A Conversation with DigiCert’s Mike Nelson: The Evolution of Medical Device Security (There’s No Easy Button)
The complexities of medical device security will only get more so, with the evolution of at-home healthcare, telemedicine and device IoT. In this episode, Mike Murray talks to Mike Nelson, VP of IoT Security at DigiCert about how security vendors and HDOs can rise to the challenge together.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
– Mike Murray introduces the episode and his guest, Mike Nelson.
– What has Mike Nelson been up to and what is he seeing in the healthcare space?
– The conversation shifts to device availability, legacy devices, and hiring/training.
– With so much change so quickly, telehealth and remote work pose challenges.
– The next topics are vulnerability monitoring and medical devices in the home.
– Mike Nelson shares about the CHIP project.
– He also comments on moving legacy devices to the home and 5G.
– Innovations for diabetics are amazing and highlight the need for security.
– As the conversation wraps up, the two Mikes finally consider notification.
0:00:02.7 Speaker 1: Welcome to In Scope: The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:21.0 Mike Murray: And welcome to another edition of In Scope: The Healthcare Security Podcast. As always, I’m Mike Murray. Here to talk with yet another industry leader. Today, I have with me Mike Nelson from DigiCert. Mike’s the VP of IoT Security where he’s in charge of all things critical infrastructure and is really a thought leader in the space, always out talking at conferences, being out in front of the industry.
0:00:43.7 MM: Mike spent a bunch of time in his career at other places. He was at HHS for a while, he was at GE Healthcare, he was also at Leavitt Partners for a while, and we might get into this later, Mike’s passion for all of this stems from his own personal experience. Mike’s a type 1 diabetic and actually, he and I were just nerding out ’cause I’m a type 2 diabetic and how we both use a lot of the new connected technologies.
0:01:08.4 MM: Just a quick background on Mike and I. We actually met when I was at GE Healthcare and he wasn’t at GE Healthcare. Spent a bunch of time talking about how we secure medical devices with better PKI and convince medical devices to actually talk securely and all of those sorts of things. So Mike, welcome. Really great to chat.
0:01:25.9 Mike Nelson: So fun to be with you man, as always.
0:01:28.2 MM: So tell us what you’ve been up to in the healthcare space. 2020 has been a heck of a year, as we’ve talked about, especially for security in healthcare. It’s been wild. So tell us what you’re seeing.
0:01:38.0 MN: Yeah, it has. 2020 and recent ransomware attacks, and things that are going on has certainly heightened the attention. I think you and I would say that the attention has been there for a long time but I think every incident we see like this ratchets up the attention even more, but we’re seeing good things. I think it’s still a mixed bag where you see a lot of good activity. We’ve seen a lot of medical device manufacturers in the architecture design really starting to make security part of the DNA of the way they develop products, and as you know, we’ve needed that for quite some time.
0:02:15.0 MN: And we see many of them are the big boys, the big medical device manufacturers, but that’s a positive signal, I think, and the hospital front continues to be really challenging those ecosystems, super complex. A lot of challenges there and those challenges are extending.
0:02:35.7 MN: We’re starting to see a lot more the telehealth, home monitoring get attention. COVID has accelerated a lot of that, but I think it’s still an industry that’s in search of a really… That easy button and there’s really no easy button, and so it’s really challenging, and you know that as well as anybody, and you guys are on the frontlines as well but I am encouraged but we still have a long ways to go.
0:03:00.9 MM: Do we ever? And I think the medical device side is so interesting to me. That’s where you and I met but like you said, I think a lot of the big folks have gotten religion, but the long tail is so long and especially… I don’t think most people realize that there was no cyber security guidance for medical device manufacturers until 2014, and 2014 in medical device world is pretty much yesterday.
0:03:23.5 MM: So you said that the folks are getting religion about it. What kind of stuff are you seeing? We’ve seen better standards for pre-market but especially in your world and secure communications, and all of that, are you seeing people really advanced or are we still trying to catch up to encryption at rest, encryption in motion kind of thing?
0:03:42.5 MN: You’ve seen recent reports that say that 80% of traffic is unencrypted still from devices and whether that’s true or not, it should be eye-opening. So yes, I think, as you said, the right activity is happening today but those devices aren’t gonna hit the market for, as you talked about, they have a long… A lot of the devices that manufacturers are designing today, it could be two to five years before we see those on the market.
0:04:10.7 MM: At least.
