1
00:00:08,000 --> 00:00:11,759
Speaker 1: I would estimate that somewhere between thirty and fifty percent

2
00:00:11,839 --> 00:00:15,839
of medical devices that are submitted to FDA today qualify

3
00:00:15,919 --> 00:00:18,960
as a cyber device per the Food, Drug, and Cosmetic Act.

4
00:00:23,800 --> 00:00:27,879
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

5
00:00:27,960 --> 00:00:31,600
Nate Nelson. I'm here with Andrew Ginter, the vice president

6
00:00:31,679 --> 00:00:35,719
of Industrial Security at Waterfall Security Solutions. He's going to

7
00:00:35,759 --> 00:00:39,759
introduce the subject and guest of our show today. Andrew,

8
00:00:40,000 --> 00:00:40,479
how are you?

9
00:00:41,000 --> 00:00:43,840
Speaker 3: I'm very well, thank you, Nate. Our guest today is

10
00:00:44,000 --> 00:00:47,840
Naomi Schwartz. She is the VP of Services at Medcrypt,

11
00:00:48,359 --> 00:00:52,920
and we're going to be talking about cybersecurity for medical devices,

12
00:00:53,280 --> 00:00:58,039
talking about regulations for cybersecurity and medical devices, everything from

13
00:00:58,240 --> 00:01:02,399
MRIs to pacemakers to the blood sugar testers that diabetic

14
00:01:02,439 --> 00:01:03,399
folks use every day.

15
00:01:04,000 --> 00:01:08,200
Speaker 2: Then, without further ado, here's your conversation with Naomi.

16
00:01:10,719 --> 00:01:14,040
Speaker 3: Hello Naomi, and welcome to the podcast. Before we get started,

17
00:01:14,079 --> 00:01:16,200
can I ask you please to say a few words

18
00:01:16,239 --> 00:01:18,879
of introduction about yourself and about the good work that

19
00:01:18,920 --> 00:01:20,000
you're doing at Medcrypt.

20
00:01:20,640 --> 00:01:21,159
Speaker 4: Sure.

21
00:01:21,560 --> 00:01:24,200
Speaker 1: So, I'm Naomi Schwartz. I'm the vice president of Services

22
00:01:24,200 --> 00:01:28,400
at Medcrypt. We are a medical device cybersecurity specialty firm.

23
00:01:29,120 --> 00:01:32,760
I joined Medcrypt two and a half years ago after

24
00:01:32,840 --> 00:01:35,000
a six and a half year stint at the FDA

25
00:01:35,200 --> 00:01:37,799
in the Center for Devices and Radiological Health here in

26
00:01:37,799 --> 00:01:41,359
the US. I was a former premarket reviewer and

27
00:01:41,400 --> 00:01:45,200
a consumer safety officer. Most people at FDA wear both hats,

28
00:01:45,599 --> 00:01:49,079
so you do premarket and postmarket management, and

29
00:01:49,200 --> 00:01:54,840
I had particular focus in software, cybersecurity, interoperability, and wireless

30
00:01:54,879 --> 00:01:59,280
coexistence for connected diabetes devices. I was a member of

31
00:01:59,319 --> 00:02:02,680
a team that received a large number of awards, including

32
00:02:02,719 --> 00:02:06,840
Commissioner's Special Citations and the Samuel Heyman Service to America

33
00:02:06,920 --> 00:02:10,560
Medals for Management Excellence because we took a very innovative

34
00:02:10,719 --> 00:02:12,919
approach to regulatory science.

35
00:02:12,599 --> 00:02:14,400
Speaker 4: In our review group.

36
00:02:15,120 --> 00:02:18,199
Speaker 1: I'm also a former defense contractor. I spent fifteen years

37
00:02:18,240 --> 00:02:23,120
developing complex radar systems and jammers for live field tests

38
00:02:23,159 --> 00:02:27,759
with operational DoD assets. What that means is, I don't

39
00:02:27,800 --> 00:02:32,240
just bring a theoretical and an academic perspective to evaluating

40
00:02:32,280 --> 00:02:35,159
whether somebody has done a good job of testing their software,

41
00:02:35,520 --> 00:02:40,759
their hardware, software integration, their cybersecurity. I've actually built things,

42
00:02:40,800 --> 00:02:43,800
and those things are actually still in the operational phase

43
00:02:43,840 --> 00:02:44,639
of their life cycle.

44
00:02:44,840 --> 00:02:45,840
Speaker 4: In some cases.

45
00:02:46,680 --> 00:02:51,520
Speaker 1: So you know, from my own background as an actual electrical

46
00:02:51,520 --> 00:02:54,000
and computer engineer, I was kind of a rare bird

47
00:02:54,080 --> 00:02:57,400
at FDA, which is largely comprised of more of the

48
00:02:57,479 --> 00:03:02,879
biological and chemical sciences in terms of staffing. But what

49
00:03:02,960 --> 00:03:05,479
I brought to FDA when I was there was a

50
00:03:05,520 --> 00:03:08,680
deep understanding of how to connect things in a way

51
00:03:08,759 --> 00:03:12,280
that makes them as secure as they can be given

52
00:03:12,319 --> 00:03:14,879
the constraints that we have in our supply chain today.

53
00:03:15,680 --> 00:03:19,319
As far as the company goes, Medcrypt was a really exciting

54
00:03:19,560 --> 00:03:23,400
prospect for me when I considered leaving FDA, because I

55
00:03:23,520 --> 00:03:26,159
wanted to get out there and teach as many companies

56
00:03:26,280 --> 00:03:29,719
in the medical device space how to do cybersecurity as well

57
00:03:29,759 --> 00:03:32,680
as possible, which meant not going to one large company

58
00:03:33,080 --> 00:03:36,039
or one small company, but working for a lot of companies.

59
00:03:36,080 --> 00:03:38,199
Speaker 4: And Medcrypt is really focused.

60
00:03:37,719 --> 00:03:42,280
Speaker 1: On improving the overall ecosystem and teaching everybody how to

61
00:03:42,360 --> 00:03:45,560
do it well, rather than just working with you know,

62
00:03:45,639 --> 00:03:50,599
an individual company or two and focusing on improving their perspective.

63
00:03:51,879 --> 00:03:56,360
Speaker 3: We've never had anyone on talking about either medical devices

64
00:03:56,639 --> 00:03:59,919
or you know, the FDA regulations, which I know are

65
00:04:00,199 --> 00:04:04,120
are very important in the field of human consumables and

66
00:04:04,520 --> 00:04:08,680
medical stuff. Can I ask you, you know, you're gonna

67
00:04:08,680 --> 00:04:12,120
talk a bit about medical devices. Can

68
00:04:12,159 --> 00:04:14,159
I ask you to, you know, give us a

69
00:04:14,240 --> 00:04:17,600
high-level intro? I mean, what are these devices? How

70
00:04:17,600 --> 00:04:19,759
do they work? You know, what are we talking

71
00:04:19,800 --> 00:04:23,279
about here? I've never had anyone explain this space

72
00:04:23,360 --> 00:04:25,519
to me in one-syllable words. I mean, we were

73
00:04:25,519 --> 00:04:30,319
talking about, you know, pacemakers that are implanted inside

74
00:04:30,360 --> 00:04:32,680
the human body. Are we talking about MRIs that are

75
00:04:32,720 --> 00:04:34,639
as big as rooms? What are we talking about?

76
00:04:35,040 --> 00:04:35,839
And how do they work?

77
00:04:36,800 --> 00:04:37,120
Speaker 4: Sure?

78
00:04:37,240 --> 00:04:40,360
Speaker 1: So there's a huge range of what kinds of things

79
00:04:40,399 --> 00:04:44,279
are considered medical devices that are regulated by the US

80
00:04:44,439 --> 00:04:47,600
FDA and quite frankly, by regulators worldwide.

81
00:04:48,120 --> 00:04:51,759
In most countries, they're separated and distinguished between in vitro

82
00:04:51,879 --> 00:04:56,360
diagnostic devices and all other medical devices. The FDA does

83
00:04:56,360 --> 00:05:00,639
not maintain that distinction, but there's some interesting and complicated

84
00:05:00,680 --> 00:05:03,040
reasons for it, and it relates back to how standards

85
00:05:03,040 --> 00:05:07,680
are written internationally to support the regulation of medical devices.

86
00:05:07,759 --> 00:05:12,160
But fundamentally, a medical device could be something as simplistic

87
00:05:12,279 --> 00:05:16,879
as a Band-Aid or, in other English terminology, plasters,

88
00:05:17,360 --> 00:05:19,199
as they may be referred to. But you know, a

89
00:05:19,199 --> 00:05:22,240
bandage that you put on a scrape on your knee

90
00:05:22,439 --> 00:05:25,959
that technically could be a medical device. It could be

91
00:05:26,120 --> 00:05:29,240
a scalpel for surgery.

92
00:05:29,279 --> 00:05:30,879
Speaker 4: This is a chunk of metal.

93
00:05:30,959 --> 00:05:33,199
Speaker 1: It is supposed to have a certain weight, it's supposed

94
00:05:33,199 --> 00:05:36,160
to have a certain grade. It's, you know, the specific

95
00:05:36,160 --> 00:05:40,759
types of metals used are meant to reduce the reactivity

96
00:05:41,160 --> 00:05:43,920
between the patient and the metal component that's used on

97
00:05:43,959 --> 00:05:46,360
their body. Or it could be something as complex as

98
00:05:46,439 --> 00:05:51,639
a pacemaker as you mentioned, or an automated insulin dosing system,

99
00:05:51,639 --> 00:05:54,879
which is actually multiple medical devices put together into a

100
00:05:54,920 --> 00:05:59,240
system that functions in a particular way. So really, I

101
00:05:59,279 --> 00:06:01,839
mean in a definition sense, a medical device is

102
00:06:02,199 --> 00:06:05,480
defined by the US law in the Food, Drug, and

103
00:06:05,519 --> 00:06:09,160
Cosmetic Act as a device or instrument or apparatus or

104
00:06:09,160 --> 00:06:12,600
implement or machine, contrivance, implant, in vitro reagent, or other

105
00:06:12,680 --> 00:06:16,839
similar or related article, which is intended for use in

106
00:06:16,879 --> 00:06:21,600
the diagnosis of disease or other conditions, or in the cure, mitigation, treatment,

107
00:06:21,720 --> 00:06:24,879
or prevention of disease in man or other animals. And

108
00:06:24,920 --> 00:06:29,120
then you know there's some extensive language beyond that. It

109
00:06:29,240 --> 00:06:33,399
could affect the structure or function of the body of

110
00:06:33,480 --> 00:06:36,680
a human or other animals. And it doesn't achieve its

111
00:06:36,720 --> 00:06:40,000
primary intended purpose through chemical action, which would be a

112
00:06:40,079 --> 00:06:46,240
drug, or within or on the body of man or

113
00:06:46,279 --> 00:06:50,360
other animals, So it's not dependent upon metabolization to achieve

114
00:06:50,399 --> 00:06:53,439
its primary intended purposes. Again, those would be drugs or

115
00:06:53,480 --> 00:06:58,040
biologics potentially, So a device here is a pretty wide

116
00:06:58,120 --> 00:07:02,639
category of things that are used to diagnose, cure, mitigate, treat,

117
00:07:02,800 --> 00:07:06,879
or prevent diseases. And that's very broad. There

118
00:07:06,879 --> 00:07:09,639
are some limitations to that, but I don't want to

119
00:07:09,639 --> 00:07:13,199
complicate things by getting into, you know, specific line items

120
00:07:13,199 --> 00:07:16,240
that are called out separately in the regulation.

