May 10: Today on Townhall, Samuel Hill, Director of Product Marketing at Medigate interviews Justin Heyl, Director, Enterprise Risk Management for Baxter International to discuss the challenge of closing the vulnerability reporting loop between Hospitals and Device Manufacturers. Healthcare systems know their threats. They know their vulnerabilities. And if they see something that needs to be changed or fixed, they want to be able to know what to do. How does Baxter approach the idea of vulnerabilities in the devices? How do they work with their customers to make sure that they have the right level of information? What advice would they give to a CISO looking at clinical devices?

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

What we really need to have is a way we can look at a product, look at that vulnerability and how that affects that product and be able to communicate what we're going to do. If we do need to upgrade, update or patch, or if there's other compensating controls they need to do in the meantime. A lot of times there's some additional information that you'd love to communicate to those healthcare delivery organizations. It's a difficult challenge to be able to address all the deployments of your products.

Welcome to This Week Health Community. This is TownHall a show hosted by leaders on the front lines with interviews of people making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors Olive, Rubrik, Trellix, Hillrom, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. Now onto our show.

Hello everyone. My name is Samuel Hill. I'm the director of product marketing at Medigate. I'm joined today by Justin Heyl. He's the director of enterprise risk management with Baxter. Justin. It's great to have you here today. We're going to be talking about one of the unique challenges within a hospital's organization.

There are thousands of devices and they all cost thousands of dollars, but they have software and structures inside of these devices that we have to maintain great security posture for. And that's a challenge. I've, I've seen statistics, we've done some research on. That it takes on average, about two hours to confirm a device vulnerability inside of your hospital's environment.

And talking about that with other peers, they're like, yeah, that's actually a really fast, that's really quick to be able to confirm that. So one of the things that I wanted to talk with Justin about today is this idea of collaborating with hospitals, the medical device manufacturing companies and data platforms like Medigate to start closing the loop on reporting of these vulnerabilities, confirming them and ultimately getting to the point where we take the appropriate action based off those devices.

Justin, thank you for being here. It's wonderful.

Yeah, I appreciate it. Thanks for inviting me. Looking forward to the conversation. And something we all know is one of the big challenges is this kind of open loop way of looking at vulnerabilities and working with between manufacturers and hospitals and addressing these challenges.

every device out there it's got software, it's got hardware, it's got all sorts of different pieces in it. And it is one of the biggest components of a threat vector, a threat surface area, if you will, in a hospital. And so how are you guys at Baxter approaching this idea of vulnerabilities in the devices?

Cause you can meet every single hospital customer. Probably thousands of Baxter devices floating around somewhere doing something. You guys have a very wide portfolio. How do you guys go about confirming vulnerabilities and working with your customers to make sure that they have the right level of information? What what's kind of the current state today?

Yeah. Well, the current state is we definitely work with CSR ICS, cert H ASAP. And when we see new vulnerabilities, we run it through our quality management system. Yeah. Yeah, the effector device to a certain level. So we definitely have to have a product security teams look at those.

Are we running those libraries are what, what things do our devices? How hard are they built and how they deploy? And then after we do our assessments and analysis we have to do outreach and other than we have to update our product security bulletins, and that's kind of the traditional way of doing things. you notify certain healthcare delivery organizations based on criticality and other ones they'll look and get pointed to a product security bulletin, and that's what a lot of medical device manufacturers do. and there's no, a lot of times there's no real traceability.

That's why it takes so much time, right? There might be a vulnerability bolt, something that comes out, that people are aware of. And so first step is being aware that there is something that might affect the devices that are in your environment. It requires a lot of data about the devices that you have, the application versions of software versions, all of the different pieces that go into that device.

So you got to know if you are potentially affected by something that's published or something that could compromise the device. And then the hospital has to then take that information and they have to call Baxter or go to the website or try and get in touch with some folks there to get their guidance on, Hey, is this thing real?

