full

Part Two: Cyberthreats and Assessing Third-Party Risk with Providence

For cybercriminals, the backdoor into the protected systems of hospitals and health systems often comes via a third party. In this second of a two-part conversation, hosted by the AHA's National Advisor for Cybersecurity and Risk John Riggi, Providence’s Adam Zoller, chief information security officer, and Katie Adams, cybersecurity director of clinical technology services, discuss the potential cyberthreats posed by third-party medical devices, and strategies to keep third-parties open and transparent with organizations. 

Transcript
::

Tom Haederle

works have not slacked off in:

::

Tom Haederle

Welcome to Advancing Health, the podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications. Hospitals and health systems work very hard and have invested a lot of time and effort into protecting their systems and data. But hackers continue to squirrel their way in. Third party technology and solution providers are often both at the point of the attack and the source of technical vulnerabilities.

::

Tom Haederle

In this podcast, part two in the series hosted by John Riggi, the AHA's National Advisor for Cybersecurity and Risk, we hear more from two cybersecurity experts from Providence about what their organization is doing to protect itself.

::

John Riggi

We have Adam Zoller, the chief information security officer from Providence, and we also have Katie Adams, the cybersecurity director for clinical technology services at Providence. Katie, turning to medical devices. Why is it so difficult to keep medical devices current from a cyber perspective?

::

Katie Adams

It's a great question, John, and I think there are several reasons. It's a really complex question with probably a complex answer. But, you know, when you think about a medical device, most of this equipment is actually touching a patient and can be directly in use 24 hours a day, seven days a week. So from a traditional cybersecurity lens, when we think about things like patching or operating system upgrades, becomes difficult to find a time when that device is actually available to make some of the cybersecurity upgrades that are required to keep that device current.

::

Katie Adams

From a financial standpoint, this medical equipment is extremely expensive. You know, we have medical devices in our environment that can be upwards of two and three million dollars. And even just the cost to upgrade that equipment can be as high as $200 - $250,000 just to lift the operating system of the device itself. And for a nonprofit organization like Providence that runs on extremely thin margins, the financial challenge of keeping this equipment current throughout its life becomes very complicated.

::

Katie Adams

You know, when you think about these devices, they're in our environment much longer than traditional IT equipment. We have medical devices that, you know, like an MRI or an X-ray or some of this other fixed equipment that may be in our environment for ten or 15 years. And throughout that time, from a software standpoint, you know, Microsoft is rolling out updates that are happening much, much more quickly than that.

::

Katie Adams

And so it becomes challenging to keep the device current from a cybersecurity perspective for as long as it's current from a clinical perspective. I think in addition, the fact that this is all regulated equipment, you know, that's managed by the FDA means that our vendors have to go through pretty significant rigor when they're updating or upgrading the operating systems associated with these devices.

::

Katie Adams

And so that process also just really slows down the time to market for when we can get the latest and greatest version of these devices. So there are a number of challenges that make it really difficult to keep medical devices current from a cyber perspective.

::

John Riggi

Thank you, Katie. Even though your answer was fairly concise for a very, very complex issue, you really touched on a couple of key areas. So on the one hand, we have this paradox. The devices themselves are built pretty good. They're built to last 15, 20 years, except the software subsequently becomes outdated. And we have this issue of legacy technology where the devices work as designed.

::

John Riggi

They take images, but it's the software package because at the time they were designed, these principles of secure by design were not in place. And often the manufacturers will..of course...their response may be, well, it's time to buy a new device, even though this one's working fine. The other issue you touched on about the patching, you know, I just want to expand on that a little bit.

::

John Riggi

Often the hospitals are criticized for not patching in a timely manner. And I hear this from government after attacks. You know, my response is, just as you said, Katie, I said we can't just roll out a patch from across the enterprise that touches medical devices. They have to be tested. We have to make sure that when the patch is deployed, it does not cause a malfunction in the device that affects patient safety.

::

John Riggi

We have to find a time to take these devices offline. So thank you for summarizing a very complex issue and giving some context for the difficulties and challenges. Adam, back over to you. From from a regulatory standpoint, what changes would you like to see to address this issue nationwide? In terms of third party risk, the challenges we face in having third parties often comply with what we're asking

::

John Riggi

on the cybersecurity front. HIPPA says we're responsible, but how do we make the third parties responsible as well?