121
00:07:17,399 --> 00:07:19,279
Speaker 3: No, I'm happy just to learn what the

122
00:07:19,360 --> 00:07:22,720
rule is, not yet what the exceptions are, you

123
00:07:22,759 --> 00:07:25,439
know, for someone, yeah, who's, you know, at some

124
00:07:25,480 --> 00:07:27,439
distance from this. Let's, you know, stick with

125
00:07:27,480 --> 00:07:32,560
the basics. And you know, as important as, you know,

126
00:07:32,680 --> 00:07:38,519
scalpels are, our focus here is industrial cybersecurity. And you know,

127
00:07:38,560 --> 00:07:41,199
I'm stretching industrial to include medical, but you know, it's

128
00:07:41,319 --> 00:07:45,199
cyber physical, this is important stuff. And

129
00:07:45,319 --> 00:07:48,160
then you know, the keyword is cybersecurity. So when you're

130
00:07:48,279 --> 00:07:53,560
talking about cybersecurity concerns in medical devices, what are

131
00:07:53,600 --> 00:07:56,959
those concerns? What are the priorities? Uh, you

132
00:07:56,959 --> 00:07:59,879
know, I mean, in a power plant, often the

133
00:08:00,079 --> 00:08:02,759
first priority is don't kill anyone. The second one is keep

134
00:08:02,800 --> 00:08:05,079
the lights on, you know. The third one is do

135
00:08:05,160 --> 00:08:08,439
it all efficiently so we can afford the power. You know,

136
00:08:09,040 --> 00:08:11,800
what are we worried about, cybersecurity-wise, in

137
00:08:11,839 --> 00:08:14,639
the medical device field, and what are the priorities over there?

138
00:08:16,480 --> 00:08:16,800
Speaker 4: Sure?

139
00:08:16,959 --> 00:08:19,839
Speaker 1: So you know from an FDA perspective, and you know,

140
00:08:20,000 --> 00:08:23,839
FDA is largely well harmonized with other regulators, so when

141
00:08:23,839 --> 00:08:27,279
I say FDA perspective, this largely applies to the rest

142
00:08:27,279 --> 00:08:30,279
of the world as well. The FDA is super focused

143
00:08:30,360 --> 00:08:34,200
on ensuring that medical device manufacturers are addressing what's called

144
00:08:34,240 --> 00:08:38,720
the CIA triad of confidentiality, integrity, and availability for their

145
00:08:38,759 --> 00:08:42,399
medical devices. Now, some medical devices, like a scalpel, don't

146
00:08:42,399 --> 00:08:46,360
have any software, they don't have any connectivity, they don't

147
00:08:46,399 --> 00:08:50,480
have any cybersecurity risks associated with them. But many other

148
00:08:50,559 --> 00:08:54,639
medical devices utilize software in one way or another. They're

149
00:08:54,679 --> 00:08:58,320
There's either software in the medical device that allows the user

150
00:08:58,399 --> 00:09:02,600
to operate the hardware and to facilitate user interactions with

151
00:09:02,799 --> 00:09:06,159
the hardware, or it's software as a medical device, where

152
00:09:06,200 --> 00:09:09,639
the software performs the entire device function, and what FDA

153
00:09:09,759 --> 00:09:14,240
is looking for is that these medical device manufacturers have

154
00:09:14,840 --> 00:09:20,279
evaluated the potential for that software to be the cause

155
00:09:20,399 --> 00:09:22,480
of some kind of harm, whether it's harm to the

156
00:09:22,519 --> 00:09:26,000
operator or harm to the patient, and whether they've done

157
00:09:26,000 --> 00:09:31,519
appropriate risk management. Historically, they achieved this through risk management

158
00:09:32,360 --> 00:09:36,159
aspects of the quality system regulation, but that wasn't getting

159
00:09:37,320 --> 00:09:42,279
the industry to accelerate their cybersecurity posture fast enough, and

160
00:09:42,960 --> 00:09:48,600
FDA collaborated with the United States Congress to put together

161
00:09:48,799 --> 00:09:53,080
a regulation that would be passed by law rather than

162
00:09:53,919 --> 00:09:57,600
through rulemaking from the agency, and so they got what's

163
00:09:57,639 --> 00:10:00,639
called the PATCH Act written into the Food, Drug, and Cosmetic

164
00:10:00,679 --> 00:10:04,000
Act as an amendment in the Omnibus Act of twenty

165
00:10:04,039 --> 00:10:08,440
twenty three, that's the budget funding vehicle in Congress in

166
00:10:08,480 --> 00:10:13,039
the US, and that Act says, if you have software,

167
00:10:13,200 --> 00:10:15,960
and if it could be vulnerable, which usually goes along

168
00:10:16,000 --> 00:10:19,759
with having software, and if your device could be connected

169
00:10:19,799 --> 00:10:23,960
to the internet. These three things are added, you must

170
00:10:24,759 --> 00:10:28,559
provide cybersecurity documentation to FDA. If you have only two

171
00:10:28,559 --> 00:10:31,279
of the three things, you probably still have to but

172
00:10:31,799 --> 00:10:35,559
it's not literally required by law. But if those three

173
00:10:35,559 --> 00:10:39,759
things are true, FDA wants you to focus on confidentiality, integrity,

174
00:10:39,759 --> 00:10:44,440
and availability. Now, how are medical devices different than traditional

175
00:10:44,519 --> 00:10:50,000
IT security and maybe different than OT security in, say, power?

176
00:10:51,399 --> 00:10:54,720
They're not entirely different, right? There's a lot of similarities.

177
00:10:54,759 --> 00:10:58,399
But in IT security, confidentiality is usually king. It's your

178
00:10:58,399 --> 00:11:02,399
first focus because you protect client data, confidential data that

179
00:11:02,440 --> 00:11:07,279
could cost you reputationally and commercially if it's lost or shared.

180
00:11:07,600 --> 00:11:08,440
Speaker 4: When it shouldn't be.

181
00:11:09,080 --> 00:11:12,919
Speaker 1: In OT security, like embedded medical devices, as an example,

182
00:11:13,360 --> 00:11:16,679
you want to focus on integrity and availability first because

183
00:11:16,679 --> 00:11:20,000
you want to assure that the medical devices operate when

184
00:11:20,080 --> 00:11:23,039
you need them to, which is availability, and that they

185
00:11:23,080 --> 00:11:25,759
do what they're supposed to when they are operating, which

186
00:11:25,799 --> 00:11:30,120
is really what integrity is all about. Many medical devices

187
00:11:30,159 --> 00:11:34,360
don't contain any or not much personal health information or

188
00:11:34,399 --> 00:11:40,000
personally identifiable information PHI or PII, which are usually the

189
00:11:40,039 --> 00:11:44,240
focus of confidentiality. I don't want anybody to know that

190
00:11:44,320 --> 00:11:49,360
my seventy year old aunt is receiving whatever treatment. I

191
00:11:49,399 --> 00:11:53,639
don't want that information out there for example. So you're

192
00:11:53,679 --> 00:11:59,960
really thinking about protecting information that has some value, potentially,

193
00:12:00,399 --> 00:12:05,039
to some malicious actor. That's not as important in a

194
00:12:05,080 --> 00:12:10,519
medical device as making sure that your MRI, which is

195
00:12:10,519 --> 00:12:16,320
connecting to a picture archiving and communication system, or PACS,

196
00:12:15,639 --> 00:12:20,120
is available when the doctors need to get the scan

197
00:12:20,360 --> 00:12:22,600
so that they can figure out, you know, do you

198
00:12:22,639 --> 00:12:26,000
have a brain bleed, for instance, and can I get

199
00:12:26,000 --> 00:12:28,080
that data into the hands of the doctor who's going

200
00:12:28,120 --> 00:12:31,080
to make treatment decisions. Maybe they need to go in

201
00:12:31,240 --> 00:12:34,360
and clear a clot out that's causing a backup in

202
00:12:34,399 --> 00:12:37,519
the brain and could lead to stroke. So you need

203
00:12:37,919 --> 00:12:41,080
to have availability of those systems, and you need to

204
00:12:41,080 --> 00:12:43,559
have integrity. You want to know that somebody can't go

205
00:12:43,600 --> 00:12:47,279
in and alter the data. But it might be a

206
00:12:47,279 --> 00:12:50,919
good example just to compare a couple different in vitro

207
00:12:51,000 --> 00:12:56,799
diagnostics to set up some context. So you might get

208
00:12:56,799 --> 00:12:59,440
a cholesterol test as part of your annual physical from

209
00:12:59,440 --> 00:13:00,759
your general practitioner.

210
00:13:01,600 --> 00:13:02,320
Speaker 4: Most people do.

211
00:13:03,000 --> 00:13:06,480
Speaker 1: If your results are dramatically different from your past test results,

212
00:13:06,519 --> 00:13:09,000
your doctor might request a retest in a few months.

213
00:13:09,559 --> 00:13:12,879
An extremely high or extremely low cholesterol result is typically

214
00:13:12,919 --> 00:13:15,759
not going to lead to some kind of immediate dramatic intervention,

215
00:13:16,399 --> 00:13:18,720
and a doctor's not going to say, oh, you had

216
00:13:18,720 --> 00:13:22,360
this nice linear progression where you were getting slowly increasing

217
00:13:22,919 --> 00:13:26,480
you know, total cholesterol levels, and suddenly your level is

218
00:13:26,840 --> 00:13:29,720
twice or three times as high, which probably will raise

219
00:13:29,720 --> 00:13:32,559
an eyebrow, but not lead to, you know, prescription

220
00:13:32,639 --> 00:13:33,320
of a new drug.

221
00:13:33,519 --> 00:13:35,600
Speaker 4: They're not going to.

222
00:13:35,639 --> 00:13:39,159
Speaker 1: Say, oh, wow, really big number, let's do something about it.

223
00:13:39,200 --> 00:13:43,600
They're going to say, that's inconsistent with past results, right?

224
00:13:43,759 --> 00:13:46,799
Doctors do that kind of thinking, and that's what

225
00:13:46,840 --> 00:13:50,679
they're intended to do with it. So integrity loss with

226
00:13:50,759 --> 00:13:55,639
a cholesterol test is not a huge problem. It's not

227
00:13:55,919 --> 00:13:58,840
ideal, right? You want to get the right results,

228
00:13:59,320 --> 00:14:01,200
but it's not the end of the world. On the

229
00:14:01,240 --> 00:14:04,080
other hand, if you're admitted to the emergency room and

230
00:14:04,120 --> 00:14:07,440
the medical team suspects damage to your heart muscle, like

231
00:14:07,559 --> 00:14:11,080
during a heart attack, they'll request a troponin test. This

232
00:14:11,120 --> 00:14:14,919
is another in vitro diagnostic. It's a different classification than

233
00:14:15,000 --> 00:14:19,320
cholesterol because of the risk profile, but that troponin test

234
00:14:19,360 --> 00:14:22,000
is intended to confirm the levels of troponin T or

235
00:14:22,039 --> 00:14:25,960
I proteins, and they want repeated tests over time to

236
00:14:25,960 --> 00:14:30,519
see if there's a level detected and if it is increasing, decreasing,

237
00:14:30,679 --> 00:14:33,600
or staying the same. This is an indication of heart

238
00:14:33,679 --> 00:14:36,480
muscle damage and it can help them rule out or

239
00:14:36,559 --> 00:14:40,080
diagnose a heart attack or other cardiac conditions. They make

240
00:14:40,159 --> 00:14:44,600
decisions immediately when they see troponin levels that are

241
00:14:44,720 --> 00:14:48,080
very high and they decrease rapidly over time. So if

242
00:14:48,120 --> 00:14:51,559
you don't have availability, you may miss some of the

243
00:14:51,639 --> 00:14:54,600
signals and that may lead to a delay in treatment

244
00:14:54,679 --> 00:15:01,480
which could cause longer term heart damage that is not recoverable. Potentially,

245
00:15:01,799 --> 00:15:05,919
somebody could have a pretty serious health incident that leads

246
00:15:05,960 --> 00:15:09,440
to a need for a transplant, or worse, they may die.

247
00:15:09,759 --> 00:15:12,720
So availability of testing in that space is critical, and

248
00:15:12,759 --> 00:15:16,120
the integrity of the results has an immediate impact on

249
00:15:16,200 --> 00:15:18,240
decision making from your healthcare professional.

