Join 24×7 chief editor Keri Forsythe-Stephens as she sits down with cybersecurity expert Scott Trevino to discuss medical device cybersecurity. As senior vice president for cybersecurity at clinical asset management service provider TRIMEDX, Trevino describes how he tracks cybersecurity trends, with a particular focus on medical devices, and his role in developing TRIMEDX’s cybersecurity solutions for its clients.

The podcast surveys the current state of healthcare cybersecurity. Trevino points out that the healthcare industry, and medical devices in particular, has lagged well behind other critical infrastructure sectors in cybersecurity maturity. He cites statistics showing a more than 200% increase in ransomware attacks on healthcare in the past five years.

He also highlights the severe impact of cyberattacks on patient care, clinicians, and HTM professionals. Trevino emphasizes that delays in treatment due to cyber incidents result in a 30%-plus increase in direct patient harm or complications, profoundly affecting patient outcomes.

The conversation turns to the legislation and regulations surrounding medical device cybersecurity. And Trevino discusses the recent legislative actions empowering the U.S. FDA to enforce cybersecurity requirements on medical device manufacturers. However, he warns against relying solely on legislation and encourages healthcare providers to proactively assess and improve their cybersecurity practices.

Finally, Trevino describes a new TRIMEDX cybersecurity offering called Vigilor. It provides medical device cybersecurity services to hospitals, including those that do not use TRIMEDX’s clinical engineering program. Trevino explains how Vigilor works alongside existing biomed teams and IT departments to assess risk and drive improvement. To learn more about Vigilor from TRIMEDX or to request a Cyber Current State Assessment, visit trimedx.com/cybersecurity.

Podcast Transcript

Keri Stephens:

Hello and welcome to the 24×7 podcast on the MEDQOR Podcast Network. I’m Keri Stephens, the chief editor of 24×7. Today I’m joined by an excellent guest, Scott Trevino, who serves as Senior Vice President of Cybersecurity at TRIMEDX. Cybersecurity is certainly the issue that keeps 24×7 readers and listeners up at night most, so I’m really excited to have an expert like Scott to talk about what’s new in medical device cybersecurity. Scott, welcome.

Scott Trevino:

Thanks for having me. Glad to be here.

Keri Stephens:

We’re really glad to have you too. Can you talk about your role at TRIMEDX and what you do exactly?

Scott Trevino:

Sure. I’m the Senior Vice President for Cybersecurity, and I do a few different things. One, I try and stay on top of cybersecurity trends, in particular focused on medical devices. And I’m also responsible for building out our latest solution on cybersecurity that we offer to our current and future clients.

Keri Stephens:

Great. I really want to get into the bulk of the podcast because cybersecurity is such a big issue in healthcare, especially medical devices. What things are you seeing right now in terms of healthcare cybersecurity? What trends are you seeing, and how are health systems seeing an impact?

Scott Trevino:

Cybersecurity is critical for healthcare. Of the critical infrastructure sectors in the US, what I would say is healthcare is by far the furthest behind, the least mature, and it’s evidenced by a number of trends I’ll hit on. Number one, and I’ll throw a few numbers out there, there’s a ton: the increase in ransomware attacks in the last five years is up over 200% in healthcare. You juxtapose that with some of the other macro trends that are happening in healthcare, where you have staffing shortages, increased costs across the board, 33% of hospitals operating on negative margins, and you have a 200% increase in attacks on top of it. It’s a challenging environment. And one other piece I’ll highlight, to put it into real terms that you can grasp easily: how many attacks happen per week on a health system generally? From 2021 to 2022, it went up 86%.

Scott Trevino:

That’s 750-plus attacks a week to over 1,400 attacks a week. And there are a number of reasons for that, I would say. Attackers wouldn’t be increasing their attacks if it wasn’t fruitful, if there wasn’t a return on the invested risk. The benefits are there, the likelihood of success is there, and you may say, “Well, why is that?” We can go into that in a bit more detail, but I’ll just hit on a couple of things. One, medical devices haven’t been designed as rigorously with cybersecurity in mind, even though the technology has evolved to be networked, and there hasn’t been a lot of enforcement of good design practices around that from a regulatory standpoint to date.