Is this really a problem? Or, or are there existing compensating controls that are already in place that make this not that big of a deal or what's the real story? They're looking at those products, security bulletins, they're looking at websites, they're reading emails and it's this collaboration back and forth that can take again on average, about two hours per vulnerability, which again, we think is maybe a little fast. So how, how can we make that better? Just so whatever you're working on to make that better for hospitals.

Yeah. I mean, and. You mentioned some things about communication is the product with the defense in depth, the way it's architected. if that vulnerability were exploited, would that create patient harm, safety, performance issue, or would that an, a being a pivot point?

Also based on compensating controls, how the device is deployed as a behind a V land segmented has a siren SSA D. Certain other areas that could protect the device based on compensating controls and communicating that is very difficult. Because if you're, if we're dealing with a hundred different healthcare delivery organizations and what, what have they seen, what do they know?

Do they actually have those compensating controls in place or not? urea, that's one of the big challenges. And what we really need to have is a way we can look at a product, look at that vulnerability and how that affects that product and be able to communicate what we're going to do. If we do need to upgrade, update or patch, or if there's other compensating controls they need to do in the meantime or if it is a low risk inherently, but then a lot of times there's some additional information that you'd love to communicate to those healthcare delivery organizations. it's a difficult challenge to be able to address all the deployments of your products.

At the end of the day, like the goal is we want to help separate signal from noise. Like what's really real. What's actually something that needs to be acted on versus when there's a lot of noise out there. There's, there's all sorts of our world is just inundated with noise and getting to the point where we actually understand. This is something we have to take action on. And ultimately the goal is to get there as quickly as possible.

And so that's where the collaboration and this closed loop reporting idea of our, our hospitals. First, they need to know a lot about the devices they have in their environment. They need to know down to a really fine granular detail. So that they can ask the right questions of their MDM partners and then the MBM partners.

Like you guys have Baxter, you guys can close that loop of saying we are actively pushing and actively recommending either a strategy or a patch or whatever the next step is so that we can take. It properly, and we can take it quickly to get to a secure state or maintain and remain at a secure state with all of these devices. So Justin, talk to me about how, how are you seeing this feedback loop get closed with some of the customers that you're with?

So I still, one of the big areas is some of the solutions like Medigate doing the Deepak and analysis and giving the hospitals information saying, Hey, there's products on our that are deployed that have these vulnerabilities.

Well, They, it doesn't really understand the architecture of the device and sometimes how they're deployed. So if we have a variable to communicate to reduce those false positives that will help the hospitals react faster and target the high-risk devices that they need to address. Right away and then also plan for the other devices that are on their network.

So I that's really, the big, the big thing is getting through the false positives, but then closing that communication loop, because if you can have a vendor come in and validate here's, here's a first assessment here's a CVSs score. And if we can go in and look at that and know our product and be able to communicate what the adjusted score would be.

Or if it's already adjust for your compensating control, that will help the hospitals. And like I said, if we can do that for one and be able to communicate to multiple healthcare delivery organizations, it's in our best interest and their best interests to address it.

And I know like a lot of this collaboration is it's kind of been, it's being driven by the CISOs that we all work with. Like those that are, are leading their organizations. And we were joking earlier today, Justin, about Hey, our job is to make the CISOs life easier. But whatever that, whatever we have to do to make that happen, because ultimately they have one of the harder, maybe one of the more thankless jobs in technology.

It's got a lot of risk and a lot of things that could go wrong and. Anything we can do to make their life. And they've been asking, saying Medigate you guys have all this data about our devices and using that data and using the power that is within that, the accuracy that's within that, to help us confirm quickly, anything that might be a threat to us.

We know our threats, we kind of know where we're vulnerable, and if we see something that needs to be changed or fixed, we want to be able to know what to do. Wrap up. And that's what I think are the best benefits of kind of closing that loop. And I think that's also something that medical device manufacturers, you guys actually are very concerned about security it's in your best interest to have secure devices that are out there treating patients and keeping patients safe and delivering real value to hospitals.

