Healthcare has become the target of increasing cyberattacks. But why is this? And what can we do about it? Shankar Somasundaram, CEO of Asimily, joins Ryan Chacon on the IoT For All Podcast to discuss securing the Internet of Medical Things (IoMT). They cover what makes the healthcare industry unique, IoMT security challenges, why cyber attacks are increasing and examples, medical device security regulations, the challenges of IoT in healthcare, and IoMT security best practices.
Episode 285’s Sponsor: Avnet Silica
The We Talk IoT Business Podcast is back! Explore best practices, IoT use cases, and formulas for success on your preferred streaming provider. Or visit avnet-silica.com/podcast.
Shankar Somasundaram is the CEO of Asimily, an IoMT and IoT risk management platform. Previously, he worked on IoT analytics and security solutions at Symantec.
Interested in connecting with Shankar? Reach out on LinkedIn!
Asimily provides a risk management platform that secures IoMT and IoT devices (with a particularly big customer base in the medical, diagnostic, life sciences, and pharmaceutical industries). With the most extensive knowledge base of IoT and security protocols, Asimily’s platform (Asimily Insight) inventories and classifies every device across an organization, both connected and standalone. Because risk assessment – and threats – are not a static target, Asimily monitors organizations’ devices, detects anomalous behavior, and alerts operators to remediate any identified anomalies.
Key Questions and Topics from this Episode:
(02:03) What makes healthcare unique?
(13:01) Challenges of IoT in healthcare
(16:34) IoMT security best practices
(19:46) Learn more and follow up
– [Ryan] Hello everyone and welcome to another episode of the IoT For All Podcast. I’m Ryan Chacon, and on today’s episode, we’re going to talk about all things IoMT and IoMT security. With me today is Shankar, the CEO of Asimily. They are a risk management platform that secures IoMT and IoT devices.
Great conversation. Give this video a thumbs up, subscribe to our channel, and hit that bell icon, so you get the latest episodes as soon as they are out. We have a quick word from our sponsor that we’ll get into here in a second, so please enjoy this episode.
The We Talk IoT Business Podcast is back. Explore best practices, IoT use cases, and formulas for success on your preferred streaming provider. Or visit avnet-silica.com/podcast. That’s the We Talk IoT Internet of Things Business Podcast. If you want to check it out on the website, it’s www dot avnet a v n e t dash silica s i l i c a dot com/podcast. Welcome Shankar to the IoT For All Podcast. Thanks for being here this week.
– [Shankar] Thank you for having me, Ryan. Really appreciate it.
– [Ryan] Absolutely. Yeah. I’m excited for this conversation. Let’s kick this off by having you give a quick introduction about yourself and the company to our audience, if you wouldn’t mind.
– [Shankar] Yeah. So thank you for that. So I’m Shankar, CEO and founder of Asimily. Asimily’s focus is on inventory, cybersecurity, and operation management for medical and lab and IoT devices across different environments. Healthcare has been a very big focus area for us. Prior to assembly, I used to run the IoT business at Symantec
where healthcare was one of our key focus verticals, and I looked at other verticals like retail and industrial. Prior to that, I have a product and engineering background. I helped build the iPhone 3G modem many years ago. I had built some of the early cell phones that have came out in the industry 20 years ago.
And I have done some other work in cybersecurity and networking as well.
– [Ryan] Fantastic. So, I want to dive into the healthcare space as it relates to IoT, IoMT, which is a new acronym a lot of us are hearing these days. Let’s start by talking about what is so unique about healthcare compared to other industries when it comes to IoT?
– [Shankar] Healthcare is, when I define healthcare, healthcare is not a single vertical. I call healthcare, not a system, but a system of systems. That’s how I define healthcare. And that’s what makes it the most unique. And what I mean by that is within healthcare you pretty much find devices from every vertical. You find IoMT, which are medical devices, which are connected.
You find generic IoT devices like printers, IP cameras, surveillance cameras. You find industrial control system devices like elevators, building management systems, HVACs. And then you also find lab devices, which you would find in traditional laboratory environments, like diagnostic devices, cell analyzers.
So if you look across the environment and even we have even seen cars connected to the some of the network. So if you look across the environment and then you find point of sale systems, retail systems, every vertical has certain devices and you find pretty much all of them in healthcare. And then, the more interesting part is not only are they present in healthcare, they actually interact with each other.
So you’re not talking about disjointed systems that are disjointed devices present, but these devices that are coming from different verticals, all interoperating with each other in some form or the other, which makes it very complex and an environment which is very different from anything that you would encounter anywhere else.