Scott Trevino:

We can talk about some changes there. The other piece I would say is it takes a robust combination of the right people, process and technology, both the devices as well as cybersecurity technology. At a high level, those are a couple of the key data points. And maybe I’ll just leave with one final one. I said healthcare is the most attacked critical infrastructure from a cyber standpoint; it’s also got the highest cost per breach, at over $10 million per breach. There’s a real dollar impact here that’s significant. And if you extrapolate that, the latest stat I have is almost $8 billion of impact to healthcare. That’s what’s going on at a high level.

Keri Stephens:

How are these disruptions impacting patient care, the clinicians caring for them and the biomeds serving the hospitals?

Scott Trevino:

That’s an excellent question. At the highest level, what I talk about a lot is that delay of treatment is a harm. And that’s one of the biggest disruptions from just a practical standpoint: rescheduling, delays in treatment or test results. In fact, a recent survey shows that of those attacked, about 70% reported delays in treatment and test results. And what’s really significant about that is that it’s directly correlated with a 30-plus percent increase in direct patient harm or complications with the procedure.

Scott Trevino:

There is a real patient impact, and of that same group, about 65% reported an increase in rerouting patients. Just imagine you’re in an area where you need level one trauma support, you’re on an ambulance route, and that facility suffered a ransomware cyber attack and had to shut down its ER. Where are you going to go? You may have to settle for a less than level one treatment center, or you may have to take an extra hour, 40 minutes, 30 minutes, 20 minutes, and every minute counts when you need that kind of support. Those are the type of impacts that I think paint the right picture for what cyber can do to the patient. And just imagine even the simple ones: if the operational technology in a hospital is disrupted, can you move patients between floors if the elevators aren’t working? I think those paint a real picture.

Keri Stephens:

In your role at TRIMEDX, how are you seeing hospitals respond to these trends and challenges?

Scott Trevino:

There’s an extreme amount of interest in cybersecurity for all the reasons I’ve mentioned. It’s real. When you’re getting an 86% increase in attacks on a weekly basis, people are feeling it. I would say folks are responding by assessing their current state, trying to understand what needs to be done based on where they are. And there’s a whole spectrum, as you would expect in a diverse industry and environment. From a continuum perspective, you may have those that are pretty rigorous, with a robust cybersecurity program that covers the entire healthcare ecosystem, including medical devices, to those that maybe are just beginning the journey. And it varies across the board. What I like to say when talking to folks is to try and understand where they’re at; you meet them where they’re at because it’s a journey. It never stops. There’s no perfect security. It’s always an effort to move ahead and evolve. That’s what I like to share with folks, which is it’s not an assessment of good or bad: where are you at, where can you get better, and where should you get better.

Keri Stephens:

There’s obviously an interest in this topic at the federal level. What are you seeing and hearing in terms of legislation, and what does this mean moving forward?

Scott Trevino:

Terrific. There’s a lot going on here. I’ll paint a broad picture and then maybe get specific, and maybe my teaser is this: there’s been recent legislation passed with the omnibus bill that really takes action on cybersecurity and empowers the FDA. But what I think is important to paint here is that in recent years, going back from 2021 to today, there have been four pieces of legislation passed. And prior to that, if we look at the timeframe from, say, 2000 through 2021, there were only a few pieces of legislation, about the same amount, over a 10-11 year period. In the last two years we see four significant pieces of legislation. There’s a true acceleration. I would say legislators, and you probably see this on the news, you see this in the magazines or the articles you read, have cybersecurity top of mind, and in particular in healthcare; you can’t shake a stick without seeing an article about cyber attacks or cybersecurity.