And it's in all of our best interests that we're creating. The most useful and secure and continuous environment for patient care to happen. And that's why this collaboration I think, is so vital, valuable, where we have an HDL, that's generating a lot of data through their devices and we have a platform like medicated.

Collaborating with the data, collecting it and analyzing it, and then helping to provide some of that data in a, in a way to our MDM partners so that it can be again, closing the loop for all of the reporting and the vulnerabilities management of them, all of these pieces that come together, it really becomes a powerful tool and a CSOs toolkit, so they can get to work on making their environment a secure as.

Yeah. I mean, you almost think of it as a potential marketplace for a medical device manufacturers to be able to disclose and communicate. And I understand from the CISOs point of view with the hospital, with respect to cyber security, they may have a thousand. Manufacturers that are making devices for whatever they have on their network.

And if they have to individually reach out to all those groups, when a new vulnerability or groups of vulnerabilities come out, that's very time consuming. And this is could be a potential kind of lifesaver for everyone. And then the other thing that we discussed earlier is the communication making sure that. The right messages, go to the rates stakeholders that can create action plans based on these two. So that's another area that is, is missing and, and in certain communication programs.

Yeah, I know we were, we were talking about it, like sometimes like formal communication about like a vulnerability or what you should do about a vulnerability. It's sometimes it's sent, still using a written paper in an envelope with a stamp on it and it arrives at someone's desk in a hospital. And by that point it's been multiple days. It's been probably a very long time since that vulnerability was disclosed and maybe a plan was put in place. By a company like Baxter to, to, to fix it.

And so then that person who receives that envelope opens it up and says, I don't know what this is. I don't know what I'm supposed to do about this. And that's that lack of communication because communication is both the sending them information and the receiving of information. And as we have to be able to have both of those.

Stops on the journey of communication, working at an adequate level. And so taking information around that comes from a company like Baxter that says, Hey, this is what we should do about this published vulnerability. We got a patch in the works. It's going to take us 60 to 90 days to get it updated.

And then we'll let you know when it's there. But in the meantime take this this step or do this, or try this. That information being published and delivered and a place that device security operators, those that are in the security team, working with clinical devices, where they're already looking at it and namely a tool like mitigate or a data collection and analysis platform is really going to be a powerful step to make sure that that reporting loop, that information loop is closed very quickly.

Yeah. And the other thing is we're all busy. We're, we're addressing a lot of things and if something that makes things more efficient and more actionable for both sides of the fence, that we can all be more efficient. and then truly meet the expectations of the industry and the ecosystem. And it's great to be part of this pilot, because this is something that we've talked about for a while. And what's good, better and best. And this is where I see that this is, could be one of those best practices

Speaking of best practices, Justin, you've been working in this space for a long time and you've got a lot of different background experiences that kind of lends some credence to this. what advice would you give a CISO in their organization in healthcare as they're looking at their clinical devices? What advice would you give them? Just, it can be very generic. It could also be very specific. However you want to take this question is fine, but advice for helping to make sure that their clinical devices are as secure and reliable as possible.

One of the big areas, assets understanding where your assets are and understanding what the bills of those assets are that you've deployed and managing those and constantly checking and scanning and making sure what your software building materials have, how it's developed and keeping that front and center otherwise things fall through the crack. You know what What you have out there are new vulnerability or scrambling to assess what products may be impacted or may not be impacted. That's that's one of the first big steps is making sure that you have a handle and control over that. And you're consistently have surveillance over those products

And then how would you encourage them or coach them if you would on working with their medical device, manufacturing partners folks like Baxter and you guys, again, you guys have a very large portfolio that makes a lot of devices that support so many hospitals all over the world. How would you coach, what advice would you give them? As far as working with their MDM ECOS?

