Former Medtronic Director of Product Security Bill Aerts took some time recently to discuss the new security challenges arising from the IoT of medical devices, how to put together a strong security program, and the current state of medical device security (and how we can fix it).
Aerts will be hosting a training session on How to Set up a Medical Device Security Program for Manufacturers at the Archimedes Medical Device Security 101 Conference this January.
Describe your experience in the medical device security field and how it’s led to the work you’re doing now.
I’ve had the opportunity to start and develop IT security programs at a number of large companies over my career, including the program at Medtronic. As time moved on, it was clear that the products and services that Medtronic sells had some of the same IT security challenges, as well as many unique challenges and situations.
As my wife has benefitted from many heart devices, I’ve always been very interested in making sure that products are secure, so I jumped at the opportunity to build a medical device security program at Medtronic. It has been a great experience and the program is really having an impact.
More recently, I realized that 30+ years working in large corporations was enough, and that I wanted to try something new, so I retired from Medtronic. Now, I’m excited about any kind of work I can do in this field to help all of the players in the medical device security industry create better and more secure products. There is so much opportunity and challenge ahead.
As more medical devices have become wirelessly connected, what new security challenges have arisen?
The list is long: asset management is difficult because of the wide variety of vendors and unique devices connected to a hospital network… protecting the storage and use of personal information as it is sent anywhere in the world… lack of physical control over the device.
Secure communications, including authentication and encryption, is also a real challenge. Being connected to the Internet is an even higher risk for medical devices than for a typical laptop or mobile device. It will be difficult to secure IoT devices as they multiply.
How serious is the risk to patients?
Real security risk does exist in connected medical devices, especially in older ones. Any security risk needs to be taken very seriously to protect patient safety, but the key question to me is always, “Does the therapy that the device provides outweigh the risk of a security problem?”
In the majority of current cases, the risk is relatively low, and the benefit is very high. That said, there are too many devices out there that have poor security and they need to be addressed as quickly as possible. The risk to patients is growing quickly as more connected devices are used, and the IoT becomes full of medical-related “things.”
What can medical device manufacturers do to create more secure products?
They need to build a program around device security and have strong commitment from the top, as well as assignment of accountability. This may require that they find or buy more expertise on security, specifically in medical devices.
Manufacturers need to leverage new security technologies and build security into the development of new products from the beginning. As part of this process, they must engage heavily with their healthcare customers to really understand what needs to be improved with their products, and then support the security functions in their products when they’re in the field.
What are the key components of a strong security program for device manufacturers?
A successful security program should have strong leadership and governance, security built into the entire product lifecycle, training and education on security for those people developing products, independent assessment and security testing in products, a repeatable coordinated response capability, and heavy engagement with the communities outside of the company, including patients, providers, researchers, regulatory agencies, industry groups, and the press.
What are some of the common struggles manufacturers have in implementing a security program?
One of the biggest issues many face is simply getting the support and funding they need from leaders to build a new capability and hiring the right people to do it. Manufacturers have to educate engineers about the real threats that exist for these products and secure their understanding and support as well. To get a security program in place, it’s essential to bring together IT people with R&D engineering people and help them understand that they need each other to take on this challenge.
It can also be difficult to find the right expertise from inside or outside the company and to get Legal and Regulatory onboard without being too cautious and slowing things down.
What can manufacturers do to overcome these issues?
Gaining support from executive leadership, including the BOD, is essential. Sell it to them based on patient safety, regulatory requirements, and requirements coming from the healthcare customers that are buying the products. Provide training/education on the risks and remedies done by outside expert groups. Invite Legal and Regulatory into the discussion early, and expose them to what the industry and other competitors are doing. Put deliberate effort into bringing the IT experts together with the engineering experts in order for them to learn each other’s language and build productive relationships. If needed, have security assessments done on core legacy products to be sure there is good understanding of the risks.
St. Jude Medical was in the news recently when a report indicated that their pacemakers could be hacked and Johnson & Johnson recently released a warning that their insulin pumps could be vulnerable to hackers. How widespread is this problem? What is the state of medical device security today?
We know there are large numbers of devices out there right now that are not secure. There will be more events like these recent examples in the future, and they could involve any manufacturer or connected device. Many of the devices in use today were designed years ago when the only requirement was patient safety.
A lot has been accomplished in the last three to four years by manufacturers, healthcare providers, and regulators, as well as security researchers working with the community to help improve security. I hope we’ll see the benefit of that collaboration in the next few years as newer, more secure devices are rolled out. In the meantime, we need to put mitigations in place, and continue to measure security risk against therapy benefit.
You’re teaching at the Medical Device Security 101 Conference this January. Who do you think should attend and what are the most important things they’ll learn?
My session will be on building a strong medical device security program. I believe that anyone who has or desires responsibility to ensure their medical devices are safe and secure would have great interest in this, regardless of how big or small their company is, or how new or mature their program is.
They will learn about the importance of taking a programmatic approach, getting executive support and creating governance, integrating security into the product development process, engaging the right people, coordinated response, and the importance of being connected within the industry, among other topics.