Medical devices remain especially vulnerable to cyber attacks. To understand the extend of the security risk — including unpatched devices, an upstream supply chain, and budget limitations in hospitals — MD+DI spoke with Christopher Gates, director of product security at Velentium. He explained the outstanding need for prevention practices in cybersecurity procedure, and highlighted new thorough trainings for device developers and executives, as well as all other employees throughout a company’s ranks.

MD+DI: Many don’t think about the cybersecurity risks that come with the continued technological sophistication of medical devices. However, the damage of an attack can be devastating. In your opinion, what makes medtech especially vulnerable to bad actors?

Gates: Before I answer your question, let me modify your first statement—many do think about medical device cybersecurity! A recent study by the World Economic Forum (“The Global Risk Report 2023”) rated cybersecurity as #8 for both short and long-term risks. This isn’t specific to medical devices, but medical devices are not somehow exempt from this risk to all advanced technology. Secondly, it is a good thing for medical device manufacturers that most patients do tend to overlook the risk of using a medical device in favor of its advantages and improvements to their quality of life, because if patients fully understood the risks there would be a much smaller population of patients using these devices.

Back to your question, there are many factors, such as:

MD+DI: The recently implemented FDA policy requires companies to have a plan in place to address post-market cybersecurity vulnerabilities and exploits. What type of security vulnerabilities do you think are the biggest concern for medical devices?

Gates: There are over 600 categories of “weaknesses” in MITRE’s catalog of “vulnerabilities”, CWE, and you can pretty much take your pick. Because if the weakness is exploitable and then that vulnerability leads to harming the patient, or delaying the treatment of a patient, they are of utmost concern. Other results, such as the loss of intellectual property, market share, or reputation of a manufacturer are relatively minor in comparison.

Previously unpatched devices?

Insecure network connectivity?

Third party components?

Budget limitations in healthcare facilities meaning staff is using outdated technology?

MD+DI: What risks to security are especially apparent in the manufacturing process of a device?

Gates: I previously touched on the topic of “upstream supply chain”, but manufacturers are in the middle of this chain, so we also have to consider “downstream supply chain” vulnerabilities. These are usually much easier to control, focusing on processes and procedures such as transferring the product from development into manufacturing, and then ensuring that the integrity and confidentiality of the product is maintained in the manufacturing environment. Also, it might come as a surprise to readers, but the difference between this process (and the risks) for internal manufacturing versus a contract manufacturer is very little. All the same technical controls should be in place as well as auditing and strict quantity accounting.

MD+DI: What gaps, if any, are there in trainings focused on device security, regulatory, and compliance?

Gates: The “gaps” are the almost total lack of good training programs. While there are no shortages of IT cybersecurity training, medical device (or operational technology generally, “OT”) training programs barely exist, with only a handful of options to choose from, mostly in-person training which may not align with the needs of the potential student. We have a huge shortfall of cybersecurity trained engineers in the medical device manufacturing industry, and we are trying to change that. The first step was our book on Medical Device Cybersecurity (we are currently working on the second edition) and now, Velentium has opened up its own internal training as an on-demand program available for anyone to take.

MD+DI: A system becomes compromised and a bad actor has gained access: What now? What steps should personnel follow when security measures fail?

Gates: “The house was broken into and everything has been stolen.” Same kind of situation—both are events where all the remaining options are limited and painful. Medical device cybersecurity is 80% prevention, 20% recovery/resilience.

Once an attacker gains access to a system/network, the first step is to add multiple other avenues of access so that the defender is going to have a very hard time ever keeping the attacker out of the system ever again. Suddenly all of those PAC systems, infusion pumps, monitoring stations, and printers are your potential enemy. How can you ever have trust in any of the connected equipment, once it’s been exposed? After isolation, your backups may help, but the attacker may have been in the system a long time before detection, and some equipment cannot perform backups/recoveries. Restore what you can, and monitor the performance of your systems for any oddities (such as increased traffic) that may indicate your attacker has returned.

But the real answer here is to invest in prevention, such as by including cybersecurity in the medical device purchasing process, and by establishing a relationship with the device manufacturers before you’re the victim of an attack (as opposed to naively assuming you will not be attacked).

MD+DI: What would you say to people who say engineers and developers are the only ones in a company that needs to worry about cybersecurity? Why do business executives have to be up-to-date on cybersecurity practices? Non-technical employees?

Gates: I usually laugh when I hear this! I also hear the similar “My engineers already make everything secure,” yet the senior leader cannot name a single practice they perform to make these devices secure. Often, the real answer is that nobody is doing anything to secure the device.

Unless there is senior leadership commitment to a secure total product life cycle, then it doesn’t matter what anyone else in the organization does or doesn’t do—the effort is doomed. I have seen this happen many times. It takes the Senior Leadership Team (SLT) to prioritize cybersecurity, and that is just the start. Governance programs have to be established with roles and responsibilities. All levels have to understand and commit to the culture change this imposes on all related positions. And this isn’t just a one-way “imposition of requirements” upon the organization, it also takes the organization regularly reporting back to the SLT about the progress being made, the risks, the potential impacts, the potential costs, etc. Standardized metrics are the “lingua franca” for performing these activities, such as BSIMM and SAMM.

MD+DI: Velentium has created three online cybersecurity courses for medical device developers and executives. Why did the company decide to create this training? Why is it important to have based the courses on the textbook, Medical Device Cybersecurity for Engineers and Manufacturers?

Gates: I am very excited about this student-paced online training program for medical device cybersecurity. As far as I am aware, there is nothing else like it available on the market. We have received a lot of interest in these courses, and the timing of the FDA’s new legal mandate to enforce and ensure medical device cybersecurity has helped to raise awareness and interest in training, known for years to be in critically short supply.

We are targeting engineering staff with an annual certificate program consisting of 60 hours of student-paced video training, so the student can be anywhere in the world and can consume the training while still meeting their other responsibilities. The content is everything an engineer will need to create secure devices in their organization including:

There is a lot of content in this training, which is why we structured it to be student-paced. Students can train in short periods, giving themselves time to process the new information while keeping up with their other responsibilities.

The second course is oriented towards the SLT, with two hours of participant-paced orientation on:

The third course is for everyone else in the organization, offering eight hours of a student-paced high-level overview of the requirements and governance of security in the organization, including domestic and international regulations.

All attendees (for all courses) also have access for a year to a weekly hour of Q&A with Velentium’s medical device cybersecurity subject matter experts and our dedicated Slack channel. Both of these mediums are for clarification of training topics that are not related to specific confidential projects.

MD+DI: Please explain areas of the training that the company is especially proud of, or want more in the industry to know about and learn.

Gates: I believe that both the certificate program for engineers and the SLT overview is going to change the medical device industry. Now is the perfect time to assist manufacturers in complying with the latest legally-mandated cybersecurity requirements from the FDA, so that instead of frustration, they can train and facilitate the adoption of security into their new products. The next two years are going to see a lot of changes in this industry and the more educated everyone is on security, the quicker and easier transition will be.