Phil Englert was ahead of the curve in introducing cybersecurity into the medical device industry, building medical device cybersecurity programs from scratch several times during his career. Today he is the Director of Medical Device Security at the Health Information Sharing and Analysis Center (H-ISAC), helping establish connections within the medical device community, and he is well-versed in building and sustaining medical device cybersecurity programs in healthcare.
Cybellum invited Phil to be a guest on the Left to Our Own Devices podcast where he shared his experience and gave some practical tips for product security in 2023.
With a background in clinical engineering and thirty years of experience in lab testing, Phil Englert went on to head the facilities maintenance of the clinical engineering program at Catholic Health Initiatives. His job responsibilities included what was called at the time “physical security,” or managing the maintenance of all patient care devices and benchmarking maintenance operations with the goal of driving down cost without compromising quality or availability.
The security risks of these patient care devices were brought to the forefront after the Ponemon Institute’s 2012 report highlighted some alarming challenges.
As Phil recalls: “69% of the respondents said they don’t have any protections on their medical device environment. And then in February of 2013, President Obama came out with Executive Order 13636 [with the goal of improving] critical infrastructure, [bringing this to the] attention of our leadership.”
The reality was that nothing was done to better secure those devices.
Applying resources beyond a traditional IT approach
Phil was responsible for the security of 400,000 patient care devices, but he didn’t know where to start.
Relying on the NIST SP 800-53 framework, he developed a survey to assess which devices were connected, what organizational controls were in place, and the organizational discipline applied to those devices, especially in relation to cybersecurity.
Phil explained: “We assessed about 2000 endpoints [to determine] what we had, and then I really worked with our IT security team.” He continued, “One of the first things we did was go through all of our IT security standards and policies and, what I called, ‘medicalize’ them. We had a lot of policies that said, ‘You must have antivirus.’ And I said, ‘I have a lot of equipment; that’s not even a possibility. So let’s modify that policy to accept the fact that many medical devices can’t have antivirus or anti-malware on them.’”
The information he gathered in following through with his product security goals brought him to speak with standards groups and even become involved with the Food and Drug Administration (FDA). “I was very often the sole healthcare delivery organization voice at the table for [many] of these standards groups,” Phil recalls.
Three top lessons for product security teams today
We asked Phil about the top three lessons he can share with product security teams that need to build a cybersecurity practice from scratch.
1. Cross-team collaboration is crucial
“If you look at a clinical engineering team or a healthcare technology maintenance group, you have folks that take care of the surgery in the operating room. You have folks that do radiology equipment, clinical, diagnostics, and physiological monitoring. It requires [a] specialty. So the first thing you have to do is commit to working together as a team,” Phil explains.
This is challenging because different technical teams have fundamentally different customer relationships. IT teams, for example, understand that their customer relationship is one-to-many. In other words, a small change can have a huge impact. Clinical engineering or biomedical technical teams on the other hand have a one-to-one relationship with their customers. Only one piece of equipment interfaces with a patient at a time and repairs are made one at a time.
These different technical teams also might use the same terminology differently. For Phil, a common language or framework is critical to enable a collaborative approach.
“That’s why the medicalization of our policies was important because it gave us a chance to negotiate [and] understand the perspective of the other side, and make sure that we could apply [it] with a common understanding moving forward.”
2. Progress is gradual: implement what works
With so many medical devices, and 200 different makes and models of connected devices alone, Phil quickly realized that he needed to identify which devices had the potential to cause the most harm from a patient safety, clinical operations, or care delivery perspective. Then he needed to work with the clinical leadership to devise the best methods for working on them, applying resources where they would have the most impact.
3. Identify and prioritize the most vulnerable risks
“Your CT that supports your trauma center is far more important than the CT that’s out in an ambulatory diagnostic center in the suburbs, [because] if your CT in the ER goes down, your ER is now on divert and you’re losing 16 to 18% of your admits that come through the emergency department, [impacting] the revenues, impacting things in a way the remote one doesn’t. It may inconvenience the patient [because], you may have to delay or reschedule or send them to another location, but it doesn’t have a direct impact on your clinical operations. You’re also not treating the more at-risk patients that come through the emergency department.”
Transparency is the top challenge in the healthcare industry
Patient safety is the biggest challenge to transparency, he explains, compounded by the fact that healthcare organizations don’t like sharing their information. H-ISAC is creating a safe harbor in which organizations can share indicators of compromise and compare their information and experience with others. “One of my biggest challenges is to help healthcare organizations understand that sharing this risk makes them stronger as a unit. To beat the least of us, you’ll have to beat all of us, is the approach that we try to take.”
The industry is starting to take steps to become more transparent, Phil explains, “H-ISAC is assisting the SBOM POC, working with both manufacturers and healthcare delivery organizations to bring the groups together and learn how [as a manufacturer, we] can deliver it and consume it at scale.”
But additional challenges remain.
The SBOM may identify the software or hardware components that are in devices, but those components are still assets that need to be managed. The Vulnerability Exploitability eXchange (VEX) may disclose vulnerabilities with a CVSS 3.0 score, which tells organizations the impact of a breach but not much else.
Phil went on to give an example of how an impact score might indicate privilege escalation or remote code execution, but it doesn’t provide the context. “If I can gain access to a device and remotely execute some code, does that mean I can turn the printer off? Or does it mean I can change the value settings and therapy on a device? Those are two distinctly different outcomes or impacts on healthcare delivery. I can live without the printer, [but I can’t have] somebody come in and change the settings on this device without my knowledge. That’s a patient safety issue.”
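To make the point concrete, here is an added Python example (not code from the podcast, H-ISAC, or Cybellum) that weights each VEX finding by the clinical context a CVSS score does not carry: where the device is deployed and what its function would let an attacker influence. Device names, SBOM component names, vulnerability ids and the weights themselves are all constructed placeholders.

```python
"""Rank VEX findings by clinical context rather than CVSS alone (constructed example)."""
from dataclasses import dataclass

# Illustrative weights for the context CVSS lacks: a trauma-center device
# matters more than an ambulatory one, and a device whose therapy settings
# could be changed matters more than a printer that could be switched off.
ROLE_WEIGHT = {"trauma_center": 3.0, "ambulatory": 1.0}
FUNCTION_WEIGHT = {"therapy_settings": 3.0, "imaging": 2.0, "printer": 0.5}


@dataclass(frozen=True)
class Device:
    name: str
    role: str              # where it is deployed (key of ROLE_WEIGHT)
    function: str          # what an attacker could influence (key of FUNCTION_WEIGHT)
    components: tuple      # component names taken from the device's SBOM


@dataclass(frozen=True)
class VexStatement:
    vuln_id: str           # placeholder id, not a real CVE
    component: str         # SBOM component the statement is about
    status: str            # "affected" | "not_affected" | "fixed"
    cvss: float            # CVSS 3.0 base score reported with the statement


def priority(device: Device, stmt: VexStatement) -> float:
    """Clinical priority of one finding on one device; 0 if it does not apply."""
    if stmt.status != "affected" or stmt.component not in device.components:
        return 0.0
    return round(stmt.cvss * ROLE_WEIGHT[device.role] * FUNCTION_WEIGHT[device.function], 1)


def triage(devices, statements):
    """Return (device, vuln_id, priority) rows, highest clinical priority first."""
    rows = [(d.name, s.vuln_id, priority(d, s)) for d in devices for s in statements]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: r[2], reverse=True)


# Constructed inventory: two CTs with the same SBOM in different settings,
# an infusion pump, and a label printer.
DEVICES = [
    Device("CT-ER", "trauma_center", "imaging", ("libfoo", "rtos-net")),
    Device("CT-Suburb", "ambulatory", "imaging", ("libfoo", "rtos-net")),
    Device("InfusionPump-ICU", "trauma_center", "therapy_settings", ("rtos-net",)),
    Device("LabelPrinter", "ambulatory", "printer", ("libfoo",)),
]
STATEMENTS = [
    VexStatement("VULN-0001", "libfoo", "affected", 9.8),
    VexStatement("VULN-0002", "rtos-net", "affected", 7.5),
    VexStatement("VULN-0003", "libfoo", "not_affected", 9.8),  # vendor says not reachable
]

if __name__ == "__main__":
    for row in triage(DEVICES, STATEMENTS):
        print(row)
```

The highest CVSS finding on the printer lands at the bottom of the list, while the lower-scored finding on the ICU infusion pump lands at the top, which is the distinction the quote above describes.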
Prepare for modularization, AI, and greater flexibility
Phil is witnessing a few trends in the medical device industry that can offer solutions to these challenges.
“There’s the modularization of medical devices. It’s great from a support perspective and I think what we’re going to begin to see is a decoupling of the medical device technology from the communication ends. It’s not applicable to all technologies, but if we get there, we can then be more reactive. We can update these devices on a shorter cycle without impacting or having to evaluate the impact on clinical functionality. That’s the thing I hope for, and I’m beginning to see signs of that as we go.”
Software as a medical device, where the technology is not dependent upon the hardware, is another trend. This provides real flexibility in supporting the infrastructure, the operating system (OS), and other elements.
The final trend, according to Phil, is more of a double-edged sword: the utilization of Machine Learning and AI to monitor and detect anomalous behaviors. Although it allows detection and response in a much more effective and shorter timeframe, it also empowers the bad actors to be just as flexible and powerful with their attacks.
Practical tips for product security in 2023
Phil stresses the importance of connecting different teams to correlate systems and detect suspicious behavior, for example through a PSIRT. In addition, healthcare organizations must identify the crown jewels among their medical devices, brainstorm how they can fail, and have a plan for responding. He also suggests investing in a passive monitoring tool that delivers visibility into the traffic of devices that have limited resources or cannot have agents installed, and so cannot be monitored with traditional IT tools. Such tools also give a better understanding of normal traffic behavior and help identify anomalous behavior, so that a response plan can be put in place.
“The last point I would make is to involve your clinical teams, your clinical leaders. Hospitals are much [like] malls with a bunch of specialty stores. Talking to the radiology director is not the same as talking to the pathologist, or the clinical lab director, or the director of the OR. So get these folks involved. Understand what’s important to them from their specialty delivery and then figure out how to support and be responsive to those teams.”
This type of cross-collaboration is critical for the future of product security in the healthcare industry.