0:04:11.0 MN: And so we have this gap between now and then, so what do you do? And I think that’s the challenging situation that we find ourselves in. We have seen a handful of products be deployed in the market, and I think that’s good, and those are products that we worked up three to four years ago and they’re now out, and so I think we’re gonna gradually start to see these products come to market but it’s gonna be time and I think one of the biggest challenges and the topic that’s always talked about in medical, when talking about medical device, is legacy and how you address that.
0:04:44.8 MN: You asked, what else do we see companies doing? I think that they’re hiring the right people more and more. We’re seeing companies who, yes, last year, didn’t have any security-minded people on staff and we’re now starting to see more hiring in that space. We’re starting to see, with some of the large medical device manufacturers, training around security. So if they don’t have a security engineer on a particular product team, they’re doing trainings to try to coach and help those who are making design architecture decisions have a security mindset and think about those types of things.
0:05:21.8 MN: I did a webinar with Edison Alvarez who works with Rob Suarez over at BD about centralizing security and it was a really… I think BD has done a really good job of identifying a handful of security approaches they want to play globally and then going out and training, and getting the team to start practicing, in unified way, some of those practices. So I think those are some of the things that we’re seeing. Again, it’s not across the board but some positive signs.
0:05:53.0 MM: That’s a really cool approach, and completely agree. It’s funny. It echoes something that happened when I was at GE. I don’t know if you ever met Matthew Bohne. Matt was basically the Head of Product Security for all GE. He was outside of healthcare, so I don’t know if you ever…
0:06:08.0 MN: Yeah, I know the name. I’ve never met him but I do know who he is.
0:06:10.6 MM: He’s over at Honeywell now but when… He always used to talk about selecting that chosen few that got it out in each of the product teams and training them up because you can never hire, if you’re a major… BD or you name it, Medtronic or whoever. It’s not like… You have 300 software development teams. It’s not like you can go hire 300 security people to go sit with each of them. You gotta find the people in those organizations, and that’s the only way it scales.
0:06:37.1 MM: Especially when you’re that size.
0:06:39.1 MN: Yeah, totally. That’s exactly right.
0:06:41.2 MM: You brought up something else I wanna talk about. So I was talking to a healthcare CIO in April and it was one of my favorite quotes of any conversation I’ve had. He said, “We just went through three years of digital transformation in a month.” and you talked about telehealth and remote work. How do we solve that? And I’m gonna take it further after we get past the remote work and the telehealth but I feel like people are still reeling from that and they’re still trying to solve that problem.
0:07:07.3 MN: Yeah well, the line I’d like to say is that HDOs right now don’t know how to secure the inside of their walls. We’re struggling to keep patient data, to keep medical devices within the systems. It’s such a complex environment and rightfully so. HDOs are struggling with that, and now we’re telling them, “Alright, now we want you to do a lot of your care from patients’ homes and we want to layer that complexity on top of what you’re already doing.” and so it’s a challenging approach, clearly, for HDOs.
0:07:42.3 MN: The technology exists though to secure this stuff. It’s not rocket science and you know that. For HDOs, and this is what I always tell them is, procurement is a really important time for you and if you’re not doing the right things to do your checks through the procurement process, you’re setting yourself up for failure, and I can tell you, we’ve worked with a lot of telehealth vendors, we’ve done a lot of home monitoring, we do a lot of connected devices, and there are good vendors out there that have products that control access, that encrypt data, that do appropriate authentication measures, and so it’s just about making sure they’re smart in procurement and that you grow it in a way that has those controls in place.
0:08:26.0 MM: Do you look at all the stuff that Mayo did back in, probably 2013? You know where I’m about to go. The Mayo folks did a lot of work on procurement security and really nailed that down probably better than anybody else. Certainly, they were the leaders at that time. I’m sure other people have picked up the work from there but you’re right, the things you can do on the loading dock, you definitely can’t do once those devices are hooked up to patients.
0:08:49.5 MN: Exactly, and hospitals that are not doing that right now need to start doing that. That’s the way you move the market, is purchasing power. What Health Trust did several years ago, bringing all the medical device manufacturers together and saying, “Hey, we’re not gonna buy your products unless you comply with these security requirements.” I’m telling you, I know ’cause a lot of them are our customers, [chuckle] it won’t come up and they’re like, “Alright, we now gotta start doing this.” Money speaks, and so if HDOs can unify on that, that’s a really great way to accelerate better security.
0:09:26.0 MM: I don’t wanna get us on too much of a tangent but one of the things that I’ve been ranting about lately is… So we have good pre-market guidance that addresses architecture and things like that, we have good post-market guidance that addresses vulnerability patching and things like that, but what we haven’t done yet is the monitorability of these devices, and there’s no one that says, pick a thing here, “When your CT scanner is broken into by a Chinese APT, what log entries are you going to output?” The funny thing… I love to have this conversation with people because the funny thing is, the answer to that question is one that nobody knows.