– [Ryan] Yeah, that’s a great way to break it down. I mean, it’s something that I know is a pretty prominent use case in the IoT space, or I guess industry for use cases to be built around. But, it’s, for a lot of people it’s not understood as to why it’s not only so important, but at the same time why it’s a challenge to bring these solutions into this kind of environment.
And I wanted to ask, one of the other areas that we talk about a decent amount is the security aspects of IoT. And each industry itself does vary from the level of security that’s required, the difficulty in the implementation of security, keeping up with security threats and trends as deployments get out there.
But when it comes to the healthcare sector, why are healthcare system IoT devices such a unique challenge on the security front or what are the unique challenges in the healthcare sector for IoT solutions when they’re deployed in those environments? And if you just talk us through that compared to other industries, that would be fantastic.
– [Shankar] Yeah, so first of all, healthcare is very unique. That it’s not just a cybersecurity issue, it’s a patient availability issue. It’s a patient care issue fundamentally, right? So you are talking about the life of patients that are at stake, the life of people like you and me who are at stake when we are talking about securing these devices, right?
If you are in an operating table and the device were to go down, were to get attacked, and that device were to monitor your heart rate and it were to go down, I mean, that has significant consequences to it, or something went wrong about the device. So first of all, the criticality is very different.
There are other industries which are very critical. Don’t get me wrong. Power plants are very critical, but here you’re directly attributing something to the life of an unwell patient and that has worse implications. So that’s problem number one. You’re dealing with something that, if you get it wrong, can effectively affect somebody’s life.
And that is a big bar you have put right there. In terms of the cybersecurity challenges itself, a couple of them are unique to healthcare. A couple of them are similar to other industrial verticals. So for example, the legacy of devices. Healthcare is one of those verticals where, like industrial, there’s a lot of devices which are very legacy in the environment.
You don’t get supplemented. The unique part about healthcare is some of these devices, I mean some of these legacy devices are being used on patients. Going back to patient availability, that creates great risk. In healthcare, especially more so in healthcare than other verticals, you cannot scan or you cannot scan some of these medical devices.
You cannot scan some of these legacy devices. You have had a study from one of the customers where they actually scanned a medical device, they did it in a test environment to see, and it changed the gain of the device. They changed the gain of the ECG, so the ECG was still working, like it still appeared like it was working fine but was giving completely erroneous readings.
And how do you know whether the ECG readings are right or wrong? Unless you’re an expert and how would you know or ever find that out? Right? So, it has adverse implication on the operation of the device, which cannot scan it. And then it goes back to my point, a system of systems. You cannot just secure a device in isolation, which is very unique to healthcare.
You’ve got to look at it across how it operates across different devices and environments. So understanding the overall environment is as important as understanding healthcare ourselves, it’s not just about identifying, which is important, but also identifying where the attackers are going to come from, what parts are going to take and how they’re going to all work across the entire environment.
That’s very important as well because there is a lot of interoperability in this environment, which is very unique to healthcare compared to many others that I have seen.
– [Ryan] Sure. Oh, absolutely. Absolutely. And you mentioned the different attacks that can happen. Can you talk through some of the kind of examples or recent examples of either ransomware attacks or just any type of attacks that have been happening when it comes to getting healthcare data and why that’s being targeted so much and really how it affects healthcare organization’s IT device security thoughts and plans. Like when we’re seeing things out there, I know like the Clop ransomware attack for instance. Can you just talk through that and what happened and what was learned or sorted, or I guess discovered through that situation?
– [Shankar] So basically, so the first thing is why the attacks are increasing on healthcare is an average healthcare record sells at, like an average credit card record, if somebody stole a credit card, sold it, you get cents on the dollar. But an average healthcare record is probably, I don’t know the exact number right now.
I’ve heard anywhere from 50 to 100 dollars last I heard many years ago it was $50 on the black market. You can see the financial incentive of going after this. So that’s one. Plus there’s also a lot of regulations that effectively means that the hospitals are going to pay or somebody’s going to pay. At least that’s the idea they have.
That’s why attackers are going after it. In terms of the ransomware attacks, the attacks have increased. Recently there was an attack, I think it came through the FPP server. It came through an FPP client application, so it was actually exposing itself to the internet. And for a lot of ransomware attacks are generally because of misconfigurations that are happening, and the number of attacks have happened across health systems, not just across the country, but recently, I think nine months ago, there was also a ransomware attack.
It was some malware attack. I don’t remember exactly, in DACH, in Germany where there was an operation being operated on in the theater and there was because of some ransomware attack or malware attack, there was, some percentage of the hospital was cut down, like cut off from the rest of it, and that caused an adverse reaction on the patient care, that on the availability, the treatment for the patient.