250
00:15:21,360 --> 00:15:25,080
Speaker 2: You know in past episodes, depending on the industry and

251
00:15:25,080 --> 00:15:29,159
the application of what we're talking about, Andrew, it feels

252
00:15:29,240 --> 00:15:34,879
like there are consistently considerations that are prioritized above others

253
00:15:34,919 --> 00:15:38,679
in certain orders, like for example, safety systems, whenever they're

254
00:15:38,720 --> 00:15:42,480
relevant, tends to take first billing, and then you start

255
00:15:42,519 --> 00:15:47,759
talking about you know, reliability, availability of systems, and then

256
00:15:47,960 --> 00:15:50,440
however lower you get on the totem pole, you

257
00:15:50,480 --> 00:15:54,960
get to like business efficiency considerations. It feels like with

258
00:15:55,039 --> 00:16:01,159
regard to medical devices, this ordering is pretty dream in that regard.

259
00:16:01,120 --> 00:16:04,720
Speaker 3: To a degree, yes. I mean what I heard

260
00:16:04,840 --> 00:16:08,440
Naomi say is that there's enormous variation in the field

261
00:16:08,519 --> 00:16:11,799
about you know, what different devices do, how urgent things

262
00:16:11,840 --> 00:16:16,960
are in different circumstances. But yeah, in you know, critical infrastructure,

263
00:16:16,960 --> 00:16:19,919
which is sort of my bread and butter, we talk

264
00:16:20,159 --> 00:16:23,799
about safety first, don't kill anyone, don't cause an environmental disaster.

265
00:16:24,000 --> 00:16:27,240
Reliability second, keep the lights on, keep drinking water in

266
00:16:27,279 --> 00:16:30,279
the taps, and efficiency. Third, it does no good to

267
00:16:30,320 --> 00:16:32,399
have drinking water in the taps if nobody can afford

268
00:16:32,399 --> 00:16:38,120
to consume it. And confidentiality, occasionally. It sounds to me

269
00:16:38,360 --> 00:16:40,720
like, and you know, Naomi is using sort of the

270
00:16:41,320 --> 00:16:46,440
first generation confidentiality, integrity, availability language that I think speaks

271
00:16:46,440 --> 00:16:52,399
to the same priorities. And you know what I heard

272
00:16:52,399 --> 00:16:54,720
her say, and she didn't quite use these words, but

273
00:16:54,759 --> 00:16:57,200
what I heard her say was safety first. You know,

274
00:16:58,000 --> 00:17:00,399
the device has to be safe, you can't kill

275
00:17:00,440 --> 00:17:06,119
your patient, and it has to produce a reliable result.

276
00:17:07,279 --> 00:17:12,079
But you know, in my understanding, confidentiality, you know, she said,

277
00:17:12,079 --> 00:17:14,759
it's often the third priority. You know, first priority is don't

278
00:17:14,839 --> 00:17:20,240
kill anyone. But the confidentiality, in my understanding of her

279
00:17:20,279 --> 00:17:24,680
description of it, is sort of a higher priority for

280
00:17:25,640 --> 00:17:28,079
the medical world than it is in let's say a

281
00:17:28,119 --> 00:17:31,160
power plant, where you know, I'm sorry, there's not a

282
00:17:31,240 --> 00:17:34,440
lot of secrets. The, you know, the temperature of

283
00:17:34,440 --> 00:17:37,799
the boiler, the steam boiler, is the same temperature everybody

284
00:17:37,880 --> 00:17:42,160
uses worldwide. It's a well understood phenomenon. So yeah,

285
00:17:42,319 --> 00:17:44,559
it is a little bit different. The other thing

286
00:17:44,599 --> 00:17:47,279
that I'm reminded of is our discussion I don't know

287
00:17:47,279 --> 00:17:52,640
a few years ago with the head of OT security

288
00:17:52,680 --> 00:17:55,880
at Airbus, and I asked him this question about priorities,

289
00:17:56,279 --> 00:18:00,599
and he was representing a manufacturer. Now, Naomi is

290
00:18:00,640 --> 00:18:03,039
getting into the manufacturing space a little bit later on,

291
00:18:03,359 --> 00:18:07,160
but in the manufacturing space, he said, the number one

292
00:18:07,200 --> 00:18:10,240
priority is not the safety of the people in the plant.

293
00:18:10,880 --> 00:18:14,960
You go, really, he said, no, the number one priority

294
00:18:15,079 --> 00:18:19,599
is product quality. If you mess up a critical component,

295
00:18:19,720 --> 00:18:22,759
aircraft fall out of the sky and hundreds of people die,

296
00:18:23,440 --> 00:18:27,200
that's the top priority, product quality. So we're talking about,

297
00:18:27,559 --> 00:18:29,799
you know, medical devices, we're going to get into that,

298
00:18:29,839 --> 00:18:33,480
but that's something to keep in mind is, yes, the

299
00:18:33,519 --> 00:18:36,759
safety of people producing the devices is important, but the

300
00:18:36,839 --> 00:18:40,039
number one priority is not, you know, to avoid producing

301
00:18:40,079 --> 00:18:42,400
a device that's going to kill you know, a large

302
00:18:42,400 --> 00:18:47,599
fraction of its users. You know, it's a more

303
00:18:47,640 --> 00:18:51,160
complicated space than I thought. It's always humbling having

304
00:18:51,200 --> 00:18:53,440
a subject matter expert on in a new domain. You

305
00:18:53,480 --> 00:18:56,160
find out inevitably that the world is a more complicated

306
00:18:56,160 --> 00:18:59,599
place than we thought. But I remember, you know, the

307
00:18:59,759 --> 00:19:02,880
topic here is, let's ask you about the FDA

308
00:19:03,279 --> 00:19:07,440
rules for medical devices. I remember, as long as thirty

309
00:19:07,519 --> 00:19:10,599
years ago, I was working with a pharmaceutical company that

310
00:19:10,880 --> 00:19:14,559
manufactured drugs, and the sense that I had back then

311
00:19:14,680 --> 00:19:16,920
was that the rules they were dealing with were not

312
00:19:17,079 --> 00:19:20,039
so much you must do X, Y and Z, but

313
00:19:20,400 --> 00:19:22,839
rules that were very general, saying you must follow industry

314
00:19:22,920 --> 00:19:25,759
best practice. And then the FDA would publish a best

315
00:19:25,839 --> 00:19:29,160
practice guideline that well, everybody followed religiously because it was

316
00:19:29,400 --> 00:19:32,279
the best practice, and they would update these things regularly

317
00:19:32,400 --> 00:19:34,519
rather than pass new laws. It was just a faster

318
00:19:34,599 --> 00:19:37,720
process of updating the guidelines than updating the laws. Is

319
00:19:37,720 --> 00:19:40,160
that still how it is? What's it looked like today?

320
00:19:40,720 --> 00:19:43,519
Speaker 1: Well, so drugs and devices are a little bit different,

321
00:19:43,599 --> 00:19:50,279
but it's not dramatically different. Today, FDA wants manufacturers, whether

322
00:19:50,279 --> 00:19:53,680
it's of drugs or devices or food quite frankly, to

323
00:19:53,839 --> 00:19:58,160
follow what are called good manufacturing practices, but there's a

324
00:19:58,200 --> 00:20:01,799
lot of diversity in how that's actually implemented. So the Food,

325
00:20:01,839 --> 00:20:07,960
Drug, and Cosmetic Act has specific regulations that talk about,

326
00:20:08,079 --> 00:20:12,039
you know, what is in a good manufacturing practice, what

327
00:20:12,079 --> 00:20:14,960
does it mean? And part of that is Part 820,

328
00:20:14,960 --> 00:20:19,160
which is the quality system regulation today. That's going to

329
00:20:19,319 --> 00:20:22,839
change in the next year or so. The FDA is

330
00:20:22,880 --> 00:20:26,960
moving to an internationally recognized standard, ISO 13485,

331
00:20:27,039 --> 00:20:29,839
to cover quality system regulation.

332
00:20:31,039 --> 00:20:32,799
Speaker 4: But FDA, through the.

333
00:20:32,759 --> 00:20:37,000
Speaker 1: Food, Drug, and Cosmetic Act, has specific areas like cybersecurity,

334
00:20:37,680 --> 00:20:39,680
where they can go a little bit deeper and be

335
00:20:39,759 --> 00:20:44,640
a little bit more prescriptive because good manufacturing practices are

336
00:20:44,680 --> 00:20:50,680
evolving very rapidly, and standards don't evolve as rapidly as

337
00:20:51,279 --> 00:20:55,319
you know, the threat environment and the practices do, so

338
00:20:55,759 --> 00:21:00,599
standards aren't necessarily keeping up, and FDA is getting a little

339
00:21:00,599 --> 00:21:04,519
more prescriptive, partly through guidance but partly through the explicit

340
00:21:04,559 --> 00:21:09,559
statutory authority they now have, to ensure that cybersecurity implementation

341
00:21:10,079 --> 00:21:14,880
and documentation are adequate to ensure safety and effectiveness of

342
00:21:14,920 --> 00:21:19,279
medical devices. So it's not dramatically different. FDA tries to

343
00:21:19,319 --> 00:21:23,680
not get specific about how to implement, but they do

344
00:21:23,720 --> 00:21:28,039
want to ensure that you do implement security. Getting prescriptive

345
00:21:28,119 --> 00:21:31,839
is problematic because again, the best practices are changing and

346
00:21:31,920 --> 00:21:34,640
evolving with the threat environment, which can be on a

347
00:21:34,720 --> 00:21:41,279
daily basis. But the overall approach and the understanding of

348
00:21:41,759 --> 00:21:47,279
how to do secure product development can be generalized nicely

349
00:21:47,400 --> 00:21:51,319
and is written into several standards and is largely what

350
00:21:51,519 --> 00:21:54,279
FDA is pointing to when they tell you what you

351
00:21:54,400 --> 00:22:00,440
should do versus what you must do, rules-wise.

352
00:22:01,480 --> 00:22:04,279
Speaker 3: Something you said earlier is bugging me at the back

353
00:22:04,319 --> 00:22:09,240
of my head. You talked about Internet connected devices. How

354
00:22:09,279 --> 00:22:12,839
many of these medical devices nowadays are connected to the Internet?

355
00:22:12,839 --> 00:22:17,400
Speaker 1: How at risk are we? The numbers are not explicitly

356
00:22:17,559 --> 00:22:21,559
tracked or shared publicly by the Center for Devices in

357
00:22:21,599 --> 00:22:26,240
the US. However, I would estimate that somewhere between thirty

358
00:22:26,279 --> 00:22:29,240
and fifty percent of medical devices that are submitted to

359
00:22:29,559 --> 00:22:34,119
FDA today qualify as a cyber device per the Food

360
00:22:34,160 --> 00:22:38,359
Drug and Cosmetic Act. That is, they contain software, they can

361
00:22:38,480 --> 00:22:41,319
be connected to the Internet, and the software that they

362
00:22:41,400 --> 00:22:44,160
contain could make them vulnerable. It may be higher than

363
00:22:44,200 --> 00:22:47,279
fifty percent, it may be quite a bit higher than

364
00:22:47,319 --> 00:22:50,400
fifty percent. But there's a difference between a device that's

365
00:22:50,440 --> 00:22:54,599
intended to be connected to the Internet and is explicitly

366
00:22:54,799 --> 00:22:58,759
sending data over the Internet by design, and a device

367
00:22:58,799 --> 00:23:01,559
that can be made to do so but wasn't intended

368
00:23:01,599 --> 00:23:05,839
for that purpose. And that's important because the words in

369
00:23:05,880 --> 00:23:09,359
the Act actually state "can be connected to the Internet,"

370
00:23:10,160 --> 00:23:13,480
and a lot of manufacturers say, well, we're not connecting

371
00:23:13,480 --> 00:23:16,039
it to the Internet, so it's okay, but they have

372
00:23:16,079 --> 00:23:20,440
a USB port. Now this may sound a little bit

373
00:23:20,640 --> 00:23:24,640
out there and sci-fi-ish, but it's not a

374
00:23:24,720 --> 00:23:30,119
person who wants to play around with your device who

375
00:23:30,160 --> 00:23:32,799
finds that you have an open USB port that they

376
00:23:33,000 --> 00:23:35,640
have access to, that they have physical access to without

377
00:23:36,079 --> 00:23:38,440
drilling into the case or opening it up or anything.

