Secure AF - A Cybersecurity Podcast
Think like a hacker. Defend like a pro.
Welcome to the Secure AF Cybersecurity Podcast — your tactical edge in the ever-evolving cyber battlefield. Hosted by industry veterans including Donovan Farrow and Jonathan Kimmitt, this podcast dives deep into real-world infosec challenges, red team tactics, blue team strategies, and the latest tools shaping the cybersecurity landscape.
Whether you're a seasoned pentester, a SOC analyst, or just breaking into the field, you'll find actionable insights, expert interviews, and unfiltered discussions with Alias team members and top-tier guests from across the cybersecurity spectrum.
Stay sharp. Stay informed. Stay Secure AF.
Beyond the Network: The Rise of Medical Device Security
Healthcare security isn’t just about networks anymore.
In this episode, we dive into the complex world of connected medical devices, the challenges of securing them, and why organizations need a more holistic approach to cybersecurity.
Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.
What were some of the things you worked on?
SPEAKER_01: Yes. I think the big thing with medical device development in general is that it's all risk-based. Obviously, safety and efficacy are two of the most important things for medical devices. On the safety side, that's where security really comes in.
SPEAKER_00: You are now listening to the Secure AF Podcast.
SPEAKER_02: Welcome to the Secure AF Podcast. We've got another great episode today where we're introducing DR Labs, and we'll explain what that means later. I've got Garrett here with me, and we're going to have a fun time talking about what he does and what we have planned for our new sister company. It's a couple of different things that we've talked about, but it's a new group here at Alias, or powered by Alias, and we're really excited. So, Garrett, thanks for coming on.
SPEAKER_01: Yeah, thanks for having me. We're excited to be building out this new company here with you guys, and Street County Labs has lots of fun stuff coming up.
SPEAKER_02: Yeah. When they first told me about it, and this was months and months ago when we started talking about this, I got really excited, number one because I know you guys, or I'd heard of you guys, but also just the cool stuff that you do and the things that you do for the community. So I'm really excited, and I hope I get to stick to the questions and the process as opposed to just geeking out on this stuff. Anyway, let's just go ahead and start. Tell us about Garrett. Tell me about you.
SPEAKER_01: Yeah. So my background is in engineering. I got a degree in biomedical engineering, so I've always been interested in science and math, and I worked in product development, new product development and medical devices, for about 20 years. I started out way deep in the weeds, more electrical engineering, systems engineering, even D-basic design, so really technical, then got a little more into project management, program management, and systems engineering as well, looking a little more holistically at the system. I did that for the longest time. And it's funny how I actually got into product security. It wasn't really by choice, or even something I really knew about. The company I was working for at the time had a security researcher present something to the company, something they were going to present at a conference.
unknown: Right.
SPEAKER_01: There were concerns, and they decided they needed to holistically have a product security program across all business units. I got an email from a VP I never knew saying, Hey, you're going to be starting this program. I said, Cool, what is that? You know, some version of that. I was doing systems engineering, so I was doing a lot of the security architecture and other things, so I was kind of in that, and I was working with a lot of great software and other engineers that were doing good security work; it just wasn't formalized. So it was fun, because it was a larger company, so lots of different business units, and some groups were very much involved in this. I got to collaborate with them and learn from them. It was a great way to just get in, and that kicked off my career in this space. I've been in this now, gosh, probably 15 years. Oh wow. It's exciting to see how it's evolved from more ad hoc, just good engineering work, to very formalized. You've got regulatory bodies and others that have teeth now and are enforcing it, for the betterment of everybody. It's a great industry to be in and just exciting.
SPEAKER_02: And that's kind of how security has grown up. You go back 25 or 30 years, and security back then was maybe a firewall. You threw whatever ad hoc process you had at protecting your systems. Then we started getting into some frameworks, and then some regulatory requirements, and now we have standards of, okay, this is how we're going to do this, and this is why we're going to do it. So I get that. What were some of the things you did very early on? Before you got into the security side, what were some of the things you worked on?
