There’s No Easy Button: The Evolution of Medical Device Security with DigiCert’s Mike Nelson

Medical device security will only grow more complex with the evolution of at-home healthcare, telemedicine and device IoT. In this episode, Mike Murray talks to Mike Nelson, VP of IoT Security at DigiCert, about how security vendors and HDOs can rise to the challenge together.

Show Notes

In this episode of In Scope, the healthcare security podcast, host Mike Murray interviews another industry leader: Mike Nelson! Mike Nelson is the VP of IoT at DigiCert, where he is in charge of all things critical infrastructure. He is one of the foremost thought leaders in the healthcare security space, with experience amassed not just at DigiCert, but also in his former roles with HHS, GE Healthcare, and Leavitt Partners. Mike’s passion for his work is, in part, rooted in a very personal connection: as a type 1 diabetic, he has a vested interest in the development of both medical devices and their security!

As the conversation begins, the two Mikes describe their connection: both are diabetics, and they met while Mike Murray worked for GE, a company Mike Nelson worked for at a different time. Mike Nelson then shares an update on what he’s been up to and seeing in the healthcare space. 2020 has been quite a year, especially for healthcare security. Mike is seeing good things, but considering negative factors like recent ransomware attacks, 2020 has definitely been a mixed bag.

The hospital front has been challenging. It is by nature such a complex ecosystem and its difficulties have only been extended due to the COVID-19 pandemic. Telehealth and home monitoring technologies have received a lot of attention, but while the healthcare industry seemingly hopes it will find an easy button to settle its security matters, Mike notes that such a button simply does not exist. Ultimately, while he’s encouraged by a lot of progress in the field, there is still a long way to go.

Getting into more specifics, Mike explains that the right activity is happening today in developing safe medical devices, but it could still be years before the devices hit the market. Moreover, on the topic of legacy devices, Mike sees positive signs along with room for growth in companies hiring the right people and handling security training and centralization well.

Because of the global pandemic, three years of digital transformation took place in a single month. The resulting surge in telehealth and remote work represents a security problem that the healthcare field has had to navigate and try to solve. HDOs (home delivery organizations) are struggling, and there are layers of complexity at play. While security technology exists, procurement can be difficult. There are good vendors who are careful about access control, data encryption, and appropriate authentication measures; the need now is to make sure procurements are managed with these controls in mind. And, of course, purchasing power is how HDOs can move the market!

A tangential point about the need for vulnerability monitoring of medical devices leads the conversation toward its next topic: medical devices in the home. Hospitals are now talking about moving medical technology, such as infusion devices, to patient homes, and this raises PKI (public key infrastructure) implications and questions about security. Security professionals have to consider the quality of the devices (some of which will undoubtedly be old), the vulnerability of home networks, and the authorization necessary to protect data.

As healthcare devices become home devices, though, there is an encouraging project underway under the direction of the Zigbee Alliance. The project, called CHIP (Connected Home over IP), is driven by three of the big virtual assistant manufacturers, Google, Amazon, and Apple. The project grew out of customer concern that their smart devices did not work to integrate their homes as desired, and its aim is to develop an interoperability standard. By necessity, such a standard would include matters of security; there are also a number of healthcare manufacturers participating in the project, which testifies to the fact that there are a lot of possibilities for medical devices (and maybe even emergency interventions!) to be part of the integration process.

Turning to some other related topics, Mike first says that taking legacy devices into the home is a scary proposition and explains how manufacturers should be thinking about these devices. He further comments on the bright future of 5G, even across industries, and the relationship between innovation and its necessary counterpart, security. As the conversation reaches an end, the two Mikes close by considering the problem of notification.


0:20 – Mike Murray introduces the episode and his guest, Mike Nelson.

1:28 – What has Mike Nelson been up to and what is he seeing in the healthcare space?

3:26 – The conversation shifts to device availability, legacy devices, and hiring/training.

6:50 – With so much change so quickly, telehealth and remote work pose challenges.

9:31 – The next topics are vulnerability monitoring and medical devices in the home.

12:02 – Mike Nelson shares about the CHIP project.

14:40 – He also comments on moving legacy devices to the home and 5G.

15:59 – Innovations for diabetics are amazing and highlight the need for security.

17:46 – As the conversation wraps up, the two Mikes finally consider notification.


Learn more about Mike Nelson and connect with him on LinkedIn and Twitter.
Learn more about DigiCert and its work in the 5G space.
Access the webinar Mike Nelson did with Edison Alvarez.
Learn more about Mike Murray and follow him on Twitter.
Learn more about Scope Security.
Connect with Scope Security on LinkedIn and Twitter.
Learn more about the In Scope podcast and sign up to never miss an episode! You can also listen to episodes on any podcast streaming platform.

If you have show ideas, tech tips, or would like to be featured on our show, contact us at [email protected].
