A Conversation with Pranav Patel: A Cybersecurity Mindset From The Top Down

CEO of MediTechSafe Pranav Patel discusses medical device security, and how organization leaders need to take cybersecurity more seriously.

In this episode, Mike welcomes Pranav Patel, CEO of MediTechSafe. Join us as they discuss how leaders within organizations need to focus not just on digital transformation, big data, and innovation: they must also instill the importance of cybersecurity within the top ranks so that this mindset trickles down through the organization.

SHOW NOTES

Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

In today’s episode of In Scope, host Mike Murray welcomes guest Pranav Patel. Pranav is the founder and CEO of MediTechSafe, and though he and Mike overlapped for a time at GE Healthcare, the two didn’t formally meet until recently. They quickly bonded over a shared interest in medical device security and a common experience being shaped by GE. These days, Pranav is busy running his own company—a company that has constructed a platform focused on medical device cybersecurity for both providers and manufacturers. Within the scope of this focus, the work of MediTechSafe is relatively broad, and Pranav has his hand in all kinds of operations. His central aim, though, is to educate people about medical device security.

Pranav’s focus on education is needed because of some common misunderstandings. One major misunderstanding is that people often do not perceive how different medical device security is from anything else in the security space. As Pranav explains, the difference between a medical device and a general-purpose computer comes down to magnitude of impact: what happens if the device in question is breached or stops functioning? A compromised computer puts data at risk; a compromised medical device is tied to patient safety, so the stakes for its security are much higher.

With the health outcomes, potential lawsuits, and other factors at play in issues of medical device security, it is crucial for those who create and provide medical devices to be educated on the levels of complexity surrounding their safe use. The clinical side of medical device use and the security side also need to work toward mutual understanding; this, however, is more of a leadership challenge than a security challenge. It is trendy for business leaders today to talk about digital transformation, but they need to back up this talk by dealing with cybersecurity. A good first step for an organization is for its leaders to ask simple questions about cybersecurity whenever digital transformation is on the table. Then, the operations side and the security side can each define and share their CTQs (critical-to-quality requirements) and discuss the trade-offs between them.

As Pranav explains, rather than being an insurance function, cybersecurity is a necessary foundation for innovation. It should not be an afterthought, and business leaders need to be intentional about having different segments of their organization speak the same security language. More specifically, security and operational parties need to take a risk-based approach: start from the total risk, then ask how much of it each control or use case actually addresses, rather than accepting a siloed "yes, we have it covered" from each team. Developing this focus requires leadership, education, and dialogue. But given the many devices available to patients and the myriad ways in which they can be breached, it’s necessary that the medical device field do the hard work (as Pranav is!) to pull clinical and security realities together into a smooth, operational system.

TIME STAMPS

– Mike Murray welcomes guest Pranav Patel and asks about Pranav’s business.

– What is the field getting wrong that drives Pranav to focus on education?

– Mike asks about what it takes to bridge the gap between clinical and security sides.

– Cybersecurity is an enabler, not an insurance function.

– How can leaders get people speaking the same language?

– Mike double clicks on dynamics of risk addressed and residual risk.

– Be sure to connect with Pranav, and thanks for joining the conversation today!

0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

0:00:19.3 Mike Murray: Welcome to this week’s episode of In Scope, The Healthcare Security Podcast. As always, I’m Mike Murray, host and CEO of Scope Security and just an all-around fan of all things cybersecurity in healthcare. I consider myself lucky to get to hang out with all of my esteemed guests, and this week I’m really excited. I have with me Pranav Patel from MediTechSafe. And the interesting thing is, Pranav and I met… we both overlapped in our time at GE Healthcare, but we didn’t really know each other back then, and I’m sure we were in a meeting or two, as at most large companies, but we met recently and bonded over our shared love of medical device cybersecurity. So Pranav, welcome to the podcast.

0:00:58.3 Pranav Patel: Great to be here, Mike. Looking forward to a great conversation. I think the GE bridge definitely helps as well.

0:01:07.1 MM: Absolutely, absolutely. It’s funny, you go out into the world and you meet all these GE alumni, anybody who’s spent any time at Crotonville speaks similar language, right?

