    Episode 9 · January 21, 2025 · 24m listen · 4,392 words · ~22 min read

    The Human Factor: Why Cybersecurity Awareness is Key in Medical Device Manufacturing | Ep. 8 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 9 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of "The Med Device Cyber Podcast," the hosts delve into the critical role of the "human factor" in medical device cybersecurity. They explore how human vulnerabilities, from weak passwords to configuration oversights, often present easier and more impactful attack vectors than direct system exploits. The discussion highlights the limitations of traditional cybersecurity awareness training, drawing parallels to necessary evils like dental visits or car maintenance, which people often approach with reluctance. The episode emphasizes the need for a paradigm shift, advocating for security to be integrated early in the product development lifecycle rather than being a costly afterthought. Key topics include the pervasive challenges of network segmentation, the dangers of default credentials, and the importance of multidisciplinary collaboration among product security teams, engineers, and IT staff. The hosts also touch upon the evolving landscape of FDA guidance and its impact on driving increased awareness and forcing better security practices in the medical device industry, ultimately aiming to mitigate risks like patient harm from compromised devices.

    Key takeaways from this episode

    • The human element is often the weakest link in cybersecurity, with social engineering attacks frequently more successful and impactful than technical exploits.
    • Traditional cybersecurity awareness training often falls short because people view security as an inconvenience rather than a priority.
    • Effective medical device cybersecurity requires secure system design, assuming breaches, and implementing controls like proper access gating and network segmentation.
    • A lack of awareness and budget constraints often lead to overlooked security practices, which become exponentially more expensive to fix after a breach or late in the development cycle.
    • The FDA guidance is increasingly compelling medical device manufacturers to integrate security throughout the product lifecycle, fostering greater collaboration and a shift in culture.
    • Overcoming cybersecurity challenges necessitates better integration and collaboration across development, IT, and security teams, as well as a top-down organizational commitment to security.
    • A shift in culture to integrate security professionals' insights into user experience considerations is crucial to finding effective security solutions.
    • The financial and reputational costs of neglecting cybersecurity upfront can be immense, potentially leading to product abandonment or regulatory setbacks.
    • Medical device manufacturers must prioritize security from the very beginning of the design process, making it an inherent requirement rather than an afterthought.
    • Network segmentation and robust asset management are crucial in preventing widespread compromise within hospital networks, which are often considered hostile environments for medical devices.


    Full episode transcript

Welcome back to another podcast. Trevor, how are you doing today? I'm doing pretty well. How are you doing today, Christian? Doing good, doing good. Didn't sleep too well last night. I had this weird dream that I was an accountant. I don't even know where that came from, and it was kind of like a nightmare. I have, for some reason, like, bookkeeping, and it probably came from the fact that I'm doing it for a company now and it causes me a lot of anxiety, all the bookkeeping and accounting. But it's a weird dream. Yeah, that would be a pretty scary dream. I've never had much of an affinity for that. I majored in Engineering in college and that was already way too much math for me, so I don't want any more. Yeah, I used to sleep with a recorder next to my bed so I could wake up and record my dreams. And I stopped doing that for some reason, because one of my favorite bands, Nightwish, the guy that writes all the songs, Tuomas, he has a recorder and he wakes up fresh from a dream and just talks into the recorder, and that's what becomes the songs. So it's kind of interesting. So we have a lot of wisdom come to us during our dreams, I believe. I probably only remember like one or two dreams a month. I just go to sleep, I'm out, there is not a thing happening until morning. Well, that could be good as well, you probably get better sleep that way.

Yeah, in this podcast, you know, we're talking about the human factor and how it matters with medical device cybersecurity. Before we dive in here, can you explain like what we mean by the human factor? So in cybersecurity, it's very often said that the human is the weakest link. Of course, computers are vulnerable to attack, they can be exploited with malware, all sorts of different hacks, but it's pretty easy to trick a person into giving up their password. It's often a lot easier to trick a person into giving up their password than a computer.
Some of the most success that we've had on penetration tests has been through social engineering campaigns. We set up a fake login panel, send out a bunch of emails, and then boom, all of a sudden we have 90 sets of passwords to use instead of trying to hack into the system ourselves. So, not only is it often easier and more successful, but the impact is often far more severe. If someone's giving up their password for a VPN portal, you're able to get into their internal network, you're able to see a lot of pretty dangerous stuff. So the big concern that we always need to be thinking about is: how can we fix this problem? You're never going to be able to change human behavior, you're never going to be able to change human tendencies. So it's a matter of trying to teach awareness and trying to implement controls that are going to reduce the impact of a successful exploit or reduce the likelihood that it will be a successful exploit.

We've been talking about cybersecurity awareness training for a long time. I don't feel it's making a difference because every company that we've worked with, they do phishing training over and over and over. They do this one-hour cybersecurity training annually, yet we come in there and are still able to get through with a phishing attack or still able to get through with some sort of, like, social engineering attack, like a thumb drive attack. We just drop thumb drives around, they pick them up, put them in a computer. So do you feel like we're actually improving with this awareness? Yes and no. So one thing, and I know we've kind of talked about this before, but oftentimes cybersecurity is viewed as a necessary evil. It's not something that people want to do, it's not something that people want to be aware of. It's usually an inconvenience for what is a necessary evil. What's another example of a necessary evil? I know before I've used the example of, you know, like going to the doctor, going to the dentist.
It's something that nobody wants to go do, nobody has a good time when they go to the dentist, but you have to do it, you have to stay on top of these things. I guess that's true, you don't have a good time in the dental chair. Yeah, or like, you know, like regular maintenance of your car. I know a lot of people like cars, I'm not really a car guy, and so anytime I have to fix something on my car, it's annoying, it's something that I have to do but I really don't want to do it.