SPEAKER_01: Yeah, so I think the big thing with medical device development in general is that it's all risk-based. Obviously, safety and efficacy are two of the most important things for medical devices. On the safety side, that's where security really comes in. But also on the efficacy side, because security has to be usable. So it's very different from your standard IT, where you can have complex passwords and things that you just force across the board and nobody asks questions. In the medical device environment, you really have to understand how the device is used and who may need access to it in an emergency or in various situations. So you do take a risk-based approach. When you design things, you always want to reduce risk as much as possible, but you always have to accept things in a medical device. So when they're doing these types of things, really one of the first things starting out is that security risk management: tying the security into your safety risk management, taking an approach of looking at, as you're trying to reduce risk, what can you do in the system? What makes sense? And then evolving from there. There are some processes around that that help your early architecture, like threat modeling. Just paper analysis, really looking at the architecture of the system, building security in as early as possible. That was always the challenge. What happened when security became a bigger need in the industry is, how do you bolt it on? It's really hard to do for legacy devices, and you've got it injected in at the end as opposed to put in at the beginning. There are medical devices that have been out there that you use for 20, 30 years. So to be able to move to these newer systems, it's hard for hospitals.
SPEAKER_02: Yeah.
SPEAKER_01: So yeah.
SPEAKER_02: And I've got some hospitals that I do some vCISO work for, and we find stuff all the time. It's a major investment for some of these things. Their control systems or their monitoring systems, whatever it may be, we're talking millions of dollars. And that's really hard to just go, oh, well, it's out of date, kachunk, and now we have something new. So I get that. For the audience, when we talk about a medical device, what does that mean? What is it that we're really talking about? Give me some examples, or how does the audience need to think about the term medical device?
SPEAKER_01: Yes. So it is very broad.
SPEAKER_02: Yeah.
SPEAKER_01: You've got anything from, if you're diabetic, continuous glucose monitors; you've got implantable medical devices for cardiac and neuro conditions; you've got your big capital equipment at hospitals, your scanners, your MRIs, your infusion pumps, you name it. There are so many cool technologies coming out today, too. A lot of great startups, a lot of cool ideas. And obviously with AI at the forefront, the number of devices is evolving quickly.
SPEAKER_02: Which is a little scary for me as a CISO trying to figure out, okay, where does my security paranoia come in to protect current systems, and now we have some new systems with new technology, and it's like, oh God, now I've got to protect that too. So at least on my side, it can be really scary sometimes. Yeah.
SPEAKER_01: So to that point of worrying about it, really when you look at securing a medical device, it's very holistic, and there are a lot of things you should be doing from early architecture through, as you're coding, using secure coding standards, using tools like your static and dynamic analysis tools, and then moving on to penetration testing to take an adversarial approach: how could somebody attack your devices? As a developer and a designer, you develop a system to do X, and you test that it can do X. Sometimes it's capable of doing different things that an adversary can take advantage of.
SPEAKER_02: And that's what a pen tester wants to do: oh, can I do Z and A and C and M?
SPEAKER_01: Yeah, people always ask, is penetration testing like verification testing? Because in systems engineering, or in the Northwest, you have requirements: the system shall do X. You write a test to verify that it does X. And I say, no, penetration testing is the system shall not. As a former systems engineer, I would cringe if anyone wrote a requirement like that. It's that negative space. It's an infinite test space. So really, when you go after and look for a good pen tester, it's somebody that's got a lot of experience, someone who knows how to do those things where you're just like, wow, I didn't think it could do that, or that anyone could do that or would do that to a system.
SPEAKER_02: Right. And this is a specialized skill set. I work with pen testers all the time; we have some really fantastic pen testers. But even so, this is a specialized set of skills, to do pen testing on these. Is that because it's unique hardware and software, or is it because the requirements are so specific, whether it be a framework or regulation or whatever? Why do you think there really is that necessity to have that specialized skill set?
SPEAKER_01: I think if you look at security as an emergent property of a system, then the more complex the system, the more understanding someone needs of how everything interacts and can be utilized. If you've got a network pen tester, they know network pen testing. They do a phenomenal job on your IT enterprise. When you start getting into these complex medical devices, you now have a network, a mobile device, sometimes various web portals, you've got embedded systems, you've got all sorts of RF technologies: Bluetooth, Wi-Fi, sometimes very custom protocols. You've got things like MICS-band med radio. So there are so many different ways and so much attack surface for someone to be able to utilize and just chain those things together. But there are also manufacturing tools. Some of these systems have intentional ways of updating or doing things, and software updatability is a huge attack vector, and something that is not always done well.
