Recently, Seth Carmody left his post as cybersecurity program manager in the Office of the Center Director, Emergency Preparedness/Operations & Medical Countermeasures, within the U.S. FDA’s Center for Devices and Radiological Health, to join San Diego-based healthcare security provider MedCrypt Inc. In his new role as vice president of regulatory strategy at MedCrypt, Carmody is responsible for engaging with and bringing in new customers while establishing long-term client relationships.
Here, Carmody sits down with 24×7 Magazine to discuss how the medical device sector is faring from a cybersecurity perspective and what he wants to tell device manufacturers about being more cyber-secure.
24×7 Magazine: You recently made the jump from an eight-year career with the FDA to a tech startup. What urged this move?
Seth Carmody: While it was hard leaving a place where I worked with amazing people and had a tangible impact on public health, I’m a big believer in the power of technology. The tech community provides an opportunity to solve cybersecurity problems at scale, and I wanted to be a part of that. Rather than trying to make everyone cybersecurity experts, it’s swifter to use tech to make cybersecurity easier for the builders of innovative products, so that our healthcare community can focus on delivering optimal healthcare.
24×7: What will your new role with MedCrypt entail? What goals have you set?
Carmody: Security is hard, and I want to make it easier. As a society, we build and rely on technology where security is an afterthought. Moving upstream in the supply chain provides me the opportunity to solve a vexing economic question that’s plagued all of software development: How do we make security an economic no-brainer?
24×7: In your opinion, whose responsibility is it to keep healthcare technology secure?
Carmody: The responsibility is shared across the industry, yet there are certain players that can have a larger impact on the state of cybersecurity if they make it a top priority. When cybersecurity is built directly into medical devices, no other group or organization has to worry about the matter once it’s shipped from the device vendor.
24×7: What do you believe we can expect to come next from the FDA in terms of cybersecurity guidelines for medical devices?
Carmody: When I was at the FDA, we sought to continually raise the bar for security by building innovative policy, sound legislation, and impactful partnerships. The FDA has a dedicated and passionate team and I expect the bar to continue to rise. More specifically, I think we can expect an update to the premarket cybersecurity guidance in 2020 and an increased focus on adequate cybersecurity for premarket devices.
24×7: At this moment, how prepared is the industry to face malware attacks on medical devices? If not “very,” what needs to happen to get sufficient protection?
Carmody: Unfortunately, not very. Healthcare has brilliant, dedicated, and hard-working folks and we as a society have put them at a disadvantage. The attack surface is too large and not sustainable, leaving physicians unable to focus 100% of their attention on patients and patients on getting better. Everyone in the healthcare tech supply chain must step up for us to see impactful and widespread improvement.
24×7: What is the No. 1 piece of advice you would give to a medical device vendor looking to ramp up its cybersecurity?
Carmody: Security has no panacea. Some vendors will choose to gamble that the FDA and their customers won’t notice an inattention to security, yet they’ll lose. It requires unbreakable commitment from the board to the engineers, and the timing is right for medical device vendors to build security in and avoid delays to market.