0:10:01.7 MM: If you went to the engineering team that built the product, that enters that stuff in the logs, they’ve never thought about it. There’s no mandate for it. The hospital doesn’t know. So who knows and who knows that answer? And I think that that’s a particularly interesting one and especially, and this is actually where I wanted to go with you from there, we saw this amount of digital transformation but now, hospitals are talking medical devices in the home, pushing medical devices down to the home user and sending the infusion pumps home with the patients.
0:10:33.3 MM: We’ve talked PKI a million times but if you think about the PKI implications of like, now the equipment’s not even in the same four walls of the hospital, let alone Telemed. Now you’re pushing all this stuff down to the home. So now we’re talking about pushing the medical device to the home itself and talking about it from a PKI and just from a how-do-you-secure-it perspective and especially… And this is where it starts to get fun. It’s not like we’re only gonna send new devices to the home too. It’s not like hospitals are gonna go out and be like, “Oh, I’ve gotta send an infusion pump home with a patient, let’s go procure a whole new set of them.” So how do you even think about that challenge? Where do we go? Where do we go from here?
0:11:13.7 MN: First, I think about home networks and the vulnerabilities that are inherent and the exposure that that provides is scary. There are a handful of good things going on. PKI, clearly is an important security component of securing the home environment, having secure authentication. So as your device is connecting to the cloud, making sure that that connection is authentic. As that then connects back to the hospital and transfers data, making sure that you have proper authentication, that you have integrity of data through digital signatures, that you’re encrypting that data in transit, clearly is a mandate, HIPAA, and other… It’s just the right thing to do with or without HIPAA but one thing that I would tell you that’s going on that I’m encouraged…
0:12:01.6 MN: So as healthcare devices become home devices, there’s a project going on right now being run by Zigbee Alliance called CHIP. It’s Connected Home over IP and it’s a really interesting project, Mike, because it’s being driven by three of the big virtual assistant manufacturers; Google, Amazon and Apple, and the reason this project formed was because a lot of consumers were saying, “I buy all these smart devices, I bring them into my home and none of them work, and I want this integrated home with these devices where I can say, ‘close my garage door’ or ‘turn the front light on’, and I can’t do that.”
0:12:44.1 MN: And so what they’re trying to do… And I’m gonna get to the healthcare part and where that ties in but what they’re trying to do is create an interoperability standard where no matter what smart device you buy, if it’s compliant with the standard, it will be interoperable, and another part of it is the security, making sure that all devices coming into a home have proper security credentials to authenticate and if it’s doing the encryption of sensitive data.
0:13:12.8 MN: Now, as healthcare moves into the home, healthcare should be involved in this project, and I can tell you that there are a handful of medical device manufacturers that are participating, and I think that’s a really good thing, and I think because of the weight of those who are driving it, when you get Google, Amazon and Apple, and there are 250 other vendors that are participating, it gets a lot of traction.
0:13:35.6 MN: So I could see an environment where we get to where an infusion pump that’s being sent to the home is compliant with that standard and it has proper authentication built in and has proper encryption, and it also will connect with your smart hub where for me, as a type 1 diabetic, you will say, “Hey Mike, your blood sugar’s low, get some orange juice.” and if I’m not responsive, then maybe it’s smart enough even to make a call to someone that I’ve pre-determined to say, “Hey, Mike’s blood sugar’s low and he’s not responding.”
0:14:07.9 MN: There’s so much potential in the smart home. It needs to be done in the secure manner, taking legacy, as you said, taking legacy devices into a home is a scary proposition. Manufacturers need to look at the capabilities of those devices, figure out what they can do. Some have the ability to use PKI, some don’t, but they need to be smart in the way they do that, but I do think… I mentioned the CHIP project ’cause I think the future is really bright in that space.
0:14:33.1 MM: It’s awesome to hear you optimistic because it’s so easy to be pessimistic about some of this stuff.
0:14:39.0 MN: It is, yeah it is.
0:14:39.4 MM: Another sort of direction on that. Have you been thinking about 5G at all? Everybody I talk to thinks that 5G is gonna change a lot of this home stuff as well.
