Mike is joined by Mike Nelson, VP of IoT Security at DigiCert. Join us as they talk about how COVID has accelerated the need for hospitals to secure connected devices, not only within the hospital but well beyond it.
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.4 Mike Murray: And welcome to this week. I am super excited to have a friend of the family and a repeat guest with us today. Mike Nelson from DigiCert is one of my absolute favorite people and we always have these long interesting conversations about whatever comes up. I think last time we ended up talking about Type 2 Diabetes for a bunch of time too. So Mike, welcome back to the show.
0:00:41.1 Mike Nelson: Hey, my man. How are you?
0:00:42.6 MM: Doing great, doing great. And actually, I’m really just gonna let you kind of lead a little bit this morning because you’ve been doing all these really interesting events and talking about all this new stuff that has relevance to healthcare, and I don’t even have it all in my head, so I’m looking forward to learning along with the audience what you’ve been up to in the last few months and what the news is over there.
0:01:04.3 MN: Oh, that’s awesome, man. Well, it’s fun to be on with you. It’s great to see you again and to chat with you, I always enjoy our discussions. We’ve kind of been locked up, right? Last little bit. We’ve talked over at podcast, but it’s been an interesting year, I think, to say the least, I know just based on our conversations, it’s been interesting for you guys, and it kind of feels like people are coming out of their chambers right now, and we’re seeing a lot of cool stuff going on, but to the point you raised, we have… Because of my love of healthcare, I’ve grown up in the industry, we spent a lot of time in the space, and it’s been really… I’ve been at DigiCert now just over six years, and you and I had shared drinks, I don’t know, early on in the process, and former GE guys sitting and sharing battle stories.
0:02:01.0 MN: And it’s been amazing to see what’s happened in healthcare over the last six years, and I think you and I have watched that, but what we decided to do recently is put on some healthcare focus, what we’re calling regional micro-events, where we invite our customers and friends of ours from the industry to join and we have an interactive discussion on trends that we’re seeing through the lens of PKI, which might not be a discussion for everybody, but if you’re security aware, it’s something that has a lot of relevance.
0:02:35.4 MN: And man, we just have had some really robust, healthy discussions, we’ve learned a lot from our peers in the industry, and we’ve also shared with the industry some of the things that we’re seeing from a global perspective, in terms of trends. I think things that are pointing towards more maturity, things that are giving us more confidence that manufacturers are starting to do the right thing. And so it’s been fun.
0:03:00.1 MM: That’s incredible. So what are some of those trends that you’re seeing? I’d love to just unpack some of those and see where we end up, ’cause obviously, we’re seeing some interesting stuff too…
0:03:08.0 MN: Yeah, for sure.
0:03:09.3 MM: And I think it’ll be fascinating to hear. And especially not enough people get to talk about PKI often enough. It’s a favorite topic of mine, and I know it’s obviously a favorite topic of yours, but we’re kind of nerds like that, so maybe we can just nerd out and see where we end up.
0:03:23.3 MN: Awesome. Yeah, connectivity brings about some core challenges: Authentication, encryption, and as the Food and Drug Administration is pushing manufacturers to build products that can be updated, integrity becomes a really important ingredient, code signing, things like that, and so PKI really is… It’s relevant and it’s kind of a starting point for a lot of manufacturers that are doing it. We’re also seeing a lot of hospitals adopt and start employing PKI, but… I don’t know. I think back to the early days, Mike, when we were talking, and I think six years ago, Legacy was like everything, people were like, “Oh, we’ve got all these Legacy products and they need to be secured.”
0:04:10.5 MN: And Legacy still is a challenge, but I think we’ve seen a transition from Legacy to, “Alright, now we’re actually making connected products and we need to get ahead of the design, the architecture. We’re starting to plan for security instead of react to security.” And we’re seeing a lot of proactivity in terms of design architecture. And so one of the trends that we’ve seen is this transition from how do we secure our legacy devices but now… And then it was kind of like, “Okay, now we’re manufacturing. How do we do security at the point of manufacturing? Bake some of that stuff in, provision certificates in the manufacturing line, stuff like that.” Now we have customers who are like, “Hey, we wanna get ahead of it and do it in the supply chain. We wanna put certificates on our microcontrollers before they even get to our manufacturing plant.”
