By Andrew Tunnicliffe
If you’d asked a young Axel Wirth what he wanted to be when he grew up, it’s unlikely he would’ve mentioned becoming one of HTM’s heroes. But after almost four decades in the field, that is indeed what he has become. Not that he’s ready to hang up his hat yet. Wirth’s ultimate goal: to make healthcare a safer space by protecting patients from ever-growing cyber threats.
“There’s a lot happening in technology today; devices themselves and how we use them are fundamentally changing.” It’s a statement that, at first glance, seems obvious. It’s a statement many professionals could make, from any number of industries, and be accurate. However, it’s a statement that arguably holds much more weight coming from someone as knowledgeable as Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS.
An Industry Pioneer
Wirth has spent his entire career working, in some way, with medical equipment. Today he is one of the country’s most renowned cybersecurity experts specializing in healthcare. By his own admission, however, he’s worked in many and varied roles; but that’s understandable given that when he started out, clinical engineering as we know it today didn’t exist. In fact, he initially trained as an electrical engineer, graduating from the University of Applied Sciences in Dusseldorf, Germany.
His foray into medicine was the result of a chance glance at a newspaper. “After I got my degree, I had one of those ‘what to do next?’ moments. By coincidence, I read this article in the weekend paper about medical imaging, which back then was pretty much X-ray; advanced imaging technologies like CT and MRI didn’t even exist,” he says. And so it began, a career that commenced in the early ’80s and continues today.
After a short stint working in the U.S., Wirth returned to his native Germany before heading back to the states. That journey took him from working in electrical engineering in its traditional form—designing components—to research and eventually into product management and later business development.
In 2008, Wirth embarked on the next stage of his career—and the one’s he’s perhaps best known for: joining cybersecurity company Symantec. “I was actually offered to help develop their healthcare cybersecurity business, which I thought sounded pretty interesting,” he says. “Little did I know how interesting it would become.”
Around the same time Wirth was settling into his new role at Synamtec, Kevin Fu, then at UMass Amherst, and colleagues were highlighting medical devices’ vulnerabilities to cyberattacks. Fu, a true pioneer in the field, published the first medical device hack in 2008 and later warned: “Cybersecurity shortfalls in medical devices trace to decisions made during early engineering and design. The industry is now paying the cybersecurity ‘technical debt’ for this short-sightedness.”
Suffice it to say that these cyber concerns have grown—exponentially—since Fu identified them more than a decade ago. “Devices are moving out of the hospital and into the patient’s home,” Wirth says. “Devices and consumer systems like smartphones and fitness trackers, all of the sudden, have started to intermingle, crossing borders between regulated, traditional medical devices and consumer ones, with significant implications to cybersecurity.”
He believes those “very fundamental” changes are requiring all healthcare technology managers (HTMs) to “take a stake of their careers and see where they are going.” But, he adds, the profession and, indeed, the healthcare sector is changing. Specifically, it’s now dominated by more reliable, easier-to-maintain devices, according to Wirth. The emphasis for HTMs, therefore, he says, must be on the diversity of equipment and networks they occupy.
“As far as HTMs are concerned, I see two major changes going on right now: The foremost priority is to understand that your career is changing toward the direction of a systems engineer, as well as recognize the importance of cybersecurity in your career. Educate yourself; understand the topic,” Wirth urges.
In 2009 he saw the potential of flaws in cybersecurity and the impact they could have on patients and their caregivers. In his early days with Symantec, Wirth says a client fell victim to a major malware outbreak on a specific type of networked medical devices that forced the provider to fall back to manual process across multiple locations—an incident that first drew his attention to this important issue.
Today, that danger has only grown, albeit perhaps unintentionally. In fact, Wirth believes an attack that “coincidently” affects medical devices is more likely to occur; attackers might find a device that looks more favorable and easier to exploit, without realizing what the device actually is.
“They may then do something to the medical device like install ransomware or use it as a beachhead for an attack. That could harm a patient, even though it was not their intention,” he says. Evidence backs up his theory: “We have seen reports about medical devices being hacked into to gain access to the rest of the network,” Wirth says. “So, they’re not the target, but they were an easy entry point because of their relative insecurity.”