Scott Trevino:

The legislators are responding. And what I would say is the initial legislation from 2000 to 2021 or so was really institutional, broad cybersecurity legislation that puts in place the foundations for government working within government: basic requirements for reporting, allowing the creation of consensus standards, for instance, allowing for communication and requiring some basic standards within government, and then how government works with the private sector. Those are all good and important and required to grease the skids for work, but they’re not real tactical, or what I’d like to say is practical. In the most recent couple of years, there’s been a few pieces of legislation that have done basically the same. I said there were four things passed in the last two years. There was the State and Local Government Cybersecurity Act, which is again basically about the government, DHS, doing cyber assessments and providing assistance and some grants.

Scott Trevino:

There was CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, which required reporting of attacks to CISA within 72 hours and ransomware payments reported within 24 hours. And then the Strengthening American Cybersecurity Act happened in 2022, which again is about critical infrastructure and mandates that not only does critical infrastructure have to report to CISA, but civilian agencies as well. Those again are all foundational things that don’t have a specific or immediate direct impact on medical devices, although healthcare as a critical infrastructure is involved.

Scott Trevino:

But this year, in 2023, the Consolidated Appropriations Act, that’s the fourth piece of legislation passed in the last two years or so, really put in some specifics around cybersecurity for medical devices. It empowered the FDA to act on these requirements. And these requirements, at a high level, require that OEMs ensure medical devices are secure as part of their pre-market approval process. When an OEM builds a new device, they submit it and have some requirements there. That paints sort of the landscape at a high level. And I’ll pause there, Keri, and see where we want to go next.

Keri Stephens:

I want to talk more about how the legislation’s impacting the healthcare provider. How exactly is it impacting the healthcare provider, the ISOs, the manufacturers? I know you got into how it’s going to affect manufacturers with the new equipment, and how much can health systems rely on legislation and regulations to guide their cybersecurity practices?

Scott Trevino:

That’s excellent. And if you could indulge me, I’ll give a little bit more detail on an overview of what the legislation is to highlight exactly what those impacts are to the healthcare providers. I mentioned the FDA is empowered to act, but what does that really mean? The FDA, when looking at these new submissions, will look for requirements that show an SBOM, for instance, in the device, a software bill of materials. Essentially it’s just like a bill of materials for when you receive something on your dock or at home. What’s in the box? And this is essentially the same thing: what is the composition of my device in terms of its software? What off-the-shelf software components? What open source code, what software of unknown provenance, or SOUP, is in there? That sort of stuff. That’s a requirement.

Scott Trevino:

A plan to address vulnerabilities in those devices, to monitor, identify and respond, is also another requirement. Those are pre-market requirements, part of the design of the device, but there are also post-market requirements. The OEM needs to show how they’ll disclose vulnerabilities; they’re required to disclose and do it in a coordinated fashion and ensure devices are secure through updates and patches. Those are the pre- and post-market requirements that come in this, that the FDA will enforce. There are also some things where the FDA is funded and required to provide new resources. The GAO, the Government Accountability Office, is required to provide a report on the challenges in cyber across the board as well within the first year, and then an update to guidance on cyber. That paints the landscape to talk about the impacts.

Scott Trevino:

And I’ll take the second question first, which is can we rely on this legislation, and should providers rely on it? I would say this is an awesome step forward in the right direction, but one of the challenges here is it’s focused entirely on new product authorizations and approvals. It’s a great start, but if we were to solely rely on this, it would take decades to turn over the installed base with these requirements. And I say that based on experience where, in some of my past roles, I’ve looked at installed bases for a broad spectrum of devices to say, if we were to hypothetically replace the installed base, how long would that take to turn over all the devices? And as we all know, medical devices have extended life spans; they’re usable for periods of time that are maybe greater than initially thought or even considered.

Scott Trevino:

We’re talking about decades before this would turn over if this law is only applied to the pre-market. When we say can we rely on that, I would say it’s a great start, we should support it, but we should push for broader application. All of these things are great, but it seems ideal that once you set up an SBOM or a disclosure standard and requirement, you would apply it not only to the new devices but to the predicate devices or predecessor devices, because you’ve got a known way to go. And it would be fairly easy to do that. Nonetheless, I would say you can’t rely on it and you need to act. How this law does impact the healthcare providers in particular, I would say is this: upfront, I highlighted a complex set of challenges that are out there.

