    Episode 013 · October 15, 2024 · 14m listen

    Cybersecurity for Medical Devices: Protecting Human Lives | Ep. 1

    Episode Summary

    In this episode of The Med Device Cyber Podcast, host Christian Espinosa, founder and CEO of Blue Goat Cyber, is joined by his colleague Trevor, the company's Director of Medical Device Cyber Security. They delve into the critical importance of cybersecurity in the medical field, grounding the conversation in their own profound personal experiences where medical devices played a life-saving role. The discussion opens with Trevor recounting a severe case of tachycardia he experienced as a child, where his resting heart rate alarmingly reached 240 beats per minute. After undergoing heart surgery, he was required to wear a connected ECG monitor for two years. This device, which constantly tracked his heart's activity and transmitted the data to his doctor via a Bluetooth-connected phone and the cloud, was a crucial safety net. Trevor reflects on the irony and significance of now working professionally to secure the very type of technology that once protected his life, giving him a unique and deeply personal perspective on the stakes involved. Christian shares a similarly impactful story. As a physically fit Ironman triathlete, he dismissed severe leg pain as a simple muscle pull until a friend insisted he seek medical attention for potential blood clots. His skepticism was quickly dispelled when a portable Doppler ultrasound—a key medical device—diagnosed him with six life-threatening blood clots. Christian credits the device's rapid diagnostic capability with saving his life. These stories serve as the foundation for the episode's central argument: that medical device security is fundamentally different from traditional IT cybersecurity because it directly impacts patient safety. The hosts passionately argue that their mission is to ensure these vital technologies remain secure and available, as a cyberattack could lead to device recalls or malfunctions, ultimately preventing patients from receiving the care they need. 
The conversation then pivots to a detailed comparison between conventional and medical device cybersecurity. Trevor explains that while typical cybersecurity prioritizes confidentiality to prevent financial damage from data breaches, medical device security must prioritize integrity and availability. A loss of integrity, where an attacker alters patient data, could lead to a fatal misdiagnosis. A loss of availability, as seen during the WannaCry ransomware attacks that crippled hospitals, can delay critical treatment and lead to patient harm. They discuss how many medical devices run on common operating systems like Windows, making them susceptible to widespread attacks. The hosts reference historical examples, such as the vulnerability in former Vice President Dick Cheney's pacemaker which led to its replacement, and the pioneering research by Barnaby Jack who demonstrated hacking pacemakers and insulin pumps, to illustrate that these threats are not theoretical but pose a tangible, life-or-death risk.

    Key Takeaways

    • Personal experiences with life-saving medical technology, such as ECG monitors and Doppler ultrasounds, provide powerful motivation for ensuring robust cybersecurity.
    • Medical device cybersecurity fundamentally differs from traditional IT security, as the primary risk is not financial loss but direct harm to patient safety.
    • The focus of medical device security must be on integrity and availability to prevent misdiagnosis and ensure devices are functional when critically needed.
    • Many medical devices run on common operating systems like Windows, making them vulnerable to widespread malware and ransomware attacks like WannaCry.
    • The connectivity of modern medical devices, from the device to the cloud, creates a complex ecosystem where every component must be secured.
    • The potential for remote hacking of implantable devices like pacemakers and insulin pumps is a proven threat that could have lethal consequences.
    • Securing medical devices is crucial to prevent recalls and ensure that life-saving technology remains available to patients who depend on it.

    Transcript

Host: Hi, I'm Christian Espinosa. I'm the founder and CEO of Blue Goat Cyber. We do medical device cyber security. I'm here with Trevor today. Trevor, you want to do a quick intro of yourself?

Guest: Sure. Hi, I'm Trevor. I'm the Director of Medical Device Cyber Security at Blue Goat Cyber.

Host: Awesome. And medical device cyber security is one of our passions. And from what I understand, Trevor, you had some issue when you were younger where a medical device may have saved your life. Can you maybe dive into that a little bit?

