In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Greg Garcia, the Executive Director of the Cybersecurity Working Group of the Health Sector Coordinating Council (HSCC). Mr. Garcia brings a wealth of experience from his previous roles, including serving as the nation's first Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security and working with the Financial Services Sector Coordinating Council. His expertise lies at the intersection of public policy, business operations, and technology, particularly concerning the security of the nation's critical infrastructure.
The core of the discussion centers on the complex and pressing issue of cybersecurity within the healthcare ecosystem, with a special focus on medical devices. Garcia argues that securing this critical infrastructure is a "shared responsibility" that cannot be shouldered by any single entity, be it the medical device manufacturer (MDM), the healthcare delivery organization (HDO), or government regulators. He draws parallels between the current situation in healthcare and past challenges in the financial sector, where different parties would often blame each other for security lapses. This tendency of "finger-pointing" underscores the need for a collaborative framework where all stakeholders work together. The conversation highlights the significant risks posed by legacy medical devices, which may no longer receive security updates but remain active in hospital networks, creating a vulnerable "weakest link" that attackers can exploit.
Throughout the episode, Garcia details the efforts of the HSCC to foster this necessary collaboration. He points to several key publications and initiatives, such as the Joint Security Plan (JSP) and guidance on managing legacy technology, which are developed by industry practitioners and offered as free resources to raise the security posture across the board. The discussion also acknowledges the economic realities and competing priorities that make cybersecurity a challenge. Smaller, resource-constrained hospitals often struggle to afford robust security measures, and innovators face market pressures to get products to market quickly and cheaply, sometimes at the expense of comprehensive security. The hosts and guest conclude that a fundamental cultural shift is required, moving from a reactive stance to a proactive one where cybersecurity is understood not as a technical cost center or a compliance hurdle, but as an essential and non-negotiable component of patient safety.
Key Takeaways
1. Medical device cybersecurity is a shared responsibility that must be addressed collaboratively by manufacturers (MDMs), healthcare providers (HDOs), and regulators.
2. Guest Greg Garcia is a leading expert in critical infrastructure protection, having served as the first Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security.
3. Legacy medical devices that are no longer supported by manufacturers pose a significant risk, acting as a potential weak link or foothold for attackers within a hospital network.
4. The Health Sector Coordinating Council (HSCC) is an industry-led initiative that creates free cybersecurity resources and best practices, such as the Joint Security Plan (JSP), to help the entire sector.
5. A major challenge is that smaller, resource-constrained healthcare organizations lack the budget and personnel to implement robust cybersecurity, even if they are aware of the risks.
6. A cultural shift is necessary to view cybersecurity as an integral part of patient safety, rather than just an IT problem, a compliance checkbox, or an avoidable cost.
7. While not always the initial entry point, insecure devices can be exploited by attackers to pivot and escalate privileges, leading to broader network compromise and ransomware attacks.
8. Proactively investing in cybersecurity and fostering a culture of security is far more effective and less costly than reacting to the devastating consequences of a cyberattack.
Trevor: Hello and welcome back to the Med Device Cyber podcast. I'm your co-host Trevor Slattery, our CTO, with our co-host Christian Espinosa, the founder and CEO of Blue Goat. Today we're joined by a very special guest, Greg Garcia from the Health Sector Coordinating Council.
Trevor: I'd like to check in and just ask how everyone's doing today.
Greg: Doing great. Glad to be here.
Trevor: Fantastic. We're going to be going over some pretty exciting stuff. We're talking about rounding up some of the legacy devices that we've seen out in the wild that are facing some pretty nasty cyber security considerations, talking about what the industry as a whole is doing to try to drive cyber security forward and how we're making sure that medical devices are safe along with the steps that innovators should be taking.
Christian: Awesome. Well, uh, Greg, you want to maybe introduce yourself, a little bit about uh what you do with your organization and uh some of the initiatives your organization has going on, maybe your background with MedTech. We always like to understand the lenses people are looking through with MedTech cybersecurity and MedTech in general.
Greg: Well, my experience with MedTech is that, um, like like like both of you and virtually everybody, I'm a patient.
Greg: Um, but but at a at a technical level, um I'm not an expert in medical technology, in fact. Um, as the executive director of the Cybersecurity Working Group of the Health Sector Coordinating Council, the the the the what I bring to this is a deep, long background in technology generally, cybersecurity specifically, and the intersection of public policy, business and technology and our business and operations and technology. And I I I was in a similar role with the Financial Services Sector Coordinating Council many years ago.
