#70: Dr. Hans-Martin von Stockhausen: Cybersecurity Lessons from Siemens Healthineers
We had the privilege of sitting down with Dr. Hans-Martin von Stockhausen, Principal Key Expert in Cybersecurity at Siemens Healthineers, to delve into the intricacies of cybersecurity throughout the product lifecycle. Our conversation explored the delicate balance between device usability and time-to-market pressures, as well as practical tips for enhancing cybersecurity posture.
About Dr. Hans-Martin von Stockhausen
Dr. Hans-Martin von Stockhausen is a Principal Key Expert in Cybersecurity at Siemens Healthineers. With over 20 years of experience in the medical device industry and a background in medical informatics, he has gained extensive domain knowledge throughout the product lifecycle. Over the past decade, Dr. von Stockhausen has focused on product security, holding various positions such as a member of the Siemens-wide product and solution security board, business line product security officer, senior product manager, and principal key expert for cybersecurity. As a member of the corporate cybersecurity governance organization, he leads a team dedicated to improving and maintaining the security posture of products, vulnerability management processes, and security-related customer communication. Dr. von Stockhausen’s team implements and runs the central product security repository, which serves as the foundation for executing these processes and provides input for board-level reporting of product security KPIs. Dr. von Stockhausen is a frequent participant in cybersecurity-related expert workshops and speaks at conferences held by European and internationally recognized organizations.
A summary of our conversation with Dr. Hans-Martin von Stockhausen
The podcast episode featuring Dr. Hans-Martin von Stockhausen on Left to Our Own Devices delved deeply into his extensive expertise in cybersecurity for medical devices and the evolving landscape of product security. Dr. von Stockhausen, a principal key expert in cybersecurity at Siemens Healthineers, shared insights from his 20-year career spanning software development, system architecture, and product security.
Early Career and Path to Cybersecurity
Dr. von Stockhausen’s professional journey began with a fascination for technology during his teenage years when he started programming out of necessity. Initially pursuing a medical degree out of curiosity about human physiology, he shifted focus to medical informatics and engineering after realizing his passion for problem-solving through technology. His early work at the Max Planck Institute revolved around signal processing and 3D visualization of anatomy, providing a solid foundation for his later industrial impact.
The turning point in his career came after the Stuxnet attack, which led Siemens to establish a corporate-wide cybersecurity task force. His involvement in this initiative marked his entry into cybersecurity, where he found a surprising passion. Over time, he became a central figure in defining security processes and tools, highlighting the importance of aligning technical solutions with the medical sector’s unique needs.
Evolution of Cybersecurity in Medical Devices
Dr. von Stockhausen described the evolution of cybersecurity in medical devices over two decades. Initially, the industry faced minimal security threats, mainly limited to isolated malware incidents. However, as medical devices became more connected, the threat landscape expanded, exposing vulnerabilities in healthcare systems to potential exploitation.
He noted that the transition from isolated devices to interconnected systems, coupled with growing reliance on digital infrastructure, made the sector more attractive to cybercriminals. Despite this, the industry has not experienced major incidents of patient harm caused by device hacking. Dr. von Stockhausen attributes this resilience to the inherent complexity and isolation of medical devices within secured networks.
Cross-Functional Collaboration and Industry Challenges
A key highlight of the conversation was the importance of cross-functional collaboration in cybersecurity. Dr. von Stockhausen emphasized that the diverse perspectives brought by Siemens’ multi-sector security board—encompassing industries like healthcare, energy, and transportation—enriched the company’s approach to defining robust security protocols. Shared tools, such as threat analysis models and supplier evaluation frameworks, emerged from this collaborative effort.
However, he also acknowledged significant challenges in implementing cybersecurity measures. The tension between time-to-market pressures and the integration of security features is particularly pronounced. Clinical functionality often takes precedence over cybersecurity due to the lack of direct demand from healthcare providers for robust security measures. Furthermore, many customers still view cybersecurity as an operational burden rather than a critical feature.
Supplier Relationships and Security Maturity
Dr. von Stockhausen touched on the growing complexity of supplier relationships in cybersecurity. He described the evolution of supplier questionnaires from concise documents to extensive assessments covering practices such as software bills of materials (SBOMs) and vulnerability monitoring. While some suppliers leverage these requirements to enhance their security maturity, others view them as administrative hurdles.
Siemens encourages suppliers to embrace security best practices through contractual requirements and collaborative engagement. However, Dr. von Stockhausen highlighted that not all organizations are equally equipped to implement these changes, reflecting broader disparities in cybersecurity maturity across the supply chain.
Balancing Usability, Security, and Innovation
Balancing usability, security, and innovation remains a perennial challenge for the industry. Dr. von Stockhausen underscored the need for manufacturers and healthcare organizations to adopt a shared responsibility model. He stressed the importance of transparency from device manufacturers about cybersecurity capabilities and vulnerabilities, urging healthcare operators to actively utilize available security features.
He also called for better alignment between security expectations and clinical priorities. For example, while features like data encryption and secure configurations are available, their adoption remains limited due to perceived complexity or cost. Dr. von Stockhausen advocated for organizations to prioritize updates and upgrades, emphasizing their critical role in fortifying cybersecurity postures.
Impactful Innovations and Future Outlook
Reflecting on his career, Dr. von Stockhausen recounted his most significant patent, a neural navigation system developed during his tenure at the Max Planck Institute. This system, designed to assist surgeons in precisely locating brain regions during operations, exemplifies the intersection of medical innovation and technology—a theme central to his professional ethos.
Looking ahead, Dr. von Stockhausen advised healthcare organizations to:
- Demand transparency and collaboration from manufacturers regarding device security.
- Adopt secure configurations and update systems regularly to mitigate vulnerabilities.
- Foster secure network environments to shield sensitive devices from broader organizational threats.
- Clearly define and document cybersecurity responsibilities across all stakeholders.
Closing Thoughts
Dr. von Stockhausen’s insights reflect a nuanced understanding of the complexities and opportunities in medical device cybersecurity. His journey from software development to becoming a leading cybersecurity expert highlights the importance of adaptability and collaboration in addressing evolving challenges. As the healthcare sector continues to embrace digital transformation, his call for proactive measures and shared accountability offers a roadmap for navigating the intricate balance between innovation, security, and patient safety.