Episode 13 · October 15, 2024 · 14m listen · 2,784 words · ~14 min read

Cybersecurity for Medical Devices: Protecting Human Lives | Ep. 1 - Full Transcript | The Med Device Cyber Podcast

Read the complete, searchable transcript of Episode 13 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


Episode summary

In this episode of The Med Device Cyber Podcast, host Christian Espinosa, founder and CEO of Blue Goat Cyber, is joined by his colleague Trevor, the company's Director of Medical Device Cyber Security. They delve into the critical importance of cybersecurity in the medical field, grounding the conversation in their own profound personal experiences where medical devices played a life-saving role. The discussion opens with Trevor recounting a severe case of tachycardia he experienced as a child, where his resting heart rate alarmingly reached 240 beats per minute. After undergoing heart surgery, he was required to wear a connected ECG monitor for two years. This device, which constantly tracked his heart's activity and transmitted the data to his doctor via a Bluetooth-connected phone and the cloud, was a crucial safety net. Trevor reflects on the irony and significance of now working professionally to secure the very type of technology that once protected his life, giving him a unique and deeply personal perspective on the stakes involved.

Christian shares a similarly impactful story. As a physically fit Ironman triathlete, he dismissed severe leg pain as a simple muscle pull until a friend insisted he seek medical attention for potential blood clots. His skepticism was quickly dispelled when a portable Doppler ultrasound, a key medical device, diagnosed him with six life-threatening blood clots. Christian credits the device's rapid diagnostic capability with saving his life. These stories serve as the foundation for the episode's central argument: that medical device security is fundamentally different from traditional IT cybersecurity because it directly impacts patient safety. The hosts passionately argue that their mission is to ensure these vital technologies remain secure and available, as a cyberattack could lead to device recalls or malfunctions, ultimately preventing patients from receiving the care they need.

The conversation then pivots to a detailed comparison between conventional and medical device cybersecurity. Trevor explains that while typical cybersecurity prioritizes confidentiality to prevent financial damage from data breaches, medical device security must prioritize integrity and availability. A loss of integrity, where an attacker alters patient data, could lead to a fatal misdiagnosis. A loss of availability, as seen during the WannaCry ransomware attacks that crippled hospitals, can delay critical treatment and lead to patient harm. They discuss how many medical devices run on common operating systems like Windows, making them susceptible to widespread attacks. The hosts reference historical examples, such as the vulnerability in former Vice President Dick Cheney's pacemaker which led to its replacement, and the pioneering research by Barnaby Jack, who demonstrated hacking pacemakers and insulin pumps, to illustrate that these threats are not theoretical but pose a tangible, life-or-death risk.

Key takeaways from this episode

• Personal experiences with life-saving medical technology, such as ECG monitors and Doppler ultrasounds, provide powerful motivation for ensuring robust cybersecurity.
• Medical device cybersecurity fundamentally differs from traditional IT security, as the primary risk is not financial loss but direct harm to patient safety.
• The focus of medical device security must be on integrity and availability to prevent misdiagnosis and ensure devices are functional when critically needed.
• Many medical devices run on common operating systems like Windows, making them vulnerable to widespread malware and ransomware attacks like WannaCry.
• The connectivity of modern medical devices, from the device to the cloud, creates a complex ecosystem where every component must be secured.
• The potential for remote hacking of implantable devices like pacemakers and insulin pumps is a proven threat that could have lethal consequences.
• Securing medical devices is crucial to prevent recalls and ensure that life-saving technology remains available to patients who depend on it.

Full episode transcript

Host: Hi, I'm Christian Espinosa. I'm the founder and CEO of Blue Goat Cyber. We do medical device cyber security. I'm here with Trevor today. Trevor, you want to do a quick intro of yourself?

Guest: Sure. Hi, I'm Trevor. I'm the Director of Medical Device Cyber Security at Blue Goat Cyber.

Host: Awesome. And medical device cyber security is one of our passions. And from what I understand, Trevor, you had some issue when you were younger where a medical device may have saved your life. Can you maybe dive into that a little bit?

Guest: Definitely. So, when I was younger, around eight or nine, I had a pretty severe case of tachycardia. I had a resting heart rate at around 240 beats per minute.

Host: 240, that's like super high, isn't it? I've never heard of that.

Guest: It's really high. And it's pretty life threatening if you don't catch it early on. But I was able to catch it pretty quickly after it happened. Uh, I went through, underwent some heart surgery, got everything all sorted out. Now, the problem with tachycardia is it tends to just come back and there's no real way of predicting whether or not it will come back. And it can come back anytime from a week after surgery to a year, two years even.

Guest: Two years is typically the upper limit. But as part of that, I was wearing an ECG monitor the entire time. And this ECG monitor, I had all these electrodes hooked up to me 24/7 for two years. And I was monitoring anything to do with my heart. It was monitoring the, you know, pattern, if it went up too high, if it went down too low.

Guest: And then, that was going to a phone with a Bluetooth connection. That was getting uploaded to the cloud and then my doctor was able to monitor that, see if anything was out of place. And then he was able to see if something was going wrong, something was coming back, he could let me know. Luckily, that never ended up happening. I went through the whole, you know, monitoring process and it never came back. And then that's been quite some time now and I don't have anything to worry about there.

Host: Yeah, and haven't we worked on some very similar devices at Blue Goat, and made them secure?

Guest: Yeah, we've worked on both ends of the process actually. We've done some stuff with the monitoring software up in the cloud, which is pretty interesting. That's taking in the ECG data feed and performing analysis, alerting clinicians. And then we've also been able to check on some of these devices, and so continuous ECG monitoring, some things of that nature.

Guest: So it's kind of interesting to see every part of the process and each step. You know, this device that I'd seen so much as a kid, and now I get to know exactly how it works and get my hands on a bunch of them.

Host: Yeah, that's pretty cool. I have a story as well with medical devices from a couple of years ago, about two and a half years ago. I was like walking up the stairs and my leg was hurting severely. I had just worked out, did like a hundred burpees. I was in pretty, pretty good shape back then. And I thought I just pulled a muscle, but a friend of mine told me to go to the hospital and said that I might have blood clots. And I'm like, whatever, I don't have blood clots. I'm an Ironman triathlete. I don't get blood clots. Things like this don't happen to people like me, you know?

Host: That's what I thought, but I told him I'd go to the hospital, gave him my word. I went and the doctor told me I had six blood clots. And they were able to quickly diagnose that with a Doppler, it's like a portable Doppler ultrasound. And I think that, you know, if it wasn't for that device, I may not be here today because it was able to quickly diagnose the blood clots. And it wasn't just one, it was like six in my legs, so it was pretty severe.

Host: Uh, so I'm passionate about making sure these devices stay on the market, because if somebody hacks into these devices, you know, obviously they might get recalled or taken off the market or give a misdiagnosis. And what's interesting about you, Trevor, is, uh, we both do extreme sports, and extreme sports is about reducing risk, and cybersecurity is about reducing risk, and ultimately we're trying to reduce the risk for medical device manufacturers and make sure these devices are secure and they can enhance, you know, patient care.