Greg: I I was with a major American bank. Uh and before that I was with the Department of Homeland Security. So I was the uh the nation's first Assistant Secretary for Cybersecurity and Communications, uh appointed by President Bush in 2006. And and you know, in that role coordinating our our national critical infrastructure cybersecurity policy, um I was exposed to to really all of the nation's critical infrastructure sectors. Health care is just one of them. Telecommunications is another, financial services, uh oil and gas, electricity,
Greg: uh transportation, chemicals, water. Everything that the public depends upon is considered critical infrastructure. And so, uh my role uh at the Department of Homeland Security was to try to coordinate the public-private partnerships that were necessary for us to to work together to identify and mitigate
Greg: systemic threats, systemic cyber threats to those critical sectors. So really I I I brought I bring to the health sector um since 2017 a background in information technology, in financial services, in uh the executive branch public policy and in
Greg: the Congress. I spent some time in the Congress. in fact the the first bill I ever wrote um and the last bill I ever wrote was the Cyber Security Research and Development Act of 2002. So, I got to sit on the house floor, of the House of Representatives and watch the bill that I had worked on so heavily, um, get passed into law. So that was that was cool. So, um, you know, now with the health sector, I'm less an expert on on health care and medical devices.
Greg: I've certainly learned a lot over the past seven years that I've been here. Um, but this role is more about making making those connections between, um, health care as a business and as a delivery mechanism with the technology that's used for that, the public policy and the operations, all of these, all of these interdependent, interconnected issues are part of this this larger constellation, and uh then I rely on the thought leadership, um, of our, of our membership. Um, the Cyber Working Group now consists of about 470, uh, or healthcare organizations from across the spectrum, uh, spectrum.
Greg: The the the health care providers, like the hospitals and the clinics, the medical device companies, the health IT companies, like Cerner and Epic and and others, uh, the the plans and the payers, the pharmaceutical, the labs, um, the blood, uh, organizations, all of them are part of this interconnected ecosystem. So they are the owners and operators. They are the ones who are responsible for for securing this critical infrastructure and and in understanding those interdependencies, those interconnections between all of those subsectors and and you know, how, um, you know, together they recognize that cyber threats, uh, those cyber threats are a shared challenge across all of those subsectors and therefore a shared responsibility. So that's what brings us all together.
Christian: And what do you think with MedTech? I know there's um you were recently involved with I think testifying against so about some of the legacy devices that are already out there, and I know the FDA changed their guidance in September of 2023 to really up the ante from a cybersecurity perspective.
Christian: What are your thoughts generally on like the legacy problem, uh and what we can do about it? Uh and then also, do you think we're heading in the right direction?
Greg: Um, okay. So, yes, the the the whole medical technology, issue in healthcare is is a fascinating one. and it's it's it's more severe, but but um not dissimilar from what I experienced in the financial services sector. That is two different sub sectors, two different sectors, the banking industry and the telecommunications industry. In those days, um the banks were sort of yelling at the at the Telcos, the ISPs quit quit sending all this malware, all these viruses through your networks into our systems.
Greg: And the Telcos would say, look, uh we can't just throttle all traffic. Uh we'd be violating terms of service and other things and trying to identify all malicious traffic is nearly impossible. But by the way, banks, want you fix your crappy architecture because, you know, you have tools at your disposal to uh uh to detect and protect against that kind of malware. So um there is a circular finger pointing that was go going on and when I came into the health sector, the same kind of circuit of finger pointing and and mutual recriminations was taking place between the the the health care systems or the HDOs and the MDMs, the medical device manufacturers, who's responsible? Who's accountable for medical devices for the security of medical devices?
Greg: And um, you know, I was sort of you know, in in the crossfire where there would be a lot of um, you know, myths and precep being tossed against the other side, um, about um about fault, um about accountability. And a lot of it was true and legitimate and a lot of it was just myths. And so, um, the the value of the sector coordinating council, the cybersecurity working group, as a cross-sector body is that um you first have to start with the recognition, with the acknowledgment that this is a shared responsibility, that cybersecurity does not rest solely in the hands of one set of stakeholders like the medical device companies or the hospital systems, that it's a shared challenge. And if you acknowledge that, then you say, okay, then what do we have to do together? How do we need to listen to each other a little bit more closely and find out and suss out really who who's accountable for this and who's accountable for that and start a negotiation process. And I think, um, the joint, the medical device and health IT Joint Security Plan, which was first published by us in January of 2019, was uh, co-chaired
Greg: by Becton Dickinson, medical device company, by the Mayo Clinic, and by FDA. So you had three really big important actors as the leaders of um a task group which is trying to develop a secure by design, secure by default, total life cycle product security management system. Um, and it's becomes a negotiation. What are the expectations?
