Transcript for:
Webinar Wednesday: Cybersecurity in Healthcare

[Music]

Good afternoon and welcome to today's Webinar Wednesday. We're excited to have you with us for today's presentation, which is eligible for one continuing education credit from the ACI. Let's get started by giving one lucky attendee a Webinar Wednesday shirt for answering the following trivia questions. Our sponsor, CyberMDX, was announced today as the winner of what cyber security award? You can answer now using the questions feature on your GoToWebinar dashboard. While you're answering, I'd like to invite everyone to save the date for our upcoming HTM Mixers. Over the next few months we'll be in Milwaukee on July 14th and 15th and in Kansas City on September 9th and 10th. Please visit htmixer.com for details, registration and our steps to a safe and clean meeting environment. While you're there, please make sure to sign up for our GoToWebinar, I'm sorry, for our newsletter, so you will always have the most up-to-date information.

All right, the correct answer to our trivia question is Fortress Cybersecurity Award. Thanks to all who participated. Webinar Wednesday would like to thank our sponsor, CyberMDX. CyberMDX provides a single place to view and prioritize all device groups. They will tell you where to start and what to do with and what to do next. They help you mitigate or remediate by empowering your team to simulate different actions and see the risk reduction impact of each action. This enables faster response and with fewer required hands. They research, track, alert, validate, analyze and help you comply. You won't need to re-architect your network because they believe it's about layering protection around medical and IoT devices. For more information please visit cybermdx.com. Our presenter today is Rich D Fabridis, senior director of product marketing at CyberMDX. Rich, you may begin whenever you are ready.

Thank you, Jennifer. Thanks, everyone, for taking time out of your busy schedules to join us for today's webinar, Bringing Biomed and Security Together to Take Control of Your
Medical Devices.

Okay, I have a screen that popped up in front of me, so just bear with me, I'm going to try to minimize it. There we go. Just a little about me. Should have said, my name is Rich D Fabridis, I'm the senior director of product marketing at CyberMDX. Um, I have 25 years of experience in telecommunications and security, and that's actually, I think I said this in the last webinar I did, probably a little bit of a, a lie. I actually have about 30 years of experience, which is a nice way of saying I'm very old, I've been around a long time. I've held various roles within marketing and product management with companies like BAE Systems, Sonus Networks, Avaya, Ellucian Technologies, amongst others, and I specialize, and you'll see me or hear me say this throughout the conversation, primarily in network and application security and things like unified communications. And I have a very, uh, big affinity for pizza, so if you're a pizza lover and, and you want to, you know, shoot the breeze about pizza, I've been to some of the greatest pizza, uh, pizzerias in the country, around the world. Uh, it's like a little passion of mine. But, um, I say, you know, security just because we know many of you are probably in the biomedical field, so I'm coming from this, you know, with a more of a security angle, and hopefully you'll see some of that.

A little about CyberMDX and what we do. You heard Jennifer say, mention some of the things; I'll just cover a little more here. Our mission is to enable healthcare delivery organizations like yours provide quality care by securing and protecting the systems and devices they rely on every day to treat illnesses and save lives. And we do that through a solution we call our Healthcare Security Suite that provides really a, kind of a unique approach, and again it's something contextual, because we'll talk about this as I get into the presentation, is, is less about just a network-based type solution, it is more about layering, a layered architecture that puts, you know, cyber security
right down on the device level itself. Okay, so remediation and mitigation of risk is directly on the medical and clinical assets, which is really a more robust solution than, than, you know, more traditional sources that focus just at the network layer. Um, your, Jennifer mentioned that we were just announced as the winner of the Fortress Cyber Security Awards. We've won numerous awards, that one being the most recent. Have also been cited by analyst firms such as Forrester, Frost and Sullivan as a leader in connected medical device security. If you go on to Gartner Peer Insights you'll see we have amongst the most, if not the most, peer reviews by folks in the industry, with five star reviews across the board, as a game-changing solution. And again some of this we will, will be contextual, you'll, you'll see and hear about it when I get to the presentation. Some of our clients are Main Line Health, Michigan Medicine, Northwestern Medicine, and we also are very proud of and have a research arm, CyberMDX Research, which works closely with medical device manufacturers to uncover or identify major vulnerabilities in their product, and we also work with CSA organizations like CISA, MITRE and the FDA, and, and the reason we do that is to drive security and safety, you know, to those devices and to help shore up or protect hospital networks, which are incredibly diverse and very complex. So over the past couple years we've identified 15 major vulnerabilities and worked very closely with those manufacturers, uh, to get them rectified.