Guest: Definitely. So, when I was younger, around eight or nine, I had a pretty severe case of tachycardia. I had a resting heart rate at around 240 beats per minute.

Host: 240, that's like super high, isn't it? I've never heard of that.

Guest: It's really high. And it's pretty life threatening if you don't catch it early on. But I was able to catch it pretty quickly after it happened. I went through, underwent some heart surgery, got everything all sorted out. Now, the problem with tachycardia is it tends to just come back and there's no real way of predicting whether or not it will come back. And it can come back anytime from a week after surgery to a year, two years even. Two years is typically the upper limit. But as part of that, I was wearing an ECG monitor the entire time. And this ECG monitor, I had all these electrodes hooked up to me 24/7 for two years. And it was monitoring anything to do with my heart. It was monitoring the, you know, pattern, if it went up too high, if it went down too low. And then that was going to a phone with a Bluetooth connection. That was getting uploaded to the cloud and then my doctor was able to monitor that, see if anything was out of place. And then if he was able to see something was going wrong, something was coming back, he could let me know. Luckily, that never ended up happening. I went through the whole, you know, monitoring process and it never came back. And then that's been quite some time now and I don't have anything to worry about there.

Host: Yeah, and haven't we worked on some very similar devices at Blue Goat, and made them secure?

Guest: Yeah, we've worked on both ends of the process actually. We've done some stuff with the monitoring software up in the cloud, which is pretty interesting. That's taking in the ECG data feed and performing analysis, alerting clinicians. And then we've also been able to check on some of these devices, so continuous ECG monitoring, some things of that nature. So it's kind of interesting to see every part of the process and each step. You know, this device that I'd seen so much as a kid, and now I get to know exactly how it works and get my hands on a bunch of them.

Host: Yeah, that's pretty cool. I have a story as well with medical devices a couple of years ago, about two and a half years ago. I was walking up the stairs and my leg was hurting severely. I had just worked out, did like a hundred burpees. I was in pretty good shape back then. And I thought I had just pulled a muscle, but a friend of mine told me to go to the hospital and said that I might have blood clots. And I'm like, whatever, I don't have blood clots. I'm an Ironman triathlete. I don't get blood clots. Things like this don't happen to people like me, you know? That's what I thought, but I told him I'd go to the hospital, gave him my word. I went and the doctor told me I had six blood clots. And they were able to quickly diagnose that with a Doppler, it's like a portable Doppler ultrasound. And I think that, you know, if it wasn't for that device, I may not be here today because it was able to quickly diagnose the blood clots. And it wasn't just one, it was like six in my legs, so it was pretty severe.

Host: So I'm passionate about making sure these devices stay on the market, because if somebody hacks into these devices, you know, obviously they might get recalled or taken off the market or give a misdiagnosis. And one interesting thing about you, Trevor, is we both do extreme sports, and extreme sports is about reducing risk, and cybersecurity is about reducing risk, and ultimately we're trying to reduce the risk for medical device manufacturers and make sure these devices are secure and they can enhance, you know, patient care. So that's a little bit about Trevor. I met Trevor through his dad; he and his dad rock climb. We were doing a rock climb together here in Arizona, so it's kind of interesting. You want to talk a little bit, Trevor, about the difference in normal cybersecurity, as we like to say, versus medical device cybersecurity? We kind of talked about it a little bit in terms of risk, but what would you say the differences are between the two?