0:05:02.8 MN: And so you think about the progression of that and the maturity, it’s been really neat to see and it’s caused us to have to figure out solutions for that. We announced a little bit ago a partnership with Arrow Electronics. They are a distributor of microcontrollers and they can program chips. And so when one of their customers places an order and they want a certificate baked on, they have an integration with us where they can just spit certificates onto those chips. And then when they get to the manufacturer, they can be initiated and leveraged for all the great things that certificates can do. So, just a lot of cool, I think, ways that manufacturers are starting to do security and to look at it more from instead of just legacy, they’re starting to do more. Another trend… What’s another good one that you would think would be really…
0:05:55.2 MM: Wait, hang on, I wanna jump on that one ’cause I think it’s so interesting. I do rewind the clock back to when we started having our conversations and like you said at the time, it was just basically, how do I deal with Windows XP? And you are hitting on a trend that I’m seeing across, everybody I talk to in the device space, that literally people are actually investing in trying to figure out how to make this thing secure from the beginning and from silicon on up, there’s now an ability to start having some assurance in the process. I think the really interesting thing from where I sit is that the hospitals have to live in this weird sort of dual world in that they still have a lot of that legacy stuff, and there’s not much that they can do about it, but they’re getting pushed towards this connected world, right?
0:06:41.6 MM: When we started, the sort of state-of-the-art was take all of the medical devices and stick them off in a network, put a firewall in front of them and don’t let them talk to anything. I literally had a CISO at one point telling me, he called it his cesspool network, where all of these medical devices were.
0:06:55.5 MN: At the time, that probably wasn’t far from accurate. [chuckle]
0:06:58.5 MM: At the time, that was state-of-the-art, right? And that was what everybody was talking about. And now what I’m hearing from the CISOs and the CIOs is, we’re not allowed to do that anymore, we can’t just take these devices and stick them off and firewall them off and not let them talk to anything because the business, the hospital wants it to be able to get the data off of that. It wants to be able to have immediate scan results in your EMR and be able to pull these things up remotely and share patient data externally. And so it’s like we’re straddling two worlds right now, and I think it’s so interesting to talk to the device manufacturers who, I think 10 years from now, we have really great solutions for almost all of these things because of the work that you guys are doing, right? But the next 10 years is gonna be fascinating.
0:07:48.5 MN: Yeah. It’s a messy world the next five to 10 years, I agree with you. In order for healthcare to embrace IoT, I say this all the time, ’cause people don’t think it, but I cover more than healthcare. We’re doing a lot in transportation and industrial… We’re in all industries, but IoT at its core is about harnessing the power of data and collecting data that was not previously readily available and using it to make meaningful decisions. And so in healthcare, as a Type 1 diabetic, I get instantaneous data from a glucose monitor that’s connected to me and I make treatment decisions based on that. Hospitals are starting to realize the benefit of that data. And to your point, they’re saying, “I want that in my EHR right away.” And in order to do that, you have to have IoT, you have to have connectivity and you have to change that previous mindset of, “These are all in a black box, nobody’s touching them, they’re not connecting to anything.” And then you have the pressures from the FDA who’s saying, “You have to build devices that can be updated.”
0:08:55.8 MN: So how can you do that in an effective, efficient way that doesn’t compromise procedures, that doesn’t compromise treatment, that doesn’t compromise the network of the hospital? How do you do that? And some of those problems are still being figured out, and that’s the mess that we’re gonna deal with for the next five to 10 years.
0:09:17.9 MM: Yeah. Well, it’s something I talk about a lot about the operating system problem on those devices. Windows 7 had a 10-year support life cycle, and if you’re talking about a big medical device, a CT or an MR, something beefy, it can take three to five years to go from new product introduction to 510(k). It takes me five years to get the device on the market. By the time the device has been on the market five years, Microsoft stopped supporting it. And you just have this mismatch between design life cycles in the very traditional Waterfall mechanisms of medical device design and verification and validation, and this world that moves far faster than any of those people sort of originally designed for, and I think they’re all having to change the way they think in order to support this world. It’s almost more of a mental shift, as much as it is a technology shift.
