Axel Wirth, Chief Security Strategist at MedCrypt discusses Healthcare and cybersecurity, how it has changed during the pandemic and what he sees as the biggest cybersecurity threats.

Episode Table of Contents

• [00:48] The Changes and Dangers of Cybersecurity in Healthcare
• [07:03] The Massive Rapid Move to Telemedicine
• [13:16] Large Scale Problems Involving Cybersecurity in Healthcare
• [17:35] Why the Cybersecurity in Healthcare Couldn’t Afford To Be Competitive

The Changes and Dangers of Cybersecurity in Healthcare

Carolyn: Today we have Axel Wirth, Chief Security Strategist at MedCrypt. Axel has over 30 years experience in the healthcare industry. Thanks for joining us today, Axel. How are you?

Axel: Doing well, thank you. And thanks for having me on today.

Carolyn: To kick this episode off, talk about the changes and dangers you've seen since the pandemic started in cybersecurity and healthcare.

Axel: Clearly we have a number of things going on here. Some are just opportunistic. We know that cyber adversaries, attackers, plainly look for opportunities to attack. We’ve fought this pandemic and deployed IT infrastructure in a hurry.

Axel: Clearly we did so with less attention to cybersecurity. That's an opportunity for attackers to know, exploit these less secure systems. And basically take advantage of us focused on something else. We have no choice, we can just say, "Let's take a break from fighting COVID and focused on cybersecurity."

Axel: That's not, practically impossible. But we certainly need to look at the future and look at opportunities to improve. Unfortunately, we have to assume that this is not going to be the last pandemic we're dealing with.

Axel: The second aspect we see are attacks that are clearly related to COVID itself. Attacks on research facilities, attacks that try to obtain intellectual property on treatment or vaccine research. But also malicious attacks that try to disrupt, for example, care delivery on a national level. We've seen those as well.

The Offensive Side of the Industry Has Shifted

Eric: I think we've seen the whole industry, the offensive side of the industry, has shifted. Earlier in the spring, many of the nation state actors were working from their homes because they had to. Because they were locked down also from COVID.

Eric: But I think we've seen them shift from corporate targets, critical infrastructure, and healthcare is critical infrastructure of course. But definitely into the health sector and into local areas. As nations have reprioritized their intelligence or espionage gathering type of needs. It's been interesting to watch.

Carolyn: Yes, honestly, interesting, and it's scary to me.

Eric: Well, it's very scary. But just like any type of espionage, countries have motivations, they have intrinsic motivation. In this case, it's to take care of their people. If you can steal critical information around the patient profile, around vaccine generation and creation, you name it. It can create a distinct economic advantage not to mention saving the lives of your own country.

Carolyn: Axel, you mentioned that you've seen malicious attacks to even just try to stop the research. What's behind that?

Axel: There's always this scary connection between cyber activities and traditional warfare snd the attempt to use cyberspace to reach political or economic goals. We've seen a few attacks that I think very well can be categorized in this context.

Axel: We have seen attacks where the only sense they made was, they intended to disrupt the ability, for example, to run diagnostic tests or even the ability to care for patients.

Carolyn: So what are we doing to mitigate that and specifically cybersecurity, on the cybersecurity side?

What Needs to Change in Cybersecurity in Healthcare

Axel: We're really in an interesting situation here. Clearly the pandemic trumped everything else, no pun intended. In a sense that we had to take care of the outbreak, the patients, the healthcare infrastructure. Build emergency hospitals in conference centers, build test sites in parking lots. We had to do that with the cybersecurity we had.

Axel: There was an interesting quote I read the other day. That is, we had to go to war with the cybersecurity that was available to us. This was not the time to improve on cybersecurity in healthcare. But clearly going forward, we need to think about how we can be better prepared and what needs to change. I've read articles. People estimate that, for example, the COVID crisis has accelerated the adoption of home based care, patient monitoring, telemedicine. All those things, by about a decade.

Axel: That opens up a whole bunch of very interesting security questions and privacy questions we need to answer very quickly. Also, one thing we've learned is that we have been challenged with medical equipment in stockpiles. When we didn't have the search preparedness we needed.

Axel: We had to ramp up emergency production of ventilators and patient monitoring devices and all of that. So clearly what would come out of this, I assume, is an improved stockpile. Be it on the level of the local hospital, local government or the federal government. That stockpile will include software based medical devices. In turn, it needs to be secured in a way that they’re ready to deploy in an instant when they're needed in the future.

The Massive Rapid Move to Telemedicine

Axel: And we can't just put ventilators and patient monitors in a warehouse somewhere, let them sit there for 10 years. Then when we need them, pull them out and start installing new software. Clearly, that will not work. So we need to be much more proactive in the way we design security into our IT infrastructure. But also into our devices, whether they go into a hospital or into a patient's home, doesn't matter.

Eric: Actually, you talk about going to war, but it's a war that hasn't even been declared. So we're still fighting it. And the medical device providers, I should say, they're clearly not prepared for the massive rapid move to telemedicine.