Scott Trevino:

You’ve got that going on in the background, or as the context, I would say. You also have legacy devices. For your new devices, when you purchase them, I think one thing to consider is what has been the history of your experience with whomever you’re purchasing these devices from in terms of cybersecurity and responsiveness, the disclosure of information and patches? Are patches free? How responsive are they? Those are all things that should be considered and that should get better, but you’re still dealing with legacy devices, existing vulnerabilities, and the increasing threat landscape and cyber attack incidents. I think from a healthcare delivery organization standpoint, those are all things to consider. You can’t rely on the legislation to have an immediate impact; you should support it. It’s a great thing. New purchases, certainly, it should impact those things, but you really have to consider acting today and assessing what your current state is and addressing that, while reaping some of the benefits that will trickle down from this legislation.

Keri Stephens:

You’ve been getting into this, but I really want to get into more best practices. I know our 24×7 listeners and readers really want tangible best practices. Can you talk about some best practices or solutions that healthcare systems can take to feel more cyber secure?

Scott Trevino:

Sure, absolutely. I talk a lot about the real simple concept of people, process and technology. And one of the things that’s a challenge out there today, talking about the people perspective, is a talent shortage. There’s a huge talent shortage for cyber professionals. I think it’s estimated at just over 700,000 people in the US alone, over 3 million globally. You need talent, you need the right people, you need IT or cybersecurity professionals, which is traditionally an IT or InfoSec type of background. But you also need those folks that have biomed capability and understand how to service and maintain medical devices. And we have a shortage there as well. When you look at getting somebody with both skills, I always say you’re looking for a unicorn. And you’ve got to deal with that. I think there are some best practices there, in terms of what I would say is work to provide training, support and certification, expand the portfolio of tools in your biomed shops with a broadened IT skillset, and look to whether there are folks with traditional IT backgrounds that are interested in biomed.

Scott Trevino:

There are cross-pollination opportunities. And what I find is upskilling and training your teams is a terrific way to go. It’s a great retention mechanism. People feel valued, you’re investing in them. It’s a rewarding experience. Certainly you need to recruit with those things in mind, I think. You need those right people. You also, as a best practice, should look at how you integrate and cross-pollinate those people across organizations, between IT and the biomed teams, so they work together well. And then the other pillar here is the process standpoint. You’ve got to have the right people and then certainly the right process. I would say in a lot of cases, and certainly there’s a spectrum of where different organizations land, but in a lot of cases there aren’t robust processes in place between those organizations for medical device cybersecurity. For instance, are there documented processes or standard processes for how patching’s done?

Scott Trevino:

Who does it? When and how do you decide? How do you determine the appropriate compensating controls to apply to a medical device, and how do you apply them? Which gets outside of just the application of a validated patch. In many cases, and one of the challenges here as a quick aside is, in our experience, more than 60% of devices that are vulnerable do not have a validated patch. And to throw another incredible number out there, the FBI estimates that 53% of active medical devices have a known critical vulnerability that’s not addressed. That’s just the critical vulnerabilities. You’ve got an incredibly challenging environment out there, and not only do you have a challenge, you have a challenge getting patches, which means your devices are critically vulnerable, which necessitates the need for compensating controls and processes by which to create and implement those. And a compensating control is simply what it sounds like: it’s a mitigation, it’s not a remediation.

Scott Trevino:

It reduces the risk of that vulnerability by doing things like changing the configuration, segmenting, taking it off the network, that sort of thing. That’s an example of a process. There are also processes to manage OEM relationships for the reasons I just mentioned. There’s an incredible threat landscape out there, a huge number of vulnerabilities and vulnerable devices. You need to understand which devices are affected, how they’re affected and what the remediations are, working with the OEMs. Similarly, you need to have processes and people in place to monitor threats in the wild and sources of new intelligence around new vulnerabilities and affected devices. And those things need to be integrated and documented. The other piece here to consider is incident response and continuity of service. These are traditional procedures and are in place in almost every hospital. But what I’ve seen is, if you dig into the details, the question is to what extent do you have that for cyber incidents, how is biomed’s role and our clinical engineering team’s role identified in that, and is that part of our HTM program?

