Conversations with the FDA’s Suzanne Schwartz and Kevin Fu: Part 2
In the second part of this special two-part episode with the FDA’s Suzanne Schwartz and Kevin Fu, the discussion turns to the increasingly prevalent topic of ransomware.
In today’s episode of In Scope, host Mike Murray continues his interview with two luminaries from the medical device security world, Suzanne Schwartz and Kevin Fu of the FDA. In this last segment of the discussion they tackle the hot topic of ransomware.
To begin, Kevin gives his view of ransomware as a symptom rather than the problem itself: a symptom of security designs that lack the innovation and creativity needed to get ahead of the adversary. While it is important to address ransomware, it is more important to identify its root causes. Suzanne’s role is more concerned with what needs to be done to create greater public awareness of the concerns around ransomware attacks. It is not merely IT systems that are affected; the consequences for the delivery of healthcare are much wider. We talk about cybersecurity as a patient safety issue, but ransomware needs more awareness because of the amount of patient data within medical devices. If clinicians can’t access this information when it is needed, the results could be detrimental.
Cybersecurity, within the medical industry especially, needs to be a regionally collaborative effort. If one hospital is down, it affects all of the surrounding hospitals to which patients may be diverted. Attacks in the medical industry have regional impacts, which sets them apart from other types of cyber attacks and complicates things further. If the primary systems aren’t functioning properly, it’s difficult to pass information on to the other institutions receiving those patients.
To conclude this two-part conversation, we hear what Kevin and Suzanne will be up to in the coming months and where listeners can find them online. Kevin will be focusing his upcoming talks on the clinical side, where audience members are less familiar with medical device security. Suzanne encourages anyone to reach out to her FDA email address. She will be speaking at the HIMSS 2021 Global Health Conference and is optimistic for the future.
– Ransomware as a symptom rather than itself a problem.
– The serious concern of ransomware attacks for patients.
– Cybersecurity as a collaborative effort for all regional hospitals.
– Kevin’s plans for the upcoming months and where to find him.
– Where to find and connect with Suzanne.
0:00:02.9 Speaker 1: Welcome to In Scope The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:18.8 Phil: Welcome back to our conversation with the FDA’s Suzanne Schwartz and Kevin Fu. I’m Phil, producer of In Scope The Healthcare Security Podcast. Please enjoy the conclusion of this two-parter where Mike, Suzanne, and Kevin discuss the important topic of ransomware.
0:00:35.8 Mike Murray: We’ve managed to get a long way into this conversation and not one of us has uttered the word of the day, which is ransomware, because that seems to be the word on everybody’s lips the last six months. How do you all see your role in helping the scourge that is ransomware these days?
0:00:52.9 Kevin Fu: Let me just begin with, I view ransomware as more of a symptom rather than the problem itself. It’s a symptom of security designs that I think ought to have been a little more innovative and creative in getting ahead of the adversary, because ransomware as a concept has been possible since the beginning of time. It only has recently become actualized in the form of organized crime. So I think if we focus purely on… It’s important to address the ransomware problem, but I think it’s also more important to figure out, well, What are the root causes? Because there’s gonna be future malware that comes out that might not even be ransomware in the future, and we want to be able to eliminate those to really cut off the branches that are gonna give growth to even larger problems down the line. But definitely it’s a huge problem today.
0:01:44.8 Suzanne Schwartz: And Kevin, obviously approaching this from a really academic and technical, deep technical perspective, which I can really appreciate. The hat I wear is more… Faces, What do we need to do in terms of creating greater public awareness around some of the concerns that we see with ransomware attacks? And we’ve had discussions internally around the need for a new information campaign to raise situational awareness, very much along the lines of what we did back in the earlier days of 2013-2014 around medical device cybersecurity that, in this case with ransomware, this is not merely IT systems being impacted, “Oh well, what are we gonna do?” But rather, what are the implications, what are the consequences with respect to, in healthcare, the delivery of care? Or, how does this affect disruption of ability to deliver patient care? And that’s just not getting the kind of attention that it needs to get today. We talk about cybersecurity being a patient safety issue, can’t hammer that home enough. And ransomware attacks on hospitals, on healthcare facilities, where systems are tied up and therefore down, not only are devices potentially not available to be utilized, but because the electronic systems that carry data may not be accessible.