Axel: Clearly, we see not only a rapid increase in telehealth, be it video consult, be it homeless patient patient monitoring. But we've also seen an increase of more critical care moving into the patient's home. I mentioned it earlier, home dialysis, home infusion, home cancer care. Those are all now being deployed or conceptually being worked on and within reach.

Axel: But again, clearly we need to think about what does that mean from a cybersecurity perspective. Where all of the sudden, you have life sustaining and life supporting equipment in the patient's home, connecting to the home network, connecting them to the care provider via the public internet.

Axel: Those are totally different security questions. Then in the traditional hospital environment where you have a degree of control over your network, over your network boundaries.

Eric: That's definitely concerning. Those will get the news cycles as hackers, as individuals have their private data released, definitely a concerning problem.

Cybersecurity in Healthcare Is Multifaceted

Eric: But when I think of this problem in terms of scale, I believe there's so much more of a priority to protecting critical IP of companies of the government.

Eric: The vaccine information, medical type of information, understanding agreements on where vaccines are going to be produced, where they're going to come from. So that nation states can't take offensive action or subvert a country's negotiation capability. That's going to harm the masses in my opinion.

Axel: That's as always like cybersecurity is multifaceted and you gave some very good examples there. There are so many different aspects on how a cyber incident can harm us as the individual patient. Or can harm us as a society and economy. But there are also so many different angles and interests an attacker can have. That motivation can be purely financial, for example, a ransomware attack.

Axel: It can also be political or economic or strategic, for example, obtaining intellectual property. Understanding the degree of an outbreak in a certain country, for example. Or understanding which key government officials may actually be in treatment right now is compared to those still on regular job.

Axel: There are many political and intelligence type opportunities to use that information and to gain benefit from it. Some of them, you had a good example earlier, are purely out of self interest. We all need a vaccine. So yes, there will be cyber espionage to get that vaccine sooner. But there's also the more sinister aspect.

Axel: For example, a disruption of care delivery, understanding the scope of an outbreak, the social media aspect, planting falsified information, confusing the population. There's really a huge spectrum of things that happen and all happen at the same time.

The Healthcare System’s Ability to Deliver Care

Carolyn: That's a huge list of concerns. How are we doing and can you prioritize those concerns or are you just having to combat them, all at once? What's the most pressing?

Axel: The most pressing is always around patient safety and the healthcare system's ability to deliver care. We've seen that, for example, with WannaCry in the UK. 81 of 256 NHS trust hospitals had to fully or partially shut down and divert patients to other hospitals.

Axel: Clearly things like that have impact on outcomes. And if you have a stroke, if you have a heart attack, if you need regular care for your ongoing cancer, these delays impact. Maybe not immediately, but certainly longterm your health outcomes and nothing.

Axel: Patient safety and care delivery are the two most critical ones we need to protect and need to be able to assure. Because healthcare and public health is part of all critical infrastructure.

Eric: Do you see those as the highest risk though? I think of patient safety and critical care. We've seen ransomware hit the hospitals. We've seen some others, I'll call them fringe attacks. But the race to the vaccine, the race to understanding where it's going to be produced and getting your orders in. It’s really going to change the geopolitical situation or has the potential to.

Eric: Now we're talking tens or hundreds of millions of lives, potentially. Who designs the vaccine first? Does somebody sabotage a nation state's vaccine or a company's vaccine capability, or a nation states to gain economic advantage? To me, we're talking decades, we're talking generational impact there. Which one do you think is the worst case or where should we focus?

Large Scale Problems Involving Cybersecurity in Healthcare

Axel: Unfortunately, I don't think there's a single area to focus. You're making some very good points there. Those are very large scale problems of significant scope and impact. Not only in space, but also as you rightfully said, in time. The challenge is going to be to balance these considerations. There needs to be day-to-day security to make sure patient safety is assured. To make sure that care delivery is not disrupted.

Axel: There's the long term strategic impact around potential disruption of vaccine production, vaccine distribution. So, I would hesitate to say one is more important than the other. But, I do acknowledge that finding the right balance is really critical. I don't think finding that balance is something an individual hospital or an individual pharmaceutical company can do on their own.

Axel: This requires national and international cooperation. It requires that we understand that a cyber attack on one is a cyber attack on us all. This is very much of a paradigm shift compared to how we looked at it in the past. It’s not a local problem and it’s not a problem for this week. Those are global problems and those problems can impact us for generations.

Carolyn: So have you had to pivot? Based on what you just said, have you changed your strategy to deal with the individual and on the larger scale? In cybersecurity?

Axel: My strategy and my company's network strategy has always been on proactive security. Whatever is being built or is being deployed should be as secure as possible. Then you have reduced the reactive part to a manageable minimum. I think about what we have seen today, and I'll go back to my WannaCry example.

Cyber Incidents With Overwhelming Impact

Axel: Those are cyber incidents where clearly the response, the reactive part, overwhelmed the given organization and the impact was significant. And we need to make sure that systems are resilient. We need to make sure that security is not brittle.

Axel: We need to make sure that security is designed into every piece of equipment we buy and put on our networks. And yes, there still will be incidents. But the point is we need to bring it down to a manageable level that does not have the potential to create a shutdown.