0:01:16.1 PP: That’s right. I used to say at one point, you see a GE guy or a girl, and you know it in probably a few minutes… I don’t know. There’s maybe a lingo.

0:01:24.9 MM: Yeah, no, there absolutely is. And I find that we all have… Anybody who’s spent any time there, we think… We have some overlapping thought patterns that I think are incredibly interesting, and especially inside of GE Healthcare, we really did learn a lot about medical device security in the last decade. I think GE was at the forefront of a lot of that, and a lot of the folks there were really working hard on some of those things. And you’re not at GE anymore, you’re running your own company doing a lot of cybersecurity around medical devices. Maybe tell us what you all are up to, how you’re thinking, what you’re up to these days and how you’re spending your days.

0:02:00.2 PP: Yeah, no, good question, and I think what you said is true, GE Healthcare has been ahead in things around medical device cybersecurity. I remember when I was running a portfolio of GE Healthcare services, we did start a business that focused around clinical network cybersecurity, and medical device cybersecurity was included as part of it. But it was more services, but anyways, so I think that linkage makes sense, and I think the statement that you made made sense, and we worked with large health systems back then and they’ve progressed tremendously from that point on. What we do at MediTechSafe is slightly different. What we did there was all around services; here we actually have a platform, and that platform focuses on medical device cybersecurity, both for providers as well as the medical device manufacturers now, and we do it relatively broadly. So most of my time is spent… Well, as the CEO, I can’t tell you what my time is spent on, because then I will be listing a hundred things, but the top of mind remains around educating people on the importance of medical device security, but more importantly, how they should probably think about it to address the challenges that they have and do it in the most cost-effective manner, if you will.

0:03:15.6 MM: Absolutely. An absolutely important thing. So what do you think we’re getting wrong, you say you’re educating folks, what are you having to educate on most often, and what do you think that especially the audience of this podcast, a lot of the provider folks and folks on the medical device side, what do you think that they’re not seeing and what are you having to educate on?

0:03:35.2 PP: Good question. There are multiple areas that you can take on, and I think we could probably take it in order. The first one is just how different medical device cybersecurity is to anything else. And then the next one is, where is the challenge? But if you think about it just for a second, and I had this conversation with the Chief Information Security Officer of a relatively large health system, and as the conversation progressed, the person said, Look, medical devices are also computers, and a computer is a computer is a computer. What’s the difference? And when I think about it from that person’s perspective, I think it’s very true, ’cause when you’re looking at things at scale, you’re thinking a device on a network, and your approach has to be, How can I standardize all the things that I can do so that I have a benefit of scale and effectiveness? But then there are also nuances around it, and the nuances come from the fact that if your computer is breached, some of the proprietary information can be compromised, so it’s maybe not available, but when a medical device is breached or is not functioning well, you’re thinking about patient safety, and the magnitude of impact in the two can be hugely different. And just take a second, just so that we actually understand what the magnitude of impact could be.

0:05:01.9 PP: So Colonial Pipeline, we talked about it, it was all over the news, and the ransomware was at… Was for about $4.4 or $5 million, and we think it is a large amount of money, and it certainly is a large sum of money. But when you look at what happens in malpractice verdicts, that amount goes to very, very large amounts. So for example, take an example, in 2018, there was a verdict for $32 million, and if you go look at the verdict for $32 million and what it involved, it was that doctors basically forgot, you could use the word forgot, but I don’t know what it could be, but forgot to include in the medical record a warning that a patient had been diagnosed with a deadly aneurysm, and eventually this patient went on to a different surgery, and not having the information caused complications, health problems and so on and so forth. And that verdict was $32 million. You take the next level, Maryland last year in 2019, the verdict was for $230 million. And the reason was doctors and nurses at the hospital gave a teen mother inaccurate information about the seriousness of this to-be-born baby, and the mother was later diagnosed with pre-eclampsia, so it was just missing information that caused health issues later on, if you will.