378
00:23:39,079 --> 00:23:43,880
They can plug a commercially available product like the Flipper

379
00:23:44,000 --> 00:23:47,599
Zero into the USB port. It may require some kind

380
00:23:47,640 --> 00:23:49,720
of a connector in order to connect to the USB

381
00:23:49,799 --> 00:23:52,240
type that you have on your device, but they can

382
00:23:52,240 --> 00:23:56,400
connect it, and that Flipper Zero or similar piece of

383
00:23:56,440 --> 00:23:59,960
hardware can actually give them the ability to connect your

384
00:24:00,079 --> 00:24:03,759
medical device to the Internet when you didn't intend

385
00:24:03,759 --> 00:24:07,759
for that to be possible. There are cybersecurity controls you

386
00:24:07,799 --> 00:24:10,519
can put in place to prevent such activity, but if

387
00:24:10,519 --> 00:24:13,079
you didn't think about it and you didn't plan for it,

388
00:24:13,319 --> 00:24:17,000
you probably didn't implement those controls, and now your device

389
00:24:17,000 --> 00:24:19,519
that was not intended to be connected to the Internet

390
00:24:19,839 --> 00:24:22,839
may actually be connected to the Internet, which can make

391
00:24:22,880 --> 00:24:27,200
it vulnerable and can also give people an opportunity to

392
00:24:27,319 --> 00:24:31,759
explore your device over the Internet and try to determine

393
00:24:31,799 --> 00:24:34,480
if they can exploit it or reverse engineer it. So

394
00:24:34,559 --> 00:24:38,519
there is a risk there. I'm not terribly concerned that

395
00:24:38,559 --> 00:24:41,440
people should all stop using medical devices today because of

396
00:24:41,480 --> 00:24:46,000
cybersecurity risks. In fact, quite the opposite. But I do

397
00:24:46,079 --> 00:24:50,519
think that people need to be aware that cybersecurity is

398
00:24:50,559 --> 00:24:54,480
a consideration in many aspects of their lives that they're

399
00:24:54,480 --> 00:24:57,559
somewhat taking for granted today, and that they should be

400
00:24:57,599 --> 00:25:01,880
aware that the Food and Drug Administration and other such regulatory

401
00:25:01,920 --> 00:25:06,200
bodies are out there diligently trying to protect them from

402
00:25:06,240 --> 00:25:07,359
these risks.

403
00:25:08,599 --> 00:25:10,079
Speaker 4: Of which they're barely aware.

404
00:25:13,240 --> 00:25:16,279
Speaker 2: You know, there's a risk in what Naomi does that

405
00:25:16,440 --> 00:25:20,599
I imagine isn't quite as relevant in most industries that deal

406
00:25:20,640 --> 00:25:24,799
with OT security. And I'm wondering, if you have the

407
00:25:24,839 --> 00:25:31,799
answer to this, can people outside of organizations in the

408
00:25:31,799 --> 00:25:35,759
medical field, hospitals and so on, how difficult is it

409
00:25:36,279 --> 00:25:41,000
to obtain one's own medical device that would be deployed

410
00:25:41,039 --> 00:25:43,519
in a hospital. I know there are certain devices that

411
00:25:43,559 --> 00:25:46,279
are more you know, consumer oriented, and that you can

412
00:25:46,319 --> 00:25:49,720
buy them. But what I'm getting at here is that

413
00:25:50,240 --> 00:25:54,640
if you could theoretically obtain for yourself one of these

414
00:25:54,680 --> 00:25:59,440
medical devices that we're worried about being hacked, then presumably

415
00:25:59,720 --> 00:26:03,000
you can spend all day and night reverse engineering

416
00:26:03,039 --> 00:26:06,599
it such that you know, you could design malware specifically

417
00:26:06,680 --> 00:26:10,759
for such a machine, stick a USB into, you know,

418
00:26:10,839 --> 00:26:15,519
whoever you want to attack. It strikes me as more

419
00:26:15,880 --> 00:26:18,720
risky than in industries where you know you have most

420
00:26:18,759 --> 00:26:22,599
of your machinery in a closed-off plant. Otherwise, it's

421
00:26:22,640 --> 00:26:25,720
hard for me to imagine a case scenario where you

422
00:26:25,720 --> 00:26:29,880
know some malicious nurse has the technical knowledge to hack

423
00:26:29,960 --> 00:26:33,079
a device or you know, a device isn't public enough

424
00:26:33,079 --> 00:26:35,400
in a hospital that they even could pull that off,

425
00:26:35,440 --> 00:26:37,559
Like how you would really do that in the wild

426
00:26:37,599 --> 00:26:38,279
in real time?

427
00:26:39,119 --> 00:26:43,759
Speaker 3: Two answers there, One is you know, the three answers.

428
00:26:43,799 --> 00:26:46,599
Maybe in the industrial space you suggested it might be

429
00:26:46,640 --> 00:26:48,400
hard to get hold of the equipment. It might be

430
00:26:48,440 --> 00:26:50,200
hard to get hold of the physical equipment. I mean,

431
00:26:50,240 --> 00:26:52,519
if you want to get hold of a I don't know,

432
00:26:52,559 --> 00:26:56,480
a two-ton valve into your garage, it's just

433
00:26:56,759 --> 00:26:59,519
logistically physically difficult to get hold of such a thing.

434
00:26:59,519 --> 00:27:01,480
And yeah, I don't know, you know, if

435
00:27:01,519 --> 00:27:03,880
you can buy these on any kind of secondary market,

436
00:27:05,759 --> 00:27:10,200
but industrial researchers, you know, buy stuff on eBay all

437
00:27:10,240 --> 00:27:14,039
the time. What's available there, you know, old PLCs, I mean,

438
00:27:14,079 --> 00:27:16,279
if you want to shell out the money new PLCs,

439
00:27:16,680 --> 00:27:20,279
it's not the physical equipment that they test. It is

440
00:27:20,319 --> 00:27:24,559
the automation components, remote terminal units, flow computers. You know,

441
00:27:24,680 --> 00:27:27,640
these computers do tend to be available on the

442
00:27:27,720 --> 00:27:31,440
secondary market for you know, reasonably affordable prices, and they

443
00:27:31,440 --> 00:27:34,640
do get pen tested, you know, check for vulnerabilities, et

444
00:27:34,640 --> 00:27:40,079
cetera all the time. In the medical space. Again, I

445
00:27:40,119 --> 00:27:44,400
don't know. I didn't ask Naomi, but I

446
00:27:44,400 --> 00:27:47,640
would imagine that some of the smaller equipment is available

447
00:27:48,880 --> 00:27:52,200
just because the space is so huge. There's millions

448
00:27:52,200 --> 00:27:55,160
of these I don't know, dosing devices, you know, thousands

449
00:27:55,200 --> 00:27:59,160
in every large hospital, I would imagine, or at

450
00:27:59,160 --> 00:28:01,759
least hundreds in every large hospital, and there's thousands of

451
00:28:01,759 --> 00:28:04,960
hospitals around the world. So I would expect that some

452
00:28:05,000 --> 00:28:08,680
of the equipment, the smaller stuff, is straightforward to get

453
00:28:08,680 --> 00:28:11,400
on a secondary market. But that's just me guessing.

454
00:28:12,279 --> 00:28:15,039
What I am also guessing is that the really big stuff,

455
00:28:15,039 --> 00:28:18,319
you know, the controllers, you know, forget PLCs, but the devices,

456
00:28:18,359 --> 00:28:23,000
the control boards built into MRIs, I mean MRIs are

457
00:28:23,119 --> 00:28:27,359
multi ton devices. You can't even get them out of

458
00:28:27,359 --> 00:28:31,039
the room they're in without taking them to pieces. So

459
00:28:31,240 --> 00:28:32,880
the big stuff, I would imagine it is harder to

460
00:28:32,920 --> 00:28:35,440
get hold of. But you know, sort of to the

461
00:28:35,720 --> 00:28:38,440
last point you raised, you know, getting hold of something

462
00:28:38,440 --> 00:28:41,240
on the secondary market and trying to figure out how

463
00:28:41,240 --> 00:28:46,000
to attack it, you know, versus someone malicious plugging a USB.

464
00:28:46,160 --> 00:28:48,960
And to me, the big risk is not that someone

465
00:28:49,039 --> 00:28:52,119
malicious is going to plug a USB WiFi dongle into

466
00:28:52,160 --> 00:28:55,519
my MRI or into you know, a diagnostic device whatever.

467
00:28:57,359 --> 00:29:01,880
To me, the risk is that well meaning people in

468
00:29:01,960 --> 00:29:04,559
the hospital, in the medical profession are going to do

469
00:29:04,640 --> 00:29:07,680
this because they think they're doing a good thing, because

470
00:29:07,680 --> 00:29:10,160
they think they're going to make the information available to

471
00:29:10,200 --> 00:29:14,000
the physician who's on vacation and wants to monitor the patient.

472
00:29:14,400 --> 00:29:16,240
You know, they think they're doing a good thing and

473
00:29:16,279 --> 00:29:20,640
they really don't understand the cybersecurity implications of what they're doing.

474
00:29:20,680 --> 00:29:23,480
So to me, that's the big risk, not a malicious

475
00:29:23,759 --> 00:29:27,160
USB being plugged in, but you know, a benign

476
00:29:28,559 --> 00:29:34,319
intent leaving the device, walking away and leaving it exposed

477
00:29:34,359 --> 00:29:36,680
to the Internet for who knows how long because they

478
00:29:36,680 --> 00:29:38,880
think they've done a good thing and have in fact

479
00:29:38,880 --> 00:29:44,559
put patients at risk thereby. So you talk generally about

480
00:29:44,759 --> 00:29:49,960
the FDA regulations, can you drill down in a little

481
00:29:50,000 --> 00:29:52,920
more detail. I mean, I'm familiar with NERC CIP. It's got

482
00:29:53,160 --> 00:29:57,720
you know, again, the law gives FERC the authority to

483
00:29:57,839 --> 00:30:04,400
regulate cybersecurity in the electric sector. FERC delegates that authority

484
00:30:04,440 --> 00:30:08,799
to NERC, which produces the regulations. The regulations go through

485
00:30:08,799 --> 00:30:12,359
a long, painful process. They have to be proposed by

486
00:30:12,440 --> 00:30:15,720
NERC back to FERC, which has to accept them or reject them.

487
00:30:16,319 --> 00:30:18,880
But when they come down, the regulations say things like

488
00:30:18,920 --> 00:30:21,480
your passwords have to be this long and that complicated,

489
00:30:21,799 --> 00:30:25,480
you need firewalls here, you need intrusion detection there. They're

490
00:30:25,519 --> 00:30:29,559
really quite specific. Is that the case with what the

491
00:30:29,640 --> 00:30:30,599
FDA is telling.

492
00:30:30,440 --> 00:30:34,400
Speaker 1: Us, it is a little bit different. For one thing,

493
00:30:34,839 --> 00:30:38,480
what's written into the statute for five twenty four B

494
00:30:38,680 --> 00:30:42,000
in the Food, Drug and Cosmetic Act has only one

495
00:30:42,279 --> 00:30:45,000
requirement that is that explicit, and that is that you

496
00:30:45,119 --> 00:30:49,680
must submit to FDA a software bill of materials and

497
00:30:49,759 --> 00:30:53,119
it is expected to be machine readable. The other elements

498
00:30:53,240 --> 00:30:57,200
that you're managing postmarket cybersecurity vulnerabilities and things like that

499
00:30:57,640 --> 00:31:01,240
are more general, but a guidance document that's associated with

500
00:31:01,279 --> 00:31:06,000
this spells out in more detail what that means. Additionally,

501
00:31:06,240 --> 00:31:11,079
the FDA today manages the quality system following what is

502
00:31:11,400 --> 00:31:13,920
called Part eight twenty of the Food, Drug and Cosmetic Act,

503
00:31:13,960 --> 00:31:17,279
or the Quality System Regulation, but in about a year

504
00:31:17,559 --> 00:31:21,599
they are migrating to following an internationally harmonized standard.

505
00:31:21,640 --> 00:31:24,799
Speaker 4: ISO thirteen four eighty-five, and.