Eric: Do you think healthcare users, consumers of medical products are willing to pay a little more for better protected capability? We haven't seen that in the industry before.

Axel: I really wouldn't look at security as an individual feature with a price tag. At least not on the level of the end product. If you go car shopping, you don't want to pay less for the car with the cheapest seatbelts and airbags. You expect the minimum standard of safety in your car, period. You don't even consider that as being part of the price tag of the car you're buying.

Axel: The same is true of a medical device. Hospitals buying medical devices, or a patient receiving medical devices from their doctor from the hospital really shouldn't consider or be forced to consider whether they want to pay more for a better secured device. There needs to be a level of security, a standard of security, that needs to be met period.

Eric: And no discussion similar again, to my example of the airbags and seatbelts. But then you're really talking about a regulatory requirement. I don't think the normal consumer is smart enough, or not smart enough.

Why the Cybersecurity in Healthcare Couldn’t Afford To Be Competitive

Eric: I don't think they think about it. I don't think they're educated in the requirements. When I say consumer, I'm not talking about somebody buying a thermometer at home. But maybe there's a clinician or a board of clinicians who's deciding which MRI system to buy. I don't know that they're looking at security typically, at least in my experience.

Carolyn: I love what Axel just said. It should be built in. But you're right, Eric. Axel alluded to this earlier about needing this to be at a national level. When you buy a car, you expect it to be as safe as possible and same in the medical industry.

Eric: But they're not. That's the reality in my experience. Certain manufacturers aren't putting things into cars unless they're regulatory required. I was dealing with a consumer products company a couple years ago, before Forcepoint. I may have told the story once. It was an extra dollar to put some embedded security OEM-based security. Built into a device that this consumer products company was creating.

Eric: It was too much money. These were expensive devices, five to 1500 US dollars. An extra dollar of cost, then the downstream cost of documenting, understanding how, it's already IP connected. Which is why they were doing that. But it was just too much. They decided they couldn't afford to be competitive.

Axel: Clearly security has to become a competitive argument. Security has to become, I think we're slowly getting there, a buying decision on the side of the consumer. Meaning that the hospital or whoever is the decision maker, to buy a particular device over another. We are on the path that regulations and standards on medical device security are evolving.

The Balance We Need To Take In Healthcare Technology

Axel: The FDA has had an effort on the way since their first pre-market service, Guidance, in 2014. Recently, the IMDRF, International Medical Device Manufacturer Regulatory Forum, released their Guidance. Guidance has come out in Europe on a European level, in France, on national level. In Singapore, in South Korea, in Japan and China, Canada, Australia, and the list is getting longer by the day.

Axel: Clearly, the regulatory pressure is building. But it’s also an interesting balance as we are in this transitional time. There's the real risk that if we step up regulatory enforcement too quickly, certain beneficial technologies will not be available anymore. A manufacturer may say, "The effort is too high to make this particular device, this particular type of treatment, more secure. Therefore I'm going to discontinue it."

Axel: Or smaller manufacturers may decide that, "Hey, this whole healthcare market is way too complicated for me. I’ll just exit the market." And medical devices are always directly tied to patient benefits, care delivery, treatment, diagnosis, you name it.

Axel: The balance we need to take right now, and I think that is often overlooked. It’s a balance between making sure that we steadily improve security without negatively impacting the availability of critical medical technology. That is a very fine balance and it's a very difficult balance, I realize that.

Carolyn: But it sounds like there is some hope that the regulatory pressures are mounting. At this point, that's something. To keep it to the point, we're going to have to wrap up there. But thank you, this is a lot to think about and an interesting discussion. Thanks  for joining us today, Axel.

About Our Guest

As Chief Security Strategist, Axel Wirth provides strategic vision and industry leadership to MedCrypt and its customers. In this role, he helps guide the company in critical security strategy decisions. And supports the adoption of leading security technology to the healthcare industry. He’s an advocate for compliance, privacy, and security - and ultimately patient safety - in healthcare. Wirth draws from over 30 years of international experience in the industry.

He is an active participant in industry organizations, and he serves on boards and committees. He’s a frequent speaker at conferences, forums, and webcasts on subjects such as healthcare cybersecurity and privacy. Medical device security, regulatory compliance, and related healthcare-specific topics.

In recognition of his accomplishments, he has been awarded the “2018 ACCE/HIMSS Excellence in Clinical Engineering & IT Synergies Award”. He also received the “ACCE 2019 Clinical Engineering Advocacy Award”. Recognized as a Fellow by AAMI (Association for the Advancement of Medical Instrumentation) and HIMSS (Healthcare Information and Management Systems Society.

His extensive background in the healthcare IT and medical device industries includes engineering leadership. It also includes strategic business development and marketing roles with Siemens Medical, Analogic, Mitra, Agfa Healthcare, and Symantec. His education includes a Bachelor of Science in Electrical Engineering (BSEE) from the University of Applied Sciences, Düsseldorf (Germany). And an MS Engineering Management (MSEM) from The Gordon Institute of Tufts University.