So today what we're going to talk about is not entirely security focused, although it will, like I said, lean that way. I want to give sort of a perspective of security, uh, you know, in terms of, you know, how you see it in a hospital environment, sort of the challenges that security teams, if, if you have them, face, particularly because the networks which, with which they have domain over are very unique, very complicated, and a lot of the solutions that are out there today aren't really
designed to, you know, care for those devices. And, and it's sort of a logical intersection when you bring in biomedical engineers, right, or a biomedical team. Um, you, if you're a biomedical engineer or in the biomedical role, have also a very complex, very difficult, very hectic, uh, you know, purview, but there is sort of this looming requirement, if you're not already there, for security, and again we'll talk a little bit about that. Um, and then how do we sort of meld or, you know, take advantage of those intersects and, and make this a repeatable, sort of, uh, you know, ingrained process, which, in speaking to, you know, at least one biomedical engineer that I know, um, this is sort of the promise of HTM, right? Healthcare technology management is really about all technology within, within a hospital environment, not just, you know, medical devices etc. And so, you know, it is something that has been sort of talked about; maybe we're not yet there.

Okay, so let's just take a little bit of a view, or a day in the life of a CSO or an IT security person within a hospital environment. Now again, this would apply to, you know, a CSO or security people really everywhere, but in healthcare delivery organization you heard me say the word "if": if they have security teams or if they have CISOs. Because, you know, what we know, and particularly again in the hospital realm, not many have dedicated security teams. They may have a person or a team that also has responsibility for security. Um, but, you know, we talk to many hospitals and we find it's really that upper tier in terms of size or scope that have dedicated security teams. Okay, so, um, and again I'll talk a little bit about this, but if there's ever been a job that's been difficult at, you know, at the C-suite level, it is certainly the CSO job, right? These are people that, you know, are responsible for protecting a wide range of devices, uh, multiple communication protocols, networks, uh, and it is a very difficult job because a lot of times they, they become sort of the "no" person,
when I say "no", no, right, they have to say no to a lot of people, and, and it creates conflict. Um, and they usually struggle for getting budget. Uh, it happens to be, at the C-suite level, the job that has the most quickest or most immediate turnover. I think the average life cycle of the CSO is about a year and a half, which is rather short. I know some CSOs personally, including one that actually left the job completely and went back to being, you know, like a security analyst, because the stress levels were so high, just couldn't deal with it. Okay, and, and we've talked to multiple CSOs at hospitals, you know, around the world, and, and it's very similar, it's a very tough job. Um, above and beyond the challenge of the day to day of being that person that kind of says no, or has to be the one who comes in and protects the organization, saying we've got to do X, Y and Z, their main challenges are, you know, network complexity and then budget constraints. Okay, so again, we find in a hospital environment a lot of times the budgets that they get are very minimal. They are, you know, really more from traditional security type solutions, which may not have the coverage that they really need to, to secure the hospital network. Um, and as I mentioned, there's, there's a lack of security tools designed specifically for things like connected medical devices, which are things that you, if you're in a biomedical field, you're responsible for, you know, the life cycle of those devices, and, you know, these are not cheap devices, not necessarily designed for security, etc. And then the last challenge, again specific to the, to the health care realm, is the escalating attacks. So I'm going to talk a little about that, but right now there's a target on the back of hospitals and it's not going away anytime soon.

Okay, so, so what the CSO is really looking for, and again this will be when we talk about the intersect, is, you know, a solution that, you know, a lot like sort of overlays or leverages the existing investments that they've made, right?
There's some, you know, infrastructure, whether it's vulnerability scanners, whether it's firewalls or anything like that. Um, they need to leverage that. Think, there is no one size fits all solution that's going to address the cyber security needs in a, in a hospital environment, just doesn't exist, right? And then above and beyond that, they're looking for something that's, you know, really easy to use, it's scalable and provides them sort of that zero trust security model, and also gives them the ability to do things like micro segmentation or segmentation in the network, which, if you don't know what that is, segmenting a network is basically a way to isolate portions of your network, critical portions of your network, and controlling through policy, uh, communication to and from those devices, which is, you know, makes things much more secure, but it also happens to be a rather difficult thing to do, you know, without some kind of a solution in place.

Now, compounding the problem, okay, and again this is not just a hospital thing, but, you know, of course it's sort of magnified in the environment, is the ever-changing landscape in security. Okay, we know things evolve, whether it's technology, whether, you know, uh, it's, it's, uh, staff, things change, right, we know this. Okay, if you've been in security, if anyone on the call is in security, been in security, you look back 20 years ago and look at, you know, today, a lot has changed, right? And I think, you know, first and foremost which comes to mind is, um, the, and the volume and velocity of the threats and breaches against organizations, and if I go down this list here, you know, you'll see why that is, right? I mean, threat vectors have changed. Used to be predominantly malware through some sort of a phishing attack, to today we have sophisticated ransomware, where entire networks can be shut down until some kind of a bitcoin or cryptocurrency payment is made to a threat organization, threat actors, to release it, right, which is really pretty sophisticated when you think
about it. The types of attacks have moved away from sort of this casting a wide net, or we called "spray and pray", just send out a bunch of different emails or put up bogus sites and hope someone hits it, and then the malware will, will take off and propagate through the network, to now where we have very surgical, targeted attacks. You may have heard of something called social engineering, where, uh, hackers will, will mimic or replicate, say, an email from someone that you know, like an executive, to get you to click on it, or there are things like watering hole attacks, where they create websites that look legitimate, or they actually do it to legitimate websites, and the, the malware or the ransomware is a payload inside, you click on something and away it goes, right? And this is, you know, particularly relevant to hospitals, so again I'll talk about this in a little bit.