Greg: Um and you know, when you have those, you know, the representatives from those three major stakeholder groups. If you're a chair, you want to succeed. And to succeed, what you have to do? You have to get you have to get task group members to start listening to each other. And with listening comes mutual understanding. With mutual understanding comes the ability to compromise. And when you compromise, then you get consensus.
Greg: So that's the model. Um, and so the the joint security plan and a followup JSP2, um, and many other um the uh many other medical device products, publications that we have have uh put out over the past several years, um, all have followed that model of bringing together the stakeholders who don't always agree. and they're able to talk it out. And too many cases not too many cases in many good cases, I've heard both sides say, I see, okay, I didn't know that.
Greg: Okay, I I got okay, so I understand what we need to do now. Um, and that is what that kind of of of mutual understanding and compromise led us to additional publications like the um, uh Managing Legacy Technology Security, or MaLTS.
Greg: Uh, MaLTS, HIC-MaLTS, the Health Industry Cybersecurity Managing Legacy Technology Security. Um, that's about a 120-page document. And it's written out in a modular format.
Greg: Um, your healthcare provider and you need to be able to secure legacy medical devices that are no longer being supported or are soon not to be supported by the operating system company or by the medical device company. What do you do? But you can't afford 10 million dollars in a new fleet of medical devices.
Greg: How are you going to maintain the security of those devices when naturally 10 15 years later, you're not being supported anymore. You're a medical device company. How are you going to provide assurances? How will you how you will transfer risk in an orderly way,
Greg: in a predictable way to your hospital systems so that they can plan for that point at which there's no longer support.
Greg: So, you know, um that was the result of really the the bigger, the the major MedTech and health provider organizations really working together to say what can we be held, what can each of us be held accountable to? Um and what can we make commitments for? And the same with the model contract. We developed a model contract. What are what are 85% of the most common cybersecurity terms and conditions in a contract between an MDM and an HDO? You know, when you start talking about legal language, oh my goodness, it's it it gets really um it gets sticky.
Greg: um, but we worked through that and that that model contract has been used um all across um uh much of the sector because they want something that's sort of uniform and coherent, you don't have to rewrite it every time. If the big guys can say, yeah, we can be accountable to this, then, you know, the middle, the mid-size and the smaller organizations can say, well if it's if it's it's good enough for uh, you know, the big guys, we can figure out how to make this work. Um, so, uh, you know, that's that's our method of working. How do I, you know, I think the last part of your question was, where do you think we're headed or how how are we doing? Um, the level of awareness I think is really increasing the imperative that cyber safety is patient safety.
Greg: That you cannot have patient safety without having cyber security built into medical devices, cyber security built into enterprise networks and data.
Greg: Um, the the awareness is is rising, and but of course the the um the hardest issue is of course is resources. So, you know, when you look at implementing the JSP, for example, well, a lot of the big MedTech companies are already doing something like that.
Greg: But it's a lot it's all the others down the chain that are less resource and maybe aren't thinking about cyber security in as high a level of priority as the others are. They're just trying to meet their minimum requirements by FDA and get on with it and get their product to market quickly and cheaply.
Greg: And so that can be, you know, that can be one of the main stumbling block is to instill this sense of urgency um across the industry that um there is there is no no stakeholder in the industry that should be absolved of responsibility. Um, the the the Medtech security issue, thankfully, there are very few reports of medical devices being the primary attack vector of a cyber attack that resulted in patient harm.
Greg: Most often the cyber attacks are successfully being perpetrated, getting getting into the networks, or email phishing or uh unpatched um apps, internet-facing apps. Um, but medical devices are are less so, but you know, security people are paid to be paranoid. So let's let's not let all of these vulnerabilities just let's not just sweep them under the carpet. We've got to we've got to figure out how to do this better.
Trevor: And in our experience interacting with medical devices is they aren't usually going to be an entry point, but they can be a weak link in the chain. And so even if you have your patch management across any workstation covered, you're trying to maintain the latest version of anything as far as the rest of your hospital infrastructure, introducing an insecure medical device can act as kind of the foothold that an attacker needs to start pivoting out into the network.