Although not deliberately targeted, the UK’s National Health Service (NHS) became victim to the WannaCry attack in 2017. WannaCry, which wreaked havoc for many days after the global ransomware attack, cost the NHS upwards of £92 million, according to UK government estimates. As well as hitting hospital IT systems, the attack was also believed to have affected a handful of medical devices. “Again, that was not because anybody was targeting medical devices or, in this example, not even targeting healthcare or the NHS,” says Wirth. “But NHS IT systems and medical devices were caught up in it because they fit the profile of the attack.”
Given these challenges, as well as the ever-growing complexities of the HTM field, Wirth believes an appetite to learn is a “career-determining factor.” For his part, he says he’s committed to bringing his vast cybersecurity knowledge to the profession—a goal he will no doubt accomplish in his new role at MedCrypt. Wirth joined the start-up healthcare technology security firm in September, taking the reins as chief security strategist.
“I’m at a point in my career where I can take my entire background, my experience, and apply it to the industry with the purpose of making it more secure and, therefore, a safer place for patients,” Wirth says. He feels that although cybersecurity awareness is increasing, it doesn’t yet receive the attention it deserves—something he hopes to address through his teachings, writings, and presentations to his fellow HTM professionals.
Life-Long Learning
Wirth’s career has, by his own admission, had several distinctly different phases—each with its own set of challenges: “I’ve been through many career switches, from health technology to cybersecurity, hardware to software, from Germany to the U.S., from engineering to business roles; those were all unique challenges. But, in the end, I think they made me who I am today. They instilled in me an appreciation of life-long learning and understanding that with every challenge comes an opportunity to grow.”
Judging by his record, however, he’s risen to every challenge, gaining respect and acknowledgement from the industry he loves. Some of the accolades Wirth has received include winning the ACCE-HIMSS Excellence in Clinical Engineering and IT Synergies Award, as well as ACCE’s Clinical Engineering Advocacy Award. He has also been named a Fellow by AAMI and HIMSS, honors he describes as moments of professional pride.
Wirth seems to have passed on the healthcare gene to his kids. Living just outside of Boston, Wirth’s two adult children work in life sciences—his daughter as a nurse and his son as a biologist—and his wife works in the mental health field. Not that it’s all work and no play in his household. To exercise the “non-technical” part of his mind, as he puts it, Wirth enjoys hiking, biking, and walking his beloved dogs. Cooking is another passion of his.
Vocation-wise though, Wirth believes his career has come “full circle” in recent years. “I started out designing medical devices, then transitioned to IT and cybersecurity, and all of a sudden I was back to dealing with the device problem; that topic has been with me pretty much ever since,” he says. Laughing, he recalls the very first piece of software program he wrote during his college days, using punch tape technology to program a room-filling mainframe. “I’ve been around a little bit,” he intones.
With such an extensive background, one might think he’s ready to slow down a bit. Not at all. Aside from the passion with which he speaks of his new role with MedCrypt, he also teaches a medical device cybersecurity course for clinical engineering graduate students at the University of Connecticut.
And, Wirth believes there is still more to do, for him personally and for the industry as a whole. MedCrypt, Wirth says, aims to help medical device manufacturers design proactive security solutions into their devices. “We have been trying to change the paradigm in the industry, to really move toward more secure devices rather than a reactive behavior of response to incidents and vulnerabilities,” he says.
To that end, he calls on the HTM industry to do more. He urges it to become proactive and really challenge manufacturers to deliver more secure equipment, rather than viewing security as something you deal with later. “You need to build good working relationships with the manufacturers and you need to be ready to challenge manufacturers if you don’t get the support you need,” Wirth says.
His biggest hope: “That we, as an industry, arrive at a more secure place where cybersecurity is addressed on a practical, technical, and tactical level.” Of course, he concedes, security risks can never be zero; but he believes that by working together to provide more secure devices and training users how to properly handle them, hospitals may be able to thwart future attacks.It’s imperative, Wirth says. After all, “we are all patients.”
Andrew Tunnicliffe is a contributing writer for 24×7 Magazine. Questions and comments can be directed to chief editor Keri Forsythe-Stephens at [email protected].