that our entire ecosystem stay secure.
Yeah. So let's talk about the document. I want you to walk me through some of the highlights, but I think start with a very important point that you make early in the document. I read through it again last night, and obviously I've read it before, but you have this distinction about technology versus devices. And you start there, and I think it lays out the whole framework for the rest of the document.
So when we started this project, we started it several years ago, and ultimately we thought it was going to be a very easy, quick six-, eight-month type of project to build.
It ended up being a two-year project because we started out, to your point, as a device-centric kind of document. We wanted to talk about devices. As we talked through a lot of the implications of exactly what happens with a legacy device, we really came to the realization that we weren't talking about devices. We were talking about technologies, right? And so in reality, when you implement really complex technologies in a health system, it's not just the physical thing you're implementing. It's the rest of the ecosystem that goes along with that thing, right? I may have an infusion pump. That infusion pump is one endpoint device that I do need to manage.
But I also have to care about the network it sits on, I have to care about the server it talks to, I have to care about the application that sits on that server, I have to care about how that talks then back to the manufacturer. That ecosystem becomes incredibly complex. And I have to care about securing not just my infusion pump, but the entire chain of that technology.
And ensuring that technology chain is secure, but also ensuring that technology works in the way that's intended from an FDA medical device kind of perspective. Throughout this process, this multi-year process we went through to create this document, we changed our language. And to your point, we actually talked about it very early in the document.
We no longer use legacy device in the document. We use legacy technology because we intend for the readers, and for people who implement solutions to secure technology, to think about the entire ecosystem, not just the endpoint device, from a security perspective.
Yeah. The holistic approach. I like it.
Are there other things in the document that you'd like to talk to folks who are listening about, things that are in there that could help them specifically with this? I've been struggling with this, I feel like, since I was a little kid. It's been a challenge for a while.
So it has. I think the other thing that we really try and hit really early on in the document is just basic terminology. So if you've been in the medical device world for a while, there's a lot of terms that are thrown around that get interchanged that do not mean the same thing. So an end of life is not the same as end of support, which is not the same as end of guaranteed support.
And so we tried to align our nomenclature to the IMDRF, which is the International Regulators guidance document. Before this document came out, the International Regulators Forum actually created a guidance document that had definitions in it for these different terms. We've aligned to them to try and help not only hospitals, but also the medical device manufacturers that are usually multinational corporations, so that we are all speaking the same language.
And I hate to say, but we are. The fundamental nature of speaking the same language is really foundational to all of us understanding exactly what we're talking about. And really using the same terminology helps us set a ground level expectation for each other when we're getting into negotiations, when we're talking about what to expect or how to put support plans together. We all have to have the same expectations of what these terms mean.
Also it lays the groundwork for the collaboration between what often can be very much a grind between the security team, the health information technology team, the clinical engineering team, and then the IT group itself. Sometimes there's some tough relationships that are going on there, and speaking the same language makes a big difference, makes it easier.
It does, and I think having an understanding, again, if you go back to the overarching global view of the actual ecosystem, also helps in that mechanism as well, right?
This document also has an entire section around governance, which is exactly what you're talking to. Whose roles and responsibilities are what pieces of the technology solution, right? My team in clinical engineering may be responsible for the end user device, but maybe my team is not responsible for patching the server, right?
Maybe there are different roles and responsibilities within those organizations. Understanding the governance is actually one of the foundational pieces we talk about when bringing in technology from an organizational perspective. That governance becomes incredibly important when that device becomes legacy, right?
So now your device is end of support, right? It's no longer supported by the manufacturer. Whose role and responsibility is what with regards to the overall ecosystem that that device lives in?
Yeah, talk about patching. I mean, as part of this, obviously one of the things that we all struggle with is just the patching issue.
Yeah, and obviously when a device becomes legacy, it's no longer supported by the manufacturer. So patching goes away. You no longer have the ability to patch the device. And so you need to find alternate methods to continue to secure the device. The document really talks about a lot of risk management strategies, other ways you can look at securing the device, how do you risk rank the device based on what it does and where it is, and how else you can secure it within your environment.
It also talks about how you can transfer risk, so there's a risk transfer framework in the document that talks about a unique way, and I'm going to say unique because it's actually not documented anywhere else in any other document we're aware of, but a way that you can actually transfer risk from the medical device manufacturer to the health system, should the health system want to patch devices without validation of the patches by the medical device manufacturer.
And there are large health systems who have the capability of testing patches locally, and actually sending patches out to those devices without the medical device manufacturer doing that validation and verification. If you as a health system are listening to this and you want to continue patching with standard Microsoft patches, there is a framework in this document that you could look at, and I would recommend that you evaluate to determine whether or not you want to take that risk on as a healthcare organization.