0:03:29.8 SS: The ability for clinicians to understand exactly who the patient is that’s in front of them, or, What’s their past medical history? What are the medications that they’re on? What are they allergic to? Etcetera, etcetera. You can see how that develops into a whole cascade of potential adverse events if clinicians don’t have the kind of access that’s necessary to these systems. And this is playing itself out in various ransomware attacks that we have seen over the past year. It’s not getting the kind of attention that a Colonial Pipeline attack or attack on the meat-packing industry has occurred, I think, because those are real tangibles, in terms of how it affects the individual. But in the case of healthcare systems being attacked only if you were there, only if you were directly involved, would you perhaps have any sense of, “Oh my! What does this mean for the patients that we take care of here?” Or for me as a patient or as a caregiver of a patient, “Oh no! What if I need to go to the hospital and I need access to a CT scan emergently or an MRI, in order to determine what’s going on for my doctor to enable an immediate treatment intervention?” And those systems are not working, they’re down.
0:05:05.5 SS: We do see the importance of raising awareness around ransomware attacks within healthcare and creating that bridge or that link between… This is not just simply an IT matter, but understanding the cyber-physical consequences, the operational aspects of it, and how that translates into availability of delivery of care.
0:05:33.0 MM: I have a story to tell around that, that I’ve never told publicly, and I’ve never told either of you that I think you’ll find very interesting. A member of the Scope team recently, her wife was having a baby and they were going to have a home birth and they ended up having to take an ambulance to the hospital. Everything was fine, but they had to go, have the birth monitored with medical devices. And while they were in the back of the ambulance, the ambulance attendant said, “You’re really lucky you’re going to this hospital because the other hospital in our town is shut down, and the nurses don’t know how to work the old-style medical devices anymore.” And the thing that reminded me of this, Suzanne, is as you were talking about those devices being down, we have 15 years of doctors and nurses and physician assistants being used to the new-style connected medical devices with technology where you can just pull up the patient’s records on the screen. And it’s not just a matter of the systems are shut down, but people don’t remember how to do medical care on paper when they haven’t been doing that for almost 20 years, if they were ever trained on it at all.
0:06:37.4 MM: And it’s so fascinating to think about the actual consequences, but there are real life consequences to this stuff that… Like you said, it gets on the news when gas prices go up or meat prices go up, but it’s not tangible enough for most people to understand.
0:06:52.4 SS: Yep. I am a physician myself, I guess kind of traverse that period of time, especially as a surgeon, having dealt with a lot of trauma where with all the infusion pumps, well, IVs I should call them, not even infusion pumps, you measured, you knew by how to dial it up what the fluid rate was of what you were administering. That’s just not the way medications or fluids are delivered today with electronic and automated pumps that you calibrate and you punch in your numbers that are computer-driven. So yes, when you say, especially the newer providers that are coming out of training and all, when various systems then are not available, is there even the memory or the ability to go back to what I would call more, now, more austere types of conditions? Which makes the point for why, and this ties us back or loops us back into ransomware attacks as well, the importance that we think of exercises being done. Tabletop exercises, other kinds of functional exercises that healthcare institutions should do together with their local Departments of Public Health. The federal government is certainly willing and desiring to participate in those kinds of scenarios, and industry will as well, just so that you can play out different types of attacks and figure out exactly how you’re going to continue your operations during that period of time.
0:08:32.7 KF: And that really cuts to the topic of OT or operational technology as well, which is called out specifically in the presidential executive order, and tabletop exercises for IT and OT will have some relationship for cybersecurity, but there are fundamental differences because often the closed-loop control of diagnosis and therapeutics.
0:08:57.3 MM: Absolutely, and it’s funny that we’re talking about state coordination because I was recently talking to the Cyber-Med guys, Christian and Jeff. And they made a point that I hadn’t thought of before, which is that those tabletops for a given hospital can’t just involve that one hospital because if that hospital is down, and Suzanne, you said this to me yesterday when we were chatting, that hospital being down doesn’t just affect that hospital, but all of the other hospitals in the region where they’re diverting patients to and involving medical providers at other places in other parts of the region. The attack spreads not like a cyber attack, but it actually has regional impact, and that that’s a very different thing than most other types of traditional cyber attacks.
