The Missing Link in Healthcare Cybersecurity Programs – Medical Device Management

In this episode, host John Riggi is joined by Scott Trevino, senior vice president, cybersecurity at TRIMEDX, an AHA Preferred Cybersecurity & Risk Provider to discuss recent and important developments in cybersecurity, including the impact of the AHA’s new Preferred Cybersecurity Provider program. Their discussion will focus on the complexities and persistent challenges that make building and managing medical device cybersecurity programs so difficult.

Transcription:
The Missing Link in Healthcare Cybersecurity Programs – Medical Device Management

John Riggi (Host): Hello, everyone. Thanks for joining today. I'm John Riggi, your National Advisor for Cybersecurity and Risk at the American Hospital Association. Welcome to AHA Preferred Cybersecurity Providers Bringing Value, a podcast from the American Hospital Association.


Today's topic, very timely, is the missing link in healthcare cybersecurity programs, medical device management. As cyberattacks continue to increase dramatically, both data theft and ransomware attacks against healthcare, it is an imperative for us to have full visibility on our networks, including medical devices. Often medical devices may fall outside the purview of chief information officers and chief information security officers, generally falling under the responsibility of clinical engineering or the bioengineering folks. But it is very important for those devices to be part of a cybersecurity program and to have full inventory and patch status.


Just last week, the Energy and Commerce Committee held a hearing on legacy medical device technology, a very important issue. As hospitals face continued financial pressure, there are fewer funds available to upgrade medical devices, meaning that, within our inventory in hospitals and health systems, we are often faced with a great deal of legacy medical device technology, which may not be as secure as new technology, which had been approved pursuant to the FDA's regulation to have cybersecurity plans in place for new technologies approved after October 1st, 2023.


So today, I really have one of the great experts in the field here to talk about medical device cybersecurity. My friend and colleague, Scott Trevino, Senior Vice President, Cybersecurity at TriMedX. TriMedX is recognized as an American Hospital Association preferred cybersecurity provider. Scott, to kick things off, let's begin with a little bit about your background and really what brought you to your current position at TriMedX.


Scott Trevino: Thanks, John. I spent my entire career in healthcare. I spent the first 20 years in a large OEM. I'm a software engineer. I did a lot of product and services technology development. I've run service repair operations and remanufacturing, and also spent a good deal of time in quality and regulatory, leading design controls and quality engineering, having helped implement quality processes for medical devices, including cybersecurity processes for the business, as well as secure by design processes.


The last seven plus years, going on eight, I've worked at TriMedX, leading the quality and regulatory teams and helping implement our ISO certifications for 13485 and 27001. I also spend a great deal of time doing advocacy work on Capitol Hill and with our regulators. I helped launch our initial products in the product management team at TriMedX. And currently, I'm leading our commercial strategy and thought leadership around cybersecurity as well as our alliances and channel partnerships.


Host: Thanks for that, Scott. So interesting with the combination of work that you're doing, obviously, for medical device management, but the advocacy piece. Lots going on on Capitol Hill these days besides tariffs as we speak today, but really a challenge it's been for the past several years with new regulations, software bill of materials, so forth. I know we'll get into that in just a bit. Can you tell our listeners, Scott, what some of the core challenges posed by medical devices are and what differentiates medical devices in cybersecurity programs? And then, follow on with why having a distinct medical device-specific program in place is so important to protect hospitals and health systems and, really most importantly, patients from cyberattack?


Scott Trevino: Yeah, absolutely, John. So, a couple of core challenges with medical devices or things that make them unique from IT and OT. First, these are regulated devices. So, what that means, practically speaking, is you can't change the form, fit, or function of the device. And when you talk about cybersecurity, when vulnerabilities are discovered, the OEM must validate that the patch or any compensating control that's implemented does not change the form, fit, or function of that device before releasing it.


So even if you have a known vulnerability from an operating system from Microsoft that's well-known across the globe in laptops, you can't just go and install that patch without the OEM validating the patch. Furthermore, you can't do things like install agents on devices. Technically, that would be adulterating the device. You're adding something that hasn't been validated to work. So, that poses significant challenges.