Used to be, years ago, the idea was that you can prevent an attack. I would often tell a story: at one of my previous companies we did a survey of CSOs in both the UK and the United States, and one of the questions we asked was, uh, how confident do you feel that you can thwart a cyber attack? In UK, the number of CSOs, about five percent said that they felt confident, but in the US it was about 40 percent. And I remember at the time my UK colleagues saying, wow, the United States really has, you know, cyber defense down pat, and I sort of, you know, argued, no, that's a false sense of security. And, and it is. Okay, we went from a model of saying, you know, we can prevent an attack, we can build a moat around the castle, to ultimately realizing you can't stop it. Okay, you're gonna get hacked. I mean, it's probably a matter of, you know, when, right, as opposed to if, and, and that's the mentality you have to take. So when you think about that, then it becomes a mission of mitigation, right? How quickly can I mitigate, and what's my response to, to an attack, and can I thwart a certain percentage of them? And a lot of that then gets down to the technology,
right? So, so technologies of even a few years ago, we say invasive things like vulnerability scanners, things that are really intended for IT devices. Well, you all well know that, you know, a medical device, a very sophisticated medical device, many manufacturers won't allow that. Okay, they won't support it, it may violate warranty. And again, I know from a biomedical person that I know that told me a story that he had actually scanned a device that was on network but not in use, and reset the device. Okay, so, so you start to get this picture of, you know, these devices, I mean these technologies, aren't really made for the environment with which we work it. Okay, and, and, and that's not really a good thing, and again we'll see some of that in a minute.

I want to stress something really important, and, and this is the core of what I'm discussing today, okay: that cyber security isn't just a technical issue. It isn't, it is not the domain of the CSO alone. Okay, when one could make the argument that everybody is really involved, and that argument is a, is a very sound and one built in a lot of truth. Okay, it's across the organization. Whether you think about it daily or you don't, it's still a responsibility of everybody's. And let me dive a little deeper and show you really why, and I'm gonna go from the right to the left here, just to throw you a little bit of curve while, make sure everyone's awake. First and foremost, it is a huge risk to the financials of the organization. Okay, so if you're a CFO or you're in accounting, you're thinking about this, right? Um, you may get hit with a ransomware attack and you have to pay a ransom, you may get fines imposed on you for potentially exposing PHI data to threat actors, you may get sued as a result of the breach, and then your reputation is damaged, so there's a reputational risk as well. And many hospitals, obviously in the United States in particular, you know, they need revenue. Well, if people don't come to the hospital, you're not getting any revenue, right? So, so it's a
big, big risk there. It's surprising that more at this C-suite level don't see that, but, but it's very important to stress that. It's obviously a threat to data security. Okay, so the whole core of HIPAA and making sure that patient data is protected, completely under threat. Healthcare data can be stolen and it can be sold on the dark web, and I'll talk a little bit about this on one of the next slides, but understand that for the threat actors here, um, this is a financial gain approach. Okay, so healthcare data, PHI data, typically goes for orders of magnitude more on the dark web than, say, something like a credit card number, and it's very easy to see why, because credit card number is really easy to change, right? There's, there's not a lot of life in a, in a long life cycle and a credit card number, but your social security number, your name, your address, amongst other things, they're not so easy to change, right? So the value there and what they can do with that data, it's worth a lot of money. Okay, so I'll give you a little business case in one of the next slides.

Lastly, you know, and this is where I think, from a biomedical point of view, it starts to creep into your purview, is that, you know, it's a patient safety imperative, right? Medical devices can stop working, they can malfunction, they can report the wrong data. There's all these things that can happen as a result of malware or ransomware or some kind of breach to a hospital network that threatens, you know, the lives and the safety of patients, right? And, and we've been fortunate that nothing has happened yet, but, uh, you know, those days may be coming, and it's in the threat, it continues to grow.

Okay, so let's talk about, you know, the perfect storm that is in health care with respect to cyber attacks, and hopefully some of this is eye-opening to you, because again many of you may be in biomedical, you're very influential, and, and these things are important to know. Like I said, everybody in the organization should be responsible and thinking about these
things. Okay, if you were to look at total breaches against all verticals, according to the 2021 Verizon report, healthcare was by far the most targeted sector, okay, by an overwhelming amount, and it's very easy, I can explain why that happens. Okay, um, the increase in ransomware attacks, up 71 percent, which is massive. The increase in phishing attacks is up almost 700 percent, which is really massive, again an order of magnitude higher. And just in the past years, we know from the pandemic, cyber attacks against hospitals have jumped over 500 percent. Why? Because maybe you're rolling out telehealth or remote work options for staff and patients. Um, and, you know, we know that, uh, Department of Health and, uh, Human Services has, you know, relaxed imposition of penalties if you're rolling out telehealth options to help with the pandemic. Well, you may be using, or maybe your staff or patients are using, you know, unprotected, you know, commercial grade, off the shelf type infrastructure, communication solution. Those are potential breach points, right?