0:10:12.2 MN: Yeah, without question. One of the things we did in our events, we did a lot of live polling and then we asked the audience to contribute, and one of the questions we asked… ‘Cause I hear this all the time, you have people who haven’t been in healthcare and they’re like, “In the next two years, there’s gonna be 500 million connected devices,” and you’re like, “Look, brother… [laughter] That’s just not the case.” First of all, you don’t understand the industry because we are… The connectivity is growing, but to think that we have that many within the walls of a hospital, it’s not happening that fast because of the timelines associated with what you’re talking about. They’re being manufactured, they’re being designed, but we’re still three to five years out before some of these products even hit the shelf. And so, while there are companies, there are big companies, like I did a webinar with BD, they currently have 148 software-enabled products. That’s a lot, that’s a lot.
0:11:08.7 MM: That’s impressive.
0:11:10.4 MN: But not all manufacturers are in that state, and a lot of them are still just kinda getting underway in that journey, which means they’re five years out. And so to think that in the next two years, we’re gonna quadruple the number of connected devices, it’s just… And our polling indicated that. It was good to see that and we had representation from most of the manufacturers participating, and I think they expect double in the next two to three years, and then in the next three to five years, probably a triple at that point, but it’s not a 10x in the next two years.
0:11:49.9 MM: I don’t think the hospitals get supported even if they wanted to as a 10x in the next two years.
0:11:53.7 MN: Totally, yeah, totally.
0:11:54.8 MM: They’re not gonna go out and replace every single infusion pump in the entire hospital in a couple of years, there’s even beyond the design life cycle, there’s a buying life cycle that’s gonna…
0:12:06.5 MN: Yeah, totally.
0:12:08.2 MM: It’s, we’re not gonna eat that elephant all at once, it’s gonna filter over time, but if you go 10 years out, I think that that is the world we will live in a decade. You said something really interesting, you said something about the four walls of the hospital, and one of the trends that I’m spending a lot of time thinking about and talking to people about, is this move of care outside the hospital. You’re starting to… I think in a lot of places, hospitals still have the network architecture of the 20 years ago. Remember we used to say hard, crunchy outside and soft, chewy middle. How are you guys seeing the real move towards medical devices to the home and all of that sort of thing?
0:12:50.1 MN: I think the last year and a half has accelerated that transition dramatically and it’s not… I think there’s increase in connected medical devices being used in the home, and that’s a really positive thing. But the increase of telehealth… I like to say on this topic that a year and a half ago, CISOs at HDOs were struggling to protect the walls of their own hospital, and then we threw on them COVID and said, “Now we want you to also secure the home environment and figure that out.” And it’s like, my concern is that a lot of bad has happened in the last year and my concern is that in a rush to get some of those systems up, that the right security precautions weren’t taken. And I would guess then in the coming years, we’re gonna see the repercussion of some of that, some breaches that potentially occurred during that.
0:13:47.8 MN: I know that I had an experience with my physician where he couldn’t get it working and it just was like… I was like, “Oh my gosh, if you even knew what the violations you are… ” [chuckle] So, it happened quickly and there are good systems out there that are secure, but I think in a rush to get things up, some things may have been overlooked. DigiCert, at its core, that’s where we play. That’s the space we play, authenticating those connections, encrypting the data, and so that’s been good business for us. Last year has been a tremendous year for us, with those types of devices and those types of connections, and we’ve done a lot of cool stuff in that space.
0:14:29.7 MM: I think the space is gonna continue to expand. The really interesting thing that I’m starting to see is there’s so many interesting health tech startups that are population health and interesting care delivery models that don’t look like hospitals, but do some of the things. And I think that COVID, in some ways, took the genie out of the bottle. And to your point, now if I’m a healthcare or an HDO CISO, I’m not just having to secure the four walls in the patient’s home where I sent the medical devices, but also the doctor’s home…
0:15:03.1 MN: Yeah, good point, yeah.
0:15:04.5 MM: Doctors doing telehealth from their living room. And now I have just this expanded environment that I have to think about all of those things. And you nailed it, PKI is one big challenge, but how do you even… The question that I get asked all the time, “How do you monitor when I send medical devices home with the patient?” Well, it depends on whether the medical device can support that, which most of them can’t. And it’s just… I think I had a healthcare CIO say, “We underwent five years of digital transformation in six weeks,” and that’s… I think you nailed it. We haven’t even seen what the long tail of that looks like. We’re still at the very beginning. So what other things came out of your trends and interesting events? I wish I could have gone to some of these.
0:15:51.2 MN: I’ve got one recorded if you want some bedtime listening.
0:15:54.8 MM: Yeah, please.