SPEAKER_02: Well, we haven't been able to figure that out on the other side either. There's the patch management thing, but also that supply chain attack of getting in there on those patches and doing something and sending it to the system, or the device in this case.
SPEAKER_01: Yeah. Well, patching is a huge issue too, because with a medical device, even if you change one line of code, you still have to verify the system for safety and efficacy. You can't just be patching weekly. It's just cost prohibitive. So you do have to be careful with adding it. It goes back to that risk management: as you find vulnerabilities, you run them through risk management. Is it acceptable? And if it is acceptable, you still do want to track how to fix it eventually, because lots of little things could end up being a whole other attack vector later on, even if individually they're not.
SPEAKER_02: Yeah. Okay. So when we talk about attack vectors, are you usually getting these devices at a point before they get out into the public space, out into the hospitals, or are you getting them from the hospitals for verification? Talk to us a little bit about that timing.
SPEAKER_01: Yeah, typically it's driven from the manufacturer side. Hospitals, I think, would love to do it, but it's just cost prohibitive. And you do not want to pen test a device and put it back in service. It's not in a known state, so you wouldn't do that. So typically manufacturers find a pen test that makes sense, send devices out, and isolate them. But there's another unique challenge with that: the FDA is looking for full system tests. So when you set up your isolated test, you want to make it as real as possible, even things like talking to a PACS system, sending DICOM messages, and other things like that. You really want to have that holistic approach, because they want you to be able to utilize any of those things that are in a normal system, as they could be used in an adversarial way.
SPEAKER_02: Right. So you mentioned the FDA. Is that who generally sets the guidelines or the frameworks or the requirements for the types of testing that get done on these devices? Yeah.
SPEAKER_01: So the FDA has pretty strong guidance out there that is pretty clear about what they expect you to do, but they usually don't go too far into the how. They do say they want you to do your penetration testing and other security testing and things as well; they do call it out in the guidance that's out there. But then there's a little bit of the expertise. You have to find someone with the right expertise that's capable of doing it. And they do want that in reports: you should be explaining why your testers have the right expertise.
SPEAKER_02: That makes sense. Again, a specialized skill set. You want someone who really knows that holistic approach of looking at all the parts and being able to test them appropriately.
SPEAKER_01: Yeah. And they want to make sure too that you're independent. This is a standard practice in medical devices: if I design something, I shouldn't be the one testing it. So having that independence to truly be able to test it well.
SPEAKER_02: Well, that makes sense. That's really the pen testing goal anyway, because you have IT people and IT system administrators who have built the systems, and you want to have a third party come in and check it and verify. Now, in terms of this, again, we're talking about specific skill sets and expertise, and especially if the FDA is requiring you to have that expertise, at least from a we-trust-that-these-people-do-this-well standpoint, as opposed to, I could get it and test it and play with it and poke at it, but I don't know what I'm doing. I'm a CISO. I do policies and procedures and all of that fun stuff. So I get that. I get why that would be necessary. When we're talking about frameworks or standards, how often do those change? And I guess the real question on that is, I know how often stuff changes at hospitals, and it's not very often, but there's new stuff coming out all the time, new technology, new code.
SPEAKER_01: Yeah, there are new capabilities, and there are new vulnerabilities always being discovered. So there is an expectation, and some of it goes back to that risk-based approach, to how risky the device is. But the general rule of thumb is that annual pen tests are probably a good idea, maybe more frequently if you've got a higher risk profile or if it's changing a lot. And anytime you make an update to the system, if you add features or make other changes, you're definitely going to want to. It's just a good best practice. You can always justify maybe not needing to do it if you didn't touch certain things, but still, in general, on an annual basis is a good rule of thumb.
SPEAKER_02: Well, and the attack tools change. It may be that last year we did X, Y, and Z testing, and this year I have this new tool that I can scan at a different spectrum with and do this and do that. So I could definitely see it on both sides: either the product has changed or the tool set has changed to test the product. Yeah.
unknown: Yeah.