::

Adam Zoller

Yeah, I think and that's a great question. And I can I want to piggyback my answers to that question. Because there's several pieces to that that need to be unpacked. I want to piggyback that on what you and also what Katie said previously. So I'd say, you know, overall, if we're looking at the regulatory landscape and you compare regulations like PCI to HIPPA, I think there's a fundamental misalignment in our priorities.

::

Adam Zoller

When you look at the regulations of, again, HIPPA compared to PCI and PCI is regulations for payment card industry protection of credit card details are more stringent than HIPPA IT controls. And, you know, I'm never one to really advocate for more regulation, but I do think there needs to be some higher level of accountability in the health care sector at large for adhering to industry best practice as itertains to cybersecurity controls.

::

Adam Zoller

So I guess to sum it up, it's hold us accountable, but make sure that as you hold us accountable, hold our third parties and suppliers accountable to the same regulations, because I find myself oftentimes at odds with the third parties that we do business with, having conversations with them about why their products or their services, their processes don't adhere to cybersecurity best practice, and how it introduces unnecessary cybersecurity risk to us in our patient care journey.

::

Adam Zoller

I shouldn't have to have those conversations with third parties. They should just be held accountable to regulations that hold them accountable from their regulators to adhere to those. I would also say regulations can't be at odds with modern IT practices. What I mean by that is oftentimes third parties push back on my conversations with them - and Katie's as well - to say, you know, we we are demanding that they adhere to modern IT security practices.

::

Adam Zoller

But then the third parties will oftentimes point back at the FDA certification and say, we can't do this because the FDA certified this device. And if we make this change that you're requesting, it's going to break that certification. The regulations can't be at odds with modern IT security practices. I'd also say that the accountability models are out of alignment.

::

Adam Zoller

Many third parties are publicly tradable companies. We're a not for profit company. Any time a company is beholden to shareholders and makes a choice to cut costs or to manage costs to hit their quarterly numbers at the expense of security best practice - and again, I'm not going to point the finger at any particular company - but I would say, you know, if there are publicly traded companies that are looking at cutting costs and hitting quarterly numbers versus, you know, investing in security best practice, that's going to lend itself to some additional regulatory scrutiny against those companies.

::

Adam Zoller

And I would also say something that I think we've hinted at through this conversation. Third parties have made a conscious choice to develop on commercial operating systems and commercial software. This commercial software and these commercial operating systems have lifespans that are far shorter than the devices that those pieces of software and those operating systems reside on. So, if it is true that these third parties are going to sell us and they will continue selling us these devices, running third party commercial software, then the device itself should either have a life span that matches the software that runs on that device or the vendor should be held accountable through regulation, keeping the software on that

::

Adam Zoller

device up to date through the entire acceptable lifecycle of that device. So if, for example, Windows software runs for seven years on a seven year lifecycle, and that device is designed to be in my ecosystem for 20 years, then I want to see a plan from that vendor that will upgrade that device at no cost to me to keep that software that the vendor chose to develop on secure and up to date through the entire lifecycle of that device.

::

Adam Zoller

And I think there should be regulation mandating that vendors can't sell devices that have either end of life or out of date software to customers. We've had issues in the last two or three years at Providence where major vendors have tried to sell us medical devices running end of life software, end of life operating systems.

::

Adam Zoller

And to me, that's just flat out unacceptable.

::

John Riggi

I appreciate that, Adam. You know, again, couple of comments on your wide ranging commentary, which I absolutely agree with. So, you know, and there's this misperception when vendors will say, no, we need FDA approval to upgrade here for security and so on. It's not accurate. The FDA website has a specific page devoted to explaining what security patches would need updates and which don't.

::

John Riggi

If it does not affect the function, the security patch does not affect the function of the device, you do not need FDA approval to implement that patch. And the FDA's made that very clear. Law passed last year, called the Patch Act provides that for all new technology where applications for new medical devices submitted after October 1, must include a lot of what you said, Adam, secure by design.