506
00:31:24,720 --> 00:31:28,759
Speaker 1: That's designed for organizations involved in design, production, installation, and

507
00:31:28,799 --> 00:31:34,599
servicing of medical devices and related services. The transition period,

508
00:31:34,640 --> 00:31:38,640
though between when FDA made this announcement of moving from

509
00:31:38,640 --> 00:31:42,200
eight twenty to thirteen four eighty-five means that manufacturers

510
00:31:42,839 --> 00:31:46,480
who have product in multiple markets have to be maintaining

511
00:31:46,839 --> 00:31:50,519
a quality system under Part eight twenty until the transition

512
00:31:50,559 --> 00:31:53,640
to thirteen four eighty-five for US and under thirteen four

513
00:31:53,720 --> 00:31:55,680
eighty five for the rest of the world. So you're

514
00:31:55,680 --> 00:31:59,920
managing two separate quality systems in addition to all the

515
00:32:00,079 --> 00:32:04,640
cybersecurity material and that's really burdensome right now. That means

516
00:32:04,680 --> 00:32:07,000
that a lot of companies are doing double duty and

517
00:32:07,440 --> 00:32:12,319
having people do two sets of documentation to cover these

518
00:32:12,319 --> 00:32:18,319
two different areas of regulatory visibility into what they're doing,

519
00:32:19,279 --> 00:32:21,279
rather than being able to do it once and be

520
00:32:21,359 --> 00:32:25,640
done with it. And that's really challenging for manufacturers

521
00:32:25,680 --> 00:32:29,480
because they're now adding all of these cybersecurity expectations on

522
00:32:29,559 --> 00:32:35,599
top of just documenting their overall approach to quality, which means,

523
00:32:36,319 --> 00:32:40,759
you know, reproducible, reliable, repeatable production of whatever the product

524
00:32:40,839 --> 00:32:44,079
is with you know, consistent performance.

525
00:32:45,559 --> 00:32:48,640
Speaker 3: Let me ask you, I mean you work with medical

526
00:32:48,640 --> 00:32:52,279
device manufacturers. You see a lot of different kinds of devices.

527
00:32:52,839 --> 00:32:56,200
How exposed are we, how, you know, in practice? How,

528
00:32:57,200 --> 00:32:58,839
I don't know, how much trouble are we in? How

529
00:32:58,839 --> 00:32:59,880
hard is this problem?

530
00:33:00,680 --> 00:33:02,640
Speaker 4: It's an interesting question.

531
00:33:02,799 --> 00:33:06,960
Speaker 1: There's a lot of medical devices that are in use

532
00:33:07,000 --> 00:33:11,119
today that have been in use for twenty or thirty

533
00:33:11,279 --> 00:33:18,440
and sometimes more years. Those devices have more exposure. Hospitals

534
00:33:18,680 --> 00:33:22,920
that use those devices often, but not always, implemented

535
00:33:23,160 --> 00:33:28,839
security measures to try to contain those systems. An excellent example,

536
00:33:29,039 --> 00:33:33,960
University of Vermont Healthcare System had a ransomware attack that

537
00:33:34,079 --> 00:33:41,480
happened through email that affected their entire network. Their imaging

538
00:33:41,519 --> 00:33:46,039
systems were subnetted. Because these are older systems, they're not

539
00:33:46,519 --> 00:33:51,519
typically patchable, they're not well trusted, and they shouldn't be

540
00:33:51,519 --> 00:33:53,880
because they're very old and they don't have any security

541
00:33:53,920 --> 00:33:58,519
by design. And those systems stayed online and available throughout

542
00:33:58,599 --> 00:34:04,759
the ransomware attack because they were subnetted and basically put

543
00:34:04,839 --> 00:34:08,079
in their own little sandbox and not allowed to play

544
00:34:08,119 --> 00:34:12,119
with other elements in the hospital ecosystem. The same thing

545
00:34:12,199 --> 00:34:16,519
happened with their in vitro diagnostics equipment for very similar reasons.

546
00:34:16,960 --> 00:34:20,360
Some of it is older equipment. It hasn't been designed

547
00:34:20,360 --> 00:34:24,360
with security in mind. It is not very trustworthy. Some

548
00:34:24,440 --> 00:34:27,159
of these systems are very vulnerable if they are connected

549
00:34:27,159 --> 00:34:30,719
to the network without additional protective measures, but because they

550
00:34:30,719 --> 00:34:37,000
were subnetted off because the hospitals don't trust them for cybersecurity,

551
00:34:37,599 --> 00:34:42,239
especially for HIPAA violations, for privacy violations, those systems were

552
00:34:42,280 --> 00:34:47,039
available throughout the downtime. The rest of the hospital ecosystem

553
00:34:47,280 --> 00:34:53,280
was impacted rather heavily and required quite some time to remediate.

554
00:34:53,400 --> 00:34:56,920
So there's some exposure here. Some of it is managed

555
00:34:56,920 --> 00:35:00,880
by hospital infrastructure, some of it is managed by small doctor's.

556
00:35:00,519 --> 00:35:01,159
Speaker 4: Offices, etc.

557
00:35:02,039 --> 00:35:06,039
Speaker 1: But there is not enough resourcing in the overall ecosystem

558
00:35:06,480 --> 00:35:10,079
to protect against all these problems. And that really means

559
00:35:10,159 --> 00:35:13,639
that newer medical devices that are produced today must be

560
00:35:14,079 --> 00:35:18,239
designed to have security today and to be maintainable to

561
00:35:18,320 --> 00:35:22,360
be secure in the future as the threat environment evolves.

562
00:35:23,440 --> 00:35:25,320
Speaker 4: So let's dig a little bit deeper.

563
00:35:25,000 --> 00:35:29,199
Speaker 1: Into those imaging systems that I just mentioned. An MRI

564
00:35:29,440 --> 00:35:32,840
system today that is being delivered and installed in a

565
00:35:32,880 --> 00:35:36,760
hospital is actually built on site. If you've ever been

566
00:35:36,800 --> 00:35:41,480
in an MRI machine, these are really significantly sized machines;

567
00:35:41,559 --> 00:35:44,840
they don't fit through a standard doorway when they are

568
00:35:44,880 --> 00:35:51,079
completely built. They're very heavy and they are extremely complex systems,

569
00:35:51,320 --> 00:35:54,519
so they're built on site. When you have to implement

570
00:35:54,559 --> 00:35:56,960
a brand new system like that and you are putting

571
00:35:57,000 --> 00:36:00,320
it into your facility, you want to know that it

572
00:36:00,400 --> 00:36:03,760
is in good shape to operate today and that you

573
00:36:03,840 --> 00:36:07,880
can maintain it for a long time. Because it's capital equipment.

574
00:36:08,039 --> 00:36:11,800
It is a huge expenditure, and you do not want

575
00:36:11,800 --> 00:36:14,559
to have to replace it in three years because some

576
00:36:14,599 --> 00:36:18,079
component is out of date and not secure anymore. So

577
00:36:18,119 --> 00:36:21,760
you want security by design from the day it's built,

578
00:36:21,840 --> 00:36:25,320
and you want it to be capable of dealing with

579
00:36:25,400 --> 00:36:28,719
new threats over time, so you want it to be updateable.

580
00:36:28,960 --> 00:36:32,719
You want a secure patching mechanism that allows you to say,

581
00:36:34,079 --> 00:36:38,280
this system is built around Windows ten. Windows ten is

582
00:36:38,320 --> 00:36:41,119
about to go end of support at the end of

583
00:36:41,119 --> 00:36:43,559
twenty twenty five. I want to know that I can

584
00:36:43,599 --> 00:36:47,480
patch this to a newer operating system version like Windows eleven.

585
00:36:48,400 --> 00:36:50,800
And while I use that as an example, it's you

586
00:36:50,840 --> 00:36:53,639
know a fact many of these devices are using commercial

587
00:36:53,679 --> 00:36:56,960
operating systems, so you do want to have a secure

588
00:36:56,960 --> 00:36:59,800
patching mechanism. You also don't want somebody to be able

589
00:36:59,840 --> 00:37:04,559
to roll back a patch that is intended to ensure cybersecurity.

590
00:37:05,000 --> 00:37:08,239
So there has to be a rollback prevention mechanism. Once

591
00:37:08,280 --> 00:37:12,000
I patch this to a new and approved, updated version,

592
00:37:12,239 --> 00:37:15,679
I can't go backwards in time and backwards in version

593
00:37:15,880 --> 00:37:18,960
to something that is vulnerable and possibly exploitable.

594
00:37:22,159 --> 00:37:24,960
Speaker 3: So, Nate, just a quick comment on the incident that

595
00:37:26,000 --> 00:37:28,880
Naomi talked about. You know, to me, it's ironic that

596
00:37:29,159 --> 00:37:33,719
the most vulnerable equipment in the hospital that was hit

597
00:37:33,760 --> 00:37:37,719
by ransomware, the most vulnerable equipment was the least impacted.

598
00:37:38,159 --> 00:37:41,559
And it's because the hospital knew that this equipment was

599
00:37:42,519 --> 00:37:46,199
vulnerable and so put you know, what they call compensating measures,

600
00:37:46,239 --> 00:37:49,639
put secondary protections in place to you know, if there's

601
00:37:49,639 --> 00:37:51,719
an incident in the hospital, keep the bad stuff away

602
00:37:51,760 --> 00:37:56,320
from this equipment. You know, the equipment that was arguably

603
00:37:56,760 --> 00:38:01,119
more secure, but thereby also more exposed, because the hospital didn't

604
00:38:01,159 --> 00:38:03,599
think it needed to be, you know, protected

605
00:38:03,599 --> 00:38:09,599
to that degree, was more affected. You know, I mean,

606
00:38:10,079 --> 00:38:14,159
Naomi and I, we're talking here about medical devices and manufacturing

607
00:38:14,159 --> 00:38:18,519
medical devices. Hospitals use medical devices. But you know, maybe

608
00:38:18,519 --> 00:38:21,000
we need to get somebody on in the hospital. To me,

609
00:38:21,119 --> 00:38:26,159
this scenario suggests that, you know, hospitals know how

610
00:38:26,239 --> 00:38:29,440
to put you know, at least basic cybersecurity in place,

611
00:38:29,639 --> 00:38:32,840
they know how to put effective cybersecurity in place, and

612
00:38:32,920 --> 00:38:38,000
if they use that knowledge more routinely, more extensively, we

613
00:38:38,079 --> 00:38:42,719
would have fewer outages affecting equipment in hospitals. But so

614
00:38:43,280 --> 00:38:46,639
that you know that, I guess we need a different

615
00:38:46,639 --> 00:38:49,960
guest to talk about hospitals. We should, you know,

616
00:38:50,000 --> 00:38:54,440
come back to the medical devices here. A big thing

617
00:38:54,480 --> 00:38:57,440
that's happening in the world of industrial cybersecurity is something

618
00:38:57,440 --> 00:39:01,119
called cyber informed engineering. And one of the principles, there's

619
00:39:01,119 --> 00:39:03,159
many principles in cyber informed engineering. One of the

620
00:39:03,159 --> 00:39:09,840
principles is wherever practical, have an unhackable electro-mechanical

621
00:39:10,599 --> 00:39:14,559
safeguard as sort of your last line of defense between

622
00:39:14,559 --> 00:39:18,519
you and disaster. And so, you know, if I apply

623
00:39:18,639 --> 00:39:22,000
that thinking to let's say, you know, a medical device

624
00:39:22,079 --> 00:39:25,119
like let's say a pacemaker or something, you know, I

625
00:39:25,119 --> 00:39:28,800
would naively imagine that, you know, inside the body, you

626
00:39:28,840 --> 00:39:31,880
could route I don't know, a wire from the heart

627
00:39:32,280 --> 00:39:34,960
to somewhere close to the you know, just under the

628
00:39:34,960 --> 00:39:36,559
surface of the skin. You don't want to break the skin.