Also in healthcare, it's not unknown that inventory is a significant challenge. And understanding what devices are, where they're at creates a significant problem. You mentioned earlier the amount of legacy devices with old and outdated OSes presents a significant and unique challenge for unsupported devices there.


And finally, what I'd highlight is you have the culmination of two different unique and highly technical skillsets that are required to work on medical devices. One, InfoSec type skills and secondarily, biomed services. We have more biomeds retiring than are replaced on an annual basis. And you need the combination of those skills so you have somebody who can work on the medical device, apply the patch or the fix, but also understand cybersecurity.


So, the criticality to your question of having a specific medical device cybersecurity program really relates to those things. You have to have the right people with the right expertise. You have to have specific processes in place to know when and how to touch medical devices, fix them, and make sure you validate them and verify that they're safe to use before putting them back into use.


Host: Thanks for that, Scott. Interesting what you mentioned there about the patches needing to be validated by the OEM before they're installed, for good reason, right? We don't want to break the device, cause a malfunction of the device or interoperability, again, because it's connected to the patient, directly or indirectly. It's the type of technology that most affects patient care and safety.


You know, when I'm on the Hill, Scott, we talk about why it takes healthcare so long to patch devices. We're often criticized in this field. You know, there was an outdated patch and that device patch was not updated, and we explain to folks, we just can't patch without testing it, having the patch validated by the OEM, as you said, and then testing it within our environment, mainly for patient safety reasons. Scott, so it's evident that many cybersecurity programs struggle to incorporate the unique risk factors and needs of medical devices in their strategies. What strategies and best practices do you recommend healthcare leaders employ to protect hospitals and health systems and patients from cyberattacks, which are due to those vulnerabilities, which take us time to identify and patch?


Scott Trevino: A couple strategies. First, establish a baseline knowing what your inventory is. And that may sound simple, but what I see typically is we only have about 60% accuracy between what's in a CMMS and what you see on the network in a hospital. So, getting that inventory is critical because, without it, it's difficult to know what your true risk is across your full medical device ecosystem.


I would look at doing a risk assessment of those devices and understanding the context of use for those devices because although you may have the same medical device in an ER, you might have a CT in an ER versus in a radiology clinic, the risk may be different for those two devices, given the necessity of that device being often able to be used in its use level. And then, put together an action plan to prioritize what risks you are going to mitigate first, and assign the work and make sure that that work gets done.


I mentioned earlier it's important to have the right people and processes identified as well as having technology. In order to reconcile your inventory, you need to know what's on the network. So, employing technology to understand what's on your network, profile its behavior, understand what's anomalous behavior and not, and know what you have, what comes on and off the network, is critical.


And finally, I would say you should assess, as part of that baseline, your overall program. And we tend to use the NIST Cybersecurity Framework to understand all components of identification, protection, detection, response, recovery, as well as governance for your program. I would say that's a great place to start.


Host: Thanks, Scott. You know, your key point-- inventory, such a challenge, whether it is medical devices, desktops, all of the inventory, IoT devices, and to do it on a dynamic basis, right? It's not one and done. And we need that network monitoring to understand how devices connect, especially as clinicians connect and disconnect devices at will often, but for good reason-- patient care, right? Patient care is job one in a hospital. And if the device needs to be plugged in, a surgeon, physician needs a device, that is the priority at that moment. But of course, then, we're left to deal with potential vulnerabilities in that device.


So, Scott, medical device technology, constantly growing more complex and more prevalent, both in how it delivers diagnostic and therapeutic care to patients, as well as how it integrates with hospital networks that can be compromised in a cyberattack. Sometimes the device itself might be the vector, which the bad guys use to get into a hospital's network. Help our listeners understand what is the best place for hospitals or health systems to start better understanding and prioritizing the various risk factors of medical devices as part of their overall cybersecurity plans.


Scott Trevino: Absolutely. You know, I mentioned before, but I'll go back to it again, having an inventory is critical. And why is that? In order to perform a known vulnerability assessment. So, knowing what you have and then knowing what devices have vulnerabilities. And the reason I mentioned this is that the latest statistic shares that over 50% of medical devices have a critical known vulnerability that hasn't been mitigated or remediated.


