There are very few professionals that influenced Medical Device cybersecurity more than Chris Gates. Recently we had a chance to sit and talk with him on our podcast “Left to Our Own Devices”.
Currently Director of Product Security at Velentium, a professional engineering firm specializing in the design and manufacturing of therapeutic and diagnostic active medical devices, Chris brings several decades of product security expertise for embedded systems. He has helped dozens of leading medical device manufacturers build up their product security practices. Today, he mainly focuses on the security frameworks that are used across the entire medical device industry, especially Software Bills of Material (SBOMs).
Quite a few important points came up in our conversation with Chris. We put together a quick rundown of the insights he shared, in the hopes of helping product security teams learn and improve in the coming year.
How it started
Chris has always been a hacker. He started his romance with hardware by picking bike locks in his role as a monitor in elementary school. Today, he says that lock-picking is a lot like hacking: you try this and that technique until you find something that works. In college, he turned toward technology and had the privilege of working on DARPA, the precursor of the internet. Early in his career, he became a medical device developer and often tried his hand at reverse engineering unfamiliar devices. He often was charged with the responsibility of finding ways to protect the devices that his company was producing.
About 17 years ago, Chris happened to be on the premises of a very large, international firm when it got publicly hacked. He was able to explain to management how the hack worked. They quickly decided that they needed such a person close at hand, so they signed him up as a contractor. He ended up advising the company on product security for seven years.
Five years ago, Velentium tapped Chris to build up their cybersecurity practice. Among other things, Velentium trains engineers in cybersecurity and Chris is at the forefront. He also serves in various capacities in operational technology (OT) and medical device cybersecurity standards committees such as the Cybersecurity and Infrastructure Security Agency (CISA) for SBOM and Health Information Sharing and Analysis Center (H-ISAC).
Hacking is so Easy
Chris finds hacking easy. “You just find a thread and follow it through. If it doesn’t work, you try another one.” But he informs us that preventing hacking is much more difficult. You have to find ways to incorporate hack prevention into a normal device development cycle that you can track. For medical devices, you need to create artifacts for regulatory submission.
IT vs. OT
Chris marvels at how so many product developers and even senior managers think that cybersecurity for information technology (IT) is similar to OT. “They are not similar at all,” he states. IT deals with information, while OT deals with machines. Widely used IT standards like NIST 800-53 do not pertain to devices.
When asked where he thinks medical device regulations are headed, Chris is quick to respond that we are progressing toward a world with much more regulation. “There’s not a lot of trust in the FDA for medical device developers. I can only imagine that controls are going to get stronger.”
Chris is certain that in the months and years ahead, we will see cybersecurity audits and certifications of thsuppe security of devices. “You should be able to read a label on a medical device and know what security is protecting it.” He even thinks that Congress might give the FDA a direct mandate to include cybersecurity as part of their mission.
Most Common Mistake
From a technology point of view, the most common mistake Chris sees is leaving manufacturing line functionality open and enabled in a shipped medical device. He says that this should not happen. “When the medical device reaches the end of that manufacturing line, many of the features that aided its development should be disabled or placed behind cryptographically significant forms of authentication. This isn’t being done.”
As an example, Chris points out that an infusion pump that has a short range of allowable rates for delivering fluids into a patient’s body should not even carry the ability to pump outside of allowable rates. In development, testing the pump at all sorts of fast and slow rates might have value, but once the device is being used on people, it shouldn’t have the ability to operate beyond safe limits. That’s just one more thing for hackers to abuse to the detriment of patients.
Chris notes how people assume that a health delivery organization (HDO) is a safe space because it’s a hospital that is taking care of sick people. This is wrong. HDO’s get hacked, too. Chris points to the Conti hacker group who, during the height of the COVID pandemic in 2020, released a wave of ransomware attacks against American hospitals while texting, “F the clinics in the USA.”
Use Cases Matter
A born teacher, Chris recollects that the most impactful professional moment he has experienced happened during the time he was training device engineers about cybersecurity. At a design review, one of the developers talked about a feature he was adding to a medical device. Another developer stopped him in his tracks and asked about the vulnerabilities this new feature would add. “That brought a tear to my eye. That’s exactly how to think about it,” exclaimed Chris. “Use cases matter.”
What Methods and Tools Could Help Us Today?
Without hesitation, Chris indicates that good threat modeling delivers the best bang for the buck. Unfortunately, most threat modeling is being done by people who are not experts. As developers, we know everything about the device, but we don’t know the environment. We need to improve and do more threat modeling.
In second place, Chris says is the creation and distribution of SBOMs for all medical devices. Besides its efficacy in the cybersecurity realm, an SBOM can be used to gauge a company’s level of cybersecurity awareness and maturity. It can be a differentiator in the marketplace. He singled out commercial SBOM products like Cybellum’s PCA and CycloneDX that do a great job of delivering useful SBOMs.
A Better, Safer World
Chris is dedicated to a mission that will benefit all of us. “I am trying to change the industry to protect lives and take us to a much better space,” Chris declared. “We’re on the path of angels. It can be tough, but we have to do this together. We are making a difference.”
“Cybersecurity is the ultimate challenge. It isn’t just a checkbox. The patients using your device might be you or your loved ones. What you do matters.”