0:06:37.7 PP: And the claims were in hundreds of millions of dollars, not a small amount, so one event, one patient safety incident, people can call it negligence and malpractice, the outcome was in hundreds of millions of dollars. You would not see that in just a pure data breach, but if the data breach did cause withdrawal of some key patient information from a medical record or a wrong outcome, now all of us are aware the implications are substantially bigger, so comparing that from a patient safety perspective changes the game. And you have to treat that completely differently, with a clinical mindset, than you would otherwise in the very generic, standard manner that they do most of the time. And we’ve seen those types of things in practice. There have been cases, for example, when a firewall on our vendors was turned on and as a result, in a surgery, the equipment was not available and they had to keep the patient under anesthesia for a very long period of time, they ran a scan and a telemetry, which calibrates for two to three hours of a downtime.

0:07:57.4 PP: There were many cardiac events that were missed. Now one can characterize those as negligence from a health system perspective: you should have known these implications and you didn’t do it, and it could have caused a patient safety event. So I think these are the levels of complexity one may understand when they start to go deeper into it and appreciate how to build a solution. I just wanted to bring those examples out to say what the differences are, and that’s a level of education that I think people need to have.

0:08:26.9 MM: So with that, what level do you have to be at to get those folks to think that way. One of the things that I see is the security people that we talk to, they don’t usually understand necessarily the clinical outcomes at that level, and so how do you bridge the gap? Are you spending a lot of time educating the security folks on clinical side, and then the clinical folks on security, or how do you see how that plays, because I feel like the argument you just made is very nuanced.

0:08:53.8 PP: Yeah, and that’s the challenge, that’s why I think it’s more of a leadership challenge than maybe a security challenge, because think about all of us, and when I say leadership, look, I wasn’t born into the security field. My last role was a General Manager and quite frankly, I had a portfolio of a lot of digital products and services, and I didn’t think about security as much, so I am as guilty as anybody else. But as leaders, what do we like? We like to host parties, but we don’t think about cleaning up afterwards, do we? We find somebody who’s gonna clean it up. We wanna showcase all the stuff, the nice decor that we have, and I translate that into the real world by saying, Look, most of the leaders today, the health system leaders, medical device leaders… No matter where you go, we talk about digital transformation, we talk about IoT. We wanna talk about big data, we wanna talk about personalized medicine, we wanna talk about telehealth, we wanna talk about AI, but then in… During all those conversations, we rarely say, Hey, what about cybersecurity? We leave that for the folks behind it, but if you start because any…

0:10:07.9 PP: All those conversations, we are talking about those clinical implications, because we’re talking about clinical outcomes, whether the quality of care, cost of care, better patient experience, you name them all, and in those conversations is exactly when we need to insert the point around cybersecurity, because all of them actually have implications for that. When you miss that and you give it to whoever cleans up after your party, well, I think then we have really not bridged the gap. So that’s why I usually say, first, if I have to educate somebody, that has to be in leadership, by saying, Look, you gotta start asking a question when you’re talking about digital transformation: how are we gonna think about cybersecurity? And then the typical thing that we do on an operating side is say, what is critical to quality? Define what your CTQs are and translate that now to the security team, and ask our security team, what are your CTQs as you think about cybersecurity for the solution? And now you can have the discussion around the trade-off. Where those two parties aren’t really talking in that manner, then you’re gonna have a sub-optimal outcome, and then if something goes wrong, you just don’t know what you did wrong, and it’s probably too late.

0:11:26.4 MM: I completely agree. And one of the things… You just reminded me of something that I think about a lot, which is the argument far too often is cybersecurity is an insurance function, and especially as I talk to a lot of healthcare C-level executives, I hear that insurance argument, but I actually see it as an enabler, you can’t go out and innovate if all you’re doing by creating innovative solutions, whether that’s all the things you talked about telehealth and pushing care beyond the four walls and remote patient monitoring and all of the things that are hot topics for healthcare executives right now, you can’t go do that if all you’re doing is making the cybersecurity challenge bigger and making the potential breach harder and longer and more damaging, you have to have a base of security in which to innovate or you’re actually going to go… You were gonna go spend $10 million on innovation, it’s gonna cost you 15 because you just got yourself breached.