To the right, now this is again where, if you're in the biomedical field, this, you know, pertains to you: the number, the growth of connected medical devices, and I'm going to throw in there IoT as well, so IoT and IoMT devices, it is expanding rapidly, massively, right? I mean, you know, there's a lot of value in having devices connected to a network, having easy access to data and utilization and all these things. With all that good, there's this proposition of, of the bad, of the negative, right? These are more potential areas to be breached. And then when I talk about the telehealth thing, you know, if a patient or staff, you know, is at home using a laptop and they're, you know, on Facebook and then they're dialing in, or I say dialing, and I'm an old school guy, networking into the hospital, that, that's a potential point where, you know, something can get in on the network and it causes all kinds of havoc. Understand again, as I said, the financial piece of this. Let me give you the, sort of the
business case. Why is this happening? Why is this happening to healthcare? Because obviously hackers aren't just attacking healthcare. Is it, is it, you know, is it just that they're having more success? Well, it's a little of both, right? They are targeting healthcare organizations and they're having a lot of success, because again the, the defenses just aren't there. Um, but I mentioned it's a financial thing, right? So, so one of the more infamous cyber attacks in the past few years, uh, many of you may not have heard of this, but was conducted against, uh, the financial services industry, specifically what they call the SWIFT banking network. It was something that is now termed the Bangladesh Bank heist, and you can look this up, it's on Wikipedia, and, and I happen to be working for a security organization that, you know, helped uncover it. What it was was a nation state attempted, over the course of a holiday weekend, to steal a billion dollars in money, uh, which represented, you know, a pretty good percentage of their GDP. Okay, so I won't mention the state, but, uh, you know, the reasons were clear, right, was financial gain. They needed money, this is a rogue nation, etc. So what they did was they, you know, initiated the attack over an extended holiday weekend against the bank in Bangladesh. Uh, it was uncovered only by accident on a Saturday by somebody working in New York, I think with Federal Reserve. They saw a typo on one of the requests and they shut it down. Now the nation state was able to get over, the threat actors were able to get away with about 90 million dollars, but again, they were trying to get a billion dollars.

Well, I talked about the PHI data getting like orders of magnitude more on dark web. The data sort of changes or it fluctuates, but you can find those records anywhere from like 250 dollars to up to like a thousand dollars, right? Yeah, really. Like a credit card number is like a dollar, because they're a dime a dozen, and again they can change just like that, so no one's going to pay for something
that they know might possibly be changed. PHI data, not easy to change. Okay, so they're willing to spend a lot of money to get access to that data, again for, for various reasons that I won't get into. But if I look back in 2020, and one of the more prominent breaches exposed almost 500,000, uh, records to potential, uh, breach or being potentially stolen, if they could get a thousand dollars per record, that's 500 million dollars. Okay, so, so you're not talking about something that's, you know, low level, you're not talking about a kid in the basement. You're talking about nation states or very well-funded threat actors very specifically targeting healthcare because of the proliferation of medical devices that are connected, because of the lack of security that's being put in place, because of things like COVID, which is causing, you know, sort of the focus to be away from, you know, the network itself. And that's the reason why it's happening, and it will continue to happen until something significantly changes.

Another big piece of this puzzle, or why this is becoming a problem, is, as I've mentioned, traditional security tools, you know, may not necessarily address what you see in the very diverse ecosystem of a hospital. So I'll go through some of this, you know, it may look like something that you, you are familiar with. Most hospitals will typically have a data center that, you know, archives records and images etc., or communication servers. They have EMRs and they may have medical servers, and that data center is usually going to be reasonably protected, right, because again there are tools that do address that, those are more typical IT type tools. You start to get into the main hospital campus, now you have hyper-connected medical devices like CT scanners, MRIs, glucometers, infusion pumps. You may have things like surveillance cameras or HVAC thermostats, right? These are IoT devices that may be sitting on the network. Typical vulnerability scanner isn't going to even see that. Again, within the last 10 years,
high profile attack against Target stores, who has, you know, very significant security presence and, and capability or posture, um, they were hacked through an HVAC thermostat. Okay, so, so those devices aren't necessarily being protected. You may have staff that have tablets, you may have BYOD, where people can bring their phones in and allows them easy access to data with, when they're on the campus, and then they take those devices home with them. Okay, there's nothing that really addresses this. And then you overlay the fact that maybe the security doesn't have the, I mean the staff doesn't have the security expertise, whether that's having a dedicated security team, whether that's, you know, you as a biomedical engineer, or whether it's just somebody working in any department in the hospital.