Trevor: And that's when we start talking about considerations for, you know, ransomware attacks. That initial access getting a low-level user credential can be one thing, then what are you going to do with it? You need to find a way to start making further compromise from there. You need to jump and keep escalating your privilege until eventually you can compromise something really sensitive or the whole network.
Trevor: And obviously, there need to be a lot of steps. There can be a lot of steps in that kill chain from entering the network to trying to encrypt the entire network. and you definitely don't want your medical device to be one of those steps.
Greg: Yeah, and and that's that's absolutely right. Um and and that you know, that can be the the principal complaint of the HDOs, um
Greg: is that you know they can acknowledge that it it generally is not the medical devices that um are the entry point. Um, but they also um need to be able to, you know, any self-respecting who doesn't want to get fired next week, uh, wants to be able to
Greg: to buy technology and medical devices that that are secure by design, secure by default, and they don't want to have to spend a lot of money doing the kinds of um uh testing pen testing and and other risk assessments associated with every purchase, it gets very expensive. Um, and so they would like to see um a more um uh structured and and uniform set of uh security offerings that go along with the medical device sales. So, um, you know, and then on the other side of the medical device companies that you know, they're they're constantly their competitive pressure is quicker to market, lower costs.
Greg: Um in many cases they will say, look uh we're we're meeting FDA premarket guidance. We're we're meeting the guidance.
Greg: Um and if there's more that's that's needed, it has to be demanded but we're not getting the demand because the demand ultimately is going to cost more.
Greg: Um, we just published today, just today, um, a report on underserved, on the on the resource-constrained health care providers, rural critical access, um, small clinics, FQHCs, all of those health providers across the country that
Greg: um you know talk to them about talk to them about about third-party risk management or medical device security, they just throw up their hands. Um, look, I have a hard enough time just hiring and keeping a nurse. How am I supposed to hire an IT security person or medical device security person to manage this?
Greg: They don't have the resources. So, um, that's that is an existential problem really, not just for the smalls, not just for the resource constrained, but all all the way. I mean obviously some of the largest health care providers, they have large budgets and staff to deal with this.
Greg: um, but you know, in most cases margins are razor thin. So, um, yeah, it's a it's a difficult problem, and what we're trying to do in the cyber working group is try to build that culture of security, uh, to raise the awareness up to the C-suite, to the board level, of the imperative of of good cybersecurity as um, as not just one element of enterprise risk management, but as an essential part of patient care.
Greg: Um and that's, you know, culture change takes time.
Trevor: Yeah, 100%. And you bring up a really good point on, you know, if there are other budgetary problems, cyber security is going to be at the front of no one's mind.
Trevor: Cyber security, I feel like most organizations if they could do away with it, they would. It's expensive, it's time-consuming and it isn't something that adds immediate visible value to your product, to your service. But I kind of refer to it uh ironically as being involved in cyber security as the necessary evil.
Trevor: You have to bring in penetration testing, you have to bring in all of these systems and processes in place to ensure that your network and your devices are hardened. But I think a big issue, it just ties all back into awareness. People aren't aware of why it's so important. They don't know
Trevor: how big of a deal cyber security is until they're the victim of a cyber security incident. You know, and then as soon as there's a problem, then, oh they're really excited to try to figure out whatever the solution is, but at that point it's too late. You know, dealing with
Trevor: the repercussions of a ransomware attack or dealing with the repercussions of patient records getting stolen and exfiltrated is always going to be exponentially more complicated and more expensive as opposed to preventive action.
Trevor: And so that's why it's so important to have this preventative action in place, but, you know, you bring up the perfect point. If they're already razor thin margins, if um an HDO is having trouble just dealing with their core focus, their core mission, which is obviously delivering healthcare, then cybersecurity is going to be something difficult to work into. And so it's a difficult problem to solve in that regard.
Greg: Yeah, and I'll tell you what, you know, from this um, do do look at the at the publication that we put out today. Um, this this involved um, interviews uh from our from our side, our our task group um leads, two of them and myself, uh interviews with 40 executives from underserved providers across the country in 30 states.
Greg: and we we asked them a set of questions about cyber security and um, how do you how do you equate cyber safety with patient safety? Do you know who's managing your cyber uh security program? How much you're putting into it? What about your insurance? Um, and you know, finally uh with the expectation that the government is potentially going to regulate more, is going to demand more
Greg: um minimum cyber security requirements, regulatory requirements on health providers. What you know, what what kind of help should the government be giving you? They can't just regulate and walk away.