0:12:21.0 PP: Yeah, exactly. It’s no different than when you’re talking about interoperability, it’s no different than when you’re talking about a support model, right, ’cause any time… Let’s say you’re running a procurement process or you’re thinking about building whatever the digital transformation strategy that you have, you’re gonna ask, Hey, who’s gonna support it? You are gonna ask, Hey, do I have interoperability issues that are gonna create… Anything else? Cybersecurity is no different. It is a level of support that you’re gonna need. It is just like interoperability because, to your point, it is an enabler. Your people, the users, they don’t understand the outcome and they take it for granted because they think you should be providing it. Now if you educate them and if they understood it, they’d ask for it, and all of a sudden it wouldn’t be an afterthought, because adoption would not be there if they truly understood all the risk. So when we’re doing something on behalf of them, and it is an important critical-to-quality metric, then it has to be part of the requirement to start with, not an afterthought, to your point.

0:13:34.6 MM: How do you get those folks talking the same language. I mean, the number of cybersecurity folks that I have talked to that really speak the language of CTQ and all of those sorts of things that you’re talking about, that’s not usually the language of security folks, are you educating the security folks to speak the business language as well?

0:13:54.1 PP: Yeah, I mean, I do, at least in our business. I would say, when you think about cybersecurity, think about a risk-based approach, and I’ll take it down in a very simple way. If you’re a health system leader and you can go to your clinical engineering team and say, Guys, do we have medical device cybersecurity covered? And they will say, Well, we don’t, but we got it, we patch them all the time. Okay, great, now you go talk to the IT team or security team that does the whole enterprise-wide, and they run the NOC and SOC, if you will. And you say, Guys, do you have medical device cybersecurity covered? They go, Yeah, we do. We got a SOC operation where we take a feed and we do this intrusion detection that’s AI-based and refined. Well, here’s the deal, if you change that and you ask, now tell me how much of the total risk has been addressed by your intrusion detection system, or how much of the total risk is addressed by doing product patching? And tell me, do I still have cybersecurity covered or not? ’Cause the reality is, if you do product vulnerability patching or management, that’s up to 14% of the total risk that you would have for medical device cybersecurity. If you went and did your IDS, anomaly detection and the policy management that’s connected.

0:15:17.6 PP: That’s another up to 10%, so now you’ve only addressed 25% of total risk, so what about the rest of the 75% of the risk? But you walked away thinking, because you had a conversation, you asked one question to one party, one question to another party, they both said, Yeah, you walked away thinking, Oh, it’s good, I got it covered, and now I have a false sense of security. But neither of the parties that you talked to, or I talked to, would also know what the total comprehensive risk view is, so from their small, siloed or narrower view they think they addressed it. So there is a level of education that’s required at both ends, and so if you are a security leader, I would say, how about asking basic questions? What’s my total risk and how much risk am I addressing by each one of the use cases? Because look, me or anybody else as a security vendor, what we do, especially for the product side, what we do is we sell the use case, and the use case is a use case, as we say, it’s not a generic case where it applies for everything else.

0:16:25.8 PP: So you gotta understand how much of the use is applied into a particular situation and how much risk reduction would you have, whether it’s before or after, it doesn’t matter, ’cause end of the day risk is the total impact that you’re gonna have. So there is a level of education required to both, now I can’t become a school, I’ll spend my entire career doing that, but when we have a meaningful dialogue with people who are open-minded and willing to take a step back and understand the variables, then we have very meaningful conversation, we tell them Do this, this, this, and this, and that’s not to say whether I saw all the problems that you have or somebody else does, it’s just, these are the things you gotta go do and pick the best that works for you, and that’s what you gotta be able to deliver. And take that and translate that into business language so your leaders know exactly what they have covered and what’s missing, and if they need to do any budget allocation or not, the board would be very well aware because that’s their responsibility, and now everybody is aligned, so some of the times, asking those simple questions, that tend to be business-centric questions but technology feeds into it could really bring people together, if you will.

0:17:36.3 MM: Completely agree, everything you said on a lot of that, but I’d love to double-click on something that you said you were talking about the 25% of the risk and the 75% residual risk that’s left over for the sort of less in the medical device weeds as your world, what is in the rest of that 75%? And how do you help those folks think about that?