And then the patient ended up losing their life. It was not directly because of the cyber attack, but the lack of availability of systems to manage the thing, which is also an implication of cyber. It actually brings down your availability on things that you need. And in many of these cases is misconfiguration. Like one of the recent attacks, like I said, the client application was exposing its ports, its services to the internet and had left open the attacker to easily log in, like easily attack the device and to easily attack the application, get information about it, and launch an attack on the system. There’s also a lot of default credentials in all of this.
Like in that case, there was some default credentials with a lot of medical devices expose their default credentials, which actually also allow attackers to take advantage of them and launch cyber attacks. So I think some of it is lack of configuration, misconfigurations. I would say some of it is lack of right configurations and controls, and some of it is less- lack of awareness and processes outside of all the other issues that are there in healthcare.
That along with the richness of financial, along with the financial incentives that come along with it, that has actually exponentially increased it.
– [Ryan] Yeah, that’s, I didn’t know that. I mean, I’ve never really dove too far into this knowing and to discover what the, like you mentioned, credit card records and what they’re, what they sell for, credit card numbers, what they sell for versus medical records. That’s a, it’s incredible and obviously it makes sense why they’re attacking this space.
You mentioned something in your answer there that I wanted to ask a little bit further about, you talked about regulations. So, when it comes to device security regulations for the healthcare industry, what does that landscape look like now, or how is it evolving or what’s happening in that space that our audience should be paying attention to or understand?
– [Shankar] Yeah, it’s a great question. I think the awareness has definitely increased to a point where we are seeing greater regulations. So there have always been guidelines. There have always been those which talk about this is how you should look at it. But globally, we are seeing the regulations play a bigger role.
For example, in US there was the omnibus bill that came about a few months ago that requires manufacturers and they’ve given certain amount of time for manufacturers, but it requires manufacturers to start looking at cybersecurity. When they sell the device, they require them to give some kind of documentation along with the device. That is now expected to percolate to the health systems. Now health system, a little more complex space.
So there are already some guidelines that have come out from the 409D, which actually talks about some of the things that health systems need to do. They are guidelines, but they’re being used more and more by auditors and regulators to actually audit the health system to make sure they actually have a risk mitigation plan or they have a risk awareness plan in the environment.
We are seeing similar guidelines and regulations coming in. European markets, for example. I have some regulations that I’m very aware of that have come in some European markets and this is actually percolating in other parts of the world. I would say because the environment is so complex, you can’t tell a health system, Hey, shut off your service.
Don’t service patients if you don’t do this. So it’s a little more, that’s also another complexity of healthcare. You can have a health system and you can’t audit them. You can’t tell them, you can’t ask them to shut off services and not work with patients. So it’s a fine balance between what you need to do from a cyber and the availability.
In some ways it is a related problem because if you’re not secure, you are going to have problems with availability in the future. But the way you roll this out has to be done carefully. All of these regulations. And that’s why regulations sometimes in healthcare is a very fine balance between what is should be done versus jeopardizing the outcome that you want to achieve.
So, we are seeing greater regulations. We are seeing it get a push from the government, regulatory authorities, but how we roll this out in a manner that doesn’t jeopardize the operations of the health system as a whole is something that is being worked through slowly.
– [Ryan] Okay, fantastic. Let me ask you, we touched on little bits and pieces here, but obviously most of our focus so far has been on security. But what other challenges are you seeing healthcare organizations running into when it comes to modernizing, scaling these IoT deployments in their environments?
You talked about their legacy systems and the challenge of interacting with them. You also talked about the systems of, or system of systems and how being able to integrate in or be interoperable with all those systems is always, it’s can be a challenge. But what other challenges are you seeing that are continuing on no matter how far along we get with technology and it just, or is there anything that’s persistently staying around this space that you think really needs attention or something to really be thinking about?
– [Shankar] So, I think the landscape is shifting rapidly, so I don’t know if there’s a problem that’s persistent because the landscape itself, I mean, the problem is one of technology modernization. That’s the fundamental underlying theme. That it shows up in different ways. So, for example, during the entire COVID, like health systems for a long time have spoken about how the healthcare is moving from the hospital to more towards the home environment where patients are actually more comfortable sitting in their home environment.
You’re more comfortable sitting in your home and being taken care of than actually sitting in the hospital and lying on a hospital bed. Right? So hospitals have always known that the health of a patient, the taking care of a patient is moving more to a more decentralized world, but COVID accelerated it, and as COVID accelerated it, you’re seeing more of a remote care and patient environment.
And that requires a set of technologies that weren’t there before. And some hospitals have had to do more than others in getting there. So that creates a different set of technology problems. Now you have remote home healthcare. You have devices sitting in the home monitoring the patient. That data has to be gotten securely and that has to be serviced.