0:09:42.9 SS: 100% agree. It is. Then that’s where you can take some lessons learned or pages out of other types of more natural disaster events that are kind of localized to regions where those are exercised regularly and the regions that are very affected know the routine. But it gets to what happens when one or two hospitals are not available or in diverting patients, and the surge ends up elsewhere, and I think what makes this really that much more complicated as well, is not only do you have surge going elsewhere, but if your systems, the primary systems that were affected are not working, then it’s difficult to pass on to the accepting institutions information that’s relevant to the care of those patients, ’cause it’s also not accessible. So that just adds a different level of complexity versus kind of your hurricane affecting an area and one can retrieve the electronic records and provide them even as paper or whatever, but you can provide that to the receiving institution.
0:10:58.2 MM: Absolutely. Alright, I don’t wanna keep you all forever. And I too could talk about this for hours with both of you, but where can the world find more of both of you? I’m gonna throw it to Kevin first. Kevin, what are you up to in the next few months? Are you speaking anywhere? Do you have anything cool going on? Where can we find you on social media? Tell the world if the world wants more Kevin Fu, where do they get it?
0:11:20.2 KF: Oh, well, probably the best place would be LinkedIn for little announcements about articles or upcoming conferences. There’s going to be some activity involving FDA, a number of people from FDA at the Biohacking Village associated with DEFCON next month in August. There are, I would say, my speaking, as well as the speaking of many people in OST are spread across disease-specific organizations. You’ve got clinical engineering types of organizations, you’ve got trade associations, you’ve got pure cybersecurity groups. So there’s so many different places. So I’d say it would really depend upon the audience member. But I’m certainly trying to spend much more time on the clinical side where there’s going to be persons in the audience who are less familiar with medical device security and need an introduction. And part of that is sort of dispelling the hoodie hacker and sort of bringing it up to the reality check of what’s really going on today, and what are some of the root causes and what can an individual and an HD or a manufacturer do about it.
0:12:32.2 MM: And Suzanne, what about if the world wants more Suzanne Schwartz, where do we find you?
0:12:36.4 SS: [chuckle] Well, first off, people can always reach out to me at my FDA address, that’s open door, welcome mat. People shouldn’t hesitate to reach out to me through FDA. I am on LinkedIn as well, and I really do try to post new either events or new work products that we are putting out or announcing any workshops or meetings that we’ll be having on LinkedIn as well. I’ll be speaking at HIMSS coming up. I won’t be there in person, but hopefully as the months go by and we are able to resume more conference participation, there’ll be opportunities for more networking and meeting up in person. For now it’s gotta stay a little bit more virtual, but that should not be at all a limitation on people finding me. I always like to hear from folks as well.
0:13:35.8 MM: By the way, everyone, she actually means it. She does respond. I know this ’cause I think it’s how I really got connected with Suzanne when I was back in the way old days. So she actually does love to talk to people, and it’s really cool. Thank you both for spending so much time with us today. That was an absolute blast. And you know you’re always welcome, both of you, any time that you wanna come hang out on our podcast, but thanks again for being here today and for telling us all this interesting stuff.
0:14:01.9 SS: Thank you for giving us this opportunity, Mike. It’s always a pleasure.
0:14:05.6 MM: Always. Thanks Kevin.
0:14:07.8 KF: You’re welcome, Mike.
0:14:11.1 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up or you can listen on Apple Podcast, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUESTS
Suzanne B. Schwartz, MD, MBA is the Director of the Office of Strategic Partnerships and Technology Innovation (OST) at FDA’s Center for Devices & Radiological Health (CDRH).
Suzanne’s work in medical device cybersecurity includes raising awareness, educating, outreach, partnering and coalition-building within the Healthcare and Public Health Sector (HPH) as well as fostering collaborations across other government agencies and the private sector. Suzanne has been recognized for Excellence in Innovation at FDA’s Women’s History Month for her work in Medical Device Cybersecurity. Most recently, she received the 2021 Routhy Award from the H-ISAC for her leadership in cybersecurity in healthcare, especially during the COVID-19 pandemic.
Together with Health Canada, Suzanne has represented FDA in co-chairing the International Medical Device Regulators Forum (IMDRF) Work Group on Medical Device Cybersecurity leading to its first international guidance publication in March 2020. She chairs CDRH’s Cybersecurity Working Group, tasked with formulating FDA’s medical device cybersecurity policy and has additionally served as co-chair of the Government Coordinating Council (GCC) for the HPH Critical Infrastructure Sector, focusing on the sector’s healthcare cybersecurity initiatives.
Kevin Fu is Associate Professor of EECS at the University of Michigan where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). During 2021, Fu is also Acting Director of Medical Device Cybersecurity at FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). He is most known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel. The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.