Greg: What kind of support from the government, from your peer networks within a region, from other private sector hospitals. What kind of support would be meaningful? And you know, the responses we got back was was actually surprising that many of these people interviewed said, no, no, our board, our board of trustees, um, they're very aware of cyber security and they're very worried about it and they give us as much as they can relative to all the other priorities that the hospital has to deal with. Um, but in none of the interviews did we did we experience a sense of um a lack of awareness, or a lack of
Greg: prioritization of cyber. But again, you still have to make those those critical resource decisions. So, um, you know, I think I think the the case is being made. In fact, I testified last year to another committee, um, that was the uh Senate Homeland Security Committee. And sitting next to me was one of our member organizations and she was the she was the so of a small critical access hospital in Northern Vermont.
Greg: And when the subject of regulation came up, she said,
Greg: Yeah, yeah, you have to regulate us. because if you don't tell us to do it, we're not going to do it. And we're not going to do it because we have other resource priorities.
Greg: So, we understand that we are um cyber poor. I mean, we're resource poor and we're cyber poor.
Greg: But if we are actually going to move the needle and protect ourselves against ransomware attacks, existential ransomware attacks that can put us out of business, then, yeah, we we better be told, give us a minimum set of mandatory requirements and then help us comply.
Greg: Um you know, and I you know, and then I turn it over to the medical device guys and um, you know, when FDA was given that additional um authority by the Congress in '23, as as um, as Christian mentioned, to start, you know, the the the so-called PATCH Act, um which now which now equates or or um includes cybersecurity in the consideration of medical device um quality and safety.
Greg: the security good security is indicative of good quality, um, and safety.
Greg: So, that is, you know, that was a paradigm shift and I think a lot of the more forward leaning medical device companies, um, went along with it. They, you know, they understood that that is, you know, that is their responsibility. Um, um, but at the same time, you know, the the health care systems, the hospital providers also need to do their they have they have to manage their data, their architecture, their networks uh, in a way that minimizes um, uh, risk to not just the medical devices, but um, but but their data and other network endpoints.
Christian: Well, I think one of the challenges that I have noticed, uh because we've done penetration testing against hospitals or HDOs, we also work with Medtech companies. And I think the healthcare delivery organization, HDOs find it frustrating that they've got these devices on their environment that they really have no control over from the cyber security perspective. It shows up from the, you know, the medical device manufacturer and there's a lot of assumptions that this device is secure, but yet they really can't do anything to validate it.
Christian: Uh but they could segment it. I I know a lot of them don't put it on a segmented network and that is part of the problem, but it's it's kind of like like you mentioned earlier, it's like pointing the finger. We're going to blame them and they're going to blame us, but if we can collaborate a little bit better and work on this to better together then um I think the whole industry and health care would do better.
Greg: Oh, absolutely. And as I was looking at Blue Goat Cyber before I came on to this podcast, I really liked your vision, which is, I'm reading it here, a future where every connected medical device is secured, trusted and resilient, protecting patients, enabling innovation and earning regulatory confidence. I would say also earning patient confidence, but that is aligned
Greg: very directly to our five-year cybersecurity strategic plan for the Cybersecurity Working Group, and that really aligns with strategic objective number one, which I will read to you: develop, adopt and demand safety and resilience requirements for products and services offered from business to business as well as from health systems to patients, with the concept of secure by design and secure by default.
Greg: And I will say that the frustration that HDOs feel about medical devices, part of that will have to come down, I suppose, if more is needed, to the Congress giving the FDA more regulatory authorities,
Greg: and hopefully leaving it to FDA to figure out how specifically that would work. One of the things we could say is, make the JSP mandatory. Someone's going to say that, because the JSP really does lay out a road map for how to do this well.
Greg: But similarly, one of the things we've looked at, one of our strategic priorities right now, is what we're calling the systemic risk mapping exercise with the SMART task group, sector mapping and risk template, and that comes right out of Change Healthcare. The Change Healthcare attack, like many other critical functions and services... there are many critical functions and services that support the
Greg: healthcare environment, whether it's retail pharmacy, prescriptions and payments, or medical devices, imaging, blood supply and distribution, many other major workflows that depend on software, technology, communications platforms to execute the tasks that need to be executed. But
Greg: there are many of these services and functions that are not regulated. They are IT systems, they're in the high-tech industry, they're not regulated. And that goes with APIs that plug into patient data systems so that I can
Greg: plug my Garmin watch into my medical provider and have all my vital information about heart rate and other vital signs available to my doctor. Yet some of these apps are simply not, and therefore vulnerable. Well, what do we do about those?