Guest: I think one of the big distinctions is a typical cybersecurity risk is usually going to be the financial impact. So, what happens if, you know, XYZ company gets breached, they have data loss, they can lose, you know, sensitive information to the company, they can get exposed to lawsuits, and often cyber events are extremely, extremely expensive, costing upwards of hundreds of millions of dollars for certain organizations. Now, the impact with a medical device can be life or death, and it can be life or death in immediate circumstances. If a life support system or a vital monitoring system goes offline because of a cyberattack, people can die very quickly. And, in the same way, you know, kind of going off of your blood clot example, if that device was not available, or if someone was able to manipulate the data coming in and out of it, you might not have been properly diagnosed in time, or if it was unavailable, you might not have been diagnosed at all, and that could have led to a lot of pretty bad circumstances. So the real impact can be extremely severe with a medical device. And of course, it can range pretty wildly, but that's part of what's so interesting about medical device security: how wide of a field it is, how many different devices there are, how much different functionality can be under a medical device. And as a result, knowing what different things you're going to have to secure there.

Host: Yeah, and you hit it on the head there where ultimately the risk is greater with medical devices because the impact affects patient safety, which could result in a death. Whereas with normal cybersecurity, the impact typically is some loss of confidentiality, or a data breach or something along those lines. Like the MGM data breach might be a good example of that, versus WannaCry, which is a pretty good example in healthcare. And a lot of people didn't understand WannaCry, and what are the things that happen with ransomware such as WannaCry. If it affects medical devices, or even a hospital environment, and the systems are inoperable, if a patient arrives, let's say with a heart attack via an ambulance, and their intake is delayed because the hospital's systems have ransomware on them, that patient can die because every second counts if someone has a heart attack. Or if the medical device that's used to help diagnose that patient is unavailable because it has ransomware, then that could have dire ramifications as well. And didn't you do a lot of research on WannaCry?

Guest: Yeah, it's a really interesting vulnerability. So that was a pretty prolific bug. It affected the Windows operating system, which is something that we see pretty commonly on medical devices and of course in medical intake. Active Directory is used in 90%, I believe it's actually 98%, of Fortune 500 companies. So Windows is definitely the giant of the industry. And a vulnerability that effectively just targeted Windows targets a lot of stuff. I mean, there are billions of devices out there running Windows. And for most of them, really, to be vulnerable to attack, including medical devices. It's pretty common for us to see diagnosis devices or life support devices running Windows operating systems. And understanding that those can be crippled by a ransomware attack and effectively just taken out with no easy solution, it's a pretty scary thought. And dealing with ransomware operators is never an easy process. It's an expensive, dangerous process; to comply with the ransomware propagates the problem. And to not comply, you don't know if you're going to get your information back. And so being able to make a device secure the first time and make a network secure the first time, so that you're not worrying about these attacks in the same way, is pretty paramount to preventing this type of problem from happening.

Host: Yeah, and I've been doing medical device cybersecurity since 2015 when I had my first cybersecurity business. And I remember a lot of the devices, and this is around the WannaCry era, were running on Windows IoT. So these were embedded medical devices, but they were running a Windows operating system. And a lot of people don't think embedded devices run Windows, but Windows does have, you know, an embedded operating system, which was subject to the WannaCry ransomware as well.

Guest: Yeah, it's pretty—

Host: Go ahead.

Guest: It's pretty remarkable how widespread that one was. And I know that was sort of the initial uptick of ransomware threats. Of course, it's now anything, it's the only thing that you hear about in the news about cybersecurity now is ransomware, after like earlier you mentioned MGM when basically all their casinos were ransomed. People couldn't even get into their hotel rooms because the locks were connected to—

Host: That's right.

Guest: Yeah, the locks were hooked up to their Active Directory, which is, you know, everything is connected to the internet. And I think people really realized that during WannaCry, they saw just how bad a ransomware attack can be and how much stuff can get taken out. And that's part of what has led to increased cybersecurity awareness and, you know, increased efforts for security, transparency, and closer efforts around keeping a system or a device secure. It's just not something that was always addressed before.