0:15:56.2 MN: So another trend that we’ve seen is signing, code signing. Code signing is on fire in healthcare right now, and I think there are a couple of drivers for that. One is what the FDA has put out there around execution integrity, so knowing that your device is operating in a state of integrity, that configuration settings haven’t been manipulated, and you can do things like signing a boot file, you can do things that… You can use signatures to help enable some of that stuff. Firmware signing, code signing. So the FDA mentioned code integrity, execution integrity and data integrity. And so if your device is generating data and transmitting it, making sure that it’s not intercepted and that it arrives at the intended place in a state of integrity, and signatures, digital signatures are the way you do that.
0:16:50.6 MN: And so I think the FDA’s guidance has been a driver for that, but I think what happened to SolarWinds recently also. SolarWinds wasn’t only a code signing problem, but it was certainly part of the problem. They signed a package that had malware on it, indicating they didn’t have the right controls around the code signing, they used a valid code signing certificate, but someone had injected malware into a package that they didn’t catch. And so my message on that is code signing is important, but if you don’t have controls for rights management, control of your signing keys, vulnerability testing, doing all of the things that you should be doing, you’re failing. And unfortunately, we’ve seen a lot of that, especially uncontrolled distribution of signing keys is a practice. I think that’s been rampant in healthcare, and I hope it’s coming to an end. So we see a dramatic increase in signing, code signing and all sorts of uses for digital signatures.
0:17:58.2 MM: And I think we have to. I laughed when you said you hope it’s coming to an end. We haven’t stopped our users from sharing passwords yet, so I don’t know that we’re gonna manage to stop them from doing that. But you’re right, the code signing is a wonderful control, but it’s only as good as the rest of the controls that lead up to it. You have to actually build an entire pipeline that allows you to have integrity at each step before you sign it, ’cause otherwise, you don’t know what you’re signing.
0:18:26.4 MN: Yeah, bingo.
0:18:28.1 MM: Right? I think it’s such an interesting challenge. Having been on the inside of a medical device manufacturer, there are some of those folks that have just great development maturity and really incredible process maturity and ways to do all the things you’re talking about and there’s others that I think, they will struggle to raise their game to that level.
0:18:51.4 MN: Yeah, yeah. I think certainly it’s kind of a crawl, walk, run mentality, and some are not even crawling yet, so…
0:19:00.4 MM: I will say, I have to shout out to our friends at the FDA. The FDA have done an incredibly good job in the last 10 years of leading the cyber security movement around medical devices. I think the challenge, of course, is that the manufacturers tend to move a lot slower than the FDA folks have. And it’s by necessity something that the FDA can only have so much impact on because of the timelines you talked about earlier.
0:19:24.1 MN: Yeah, yeah. I agree with you. Kudos to the FDA. I think they’re a shining example of a regulatory agency who gets it. We don’t see that in all industries, but the FDA, I think under Suzanne’s leadership has done a tremendous job of not just putting out good guidance, but cyber is a collaborative approach in healthcare. It has to be. And the challenges between HDOs and device manufacturers and the finger-pointing or the lack of response, they’ve done a really good job of trying to bring them together and say, “You need to work collaboratively to address these things” because if it’s on… Once you put a device in a hospital, you have no idea what they’re doing to that device. It has to be handed off in a way and used in a way that adheres to the security protections that manufacturers put in place. So I agree with you, hats off to the FDA, they’ve done great work.
0:20:25.2 MM: And hats off to you and your team, and always being willing to collaborate and being a great partner to the whole industry. And dude, where can everybody find you? One more time. Just tell us where we can find more of Mike Nelson.
0:20:38.9 MN: Well, you can come to Salt Lake and we can go out mountain biking, Mike…
0:20:41.4 MM: Done.
0:20:42.3 MN: I mean, that would just be the best, but if you’re not able to come to Salt Lake… Actually, we have global offices, but Salt Lake is where I reside. But www.digicert.com is where you can find more about DigiCert and the things that we’re doing.
0:20:56.2 MM: And you’re on the Twitters and all of the various social media?
0:21:00.0 MN: Yeah. Mike_k_nelson is my Twitter handle, and you can find me there, but really fun to connect with you, Mike. I always enjoy our discussions.
0:21:11.5 MM: Always great, Mike. Thanks again for coming on and always being such a great guest, and meandering through the world of healthcare security with me.
0:21:18.5 MN: I love it. Thanks, man.
0:21:21.7 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]