One of the CSOs I had met at a round table we did recently told me a story of how one department bought a brand new coffee machine that was connected to the internet. I guess it's connected to the internet to let, you know, someone know that the coffee grinds are out or something along those lines, and he had to go down to that department and say, basically, you got to take that off the network, you can't leave that on there, there's no way to protect that device. Well, that's somebody that knew it was there. Now take a larger hospital, nobody knows that they exist. Or the story we hear a lot, again during the pandemic, a lot of hospitals deployed things like Amazon Alexas, put them in patient rooms to sort of ease them, give them a little more comfort. They don't, they can just talk to the device, or maybe they want to call someone, and very proud of that, this is a convenience to the patient, except every single one of those is now a potential point of breach for someone, for a malicious actor, to get onto the network. So from a CISO's perspective, their heads are absolutely spinning. The word I would use is overwhelmed, and that's, that's right from the mouth of the CISO that I met recently: overwhelming.

Okay, now I'm
going to take, just move out beyond the hospital campus. I mentioned the remote workers or telehealth. All those endpoints, all those devices, you know, sitting remotely, they're mostly unmanaged, right? I mean, you know, you can't expect that a patient coming in for telehealth or telemedicine is going to be on a VPN. Some may set that up, but it's not likely, right? Or you may have third-party connections, you have partners you work with to do things like maintenance, or, you know, it's outsourced, or maybe you, you have a device manufacturer, some of these devices, we call that calling home, right, it calls back to, for some update or something like that. Okay, again another potential point of, of breach. So, so the ecosystem, as you can see here, is really, really diverse. It's above and beyond just the medical devices themselves: it's traditional IT devices, third-party connections, it's remote workers. It really is sort of a big mess, in the sense that there's a lot of things that you got to be thinking about.

I've beaten this a little bit, but I want to repeat it: traditional security tools just simply don't have the scope to address what it is we're talking about, right? They cannot, or typically won't be able to, see, right, a connected medical device. If they, if they can't even see that, you know, they're not going to give you much, right? They weren't really designed for medical devices, they were designed for, as I talked about, the data center, really IT type products. Okay, there's very limited integrations with other tools. Again, as a biomedical engineer you may be using like a CMMS. These vulnerability scanners don't talk to those, they don't really interoperate with them, nothing like that at all, right? In terms of visibility, you know, it's just as bad, right? I mean, how can you protect something if you don't know that it exists? And I want you to remember that, you know, question, right, because the same thing applies: how do you perform a job, uh, you know, of, of managing the life cycle equipment if you don't know where
it is, you don't know that it exists, you don't... These stories are true stories. These aren't stories, I don't have the experience in that realm, these are stories I've talked to other biomedical people that told me. Um, these traditional security tools are not going to see the devices, they're going to give very limited contextual data, they're not going to know things like, you know, maybe the manufacturer, what the rev of the firmware is, you know, are there FDA recalls. They're not going to decipher proprietary protocols. Okay, so, so you have this big blind spot sitting in a hospital environment that a traditional security tool isn't going to address.

Okay, so just to step back down, let's see where the intersection occurs here, and hopefully some of the things that I've talked about, you know, your ears are perking up, you're hearing things that I'm saying that, yeah, you know, that seems kind of relevant to what I do. Okay, and I'm going to focus particularly in one area, right, because I don't want to minimize what it is that biomedical engineers do. Okay, typically managing, you know, a large number of connected medical devices, uh, that's in complete life cycle management, whether it's retiring a piece of equipment, acquiring a new piece of equipment, uh, making sure patches are done when they need to be done, tracking the devices, etc., right? It's a really important piece of the operations within the hospital, you know, critical, I would say. Why I said earlier that, you know, biomedical folks are very, are very influential from us, from a security perspective, because this is, this is the blind spot, right? You, you are the people that are basically in charge of this. And we talk about being overwhelmed, CISO, with all the different devices. Our stats, you know, and probably warrants, you know, looking into this again, because as the proliferation of the devices continues the number would be expected to grow, we say the average hospital has 20 to 30,000 connected devices. You know, those aren't all connected medical
devices, so it's a subset of that, but still quite a bit, right, maybe 10 to 15,000 or medical devices, and the average biomedical engineer is responsible for about 1500 to 2000 devices, which is just insane. It's a huge number of devices that you've got to manage the life cycle of. So, so challenges, you know, from your perspective, are time, right? You know, do I have time to manage all these assets? Do I have the resources to adequately manage these assets? You know, when I say resource, you know, maybe you're not outsourcing this, maybe you are still doing things, you know, very manually, and I say still, a lot of hospitals are doing this manually, particularly after something like a cyber attack, where things get shut down, then they're most certainly doing it manually, right? That's a very difficult, if at best, way of doing things. You may not be getting enough contextual information for each asset. So this, this is where I'll say technology such as like a CMMS, very helpful, but it may not give you the depth of knowledge you really need to know. So when we start getting into things like utilization or managing downtime, when you have to patch a piece of equipment, do you know where that device is, do you know, you know, when peak usage is, do you know when it's not being used, etc., etc., right? And then, like, the part that I'm really going to talk about is, you know, as of now security may not have been a priority, and, and it would be hard to expect, you know, biomedical engineer to be thinking about security the same way that the CSO is thinking about security, but it's important just given the piece that I've talked about already, right?