The other challenge here is that many of those devices do not have a validated patch. So, a compensating control is critical. So knowing what you have, knowing its vulnerability profile, and understanding the risk factors with those devices. I mentioned before some devices have a criticality to the patient. They may be connected to the patient, they might be life-sustaining. So obviously, those are higher risk both from the known vulnerability, but also how and when you're going to go remediate that risk with that device. So, doing a risk assessment and prioritization based on that is important. Understanding whether you have a patch, whether it needs a compensating control, the context of use of the device, and its importance to patient safety all factored in with the risk tolerance for the hospital. And all hospitals tend to have different risk tolerances in establishing what that is and how you're going to prioritize is critical.


Beyond that, having an action plan with assigned owners and taking that action and following through on that action is critical, and governing that process. So, putting the right people with the right processes, having technologies, so that you can know what those devices are, understand their behavior, and also record the current state.


As you mentioned earlier, John, a number of devices have known vulnerabilities without patches. Being able to record the status of that device and, if you apply a mitigating control, some form of compensating control, having that history is critical, so that you can understand your true risk profile.


Host: A key point again, inventory. You know, it starts there. You can't protect what you don't know is on your network. And really, I like what you said too about taking that patient-centric approach as well. Those devices that are most important for life-saving, life-sustaining, directly connected to the patient. Then, those other critical systems that perform key services for potentially saving the life of a patient, those labs and diagnostic technology as well.


So Scott, we have learned through hundreds of high impact ransomware attacks against hospitals that these attacks can cause massive disruption and delay to healthcare delivery, posing a risk to patient safety. The key factor causing the disruption and delay is that these ransomware attacks cause internal networks to be shut down and, often, the victim is forced to disconnect from the internet. And as we've spoken about, more and more of our medical device technology is network and internet connected for full functionality or for base operating functionality.


So when we lose the network and the internet, such as during a ransomware attack, this causes a cascading disruptive effect to network and internet-dependent medical devices and technology. What is your advice to help prepare for such an event? And what can hospitals do to make their medical technology and devices more resilient during a ransomware attack?


Scott Trevino: Absolutely, John. So, a couple things to repeat previously. You need to start burning down your risk, your technical risk debt, I like to call it, by patching and putting in compensating controls for known vulnerabilities. All the things we just talked about.


But more importantly is to be prepared. And what do I mean by that? So, it's not just enough to establish a program to understand your current state for your medical devices, monitor for known new vulnerabilities and anomalous behavior of devices and control and work on that and apply patches and compensating controls. It's important to establish processes that go beyond the day-to-day operations contingency plan.


So, having a business continuity or continuity of service or an incident response plan is critical so that you can pressure test the system. What do I mean by that? Well, you can audit or do tabletop exercises to simulate exactly the type of event that occurs with a ransomware attack so that you know who's on first, what the roles and responsibilities are of the team, and learn from it and continue to improve that process.


I like to say it's really with the amount of threats and attacks that are ever-increasing and becoming more sophisticated. It's really not a matter of if, but when that occurs. So, it really behooves hospital systems to integrate medical devices into their incident response and recovery plans and test that, not just have a process but actually run an exercise that really pressure tests that process, learn from it, and continually improve that process.


Host: Thanks, Scott. You know, here at the AHA, one of the concepts we've been helping the field understand and develop is the notion and distinction of clinical continuity versus business continuity. In theory, it should mean the same thing. But in healthcare, over the years, we've kind of developed this idea that business continuity means the technology part of the business, and that's IT's responsibility when we lose our systems due to a ransomware attack. And the clinicians wait for that magic, these IT folks, to quickly restore from backup within minutes or hours. And of course, we know that just doesn't happen. It's not possible. It takes 30 days, 30 days on average for a health system to restore after a high impact ransomware attack.