Greg: I testified in another hearing last year where I sort of tested out, I freelanced, a recommendation that said, look, how about any technology, software, service provider that supports any critical infrastructure. That's called critical infrastructure for a reason, because it generally involves life or death.
Greg: Healthcare, electricity, water, transportation. You don't secure those, people can get hurt or die. Well, if you are supporting any critical infrastructure, is there a way to say you have to be held to a higher cybersecurity standard? Sort of like an FDA for all other technology that plugs into a medical system, a healthcare system or an electric grid. Politically that's explosive, right? And it's probably not practical either from a political standpoint or
Greg: from an implementation standpoint: what federal agency is going to be responsible for regulating and enforcing that? But the concept is important, that as
Greg: major users of these technology systems, health providers are at the mercy of those technology systems that are not always going to be secure in a way that earns regulatory confidence or earns patient confidence. And so this is the task we have for us,
Greg: and particularly for the five-year strategic plan: by the year 2029, will we have moved the needle enough to get us closer to the Blue Goat vision, or to get us closer to our strategic plan vision?
Christian: It's interesting what you mentioned, because I used to be in the military and did a lot of work with DHS as well. And in order for someone to put a device on a DoD network, it has to be totally scrutinized, with all these approvals, and someone has to accept the risk. And I understand that that's a government agency, but it sounds like something similar with critical infrastructure like healthcare, where a device has to be held to a higher cybersecurity standard and there's an ATO, an authorization to operate that device on the environment. It sounds like you think that would help the industry, but there are some hurdles, because like you mentioned, that means we're going to have to hire more people to regulate this.
Christian: It's going to cost more for manufacturers; will they even want to do it? But I do think that would be a way of helping with this challenge, because like you said, it is critical infrastructure. It is life and death, so we need to treat it as such, versus we can just throw whatever we want on a hospital environment and expect it to be secure, which is kind of what's happening.
Greg: Yeah, and I think what you were referring to, and maybe there are other programs, is FedRAMP. You, the technology provider, want to sell into the VA or whoever. Well, you've got to go through FedRAMP first. They're going to check, they're going to kick the tires, make sure you've done all the right things. But then it says you're good to go, and that's good for all the other federal agencies, right? Approved once, sold anywhere within the government, I'm sure with some exceptions.
Greg: Yes, it's expensive. But if you're going to make that commitment as a technology company, as a service provider, to the government market, well then you're going to have to make that investment. If you want to
Greg: serve the health care market, you want to serve the electricity market,
Greg: you invest up front and the costs go down over time. And maybe you're more competitive within that market than others who decided not to make that security investment. Again, the devil is in the details, how would it actually work? It's a big hairy,
Greg: it's a BHAG, a big hairy audacious goal. A BHAG, we used to call it. So,
Greg: I'd love to be around for another 20 years to see if that has any legs and any future, but that's a tough one.
Christian: Yeah, it's interesting, because the FDA already has to clear whatever falls under the umbrella of a medical device. Yet other pieces of software or technology that are added to a hospital environment don't have to be cleared, and they can get ransomware. And if ransomware delays the patient intake, and a patient arrives who is having a heart attack, that patient can die. So it seems like this same lens, or regulatory oversight, should be applied to
Christian: anything in a health care organization, now that we're talking about it. How is it decided that just medical devices need to be scrutinized, when another device can equally cause harm to a patient?
Greg: Right, yeah. And that would be up to Congress; they would say, FDA, you hereby have the authority now for any technology systems that a health provider is purchasing for installation in its network: higher levels of priority for those that are touching the patient, lower levels of priority for those that are simply transporting and storing data. I don't know, but you could give FDA that authority, and still it would be politically treacherous.
Trevor: Do you see the US Cyber Trust Mark and, in Europe, the Cyber Resilience Act as a push in that general direction, to try to regulate things like a thermostat going in, which currently don't really have any rules on what you can and can't do with your thermostat, and that can act as the weakest link in the chain in critical infrastructure?
Greg: Yeah. Last year someone in the White House said, yes, you should be using the Cyber Trust Mark for medical devices, to which FDA said, no. No, that's for IoT devices, not medical devices.