So, so what a biomedical engineer would be looking for, and again there's some overlap and intersection here with the CSO, things like inventory management, finding those devices quickly, making sure you have critical data, making sure you know if there's any recalls or vulnerabilities on those devices, where are they located. Everyone's heard stories, I've certainly heard them, you know,
here's a device we didn't even know was tucked in the back room somewhere and it's sitting on a network and blah blah blah blah if you don't know where it is it's very hard to protect that right i talked about utilization and efficiency about things like making sure you can patch devices what about in like an m&a type of environment where you may be joining a larger network or you may be acquiring smaller hospital and there's you know overlap or you know redundancy in the equipment how do you know what to keep how do you know what to retire you know those are things you want to be thinking about and then of course you know things like lowering the total cost of ownership and and maintenance costs right if if if you could streamline maintenance or if you can simplify the maintenance of the devices or the life cycle management of the devices that's going to help you right that's going to make things you know a lot easier so if i were to look at the typical biomedical team um you know again responsible for a lot of different things right things sort of come to mind to me again i'm more of a simpleton with this are things like you know the devices themselves testing calibrating making sure everything's working properly making sure things are reporting right making sure technicians are trained on how to use the device and educating people on how to use devices making sure you're following manufacturing guidelines these are all really really important things right talk about reporting metrics obviously very very important status updates of the devices themselves but as i jump all the way to the right say like really you are more than equipment maintenance you're really an integrated part of the facility an integrated part of the team and and we have to start thinking a little more globally but before we do that i do want to stay down and drill down one more and i'll talk why what are reasonable expectations of any biomedical department right and and and your feet may be
in both sandboxes here right it's it's not a bifurcated view of the world times may feel like things are reactive but there may be many things that you do proactively okay but if i just were to look at you know the different realms here you know what's optimized and what isn't right you know reactive is not where you want to be sometimes we accept you have to be but it's not always where you want to be reason why you don't want to be there is again if you're if you're highly reactive you generally are not going to have visibility into devices you're going to miss inventory you may not know what you have everything you have you may have incomplete service records there may be things with audits right and risk assessments that you have to you have to cover it would be very difficult to do again i had the opportunity to speak with a biomedical engineer at a very large hospital and i have to give this this guy a lot of credit he was very honest and frank with me and said we do what we can and this was talking about in terms of compliance we do what we can to make sure the most critical pieces are in place but we can't get to everything right that's a reactive mode right when you want to be you know much more proactive if you can possibly be and that's that's where everything is optimized you know where everything is in real time you're able to standardize metrics and reporting you're able to prepare for things like audits you're able to conduct risk assessments and where i'm going to focus is you know the asset management piece right so if i think about complete asset management and there's one thing here i'm going to say is probably missing you know what we're talking about is acquiring or sourcing devices making sure those devices have gone through safety and electrical inspections making sure that preventative maintenance and repairs or updates or patches are done any third-party management you have to do total cost of ownership as i mentioned what's missing i say
missing again this is not everybody it's not a blanket statement because again i've seen both sides of it somewhere in that acquiring the devices and inventory management and preventative maintenance is some sort of a risk assessment pre-sourcing risk assessment and ongoing risk assessment what are biomedical teams doing or how are they collaborating with security teams and security teams collaborating with biomedical teams to ensure that you don't go out and procure a device put it in the network and the security team doesn't know it exists or finds out about it after the fact it's a critical piece of equipment and right now it's completely exposed that's a problem and a lot of teams and hospitals are seeing this so much so that uh you know one recent cso that i met um was sort of surprised although i wasn't um was surprised that the whole biomedical team was put under him um and as i mentioned having spoken to another a different person different place biomedical engineer said the promise of htm was that right was this sort of holistic view of technology life cycle management of healthcare technology management it would include that so it makes a lot more sense then that the biomedical engineers were put under this cso and and he got it you know he understood it he just was surprised by the move right i mean you start to see more and more that but that's not the norm okay so we're still in a situation where we see you know they're operating independently of each other and that can create problems so i want to talk about why this matters to you right and a lot of it i said this is the intersect right um covid came out of left field it impacted everybody nobody expected something like this would happen now we're better prepared to think okay this could happen again um but rolling out telehealth services for example or facilitating remote work for staff so they didn't get in contact come in contact with people and put them in at risk has increased the need for
connected devices right you know and that that may not just be uh in the i.t realm right so so connected devices are increasing you have this demand for a certain type of service that's important for you to know and be aware of um iot as i talked about may be sort of like what i call corporate iot which is like the hvac thermostats or surveillance cameras things that you may not necessarily be responsible for but then you start to get into things again like more mundane or consumer grade devices like the alexas coffee machines and and and that's crazy right when you sit and think about it i always tell the story i just bought a new refrigerator has no screen on it just but it has the ability to connect to the network i'm not really sure why but it does okay so you know these are things that you may not even be aware of that have to be cared for i'm talking a lot about staff involvement right i'm talking about you know not just installing or procuring devices systems protecting them etc right all of the staff needs training and education you know everybody needs to know why it's important security is an important thing for the hospital be educated on the things to look for processes need to be put in place this is before you even get to thinking about solutions right there's just things you can do and you have to be doing to ensure that the facility remains safe okay what happens when critical devices go down what happens when they're impacted by maybe not even something like a ransomware attack what's the impact to patient care and then lastly why all this matters is regulatory compliance things like patient trust which i talked about the financial risk resource allocation so all these things how do you operate that you know efficiently and cleanly and really that you know as i like to say sort of takes a village right it's not you and me it's us it's it may be two departments or multiple departments if i throw you know it's security biomedical et cetera