0:14:46.4 MN: It will. Yeah, it certainly will. Yeah, we’re actually doing quite a bit of 5G, for those interested, you can go to our website, shameless marketing plug there. But yeah, we’re doing a lot of cool stuff with 5G with a lot of the big telecoms, and the future is really bright there. I agree, I think that we’re gonna see 5G networks being stood up all over, and that’s gonna enable not just in healthcare, but broader IoT and effective IoT, secure IoT across industries. It’ll be awesome.
0:15:16.0 MM: It will be awesome. I think the really interesting thing is where security plays. One of the things that I think about a lot is, especially in healthcare, security is the one thing that can slow down innovation, and you and I were talking about it earlier and I think we both benefit from innovation. We were both a little bit early adopters in terms of continuous glucose monitors and things like that, right? And you think about the advantages that we have that our grandparents didn’t have, right, and the advantages that our kids will have that we didn’t have, and the only thing that I see that can stop that is if we don’t figure out how to secure it well.
0:15:53.3 MN: Yeah, we can talk about this at length, and I would love to do so but the innovation, Mike, it’s so cool because you and I have seen it. It’s the last five to 10 years where we’ve seen this stuff. I was diagnosed at the age of 16 with Type 1 diabetes, and when I was diagnosed, it took 45 seconds for me to get a blood sugar reading. I had to prick my finger and put it on this little stick and it was effective very other time instead of tons of ways, spending a lot of money, and I would get a single snapshot into what my blood sugar was that wouldn’t tell me trending, that wouldn’t tell me if I was going up or if I was going down, it would just tell me what my blood sugar was.
0:16:31.0 MN: And today, I think you and I use the same glucose monitor, but every five minutes I get an alert on my phone. I get a reading and if my blood sugar is going up, it notifies me, if I’m going down, it notifies me, and it notifies my wife, she calls me sometimes, she’s like, “Eat some freaking sugar.” Because she’s at home, and her phone’s beeping saying that my blood sugar’s low but if I’m in a situation where I’m by myself and nobody’s there to help me, that safety is a great peace of mind.
0:17:02.5 MM: And that it happens securely and you don’t spend your time worrying that someone’s gonna hack your glucose monitor, ’cause the folks at Avid did a great job and the folks at Dexcom in this case, did a great job, I’m mixing those up in my head right now, ’cause we were talking about…
0:17:16.3 MN: No. Yeah.
0:17:16.6 MM: ‘Cause we were talking both of them…
0:17:17.6 MN: Both of them run great systems, and they put security… They’ve done the right thing from a security perspective, and you can think about the negative consequences if there’s a man in the middle attack on our CGM and it tells me my blood sugar is 400 and I make a treatment decision on that. That could put me in the hospital. It can be really catastrophic and so integrity is so important with the types of devices that we use with diabetes…
0:17:45.6 MM: Exactly. Mike, with that man, thank you so much. You have to come back. We have to do this again, ’cause I know, I know you and I, we could talk for hours.
0:17:53.1 MN: We can get down man, you and I can talk health care security forever. You guys are doing some great stuff. You mentioned the problem of notification, I think that’s one of the next frontiers that hospitals have to address. I’m just gonna say that there’s no good system for alerting and health system administrators know what the heck is going on, and it’s so complex and there’s so many multiple systems, you have the MR, you have IT, it’s a really complex environment, and having a simple solution that can provide notifications is so needed in the market right now.
0:18:28.6 MM: And especially as we start to move things beyond the four walls, like you said, it’s really hard in the four walls, but the world is moving so fast that people are pushing this stuff out to the home and everything we’ve talked about, it’s gonna get even harder, and if we haven’t solved the four walls, man, it’s gonna get bad if we don’t do it well.
0:18:46.2 MN: Totally.
0:18:46.6 MM: Mike, tell us where can everybody find you? Twitter, LinkedIn, all of… Where can they find more of you?
0:18:52.1 MN: You can come skiing in Salt Lake if you wanna go skiing, come on out and join me but yeah, digicert.com is our website. I have a Twitter handle Mike_K_Nelson and you can follow me there, but yeah, hit me up. I’d love to talk to anybody about PKI and what we can do to help, but so fun to chat with you Mike, as always.
0:19:10.6 MM: Always, Mike. Thanks so much. We’ll have you back sometime soon. It was a blast.
0:19:14.0 MN: Awesome, thank you.
0:19:15.8 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcast, Spotify or Stitcher, and if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Mike Nelson is the VP of IoT Security at DigiCert, a leader in digital security. In this role, Mike oversees the company’s strategic IoT market development for critical infrastructure industries. Mike frequently consults with organizations, contributes to media reports, and speaks at industry conferences about how technology can be used to improve cybersecurity for connected systems. Before DigiCert, Mike spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.