SPEAKER_01: And with what you brought up earlier, even in the lifecycle, you mentioned, when do you do this testing? Typically, like you mentioned with hospitals, things are on the market already. Obviously, even then they should still be tested, but typically you do want to do it as early as possible, even in development, because you just don't want to be surprised at the end. You don't want to be close to production and find out you didn't know it did that. So it's very good to do preliminary pen tests, or even partial pen tests, early on. Because, like I said, the people that built it just have a different mentality than the ones that break it. There's not necessarily a crossover there. You just want it to work.
SPEAKER_02: You're not thinking about, well, why would they do that? I hear that question all the time from my clients: why would they try that? Because they can. Exactly. It's fun for them. Can we make these lights do something different? Let's try it. We were doing that on a piece of hardware; I won't go into what the hardware was, but it was, can we do that? It served no purpose, but could we? And that was the intent: can I get to whatever system to change this thing? Well, if I can get to it, then maybe I can do even more. Changing lights, that is something Stuxnet, sort of, was. Just changing a readout or changing an alert light or something like that can really throw a system off, or throw off a person who's looking at that system. So I think that's all completely valuable, but I'm a CISO, so that's what I try to do. Okay, so you were talking about risk and criticality. What are some things that you have seen in the past, like really critical devices? What are the most critical devices you've ever seen, whether you worked on them or you've just seen them out in the world? What are the simple things that you look at and go, yeah, that one's important?
SPEAKER_01: I think historically, even a bit in the news in the past 10-plus years, infusion pumps always get a bit of a target on their back, and they're very serious. They're some kind of network- or outlook-based thing that sits there.
SPEAKER_02: They try to make them convenient and easy to manage and do stuff, but the moment you do that, you open up that attack vector. Okay. Yeah, it's really scary thinking about all those bits and pieces of trying to make sure something works. I've got a friend whose son-in-law for a long time worked with a company that does implants, like hip and knee and stuff. He was a sales guy, but he was in the operating room with them when they were installing it. The whole intent was to make sure that it fit, that it was the right one, and that it went in correctly and there were no problems, because it falls back on the company if something goes wrong. He used to tell me all kinds of stories about that, like hip sockets that they put in that weren't the right size, and that was a lump of metal. There wasn't network connectivity on these things. There wasn't Bluetooth or wireless or any other sort of RF communications. I can't imagine all the stuff that you can do nowadays with new technologies for these different things that people are using. Yeah. Just look at homes nowadays. Oh yeah. Fridges, everything. We had briefly talked about getting some of these home devices at our next conference and hacking them for one of the classes. We were doing it because it was going to be fun, but then we started thinking about it: we're going to have to rent the device, then we would hack it, and then we've got to give it back to the home. Let's not do that. So we've got a whole different plan, which will be a surprise if you guys come out to BSides this year. We're hoping to have some cool surprises, some fun stuff. Speaking of that, I think you're going to be at BSides this year, aren't you? Maybe. Maybe, okay. Yeah, all right. Well, have you ever been to BSides?
So BSides. We have two core, or cornerstone, conferences here in Oklahoma. We have dozens of conferences, but the two big ones are BSides up in Tulsa and then IWS down here in Oklahoma City. They're both cheap or free. Those are the anchor conferences. We get 400 to 600 people at each one, and the community comes from as far as Dallas and Kansas City for them. It's a good turnout. We always have fun. It's a community one, so it's cybersecurity and the technical people; we just get together and have fun. You get some other conferences, like Innotech and things like that, and they're bigger, certainly. They've got more speakers and stuff, they bring in different kinds of vendors, and we get more IT people, maybe fewer security people. But IWS and BSides are the two core cybersecurity conferences here in Oklahoma. And BSides is BSides. If you've been to any BSides, they're always a lot of fun. Anyway, I'll get off the pillar side.
SPEAKER_01: It's real cool. You mentioned a sense of community; that word came up when you said that. And it makes me think of a very unique thing with the medical device security side of things. If you look at medical device companies in general, they compete on products. But in the security space, the thought process early on was that if one company has a breach or a vulnerability, all the companies are harmed, because doctors and hospitals are going to be asking, oh, show me why your product isn't, right? So these companies actually came together and worked together. There are lots of great working groups out there where people are working together and forming, how do you do things? How do we do things better? So it's really interesting. It's a very unique aspect of that, because normally even big companies nowadays sometimes don't communicate within divisions, let alone amongst competitors. Corporate people don't talk to corporate people.