Greg: The FDA has much stricter security standards than the Cyber Trust Mark. But sure, as a matter of hospitals
Greg: functioning on so much operational technology, HVAC, refrigeration for pharmaceuticals, elevators, all kinds of physical facility,
Greg: just badging people in and out, a lot of that is IoT technology, the interconnect between software and physical devices. That's an issue as well. So in some cases, physical
Greg: technology is still connected to a hospital network. And if a ransomware attack comes in, theoretically, it can shut down not only data and medical devices and IT and communications, it can shut down physical devices as well. So,
Greg: yeah, I think something like the Cyber Trust Mark is good in concept, but at some point we have to have something that's really coherent,
Greg: rather than just keep layering on different requirements that simply make it more complex and more costly for both the manufacturers and the users, right?
Christian: Well, the cost of all these things is always transferred to the consumers anyway, right? So, yeah. Well, it's good to hear that you think, based on that survey you mentioned, that the awareness is increasing.
Christian: We feel like it's a little bit of a gap in medtech, and there are reasons for it, because nine out of 10 medtech startups fail, and some of it has to do with cybersecurity now, but a lot of the time they're not thinking about cybersecurity. They're trying to get this product to the market and start making revenue and get investors and everything else; it's just one more thing on their long list. And it's interesting: I've watched probably 25 pitches from medtech innovators pitching to investors. They have things on there like, we're going to hire attorneys to do intellectual property. I didn't see one single pitch deck with cybersecurity listed.
Christian: And it is probably a more expensive cost than hiring the IP and patent attorney, but it was not listed.
Greg: Well, what's interesting also is, I was in these conversations when I was in financial services, and often there was a feeling that we don't want to talk about cybersecurity. It gets people worried.
Greg: You don't want to talk about how you're eliminating a theoretical negative, which is a cyber attack, and that can worry the customer: what, we need cybersecurity? But then the other piece of it is, companies who want to be competitive in cybersecurity want to be very careful about saying they are. Why? Because when you go public with that information, we're 30% more secure than the next leading competitor, the hackers go, oh yeah, let's. You're inviting the hackers. You're inviting the challenge. You're inviting them. So often that's kind of a marketing piece.
Greg: Yeah, I remember hearing a pitch like what you said, Christian, and I kind of asked a question about it to this person. I don't remember who the vendor was. He said, cybersecurity, that's just table stakes. We already do that. That's not something we need to market to you about.
Greg: To which I probably felt suspicious that they really were doing it. But that can often be the attitude: of course it's secure. And often the sales people don't even know.
Greg: And I think that's also an interesting dynamic within a lot of the big medtech companies. Working with us within the Cybersecurity Working Group, mostly it's the chief product security officers, the people within their teams, their chains of command,
Greg: and first of all, they're very serious about cybersecurity, of course, because they're the chief product security officer. They have a mission, they have an objective, and they believe in it. But within a large, complex, global organization, well, there are other equities at stake.
Greg: There are the engineers who say, you want what? You have the sales people who say, whoa, wait a minute, that's going to slow us down getting to market against the competition. No, no, no. The CFO is going, how much? How much is that going to cost us? The marketing people say, no, no, no, we don't talk about that. The compliance people, the legal guys, are saying, well, there's liability there, isn't there? Make a claim about security... And so they're pushing, like Sisyphus, man, they're pushing rocks up the hill. And there are just different tension points within a large company like that.
Greg: And then they look at the fact that, look, we're doing security; how much is enough? And yet we're really not seeing a lot of data that's showing medical devices are the cause of cyber attacks on health systems.
Greg: Sometimes they're collateral damage, of course. They can be collateral damage to a ransomware attack. And sometimes, often, it would be with physical proximity, no MFA or whatever, where physical access to a medical device is what gets you network access. But that's not necessarily because security wasn't built in; the hospital is just not doing appropriate security protocols. There are many different ways to look at it. I'm not laying blame on either side.
Christian: Well, I think that's a little bit of naivety. It's like saying there haven't been too many successful cyber attacks against nuclear plants, so we shouldn't worry about it. You know what I mean? It's still, like you said, critical infrastructure, and we need to assume an attack is going to come. And we already know from the DoD that we have had nation-state actors on classified networks for many, many years siphoning off data. So what's to say there aren't already nation-state actors on our healthcare environments ready to push the button to do something malicious?
Trevor: And we saw one happen in nuclear with Stuxnet, when there was a cybersecurity attack that was very successful, and that was obviously a very, very devastating problem. And so yeah, we aren't seeing a ton of attacks against medical devices specifically, but that's why we want to harden them. We don't want to see what happens when they are attacking them.