Scott Trevino:

That’s the process piece. And then finally the technology, which is critical. It’s critical to make the people doing the work and the processes that are employed as efficient as possible. And one of the things I see oftentimes is investment in technology without investment in the other two becomes shelfware or very limited in benefit. That’s one key piece to consider. It’s not unique to cybersecurity or medical devices, but it’s really evident in medical device cybersecurity. And what I would say here from a technology standpoint, and from a landscape standpoint, is that there are huge inventory inaccuracies, or another way to say it, there’s a huge opportunity to improve our inventory accuracy, and technology can help with that through deploying a medical device security platform that passively perceives what devices are on the network, identifies them, and profiles their behavior for anomalous behavior.

Scott Trevino:

Deploying that technology is a great best practice, and integrating it with the people and processes you have really helps you improve your inventory accuracy and determine not only what you have but what’s impacted when a known vulnerability exists. Because one of the tricky parts about medical devices and vulnerability management is understanding which devices are truly impacted. And a traditional inventory, traditionally from a clinical engineering program standpoint, does not capture the attributes necessary to really get down to the level of detail and precision of what the device is and whether it’s truly affected or not. Without that, you can create a lot of rework and not a true understanding of your risk profile. I think technology can help with that considerably. What I would say finally on the tech side is that integration of a security platform with the CMMS, plugging into a SOC, a security operations center, that may be monitoring, detecting threats and responding on a 24 by 7 basis, are all critical best practices.

Scott Trevino:

And at the highest level, I’d say the best practice is to assess where you are across those three pillars from a cyber standpoint in your healthcare technology management program, then identify your biggest risks and start to put a plan in place and execute on improving across those pillars. And there’s not a one-size-fits-all, because each group’s risk profile is typically unique. However, the approach I think can be standard: as I say, look at it in the ways I just mentioned, identify those issues and assess them. And you can use the NIST Cybersecurity Framework as a great place to do that if you want a reference point, a standard, well-accepted best practice for medical devices, in my opinion, and an approach to assess your current state. And it’s really about people, process and tech.

Keri Stephens:

With all that we’ve discussed today, I hear that in addition to the advanced solutions you have available to your clinical engineering clients, TRIMEDX has worked to develop and release a similar cyber offering for hospitals without TRIMEDX’s clinical engineering service solutions. Can you tell us about that right now?

Scott Trevino:

Yeah, absolutely. We’re very excited to be releasing a product called Vigilor, which is exactly that. It’s a cybersecurity solution without the TRIMEDX CE program. We come in and are able to work with the existing biomed teams, really upskill and drive cybersecurity solutions for medical devices, but also help the collaboration and work with the IT team to really coordinate between those two groups, as we talked about before, to ensure a comprehensive cybersecurity solution for medical devices, hitting on all the points that I mentioned before. And what the solution does is come in and assess the current state of your cyber program, risk-prioritize where we focus, and work together to help drive improvement along that risk continuum to address your biggest threats, improve your inventory accuracy, and manage your vulnerabilities, amongst other things, as well as improve your processes and capabilities.

Keri Stephens:

When will this be available to hospitals?

Scott Trevino:

It’s available today, and you can find out more at trimedx.com/cybersecurity, where you can get in contact with us. We’ll provide more information, have a conversation, understand what your needs might be and how we might be able to help.

Keri Stephens:

Thank you so much, Scott. This has been so informative and I know our listeners will agree. And to our listeners, thank you for joining us today. As always, be sure to subscribe to the MEDQOR Podcast Network to keep up with the latest 24×7 podcast episodes and be sure to check out 24x7mag.com for the latest industry news. Until next time, take care.
Sponsored By: TRIMEDX