629
00:39:36,599 --> 00:39:40,239
That's an infection risk, is what I assume. But you know,

630
00:39:40,280 --> 00:39:41,880
you might have a little switch in there so that

631
00:39:42,000 --> 00:39:44,360
if you want to, I don't know, reprogram the pacemaker,

632
00:39:44,679 --> 00:39:47,039
the doctor has to touch you, touch your skin, press

633
00:39:47,079 --> 00:39:50,880
the switch under the skin, activate the wireless component in

634
00:39:50,920 --> 00:39:53,880
the pacemaker so that they can reprogram it.

635
00:39:54,360 --> 00:39:56,480
And the rest of the time it's physically got no

636
00:39:56,639 --> 00:39:59,840
power and cannot communicate with you. To me, that would

637
00:39:59,840 --> 00:40:03,760
be CIE. That would be sort of engineering grade protection.

638
00:40:04,639 --> 00:40:07,239
Is there such a concept in the world of medical devices?

639
00:40:07,960 --> 00:40:13,719
Speaker 1: There are very similar concepts. Electro-mechanical safety backstops like

640
00:40:13,760 --> 00:40:17,119
that could be problematic on a person because you could

641
00:40:17,159 --> 00:40:23,719
accidentally bump your body and trip off the electro-mechanical backstop. However,

642
00:40:24,559 --> 00:40:28,400
you know, historically what was done with implantable pacemakers, as

643
00:40:28,440 --> 00:40:32,679
an example, was that you had to do something specific

644
00:40:32,719 --> 00:40:35,599
to activate their programming mode. So you would send them

645
00:40:35,599 --> 00:40:37,760
an RF signal and they would have to wake up,

646
00:40:39,239 --> 00:40:42,320
you know, and then they would enter an interactive mode

647
00:40:42,360 --> 00:40:45,840
where you could go in and reprogram them. Now, a

648
00:40:45,920 --> 00:40:48,840
pacemaker is intended to make a slow heart beat faster

649
00:40:49,320 --> 00:40:53,440
if you shut off the pacing for patients who are

650
00:40:53,519 --> 00:40:59,000
pacemaker dependent, that is, their heart isn't working quite properly and

651
00:40:59,079 --> 00:41:01,840
it's not beating at a high enough rate for them

652
00:41:01,880 --> 00:41:05,960
to retain consciousness. If you increase their heart rate too high,

653
00:41:06,320 --> 00:41:08,840
you can actually be causing some kind of muscle damage

654
00:41:09,119 --> 00:41:11,320
to the heart. So there's a balance in there, and

655
00:41:11,360 --> 00:41:13,800
you do want to protect it, and you want that

656
00:41:14,400 --> 00:41:18,159
programming mode to be exclusive to people who are authorized

657
00:41:18,639 --> 00:41:21,519
to engage it. But there are new ways.

658
00:41:21,360 --> 00:41:21,760
Speaker 4: To do that.

659
00:41:21,840 --> 00:41:23,960
Speaker 1: It used to be we just sent an RF signal

660
00:41:24,239 --> 00:41:26,400
and the thing would say, okay, I'm ready, tell me

661
00:41:26,880 --> 00:41:28,199
my reprogramming mode.

662
00:41:28,840 --> 00:41:32,719
Speaker 4: And if you were nearby and happened to have.

663
00:41:33,239 --> 00:41:36,800
Speaker 1: RF sniffing equipment, which is not that complicated to procure

664
00:41:37,360 --> 00:41:40,679
and not that complicated to operate, you could collect the

665
00:41:40,840 --> 00:41:46,559
entire interaction between these two components and potentially replay it,

666
00:41:46,840 --> 00:41:50,880
and then potentially modify it and replay that and put

667
00:41:51,079 --> 00:41:54,519
the system into a reprogramming mode and then reprogram it

668
00:41:54,519 --> 00:41:56,719
in a way that's not in the best interest of

669
00:41:56,760 --> 00:42:01,920
the patient. Today that has been moved from broader RF,

670
00:42:02,480 --> 00:42:05,519
which you can do from thirty forty feet away potentially

671
00:42:06,039 --> 00:42:11,119
to near field communication modes or inductive activation modes where

672
00:42:11,440 --> 00:42:15,679
you have to bring a strong magnet or a device

673
00:42:15,840 --> 00:42:19,400
into really close proximity to the body. We're talking tens

674
00:42:19,440 --> 00:42:23,400
of centimeters or less in order to activate the programming mode.

675
00:42:23,719 --> 00:42:27,519
But even then I'm that close to you on the subway.

676
00:42:28,960 --> 00:42:32,360
You don't want somebody who happens to have the right

677
00:42:32,400 --> 00:42:35,639
equipment and the right know-how to activate your programming

678
00:42:35,639 --> 00:42:38,960
mode on the subway. So you want some additional measures,

679
00:42:39,000 --> 00:42:43,320
some added layers of complexity and cybersecurity in there. So

680
00:42:43,320 --> 00:42:46,880
you put in measures to authenticate and to ensure that

681
00:42:46,920 --> 00:42:50,599
only an authorized user is actually trying to make this

682
00:42:50,679 --> 00:42:54,920
connection to get the pacemaker first into programming mode and

683
00:42:54,920 --> 00:42:58,599
then to accept the commanding it's getting. So it's a

684
00:42:58,679 --> 00:43:02,320
defense-in-depth concept in medical devices that is very

685
00:43:02,360 --> 00:43:06,320
similar to cyber informed engineering, but not reliant on electro

686
00:43:06,400 --> 00:43:10,159
mechanical safety switches that could be jostled or bumped as

687
00:43:10,199 --> 00:43:13,760
part of your normal daily operating as a human body,

688
00:43:13,920 --> 00:43:18,559
right because you know, unlike critical infrastructure, where you have

689
00:43:19,119 --> 00:43:23,239
static pieces of hardware, mechanically active pieces of hardware, but

690
00:43:23,280 --> 00:43:26,719
they're largely separated from each other and they're not moving

691
00:43:26,719 --> 00:43:29,800
into each other. The human body is moving around a lot,

692
00:43:29,880 --> 00:43:34,480
and maybe you're bumping your arm where you have an implant.

693
00:43:34,559 --> 00:43:38,880
There are implantable CGMs that, if you bump them,

694
00:43:38,920 --> 00:43:41,119
continue to operate because they're under the skin. But the

695
00:43:41,159 --> 00:43:43,400
component that sits on the outside of the skin that

696
00:43:43,480 --> 00:43:46,880
pulls the data off of them inductively, that can be

697
00:43:46,960 --> 00:43:49,800
knocked off. You can pull it, you know, pull it out,

698
00:43:49,920 --> 00:43:51,719
take the glue off, and put it back on your arm.

699
00:43:52,599 --> 00:43:56,800
But you don't want that to be the electromechanical

700
00:43:56,800 --> 00:44:00,519
safety backstop, because you can bump it, and at

701
00:44:00,519 --> 00:44:02,559
some point you will and that could cause harm as well.

702
00:44:03,599 --> 00:44:06,119
Speaker 3: You know, we talked a lot about manufacturing the devices,

703
00:44:06,119 --> 00:44:09,440
but I'm curious, is there anything in the medical field,

704
00:44:09,480 --> 00:44:12,039
in the FDA field that is analogous to the new

705
00:44:12,119 --> 00:44:16,960
European CRA. I even forget what it stands for, but

706
00:44:17,000 --> 00:44:19,480
it's the rule that one of the rules in the

707
00:44:19,519 --> 00:44:28,760
CRA regulation applicable Europe-wide is that manufacturers of devices

708
00:44:28,960 --> 00:44:33,480
that contain software, in my understanding, starting

709
00:44:33,480 --> 00:44:35,480
I don't know, twenty twenty seven or something when the

710
00:44:35,559 --> 00:44:39,679
rule comes into effect, will be required to provide security

711
00:44:39,719 --> 00:44:44,519
updates for free for the life of the product. You know,

712
00:44:44,760 --> 00:44:48,360
is there such a concept about sort of lingering obligations

713
00:44:48,360 --> 00:44:49,559
on the part of the manufacturer.

714
00:44:50,320 --> 00:44:56,000
Speaker 1: Absolutely. So the European Cyber Resilience Act is intended to

715
00:44:56,119 --> 00:45:00,239
ensure that products are secure when they're delivered initially and

716
00:45:00,280 --> 00:45:04,440
that they're maintained for the lifespan of the device, whatever

717
00:45:04,480 --> 00:45:08,559
that may be, commercial product or otherwise. The FDA has

718
00:45:08,920 --> 00:45:11,239
a pre market guidance that tells you what to do

719
00:45:11,280 --> 00:45:14,239
to make sure it's secured by design, when it's made

720
00:45:14,639 --> 00:45:17,840
and when it's sold, but they have a post market

721
00:45:17,880 --> 00:45:21,880
guidance that says you need to do certain things to

722
00:45:22,119 --> 00:45:25,320
ensure that this system is not only safe and effective

723
00:45:25,360 --> 00:45:28,519
and secure on the day it's delivered, but it's safe,

724
00:45:28,519 --> 00:45:31,760
and effective and secure for the lifespan of the device,

725
00:45:31,800 --> 00:45:35,320
which may be a two-year shelf span and ten days

726
00:45:35,320 --> 00:45:36,960
after you start it operating and.

727
00:45:36,880 --> 00:45:37,920
Speaker 4: You activate it.

728
00:45:37,920 --> 00:45:40,480
Speaker 1: It may be a two-year shelf life and a twenty

729
00:45:40,559 --> 00:45:45,800
year lifespan after it is activated and in use. So

730
00:45:45,920 --> 00:45:52,360
you need to account for today's cybersecurity threat environment with

731
00:45:52,400 --> 00:45:56,079
your security. You need to account for a secure patching

732
00:45:56,159 --> 00:46:00,079
mechanism to ensure that the product can be maintained over

733
00:46:00,079 --> 00:46:03,760
that lifespan, and you need to have some tools and

734
00:46:03,800 --> 00:46:10,119
some processes that enable you to identify new security threats

735
00:46:10,199 --> 00:46:14,360
that exist, new vulnerabilities in the system as you've designed

736
00:46:14,360 --> 00:46:19,159
and built it, and to react to those, to make

737
00:46:19,199 --> 00:46:23,159
decisions about software patches that need to be applied, hardware

738
00:46:23,199 --> 00:46:25,760
components that maybe need to be switched out, that you

739
00:46:25,760 --> 00:46:28,519
have an appropriate supply chain and you can actually handle

740
00:46:29,440 --> 00:46:33,480
these kinds of changes in software or hardware. And really

741
00:46:33,519 --> 00:46:36,840
the call to action to industry then is design your

742
00:46:36,880 --> 00:46:40,079
systems to be patchable from day one. Design them to

743
00:46:40,119 --> 00:46:44,599
be secure at the time that you are delivering them,

744
00:46:44,800 --> 00:46:49,280
but securable over that longer-term span, and

745
00:46:49,320 --> 00:46:51,599
that's not necessarily easy.

746
00:46:51,679 --> 00:46:52,920
Speaker 4: That means you also need to.

747
00:46:52,880 --> 00:46:57,480
Speaker 1: Find vendors and tooling that enable you to monitor your

748
00:46:57,559 --> 00:47:00,159
software bill of materials, your hardware bill of materials, and

749
00:47:00,199 --> 00:47:03,800
make decisions about patching. That means that you need to

750
00:47:03,880 --> 00:47:08,519
have good cryptographic methods to secure your patching itself, signing

751
00:47:08,599 --> 00:47:12,719
your software, making sure that you have authentication and authorization

752
00:47:12,840 --> 00:47:16,440
in place, and that you're monitoring that software bill of materials,

753
00:47:16,519 --> 00:47:21,079
reacting to new vulnerabilities, determining whether or not they affect you,

754
00:47:21,760 --> 00:47:24,960
making decisions about patching when you determine that they affect you.

755
00:47:25,039 --> 00:47:29,360
That's an entire risk management process that needs to exist,

756
00:47:29,760 --> 00:47:32,360
and a lot of companies are struggling with this. They

757
00:47:32,360 --> 00:47:35,599
don't have good tooling. My company has developed some tools

758
00:47:35,679 --> 00:47:40,000
for that. They don't have good processes. Companies out there

759
00:47:40,679 --> 00:47:44,280
are struggling to figure out how to write a good policy.