Okay. Are you talking for more from the healthcare delivery organizations?

Yeah, I forgot to say a few. I see. So you're, you're talking to someone that's a CSO healthcare, a hospital organization, and they know they need to work with their MDM partners. Obviously they got a million other things that they're trying to take care of and, and get on the job and all those things. But. If you were to give them some advice about working with their MDM partners what kind of advice would you give them? And you guys were all on the same. We kind of had the same goal. Like we want to make devices that are secure and deliver great patient care and the Seesaw. They want devices that obviously continue to deliver great patient care and remain secure. So really a lot of the aims of the same, how would you encourage them to reach out or work with some of their MDM?

Yeah. And so that's one of the big challenges is to be like a pre procurement. that's one of the big challenges we're running into all the questionnaires that, that are being done. A lot of them have hard, it spin on them, but when you're really dealing with a medical device there there's different things that you have to deal with. But one of the big things that I see that is sometimes missing is. We run through the procurement process where the devices are placed are, are procured. It goes through a security review, and then sometimes it's a handoff to the clinical it team that now they're responsible for deploying that.

I would recommend that there's still oversight and how those products are figured how the active directories are configured. Because sometimes those groups get a little liberal on how they're integrated or deployed that could create risk because it's just easier for them to work with that product.

So I, I think that's one of the things that the others. Th the due diligence that is done on pre procurement is, is pretty solid nowadays. But just making sure as, as it's deployed working with the manufacturer to review and validate and make sure things are deployed correctly and configure correctly with respect to security.

I mean, that's kind of the core of the zero trust model. So you've done all the work ahead of time before you bring it onto your network to make it as secure as possible. Validate every. But then once it's on your network, we're still not going to give it full trust unless it's earned it or validated trust so continuing to maintain, I know a lot of organizations in healthcare actually are, are bringing biomedical and clinical engineering.

They're kind of bringing some of that underneath the security organization and the it organization in general. So that they can have a better cause they don't either. They know these biomedical professionals are so good at working on these devices, making sure that they function and there they're wonderful, wonderful, hardworking people, but they you're right.

They don't necessarily think security first. I think patient care for us, which is what we want them to. So having security give oversight or give some extra level of let's make sure we filter our devices and continue to filter them through a security framework. I think that's really great.

Yeah. Yeah. And then there's still the challenge too. When you, when you look at the best practices for hospitals and how to deploy products and micro-segment those devices, and now you configure villans and kind of what we recommend. And then you see other things in the ecosystem where let's have less. So let's, let's have less of these because that's how we need to set up the hospital architecture.

it kind of goes against with some of the recommendations that we gave on how to protect and how to protect those devices and those types of devices that are. So we're still going through some changes.

Yeah, certainly it obviously, yeah. There's a lot of considerations that go into network planning, security planning, device, deployment, planning, all of those pieces. But I think that would be the piece of advice I said, let's, let's make sure all of those conversations do happen. Bring something into the environment, slap it on the network and think that we've, we've solved the the patient care problem or, or whatever it is. And then the final piece was making sure that we take the data about the devices get really accurate there and then filter it through and be able to collaborate on that common data set.

With our manufacturing partners so that we can close that loop and get really good information back about the next steps that we should take to make, to manage vulnerabilities and lower our risk overall. So it's been a really great conversation with you today, Justin.

great talking to you too, as well. Thank you, Samuel.

Thank you everybody. For listening to today's town hall episode, it's been an honor to host it and we'll look forward to catching up with you next time.

I love this show. I love hearing from people on the front lines. I love hearing from these leaders and we want to thank our hosts who continue to support the community by developing this great content. We also want to thank our show sponsors Olive, Rubrik, Trellix, Hillrom, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. If you want to support the show, let someone know about our shows. They all start with This Week Health and you can find them wherever you listen to podcasts. Keynote, TownHall, Newsroom and Academy. Check them out today. And thanks for listening. That's all for now.