everybody contributes it it's one team okay where the i.t or security people may be responsible for things like network maintenance and protection biomedical teams are responsible for the physical device maintenance and protection i will say right service and all that okay there's the intersect there's the overlap it makes logical sense then that we're collaborating and talking with our security teams and our security teams are talking to our biomedical teams right and and there's really three areas you know you can focus on that will sort of improve the security posture of the organization the first is assessing those devices what do you have where are they are they compliant are they registered with i.t did you buy something that they don't know about you know those are things that are very important once you know what it is that you have once you know whether or not they're in compliance you're going to start to look at and identify and standardize policy okay when i say policy what are your critical devices do they need to be more secure how do we reduce our risk exposure here as i said i spoke to somebody you know that was working in biomedical and talking about compliance issues saying was best effort that's not necessarily a bad thing because you're certainly going to want to secure life-saving devices or certain parts of your network over others right that's not to say that we should be ignoring things like the amazon alexa installed on a room but it's certainly not going to cause patient harm if an alexa goes down versus say if an infusion pump goes down and those are things you have to be looking at and on an ongoing basis right so that's when i say create synergy creating sort of a communication process between the departments outlining who owns what and then integrating all that data if there's a way to pull that together in a single dashboard a single report or a single solution that makes things very efficient okay but but should no longer really be
thinking about this you know in a bifurcated way it should be done with synergy and collaboration so i'm going to talk a little bit about you know what that solution looks like right i referred to earlier passive scanning technologies versus you know active scanning technologies but but i don't even want to talk about security technologies i want to talk about htm technologies right we're talking about complete technology life cycle management here what does that look like okay and i'm repeat nothing if not repetitive my wife reminds me of this all the time right asset inventory and tracking you really need very high level of detail and accuracy of your devices okay and i keep saying like where it is what it is what's the manufacturer what's the model number what's the serial number what's the mac address what's the firmware rev what's the os rev are there known vulnerabilities are there fda recalls when is it being used can i patch this device you know how many years has it been in service all these things you're going to want to know that you're probably doing some of this today um but you're doing it you know maybe isolated from a security team because the security team also wants to know these things right there's a again the intersect okay so you want to be able to you know not just identify and classify but monitor these devices analyze and track them the next thing you want to consider are things like risk assessments okay again this is something that applies to both the biomedical engineer and the security person probably the network person too uh you certainly need to know whether or not there are any known vulnerabilities against devices in your network okay um if you follow or look at you know cisa and see they put out ics advisories you'll find that many medical devices have some sort of vulnerability that allows potential exploitation by a threat actor it's not isolated to medical devices you know very commonly in something like a windows environment
if there's some kind of a windows server you know we talk a lot about open rdp or smb ports those are like known ways or back doors in that most people don't even think about you know they buy the server they put in the network and they don't even know that that the rdp port is open so if some malicious actor gets access to the network somehow um they can run roughshod over it and that was like the wannacry situation that happened a couple years ago okay so you're going to want to know what vulnerabilities you have and you want to score you know identify score them and prioritize score i mean cvss okay so if you're not familiar cvss score it talks to you know how critical or how serious or severe that vulnerability is is it easy to exploit if it is exploited what what kind of potential damage can it do etc okay and then prioritize these are critical devices for us we need to fix this we need to remediate this how do we remediate it are there patches are there advisories from the manufacturer that we need to follow up with them so i can make sure the device is secure you're going to want to do that right you're going to want to be able to mitigate and prevent through policy any further issues with the devices once you've remediated it right so once you know that everything's been updated and everything's cool do you put policies in place like block lists whitelist antivirus i talked about segmentation depending on the criticality of the device you may want to segment it from the rest of the network these are issues or things that both biomedical department and an i.t or security department you'll be thinking about that now i'm getting into sort of ongoing management right first we're taking a look and assessing we're taking steps to remediate now you're in a somewhat optimal state but remember i talked earlier so i'll make a little bit of a connection here about how things evolve right well things will evolve you can't just assume that once you've gotten to a you