0:17:57.8 PP: There are a lot of things, and the way you would have to think about it is, what are the different ways the device or a clinical network can be breached or has been breached previously? Just take one scenario. I’ll just give you a simple scenario. If you’re giving a patient… Home health has become a big deal. If you’re giving a patient a medical device, the patient takes it home and plugs it in and connects through the home WiFi, your intrusion detection at the central location is not gonna do any good, ’cause you may not be connected and you may not have access to all the anomalies or whatever is going on in the home network of that person. But from that person’s, the patient’s perspective, I got this device from the hospital. And I had that… One of my uncles is funny. One of my uncles, a very elderly gentleman, he had a pacemaker and for about two weeks, he wasn’t being monitored, and he did not know that. He got to know it when he got a bill from the local carrier of how that was kind of broken in between, and he goes to the hospital care guys and said, Look, it was off for two weeks, did you guys know? They said No.

0:19:08.0 PP: Okay, so they didn’t know. He didn’t know. What if something would have happened in between, and from his perspective somebody is monitoring it? Right, so these are the types of scenarios that you gotta understand: what’s in the network, what’s the box, how the devices are, where they are, the patient device, not patient device. Look, here’s the thing, every year on average 3,000 510(k)s get approved, which means, not all of them, not connectible devices, there could be some needles and stuff, but even assume 20% of them, you have at least 20% of the 3,000 devices, either they’re new or improvements, that you’re tracking. There are 6,000 medical device manufacturers just in the United States, let alone all the great companies in Europe, in Asia, in Africa, as well as the rest of the world, and they all serve and fulfill different use cases, clinical use cases, they operate in different ways. So for you to be able to address medical device cybersecurity, you gotta understand those clinical implications, how they’re used, clinical processes, compliance, legal aspects of it. It’s just not, Hey, can I scan them? Can I see some anomalies? Or can I just patch them? It’s beyond that, and that’s where you gotta go put pen to paper, if you will, and understand and get the holistic picture and put a boundary around it, and it has to be very operational.

0:20:39.8 MM: Completely agree. And I don’t think anyone is really doing a great job of pulling that picture together today, and we’re part of the solution, and you guys are a big part of the solution, a lot of other folks are trying to be part of the solution, but I’m looking forward to when we can all talk about it a little more comprehensively. So Pranav, you’re a busy CEO, we’ve got a million things going on, I really appreciate the time today. Where can the world find out more of your thoughts, are you gonna be speaking anywhere, are you on social media?

0:21:06.5 PP: Yeah, no, look, I speak at a lot of clinical engineering conferences, I speak at a lot of Ohio’s health associations, obviously, you can visit and learn a lot more on the knowledge center on our website, meditechsafe.com, social media, we keep putting things out there, from a non-medical, from OT as a general, we’ve actually rolled out a course, we have a small little mediagent, a trivia-game kind of thing that we put out just for people who don’t understand cyberspace. This is not for the experts and the pros like yourself, but this is for… This is for general people who wanna just play that trivia game and get a little better educated on what’s going on around the cybersecurity role, so that rather than them becoming a problem, they’re actually our advocate and protector, if you will. So the multiple media, and then follow us on LinkedIn.

0:22:01.0 MM: Right on. Well, thank you so much for coming today. And well, I’m sure we’ll run into each other at HIMSS and all of the various clinical engineering conferences. And it’s been great catching up. And thanks again for coming on.

0:22:13.6 PP: No, thank you. It’s always a pleasure speaking to you, you’re a wealth of knowledge, and all you’re doing is fantastic.

0:22:19.3 MM: Aw, thank you so much.

[music]

0:22:23.0 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]

 
About Pranav Patel

ABOUT THE GUEST

Pranav Patel is the founder and CEO of MediTechSafe. He is also a board member of Centum Electronics and Adetel Group. Pranav previously held executive roles in GE’s Healthcare, Aviation, and Transportation businesses. He has founded half a dozen product and services businesses, including Clinical Networking and Cybersecurity, AI-based Prognostics and Airline Operations Optimization, Energy Storage, etc. Prior to GE, Pranav held leadership roles at Siemens.

Pranav holds undergraduate and graduate degrees in engineering and business from the University of Illinois at Urbana-Champaign, the Georgia Institute of Technology, and Georgia State University. He has co-authored multiple patents.

LINKS