::

John Riggi

What is the plan to disclose vulnerabilities? What is the plan to update the systems and provide some type of support for the device over the lifetime of that device when comes to security? But that's only for new technology, for new applications submitted October 1. We have a massive legacy technology cybersecurity issue. Katie, since we're talking about your area, let's go over to you and give you a chance to also discuss with us.

::

Katie Adams

I would just add on to what Adam said. I mean, I think first and foremost, what we're asking for from our vendor partners is to really take cybersecurity seriously. This can't be an afterthought in the development of medical devices where they're so focused on the clinical aspect that they forget to include cybersecurity as part of the design of this equipment. That needs to be upfront as part of the initial innovation and design of the device.

::

Katie Adams

And so we need them to really work with us to help protect our patients and keep them safe.

::

John Riggi

Yeah. Thank you, Katie. And Adam, you did allude to their profit orientation on a lot of these companies, which we support, right? That's what makes this country great, capitalism, but not at the expense of security and patient safety. And ultimately, we as end consumers, as organizational and individual consumers have a choice. And I think we need to exercise that choice to impose market pressure on those third parties that do not have sufficient security to to let them know we can make a choice.

::

John Riggi

If we have that choice, we have public voices. We have regulatory voices that to help drive market forces where security becomes not an expense but a revenue driver for them. It becomes the selling differentiator perhaps, for some of these cybersecurity firms. Adam, over to you here for our last thought here. If you could make an ask of third party vendors around this issue, what would it be?

::

Adam Zoller

I don't have just one ask.

::

John Riggi

Given the fact we have limited time. Let's go ahead.

::

Adam Zoller

Yeah, a few things. I think. Number one, what Katie said: build security into your devices and software from the ground up. Know I shouldn't have to come to you as a third party and say, hey, institute this modern security practice in your device or software. Number two, if you're using commercial software operating systems, let us manage them like we do all other commercially developed operating systems, devices, etc. on our network.

::

Adam Zoller

And that includes things like scanning them for vulnerabilities, installing modern endpoint detection and response technology on the devices. Modern asset inventory mechanisms. Let us manage these devices as we do every other Windows or Linux device on our network. Hire, train and retain a security team. I can't tell you how many incidents that we've had over the last two three years where a third party gets hit by a ransomware attack and they don't have a full time security person at all.

::

Adam Zoller

Next, I'd say align your business practices with security best practices. For example, we had an incident, an issue a couple of years ago where a third party we were working with, a major third party was storing remote log on credentials in their instance of Salesforce. And obviously doesn't align to best practice. And then lastly, I would say don't show up to meetings with me or with Katie and refuse to cooperate on security best practice or don't show up to the meetings and play ignorant to security practices.

::

Adam Zoller

For me, patient health and safety is my number one priority and it should be your number one priority too, as a vendor.

::

John Riggi

Thank you for that, Adam. Katie, we'll give you the last word here.

::

Katie Adams

Man, it's hard to add on to that. I think Adam covered it pretty thoroughly. I would probably just go back to the partnership, right? We're in this together, and to deliver safe care to our patients requires not only Providence and our our health care partners and health care system, but the help of our vendors as well.

::

Katie Adams

And so rather than looking at medical device cybersecurity like a revenue stream, I would ask that they partner with us to really deliver the best possible care, safe care to our patients.

::

John Riggi

Thank you, Katie. And as I close out here, perhaps a word to our third party vendors. Please understand we have a choice in cybersecurity cells. This is a very, very serious responsibility for all of us here to protect patient safety and their data. But again, protecting patient safety is our number one concern. Pending cyber regulations, cybersecurity performance goals, specifically targeting hospitals

::

John Riggi

the AHA has a loud voice. We are also recommending any regulation that applies to us, especially around third party risk management to hospitals, must apply to the third parties as well. So Katie and Adam, thank you again for joining me today. Thank you for what you do every day as network defenders to care for our patients, serve our patients, defend them from all these varied cyber threats.

::

John Riggi

And thank you to all our frontline health care heroes for everything you do every day to care for our patients and serve our communities. This has been John Riggi, your National Advisor for Cybersecurity and Risk. Stay safe everyone.

::

Tom Haederle

Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify or wherever you get your podcasts.

About the Podcast

Show artwork for Advancing Health
Advancing Health
A Podcast on Everything Health care