know a stabilized state it'll stay there right it's going to change so detection and response is very important do you know if there's been a breach on the network right and how do you respond to a breach on the network and then by this we're talking about detecting any strange behavior with a device or the network making sure that uh a siem or some other type of monitoring you have gets notification and sends out alerts you can then scope or assess the impact and isolate devices and then your response whether that's done automatically whether it's manually integrated with you know other devices on the network like firewalls for policy etc but you want to be thinking about these things you want to look for this in the solution that you have and i and i'm passionate about this okay because i actually wrote a white paper on something called incident response okay and what you see in hospitals in particular you see it over in ireland with conti if you haven't read about that very interesting you read it's about three and three to four weeks ago there was a ransomware attack and their response was to shut everything down now the reason they do that is containment okay there's hardly a better way to contain shutting everything down unfortunately when you're running a hospital that may not be the best solution for a patient and they've been informed as of this date still that care will be delayed appointments will be pushed out or rescheduled you know is that the proper response or do you have a solution in place that tells you isolates where things are happening and gives you the ability with clicks to isolate the device and say okay it's now protected it's segmented or it's been and we can take it offline physically so you're thinking about things like that and then also again now we're really into the ongoing piece of it it's compliance and governance compliance is a very complex thing if you if you're involved in that you know okay hipaa regulations are pretty
significant you may want to know whether a device if it has things like phi data on it is it compliant are there areas that we can shore up can we do that in an automated way or do we have to do this in a very manual tedious way no you want to be able to do things like click and figure out okay these devices are not in compliance with hipaa you know regulation one two three four i'm making this up right and then prioritize which ones need to be brought into compliance and go from there okay so so these are things you want to be thinking about and and to just sum it up right is ultimately a single source of source of truth that you know breaks down the silos that have traditionally existed within hospitals we're no longer living in you know what we had in the past right where we could sort of just peacefully co-exist without overlapping or interfacing with one another you only need to look at any of the healthcare publications today or go to google and publish i'm sorry type uh you know hospital cyber attack and you'll be you know served up with a ton of stories it's very scary it's something we all have to take very seriously and it's something that that you know everybody in organization needs to push and influence and drive together okay so so ultimately the solution you're looking for should be a complete htm type solution not a biomedical solution not a security solution not a networking solution but one that really provides bespoke or customized access and reporting and capability for your respective functional roles and with that i want to say well i i usually go over thank you for the time i actually made it in just under way four minutes left jennifer any questions thank you so much rich that was great we do have a few questions that have come in for you a reminder to our audience if you do have any questions we only have a few minutes left today but i can get those questions to rich after the webinar so if you'd like to submit any please do that now our 
first question is do you think cyber security teams and biomedical teams are collaborating on life cycle management and what equipment to pre you know to procure or to obtain yeah okay so i kind of talked a little bit about that during the presentation what i would say is i'm encouraged to see that it's happening more i think this is happening you know out of necessity i think if hospitals are dedicated to the security side of things you will certainly see it now now i'm going to ramble a little bit and i don't want to make the answer too long but recall that i had mentioned early on that if you were to look at you know there's like 6,200 hospitals in the united states roughly you know maybe 300 have a dedicated security team okay so so like the first thing that has to happen is the c-suite or the executives have to take cyber security very seriously they have to invest in it they have to make sure that you know that there's there's backing for those teams and then when when they do have that um then the i think the biomedical teams and security teams can can collaborate a lot better what's more likely you'll see uh is it's like an ad hoc security team that doesn't really have the backing of the of the you know management and things are a little bit loose but but i'm encouraged to say that it's changing but maybe not fast enough all right our next question is it's a long one so hopefully we won't go too far over as an htm at public sector in los angeles county our htm role is very limited this means we cannot get involved we cannot get involved in network configuration and management and very little incoming inspection for new coming devices how are other hospitals cooperating with i.t to make it work or to minimize the gap between htm and i.t so i'm not sure i'm i'm entirely answering it properly but you know i think i think the the big thing is if there's uh a requirement for equipment um you know you you absolutely have to be in contact with networking or i.t
people and the thing that i see a lot is you know perhaps working together on like questionnaires or you know some sort of assessment that can be done prior to any procurement right so like i don't know if the the networking people would be the gatekeepers necessarily um they could be but if you satisfy a requirement and you've done everything you can do up front then it shouldn't be an issue assuming the need is there um but but that to me is sort of the first and foremost and to be honest with you again you're not seeing a lot of that we're not seeing you know you know really the push for it it happens right i'm not saying it's not existent but um i would like to see more of that more you know institutionalized where there's a process by which has been defined you know say networking or security teams say if you're going to go procure this equipment this is what you need to do it needs to be approved obviously buying a very expensive piece of you know a medical device isn't a trivial thing so i know it takes time but if you can sort of check those boxes beforehand it should satisfy the need and and i think you know the one thing that security and i.t people have to be very careful of is they're not blocking you know that process either right because if there's a legitimate need for something um and you're holding it up you're putting still patients sort of at risk right so you don't want to do that thank you so much rich for a great presentation and an informative webinar thank you to our sponsor cyber mdx to receive continuing education credit for today's webinar please look for an email from us one hour after we end today the email will contain a survey link once you have completed the survey you'll be able to download your certificate immediately if you have any questions please contact us at webinar mdpublishing.com for more information about our upcoming webinars please visit our website webinar wednesday dot live thank you again to rich and to cyber mdx
thank you all and have a great day thank you