SPEAKER_02: No. Well, okay. So that's a really good question. This is a specialized skill set. How many people are doing this? There's probably not a whole lot out there in the world.
SPEAKER_01: Yeah. Obviously, you've got a dozen or so big companies, but there are thousands of medical device companies. Lots of small companies and stuff.
SPEAKER_02: And who's doing the pen testing side? Who's doing that side, like what DR Labs is doing?
SPEAKER_01: That's part of the reason I think we're creating this company: there is a huge need. Like we talked about, the need for annual pen tests, more pen tests, or just the appropriate breadth and depth of testing with that skill set. So there's a huge need there. I know some of the manufacturers have used different vendors and have had challenges, because you may get someone that is more of an IT-centered person who really doesn't understand the product side of things, the device hardware, or just the complex side of things. So there's definitely a strong need, and I think that's a gap we can definitely fill. And it's more than just medical devices as well. If you look at IT, OT, and these other spaces, there's a ton of opportunity out there that we're definitely going to fill. Yeah.
SPEAKER_02: Well, that's the thing about Donovan, our CEO. For as long as I've known him, and it's going on a long time now, and I've been here for three and a half years, three and a quarter years, whatever it is, he's always been about supporting that community, always about providing that security back to our clients and our customers. And I think this was one of those things where he definitely saw a need. There's definitely concern, because when we're talking about what happens when we fail, when we don't test it correctly, when we don't find problems, that's huge. That's not something we want to deal with. We want to make sure we do what we can. From my side, I'm on the CISO side, so I'm looking at helping organizations build those controls, put that secure software development lifecycle in, all these things before we get to the pen test, and hopefully the pen tests find something like, okay, great, that's a problem, let me go fix it over here. I'll fix the problem here in the system. That way the end result is more secure. But that's what all of us are here for. We're helping the community, we're helping our customers, we're helping our clients. So I think DR Labs is coming in and doing that. I don't even want to say it's a niche, because while it may be a niche, because there's only a small community doing it, it's a huge impact. To me that's really fascinating. Because again, we do pen testing, but we don't do that part.
SPEAKER_01: Yeah, no, just hearing those stories, and the patients and the lives that are improved. A major manufacturer I used to work for would bring in customers all the time. It really helps with those late nights, those extra weekends you put in occasionally. It makes it all seem worth it, and it's just awesome.
SPEAKER_02: Wait, not everyone does that? They don't work on the weekends? Huh. Well, sorry, I didn't mean to burst your bubble. Somebody was asking me the other day. They sent me a chat, it was on a Saturday or something, and they're like, your Teams is always green. I was like, yeah, kind of. I was doing something, I was trying to get it done. And they just laughed at me.
SPEAKER_01: That's the challenge of the connected world, right?
SPEAKER_02: Yes, yes. Well, this is great. I'm really excited. First of all, I love the fact that you guys are here with us. I've met the whole team, and it's going to be a lot of fun, at least I feel like it's going to be a lot of fun. I hope you guys do too. And I'm really excited about the stuff that you guys are going to be doing. We're certainly going to get more detailed as we work through the podcast and do different things. I'll certainly have you back on and we can talk more about maybe some of the tactics, maybe some of the pieces. We'll get Sean and some other people in and maybe have a big thing on it. But I think this is going to be fun. I'm really glad you're here. Yeah, we're just getting started. I'm having fun already. Yes, yeah. Good. Good to be here, good to be part of the team. I think you're going to enjoy it. We have a lot of fun. You've seen our office, you've seen our podcast room now. So yeah. All right. Well, thank you, Garrett. Really appreciate it. Everybody else, thank you so much for joining us, bringing in Garrett and DR Labs, Device Recon Labs. DR Labs, that's how my brain says it. We're glad to have them, and this is going to be something I think is going to be fantastic for the community. So thanks for joining us for this episode of the Secure AF Podcast. We've got the next couple of episodes planned, where we're going to be talking to the other members of the team, and a few other surprises are coming up. So make sure you join us on the podcast, and we will see you next time. Thanks, everybody. Take care, everyone.
SPEAKER_00: The Secure AF Podcast is a production of Alias Cybersecurity. Visit us online at aliascybersecurity.com. All rights reserved.