760
00:47:44,360 --> 00:47:49,599
These are things that can be put together, can follow standards,

761
00:47:50,039 --> 00:47:53,920
which means you're using best practices, but sometimes you need help.

762
00:47:54,559 --> 00:47:57,800
And so really the strong recommendation is, if you

763
00:47:57,920 --> 00:48:01,599
don't have internal staff that can handle this, find yourself

764
00:48:01,639 --> 00:48:05,880
a qualified vendor with the appropriate expertise so that you're

765
00:48:05,880 --> 00:48:11,519
managing your quality system obligation of vendor qualification and you're

766
00:48:11,559 --> 00:48:15,440
getting cybersecurity experts who actually know how to implement things

767
00:48:15,480 --> 00:48:18,119
properly to help you build out your program.

768
00:48:19,199 --> 00:48:23,920
Speaker 3: So that sounds good in theory. I'm curious though, and

769
00:48:24,039 --> 00:48:26,239
I haven't got a good answer for this for the

770
00:48:26,280 --> 00:48:30,480
CRA. I'm curious. In the medical field, let's say we

771
00:48:30,599 --> 00:48:34,639
have a device that usually has a twenty-year lifespan.

772
00:48:35,880 --> 00:48:39,119
You know, the manufacturer sells the device, and five years

773
00:48:39,159 --> 00:48:43,840
later the manufacturer goes bankrupt and vanishes. What, you know,

774
00:48:43,920 --> 00:48:46,599
does the FDA require all of the hospitals that use

775
00:48:46,639 --> 00:48:49,679
the device to throw it out because nobody's issuing patches

776
00:48:49,719 --> 00:48:52,239
for it? You know, are consumers who use the device

777
00:48:52,239 --> 00:48:55,000
supposed to throw it out now? What happens when these

778
00:48:55,119 --> 00:48:58,360
vendors that are supposed to provide service for the life

779
00:48:58,360 --> 00:48:59,880
of the product vanish.

780
00:49:00,599 --> 00:49:03,239
Speaker 1: Oh, that's a great question. That is a conundrum in

781
00:49:03,320 --> 00:49:07,280
any industry. That's a conundrum whether you're talking about commercial

782
00:49:07,320 --> 00:49:14,400
products or something more complex and less easily obtained

783
00:49:14,480 --> 00:49:17,639
like a medical device. The short answer is that FDA

784
00:49:17,719 --> 00:49:22,360
does not regulate what hospitals do. They can't, they're not authorized,

785
00:49:22,760 --> 00:49:26,920
and they shouldn't because that's not really their space. When

786
00:49:26,960 --> 00:49:31,320
they regulate medical devices, they're regulating them for today and

787
00:49:31,480 --> 00:49:35,599
ensuring that they're patchable long term. But there's no impact

788
00:49:35,679 --> 00:49:40,039
whatsoever in there, no ability to impact what happens with

789
00:49:41,280 --> 00:49:45,559
economics and whether a company goes bankrupt and stops selling

790
00:49:45,599 --> 00:49:49,599
their product. So that comes back to the contracts that

791
00:49:49,639 --> 00:49:54,239
are written between the vendor and the procurer and whether

792
00:49:54,360 --> 00:49:57,840
or not they have some kind of protective measure in place.

793
00:49:58,360 --> 00:50:00,880
But there's not a lot of protection for a hospital

794
00:50:01,400 --> 00:50:05,079
that's procuring, you know, an MRI from a vendor, just

795
00:50:05,320 --> 00:50:08,639
like you know, consumer goods. If you bought a computer

796
00:50:08,760 --> 00:50:12,559
from Compaq a decade ago, that company may not be

797
00:50:12,639 --> 00:50:14,119
selling any products.

798
00:50:13,679 --> 00:50:14,800
Speaker 4: Today under that brand.

799
00:50:15,159 --> 00:50:19,599
Speaker 1: They may have been acquired by somebody else, and maybe

800
00:50:19,599 --> 00:50:23,599
that company has promised to maintain those pieces of hardware,

801
00:50:24,400 --> 00:50:27,119
but they aren't necessarily on.

802
00:50:27,119 --> 00:50:29,119
Speaker 4: The hook anymore because they don't exist.

803
00:50:30,280 --> 00:50:33,239
Speaker 1: You know, I can think of dozens of computer companies

804
00:50:33,519 --> 00:50:36,199
where that has been the case over the years, and

805
00:50:36,559 --> 00:50:39,480
the consumer is kind of out of luck with a

806
00:50:39,559 --> 00:50:44,639
hospital that's procured a piece of MRI equipment. Oftentimes, small

807
00:50:44,679 --> 00:50:48,880
companies pop up like mushrooms after the rain, offering to

808
00:50:48,960 --> 00:50:54,880
maintain these systems and have procured some of the residual

809
00:50:54,960 --> 00:50:58,960
hardware that was sold off. As these companies undergo bankruptcy

810
00:50:58,960 --> 00:51:03,280
and you know, try to deal with their assets and

811
00:51:03,440 --> 00:51:06,920
balance sheets, so you end up with vendors who are

812
00:51:06,960 --> 00:51:10,079
non-OEM who are trying to maintain these things.

813
00:51:10,719 --> 00:51:13,119
Speaker 4: But that ends up being a cost plus problem.

814
00:51:13,239 --> 00:51:16,719
Speaker 1: Right, the hospital invested in the component and now they

815
00:51:16,719 --> 00:51:20,320
have to separately invest in a new vendor to maintain it.

816
00:51:20,440 --> 00:51:22,719
That's still cheaper than buying a brand new one from

817
00:51:22,760 --> 00:51:26,280
a different vendor. But that's part of the vendor qualification

818
00:51:26,400 --> 00:51:29,519
process at a hospital is making those decisions. Do we

819
00:51:29,559 --> 00:51:32,360
trust that this company will be around for a long time?

820
00:51:33,920 --> 00:51:36,000
And if we're not sure about it, does that make

821
00:51:36,039 --> 00:51:38,400
us less likely to buy from them than from

822
00:51:38,480 --> 00:51:44,880
competitor A or B. So when you talk about security, though,

823
00:51:45,880 --> 00:51:49,440
you know cybersecurity maintenance of these products comes back to

824
00:51:49,719 --> 00:51:53,760
largely to software but also to hardware, and you want

825
00:51:53,800 --> 00:51:57,800
to know that the security that's built into the system

826
00:51:58,000 --> 00:52:00,639
is reactive to all the software components. And many of

827
00:52:00,639 --> 00:52:02,960
these are off the shelf or open source and may

828
00:52:03,079 --> 00:52:07,639
eventually stop being maintained. You want your vendors to give

829
00:52:07,639 --> 00:52:11,719
you some confidence that, hey, if Windows stops maintaining an

830
00:52:11,760 --> 00:52:16,159
operating system, you can either update the operating system or

831
00:52:16,840 --> 00:52:19,519
you can take over maintenance of it. Now, do you

832
00:52:19,599 --> 00:52:23,079
really want to maintain the source code from Microsoft operating systems?

833
00:52:23,159 --> 00:52:26,519
Probably not, but there are people who can and do

834
00:52:26,679 --> 00:52:30,960
that as a service. So procurement decisions need to be

835
00:52:31,079 --> 00:52:35,719
driven by cybersecurity awareness, and there's some methods to do that.

836
00:52:35,760 --> 00:52:40,639
There's some model contract language for medical device cybersecurity out there,

837
00:52:40,639 --> 00:52:45,679
it's actually called the MC2, that enables procurers to

838
00:52:45,719 --> 00:52:51,039
make those kinds of decisions about medical device cybersecurity.

839
00:52:54,199 --> 00:52:57,039
Speaker 2: If I recall, I used this analogy in our last

840
00:52:57,039 --> 00:53:00,559
episode maybe or a recent episode, but it goes back

841
00:53:00,599 --> 00:53:05,039
to the refrigerator analogy, Andrew, what you guys were just

842
00:53:05,039 --> 00:53:08,519
talking about in the interview. If I have a refrigerator,

843
00:53:08,559 --> 00:53:12,039
it sits in my kitchen for over a decade, the

844
00:53:12,079 --> 00:53:14,480
company goes out of business in the meantime, am I

845
00:53:14,519 --> 00:53:20,280
still expected to patch? I mean what Naomi said, I

846
00:53:20,280 --> 00:53:23,719
think the analogy she used was like other companies sprout

847
00:53:23,760 --> 00:53:26,760
out to fill the gap, like mushrooms in the rain.

848
00:53:27,440 --> 00:53:30,440
Is that? But that also requires effort on my part

849
00:53:30,480 --> 00:53:33,599
to like find those companies. And it's just a weird situation.

850
00:53:34,400 --> 00:53:37,199
Speaker 3: It is a weird situation, and it's different for consumers

851
00:53:37,480 --> 00:53:44,159
versus hospitals versus, you know, industrial operations. For consumers, you know,

852
00:53:44,199 --> 00:53:46,639
I don't think the question has been answered. The CRA,

853
00:53:47,119 --> 00:53:51,199
you know, tries to protect consumers, but bluntly, when was

854
00:53:51,239 --> 00:53:53,480
the last time any of us patched our fridge? You know,

855
00:53:53,559 --> 00:53:57,440
it's not done. These patches have to be automatic or

856
00:53:57,599 --> 00:53:59,400
they're not going to happen. If the vendor goes out

857
00:53:59,400 --> 00:54:02,400
of business, who's going to take over the automatic patching system?

858
00:54:02,679 --> 00:54:07,119
You know, if I have a fridge, if I don't,

859
00:54:06,960 --> 00:54:08,800
currently my fridge is very old. If I had

860
00:54:08,800 --> 00:54:11,800
a fridge that was Internet connected and the vendor went

861
00:54:11,840 --> 00:54:16,119
out of business, I would probably you know, but this

862
00:54:16,159 --> 00:54:18,239
is me. I'm a cybersecurity guy. I would crawl behind

863
00:54:18,239 --> 00:54:20,199
the fridge and rip out the antenna so that it

864
00:54:20,679 --> 00:54:23,760
cannot be reached by the Internet anymore, because I don't

865
00:54:23,760 --> 00:54:29,440
need anybody sabotaging my fridge. Will other consumers do that?

866
00:54:29,519 --> 00:54:33,559
Probably not, but we're not talking consumers here. We're talking hospitals.

867
00:54:34,719 --> 00:54:38,000
And you know, hospitals have people on staff with some

868
00:54:38,079 --> 00:54:43,159
degree of you know, industrial cybersecurity knowledge. Take the example

869
00:54:43,199 --> 00:54:47,840
of the hospital that was hit by ransomware and

870
00:54:47,880 --> 00:54:50,800
the imaging equipment, the most vulnerable equipment had been secured

871
00:54:51,119 --> 00:54:55,639
with secondary defenses and was the least affected by the incident.