Host: Yep, 100%. And with traditional cybersecurity, we're always concerned with the CIA, we like to say, the confidentiality, integrity, and availability. And the primary focus with traditional cybersecurity is on confidentiality, making sure protected information or personally identifiable information isn't leaked, like credit card numbers. And with medical devices, the main focus is on integrity and also availability because if the data can be altered on a medical device, it could cause a misdiagnosis, or if the data is unavailable, it could cause delayed treatment, which could cause patient harm. So the focus is a little bit different because oftentimes the C or the confidentiality sort of has a lower priority with medical devices. Would you agree with that?

Guest: Yeah, and there's a lot that can go into the integrity part. Kind of like you said, if you're able to tamper with current or previous results, that can lead to a whole bunch of problems. If you can say that a person doesn't have sepsis when they actually do, and they have a matter of hours to get treated or die, and a doctor's not aware of it, it's not going to be the doctor's fault, it's the device's fault. The device is not accurately portraying information because it was breached by an attacker. And even with confidentiality, there's still plenty of different medical device systems, medical device data systems, even some just pure medical devices that will process patient information that, you know, under HIPAA has to be protected, and lots of stuff can go wrong there with data getting breached, loss of information, but certainly the integrity and availability are really big focus points since accurate and quick diagnosis is often a life or death situation.

Host: Yeah. For sure. And there's been a couple incidents with medical devices, there's been more than a couple. One of them that I wrote about in my first book, actually, the book 'The Smartest Person in the Room', is about Dick Cheney. And a lot of people don't think about things like implantables, but an implantable, such as a pacemaker, which is what Dick Cheney had, was susceptible, and some of them are, they've been recalled, was susceptible to somebody wirelessly connecting to it and being able to shock the person over and over and over. So Dick Cheney actually had his pacemaker removed because he was so concerned about the threat, because imagine if you have a pacemaker and somebody from a couple hundred feet away with a high-powered antenna can wirelessly connect to it and cause your heart to be shocked over and over and over. Obviously, that could cause pretty severe consequences, especially if your heart is already compromised. And there was actually a Homeland episode about that, which is kind of interesting because a lot of the things in TV are based on reality and vice versa. So I thought that was interesting. And then have you heard about that guy Barnaby Jack, Trevor? Do you know anything about him?

Guest: Yeah, he was doing a lot of research on kind of similar situations like that, like with the pacemaker. He was kind of making a case for assassination attempts with a pacemaker.

Host: Yeah, he also did some research on insulin pumps, and if you could increase the flow rate of insulin, you could kill somebody. And I think he did some research on drug infusion pumps as well. There was a vulnerability in drug infusion pumps for a while where somebody again wirelessly could connect to it and increase or decrease the flow rate. So if you're being administered a drug such as morphine because you're under pain management, and I max the flow rate of morphine through the drug infusion pump, you can cause somebody to OD. So there's again, dire consequences. And what's interesting about the Barnaby Jack story, he was about to give a presentation at Black Hat, I think it was 2013, and mysteriously or maybe not mysteriously, but ironically, or coincidentally, the week before the presentation where he was supposed to tell the world about all these Medtech vulnerabilities, he OD'd in his hotel room. So I thought that was, you know, not to be a conspiracy theorist, but a little bit of interest with the timing of that, you know.

Guest: Yeah, there are a lot of really interesting stories kind of around different timing. I know there was a similar story around Mimikatz, which is a tool that we use, you know, talking about how common the Windows operating system is on devices, we use that tool all the time. And the only reason it was ever released to the public is because one of the researchers who developed it, a French guy, was at, I believe it was Black Hat. It was a conference, I think it was Black Hat in Russia, and someone broke into his hotel room and stole a copy of the tool. And so he figured the only responsible thing to do was to immediately reveal it to the world at Black Hat. So it's kind of interesting how many shady things happen around that conference.

Host: Yeah, I hadn't heard about that. Thanks for joining us on our first podcast. And in the second podcast, we're going to do a little bit of a deeper dive on some of the vulnerabilities of medical devices and a little bit about the regulatory landscape as well and what the industry as a whole is doing about it. Hope to see you there.