So, we want folks to think about, and as you've touched on it, clinical continuity. What are the systems, devices, processes that we need to maintain safe and quality care for patients for 30 days or longer due to a technology outage for any reason, ransomware attack, tornado, whatever it is, we lose our technology. So, appreciate your points on that, Scott. Before we wrap, how do you expect cyberattacks against medical devices and technology to evolve in 2025? And what can hospitals and staff do to prepare against this constantly evolving cyber threat?


Scott Trevino: Absolutely. Well, unfortunately, I expect to see growth and sophistication impact, not just quantity of attacks on healthcare. Healthcare data is valuable as part of our critical infrastructure. It's a national security concern for the country. And so, I expect more sophisticated ransomware attacks that will go probably beyond just the hospital systems attacking connected devices, I think we might see that. Expansion of supply chain and third party attacks. I failed to mention before, but part of the risk assessment should be not just your devices, but also looking into critical vendors and third parties that you rely on as part of your approach to risk and being prepared. I think also an exploitation of the legacy devices or unpatched devices. So, it's critical again to start understanding what you have, what its risk profile is, and start patching and putting compensating controls in place. And finally, I think more sophisticated use of AI. It's ever-evolving and becoming more and more difficult to defend against. So, it really behooves hospitals to stay abreast of what's going on, not just understanding what vulnerabilities exist, but what are the trends with attacks.


Finally, I would say, and you alluded to this earlier with things happening in the Energy and Commerce Committee last week, I expect to see more activity around legislative considerations for new regulations, new legislation. We've got the HIPAA security rule that was just commented on. I think there's going to be a lot of activity around that. My question here though, or something to consider-- and I don't have a crystal ball on this, but I know health systems struggle with staying profitable-- so, unfunded mandates would be a challenge. So, my perspective for this year is legislative or regulatory requirements for cybersecurity are good and needed in terms of improving the security overall for our healthcare critical infrastructure. However, unfunded mandates create their own challenges.


Host: For certain, Scott. And that's been a big issue here at the AHA. We're all about trying to help hospitals improve cybersecurity, because we believe that cyber safety is patient safety. We help push forward this notion that these ransomware attacks against hospitals are not digital crimes, they're threat-to-life crimes. And the issue though, and of concern as we've expressed directly, is that the funding for these. And that hospitals operate at razor thin margins, razor thin. Most are nonprofit. And we want to do the right thing, but another unfunded mandate, especially when we're facing potential massive cuts to Medicaid, it's going to make a really challenging and tough environment for hospitals to meet any type of unfunded mandate.


Scott, the other point I just wanted to emphasize, you mentioned the national security piece as well. Scott, you and I spoke recently about the identified vulnerability in the Contec CMS8000 monitors where apparently there was a software backdoor-- according to the federal government, a software backdoor indicated anomalous communications between the device and some university in China. What's that all about? It doesn't look good given what the Chinese have done in terms of repositioning potentially destructive malware in parts of our critical infrastructure, again, according to the federal government. So, we need to consider all of these things in our purchasing decisions.


Scott, again, great discussion. I want to give you an opportunity here for any last thought or words before I close out.


Scott Trevino: Well, first I just want to say thank you, John, for the opportunity to talk about a subject I'm very passionate about. A little repetition. I would say, you know, the key thing here when you think about cybersecurity for medical devices is you've got to have the right people and processes. You cannot rely just on technology. And I think that's critical, and it's better to start somewhere than to not start at all, and that's no longer really an acceptable excuse, is ignorance around cybersecurity. There's been too much in the news around cybersecurity, too many attacks, and it's critical to take action with the right people, implement the right processes, and invest in the right technology.


Host: Thanks, Scott. Thanks for being here joining us on this podcast, but most importantly, sharing your expertise, which will help hospitals and health systems better secure their medical devices and better defend against cyberattacks. Folks, thanks to all our listeners today for joining as well. Thank you again to TriMedX for their generous support that has helped bring this podcast to you. And if you'd like to learn more about AHA Cybersecurity programs, please visit aha.org/cybersecurity. This has been AHA Preferred Cybersecurity Providers Bringing Value, brought to you by the American Hospital Association. Thanks for listening.