872
00:54:55,679 --> 00:55:00,280
This is commonplace in the industrial world. I hope it's

873
00:55:00,360 --> 00:55:03,719
commonplace in the world of hospitals. If you have something

874
00:55:03,760 --> 00:55:06,639
where you know the vendor's gone out of business, you know,

875
00:55:07,280 --> 00:55:10,320
you know it's not going to get patched anymore. It

876
00:55:10,480 --> 00:55:15,000
sounds like hospitals already know enough to put secondary defenses

877
00:55:15,039 --> 00:55:16,800
in place. I'm not sure they need to go to

878
00:55:16,840 --> 00:55:19,400
a secondary market to buy patches. I'm not sure it's

879
00:55:19,639 --> 00:55:22,960
practical to buy those patches. You know, secondary vendors might

880
00:55:22,960 --> 00:55:26,199
pop up like mushrooms in the rain. But it's one

881
00:55:26,199 --> 00:55:28,480
thing to take the source code and say, oh, here's

882
00:55:28,480 --> 00:55:30,480
a vulnerability. Let me change the source code so that,

883
00:55:30,559 --> 00:55:32,519
you know, I check for the size of the buffer

884
00:55:32,519 --> 00:55:35,280
before I write into it. It's another thing to say, okay,

885
00:55:35,320 --> 00:55:38,199
I've changed the source code. Now the device is still secure. Rather,

886
00:55:38,239 --> 00:55:42,320
it's still safe. Well, you have to test the device. Well,

887
00:55:42,360 --> 00:55:44,599
do you have the hardware? Do I have an MRI

888
00:55:45,000 --> 00:55:49,000
in, you know? Can I go to the business

889
00:55:49,000 --> 00:55:50,760
that's gone out of business and buy all of their

890
00:55:50,880 --> 00:55:53,719
MRIs and set them up in my garage so I

891
00:55:53,719 --> 00:55:57,199
can test the software before I release it and say

892
00:55:57,199 --> 00:56:01,360
it's safe. You know, it starts to fall apart

893
00:56:01,400 --> 00:56:05,239
and again in the industrial world, we routinely apply secondary

894
00:56:05,280 --> 00:56:13,880
defenses, bluntly. In a lot of industries, yeah, the law

895
00:56:14,000 --> 00:56:17,320
might require the vendor to produce patches hither and yon,

896
00:56:18,320 --> 00:56:22,519
and those patches never get applied because long ago the

897
00:56:22,559 --> 00:56:25,800
industry said nuts to this. These devices, you know, even

898
00:56:25,880 --> 00:56:29,559
if they're fully patched, are still too sensitive, and so

899
00:56:29,639 --> 00:56:33,000
they put additional layers of defenses in. They put unidirectional

900
00:56:33,000 --> 00:56:36,119
gateways, they put firewalls, they put encryption, they put VPNs,

901
00:56:36,639 --> 00:56:39,920
and make the devices just that much harder to compromise

902
00:56:40,000 --> 00:56:43,880
through these secondary defenses. You know, it's frustrating for vendors

903
00:56:44,039 --> 00:56:46,599
to produce patches that no one's ever going to use.

904
00:56:46,920 --> 00:56:49,840
I don't think the question has been answered. It sounds like,

905
00:56:49,960 --> 00:56:51,920
you know, what Naomi's telling us is that there's this

906
00:56:52,039 --> 00:56:56,760
same tension, the same debate, if you like, to some

907
00:56:56,880 --> 00:56:59,280
extent or another, going on in the medical device industry

908
00:56:59,320 --> 00:57:03,519
as there is in every other industry that patches physical

909
00:57:03,880 --> 00:57:09,679
devices. Thank you so much, Naomi, for joining us.

910
00:57:10,400 --> 00:57:12,320
You know, before I let you go, can I ask you,

911
00:57:12,320 --> 00:57:13,880
you know, can you sum up for our listeners? What

912
00:57:14,239 --> 00:57:16,480
are the key lessons here in the world of medical

913
00:57:16,480 --> 00:57:17,639
device cybersecurity.

914
00:57:18,679 --> 00:57:21,199
Speaker 1: So there are a couple of key takeaways. The first

915
00:57:21,199 --> 00:57:25,239
one is when you're designing new medical devices, or if

916
00:57:25,280 --> 00:57:27,639
you're in the middle of designing a medical device today

917
00:57:27,719 --> 00:57:32,840
and you're partly into the development timeline, have you thought

918
00:57:32,880 --> 00:57:37,119
about security? Have you designed security into your medical device?

919
00:57:38,280 --> 00:57:41,639
It's never too late to add security, but it's really

920
00:57:41,760 --> 00:57:45,440
best done at the beginning of the design process. It

921
00:57:45,559 --> 00:57:49,840
is more functional and more operational and more effective if

922
00:57:49,880 --> 00:57:53,679
it's designed in from day one. You can tack it

923
00:57:53,719 --> 00:57:57,800
on towards the end, but it's not ideal in

924
00:57:57,880 --> 00:58:00,639
that way. If you're struggling to understand how to

925
00:58:00,719 --> 00:58:03,320
do that, if you're a very small company and you

926
00:58:03,360 --> 00:58:08,000
don't have any security staff, find help. Get help in

927
00:58:08,119 --> 00:58:11,599
understanding how to secure your devices. Get design help, get

928
00:58:11,639 --> 00:58:17,440
implementation help, get documentation help. Because this reduces your company's

929
00:58:17,559 --> 00:58:20,760
overall risk in the long term. It reduces the risk

930
00:58:20,840 --> 00:58:24,920
to your users, to the patients who are affected, and

931
00:58:25,079 --> 00:58:28,679
it reduces your reputational and your business risk, and these

932
00:58:28,679 --> 00:58:32,880
are all important things. Documenting your approach well is especially

933
00:58:32,960 --> 00:58:36,880
important because regulatory bodies are really ramping up their scrutiny.

934
00:58:37,360 --> 00:58:39,920
Before you can go to market, you have to convince

935
00:58:40,400 --> 00:58:44,480
not only the US FDA and Health Canada, but the

936
00:58:44,719 --> 00:58:48,760
notified bodies under EU MDR or IVDR that you have

937
00:58:49,079 --> 00:58:53,079
actually done secure by design and that you can maintain

938
00:58:53,159 --> 00:58:56,599
this thing for its lifespan, so it's pre market and

939
00:58:56,679 --> 00:59:01,199
it's also post market. What other things can you think about?

940
00:59:01,960 --> 00:59:05,199
Speaker 4: Educate yourself. You can download white.

941
00:59:05,000 --> 00:59:09,000
Speaker 1: Papers at medcrypt.com. We have a YouTube channel.

942
00:59:09,360 --> 00:59:12,920
Just search on YouTube for Medcrypt. We have an entire

943
00:59:13,239 --> 00:59:16,840
span of webinars that we have offered. They are free.

944
00:59:17,360 --> 00:59:20,519
We want to educate people, so the information is out

945
00:59:20,519 --> 00:59:25,599
there and available no paywall, so that people understand what

946
00:59:25,760 --> 00:59:28,679
is expected by the regulatory body, what is expected by

947
00:59:28,719 --> 00:59:32,880
your customers, the hospitals out there that are really sophisticated

948
00:59:32,960 --> 00:59:37,559
or asking difficult questions during procurement. Make sure you've got

949
00:59:37,559 --> 00:59:40,960
your device secure today and that you can maintain it,

950
00:59:41,400 --> 00:59:45,000
because if you can't maintain its security, you could be

951
00:59:45,800 --> 00:59:51,480
subject to liability issues, and you could have patient data breaches,

952
00:59:52,000 --> 00:59:54,239
and all of these things lead to other risks with

953
00:59:54,360 --> 00:59:56,159
other regulatory bodies.

954
00:59:55,800 --> 00:59:56,840
Speaker 4: Than the FDA.

955
00:59:57,000 --> 01:00:00,840
Speaker 1: So really secure your systems. If you need help, find somebody,

956
01:00:00,920 --> 01:00:03,760
find a professional who can help you do it. If

957
01:00:03,800 --> 01:00:07,679
you need to educate your staff and your stakeholders, pull

958
01:00:07,760 --> 01:00:12,719
from our vast repo of webinars, white papers, blog posts

959
01:00:13,119 --> 01:00:16,320
and learn about it and understand what is possible.

960
01:00:19,679 --> 01:00:22,480
Speaker 2: So that just about does it, Andrew, for your interview

961
01:00:22,559 --> 01:00:26,000
with Naomi. As usual, is there a word you would

962
01:00:26,039 --> 01:00:27,400
like to take us out with today?

963
01:00:27,800 --> 01:00:32,679
Speaker 3: Yeah, I mean a few things. Regulations in the space seem,

964
01:00:33,719 --> 01:00:37,159
on the surface, seem rather more intense than I see

965
01:00:37,320 --> 01:00:44,119
in other industries and critical infrastructures. So I kind of

966
01:00:44,159 --> 01:00:47,760
expected that, but you know that, you know, Naomi's confirmed that.

967
01:00:49,840 --> 01:00:52,440
I heard Naomi use and you know, echo the language

968
01:00:52,440 --> 01:00:56,639
and the regulations talking about confidentiality, integrity, availability, that is

969
01:00:56,679 --> 01:01:00,199
sort of first-generation terminology, and in industrial security

970
01:01:00,199 --> 01:01:04,159
we've since moved on saying, you know, it's not primarily

971
01:01:04,199 --> 01:01:07,440
information that's the asset, it's the physical asset. What we

972
01:01:07,519 --> 01:01:10,679
need to assure is safe, reliable and efficient operation of

973
01:01:10,760 --> 01:01:17,000
the physical asset. And you know cybersecurity is essential to

974
01:01:17,119 --> 01:01:22,280
that operation. You know, I would have, you know,

975
01:01:22,519 --> 01:01:24,880
to me, it would make more sense if you had

976
01:01:25,039 --> 01:01:28,440
terminology like that in the medical space as well. And

977
01:01:28,480 --> 01:01:31,039
I actually heard Naomi say something earlier in

978
01:01:31,039 --> 01:01:33,800
the interview that I wanted to repeat here.

979
01:01:33,880 --> 01:01:37,880
She talked about, you know, medical devices must be safe,

980
01:01:38,599 --> 01:01:43,800
effective and secure. So safe, yes, you know, the Hippocratic

981
01:01:44,119 --> 01:01:48,000
you know, first cause no harm. Effective is sort of

982
01:01:48,079 --> 01:01:51,239
the domain of the FDA. You're not allowed to sell devices.

983
01:01:51,239 --> 01:01:52,800
You're not allowed to be a quack and be out

984
01:01:52,800 --> 01:01:56,360
there selling a magic elixir that does nothing. If you

985
01:01:56,400 --> 01:01:58,360
want to sell a medical device, it has to be

986
01:01:58,440 --> 01:02:01,840
effective for the purpose that you advertise it. That

987
01:02:01,880 --> 01:02:07,800
makes sense, and secure sort of wraps up. It's sort

988
01:02:07,800 --> 01:02:10,280
of a recursive definition. But you know, I understand that

989
01:02:10,320 --> 01:02:15,760
there's elements of confidentiality, there's elements of you know, sabotage prevention.

990
01:02:15,880 --> 01:02:20,239
We've got to prevent sabotage that renders the device unsafe

991
01:02:20,719 --> 01:02:25,239
or that you know, deliberate misoperation that renders the device ineffective.

992
01:02:25,840 --> 01:02:28,719
To me, that language makes more sense, So I would,

993
01:02:28,840 --> 01:02:34,039
you know, I would you know, hope that over time

994
01:02:34,079 --> 01:02:36,760
that the industry evolves its language as well

995
01:02:36,800 --> 01:02:40,039
to make sense to mere mortals like me. But you know,

996
01:02:40,280 --> 01:02:42,280
she did say those words. That's something I've

997
01:02:42,280 --> 01:02:44,920
been pondering. So that's what I took away

998
01:02:44,920 --> 01:02:47,320
from it there. You know, it's an intense environment.

999
01:02:47,360 --> 01:02:50,639
Cybersecurity is important. There's a lot of similarities, especially on

1000
01:02:50,679 --> 01:02:53,000
the patching side, with debates that are going on in

1001
01:02:53,039 --> 01:02:56,960
the industrial space, and you know, safe, effective and secure

1002
01:02:57,079 --> 01:02:59,480
is something I'm going to think about, as you know,

1003
01:03:00,400 --> 01:03:03,559
should these really be the right guiding principles? Is

1004
01:03:03,559 --> 01:03:06,559
this debate even happening in the space? You know, I look,

1005
01:03:06,800 --> 01:03:09,400
if there's other practitioners out there, reach out. I'm on LinkedIn.

1006
01:03:09,840 --> 01:03:12,880
You know, we'd love to have other perspectives on the show. So,

1007
01:03:13,000 --> 01:03:14,719
you know, thank you to Naomi, thank you to you.

1008
01:03:15,079 --> 01:03:17,960
Speaker 2: Yeah, thank you to Naomi and Andrew, thank you.

1009
01:03:17,960 --> 01:03:20,400
Speaker 3: As always, it's been a great pleasure. Thank you.

1010
01:03:20,840 --> 01:03:25,079
Speaker 2: This has been the Industrial Security podcast from Waterfall. Thanks

1011
01:03:25,079 --> 01:03:26,920
to everyone out there listen