And so the HIC-MaLTS document, the beauty of it is, you don't have to reinvent the wheel. There's a lot of stuff in here that you can go and look at and use. And the other thing I will say is that I was talking to Errol Weiss earlier. So many of the documents that are in the HSCC CWG collection in the library, including this one, anyone can use, not just healthcare organizations. Other industries who take a look at this, if you just take out the word healthcare, you have legacy problems. You have these legacy challenges. So the document is really valuable to them too. One of the things you call out in here is smaller and mid-sized organizations, and their challenges and different approaches to this compared to the larger organizations.
Talk a little bit about that.
Sure. So we all understand that there are haves and have-nots from an organizational perspective. Large organizations have a lot of resources that are able to do some really unique things from a security perspective. Small and mid-sized organizations may not have those resources.
And I really think that this document helps all of those organizations based on whatever resource capabilities that they have. I think some of the foundational items that we talk about in this document, like communications, they benefit everybody, right? You should have the appropriate Coordinated Vulnerability Disclosure Program.
You should be talking about technology life cycle. You should have a risk management program. It doesn't matter what size organization you are; here are the foundational things that you guys should be working on, right? And it helps small and mid-size organizations prioritize those things that they need to be focused on.
If you are a larger organization that has more resources, here are some advanced things that you can implement and look at to see if it's something that you guys want to go ahead and take advantage of. I will say that this document obviously was built on all kinds of discussions, not only with small, medium, and large healthcare organizations, but I do want to highlight that we have, as part of the HSCC, also medical device manufacturers, right?
And they were included in this document, in these discussions, as we built HIC-MaLTS. And I'm going to lean on the communications section again, as we're talking about communications and we're talking about how MDMs and HDOs should be communicating with one another. In there is best practice guidance on what those communications should look like, right?
And so it doesn't matter if you're a large organization or a small organization. How should we communicate end of life information? How should we communicate vulnerability disclosures, right? How should we communicate basic information on risk management? That's all useful information regardless of the size of your organization.
In planning for future cybersecurity spending, in planning for equipment replacement, all of those things should be planned into or built into those conversations, so I love that. What else haven't I asked you about in the document that you want to talk about?
The other thing that we tried to do in this document is we tried to create a model for future proofing legacy devices, right?
So we all know legacy is a massive issue right now. We all know that there's tons of technology currently implemented that no longer is supported. But one of the thoughts that we had is we want to get rid of the legacy problem going forward. So there's an entire section in this document that talks about future proofing.
And so this really is a way for organizations to try and think forward when you're building or when you're buying IoT, new technology, to try and mitigate the future legacy issue. And so again, it doesn't matter if you're a small organization or a large organization, it talks about how you should assess a product, how you should acquire a product, how you should put together contractual obligations and support that product throughout its lifecycle to mitigate the issues you have when a product goes to a legacy status.
And so I think that's also a unique aspect of this document. The thought that we could potentially in the future get rid of the word legacy is really astonishing. Obviously it's too soon for us to say that's been successful, but I think trying to future proof this problem is one of the ways we're going to get out of this issue that we have.
There's no easy solution for the legacy problem, but if we continue to try and mitigate the issues that we have going forward, we can try and resolve the issues that we're seeing in a future state.
I wish we would have done that better four years ago.
I wish we would have thought more about this four years ago. But even if you think five or six, or seven or eight years ago, like a lot of this stuff didn't happen. We didn't have the cybersecurity challenges in the form that we have today. We didn't have, sometimes we didn't have the networks or infrastructure that we have today.
The best time to try to figure this out now is going forward. How do we keep these things squared away? And the opportunities there with HIC-MaLTS language, good examples, all of that.
It is. And I will say, for those of you that are picking up the document for the first time, the document will seem slightly overwhelming to you.
It is a hundred-plus pages of information. I will tell you that it is broken down in a way that you don't have to read all of it at once, and you don't have to linearly take in the information all at once. Look at the table of contents, look at the topic that you guys are struggling with at this point, and just jump to that section.
We built the document in a very modular format so that you can use what is important to you today and continue going back to it in the future as you need additional topics. It is a wealth of information, but I can see in some instances and some people have provided feedback that it is slightly overwhelming because it is a very large and robust document.
Yeah. It is. When you open it up, it is scary, but, like you said, the way that you've written it and the language that you've written it in actually is very approachable, and thanks for being a part of that. All this is available for free to healthcare organizations, right? They can get their hands on the document.
We'll post the link to the Health Sector Coordinating Council, Cybersecurity Working Group, CWG, all of the documents and this one in particular, when I air this episode. Hey, thanks for being on the show today. I appreciate it.
Anytime, I'm happy to talk about the HSCC and all the wonderful work that it's been doing.
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.