Greg: Yeah, that's exactly right, and that's the uphill battle, to make that case. The paranoia of a good cybersecurity executive has to be persuasive to the CEO or the CFO or others who are making those resource decisions, and often risk-based decisions, and just say, okay, well, what's the risk of this happening? You can't judge risk by the absence of events in the past, necessarily. I'm not a risk expert. But
Greg: you have to be able to inspire some of that paranoia into the C-suite to support that level of risk reduction. So that's part of what we're trying to accomplish by objective number one,
Greg: as I read off to you, secure by design and by default. So that's really table stakes.
Christian: Exactly. It's not there yet, of course.
Greg: It's not there yet? No, it isn't. It is for some. I mean, some of the larger manufacturers are making the effort. However, we did do a benchmark survey, co-sponsored by us and the Medical Device Innovation Consortium, MDIC, to just sort of survey the medtech community: essentially, how are you using the JSP?
Greg: Are you using the JSP? What are the results of that? And we're not where we need to be.
Christian: Well, Trevor is a big fan of the JSP 2. We use it with all of our clients. So
Greg: Right. Well, thank you. That's
Greg: Yeah, that's really our objective. I urge all of you readers to go to healthsectorcouncil.org and go to the cyber practices tab. I think today marks the 29th or the 30th publication that we have done. This one is not a best practice, but most of them are, like the JSP, like the Managing Legacy Technology Security, like the Executive Checklist for Incident Response,
Greg: or our Supply Chain Cybersecurity best practice based on the NIST framework. All of these best practices are free to the stakeholders. They are by the sector, for the sector. We wrote them; our
Greg: members, our practitioner members, through a task group structure, wrote these. If all medtech companies use the JSP, and you guys are serving as ambassadors for the JSP, and other health provider consultants are serving as ambassadors for the HICP, the Health Industry Cybersecurity Practices, which we put out specifically for hospital systems...
Greg: Yes, it's called hiccup. That's a joint publication between us and Health and Human Services, and we say to folks like you and other consultants, take what we've done. It's not copyrighted. It is free. We consider it open source, a public service. And if a consultancy wants to take that best practice and monetize it, sprinkle on your secret sauce as a consultancy and raise the level of security of your clients, then that's the force multiplier effect that will permeate across the sector
Greg: by the year 2029, and so we really take that seriously. All of this is free. We just need people to use it, because if it's just sitting somewhere, it's no damn good. And that's what we're getting at, so that we can really protect patient safety at the end of the day.
Christian: Awesome. Well, we're coming up on time here. We really appreciate you being a guest, Greg. Thanks for sharing your wisdom. I always ask for parting words of wisdom, kind of last comments. So I'll start with you, Trevor, and then we'll end with Greg.
Trevor: Yeah, I think this has been a fantastic conversation, and a big thing that really stuck out to me while we were going back and forth about this is the shared responsibility. Cybersecurity can't be pinned on any one individual, and it is ultimately up to the community, the health care community and the cybersecurity community, to try to bolster the cybersecurity posture for everyone. Like we keep saying, it really just takes one weak link in the chain to cause a problem, so everyone has to share the effort, everyone has to share the burden.
Christian: Awesome. How about you, Greg, any last-minute words of wisdom?
Greg: Yeah, I would say, when you think about the Cybersecurity Working Group, the Health Sector Coordinating Council, we are an advisory council to ourselves and to the government. We have a special relationship with the government. We're not government controlled, government funded; we are independent industry, but what drives all of us is this essential culture of collaboration.
Greg: We are all in it together, as my friend, the former National Cyber Director under President Biden, Chris Inglis, formerly of NSA, put it best. He said, to beat one of us, you have to beat all of us. He's talking to the adversaries.
Greg: You can also say all for one and one for all, the Three Musketeers. I say, none of us individually is as smart as all of us collectively. Point being that,
Greg: as Trevor said, we are all in this together; we cannot be doing it alone. So if your viewers want to participate in this process, either as an observer just to learn or as a contributor to help raise the bar,
Greg: then you should look into participating in the Sector Coordinating Council. It costs nothing.
Greg: There are no dues. The dues are sweat equity, because we are in this together.
Greg: So I would urge that for all of your viewers: healthsectorcouncil.org, go to the contact page and let us know you're interested, and we'll get back to you.
Christian: Super.
Christian: Well, thanks again, Greg, for being a guest on the Med Device Cyber Podcast. And thanks, everyone, for tuning in again, and we hope to see you on the next episode.