And then that data then effectively is used to make patient decisions. And then the patient comes in the hospital, that data has to be used now, what you actually gathered from a remote and correlated with the data you’re coming inside the hospital. Now you’re talking about a new technology stack.
I mean, it’s not new, new, like people have been remote, but in the hospital environment it’s now changing the way patient and still you have to follow all the regulations, data privacy, data regulations, all of this, ton of regulations around that, HIPAA, GDPR and so on. So I think, I would say that has created a greater push for technology modernization of remote healthcare, telehealth monitoring, and combining the data while keeping it all secure.
So the underlying theme is one about technology modernization that are, why we talk about cybersecurity, it’s broadly health organizations, healthcare organizations have to adopt new sets of technologies that are coming in and at the rate at which AI is evolving right now, that’ll create a new set of challenges.
People are using ChatGPT to get predictions about their health or like diagnosis, and then they’re going to the doctor as a second opinion. Some of them are even doing that. So each of this technology, and so healthcare’s biggest challenge is being able to adopt technology as they come in a way that they can’t be the first adopter because you are also dealing with patients’ lives.
You can’t start making experiments on people’s lives, but you got to be a fast follower. And that is the underlying problem, which has in some ways affected healthcare. They aren’t always the fastest follower of what’s happening. But the way the industry is moving, the way cyber is moving, the way technology and landscapes are moving, healthcare as a fundamental thing has to do it whether it’s telehealth, AI, whether it is cybersecurity. I mean, all of this, healthcare has to catch up on pretty quickly.
– [Ryan] Absolutely. No, great points. Last thing I wanted to ask you before I let you go here is for our audience out there, we’ve been obviously talking a lot about security, a lot about the unique elements of the medical space, the healthcare space, the environments in which solutions are deployed in. But if I’m listening to this and wanting to have some takeaways on best practices or advice when it comes to the deployment of an IoT solution or thinking through those security steps, what general advice do you have for companies, whether they’re building a solution for the healthcare space or they’re a healthcare organization, a hospital, what have you, looking to adopt? What should really be the top few things that they think about when it comes to that adoption phase?
– [Shankar] I would say there are broadly four or five steps we have. So first one is on the process side. We are a technology company, but I always tell everybody I talk to like process is as important as technology, process and people. Got to make sure people are aware. You got to make sure you have a cybersecurity plan or process in place.
People are your weakest link. If nobody’s aware of cybersecurity and people are clicking on malware links left, right, and center, what difference does it make what you did in your organization, right? So that’s process and people are number one. When you look at it from a technology perspective, you have to have obviously inventories
are number one in that journey. You got to understand what’s in your environment. But the mistake people make is they think of inventory as an end all be all, and they think, Okay, if I have visibility, I solve the problem. Inventory is just step one. You’ve got to have very clear and strong understanding of how are you going to mitigate your risk?
How are you going to manage your vulnerability? One part of it. Because if you don’t have that understanding, you have not get a notice on a ton of vulnerabilities. And if all you have to do go, if all you can do is go and micro segment the life out of your network, you’re not gonna be able to mitigate your risk in a timely fashion, in an efficient fashion, and in a timely fashion.
And so having a way to mitigate, to prioritize your top critical vulnerabilities or risk, and being able to mitigate them in an efficient manner is the second step in the technology stack. You have to be able to do it, and you have to consider it as part of the visibility because without that you’ll have visibility, and in a few months you won’t know how to proceed.
And then the other piece of this is you need to have a very strong incident response program in place. We just spoke about a few minutes ago on how attacks are increasing. If you, I mean, God forbid you got into an attack and you can’t say, I’ll never get into attack. You got to be prepared for it. Right? Everybody has to be prepared. So you need to have an incident response program in place that is effective, that knows, how are you going to detect it, how are you going to collect data, how are you going to analyze it? How are you going to baseline your environment? All of those programs have to be in place, and technology can play a big role. Want to have a solution that actually takes care of the entire journey as well, or at least as a plan to address the journey.
Otherwise, if you’re only thinking of it in one dimension, I’m going to get some visibility, you are going to find yourself in a very hard position in few months. So having the program in place, thinking of in terms of visibility, not just in visibility, but also in terms of risk management efficiently and in a time, in a decent timeframe.
And then talk, thinking of it in an incident response initiative program is, like from an incident response perspective, I think is very important. And I think that’s what I would advise organizations to look at.
– [Ryan] That’s wonderful. That’s a fantastic way to end this. Thank you so much. For our audience out there who wants to learn more about what you all have going on, maybe follow up on this topic, this discussion, get in touch in any way, what’s the best way that they can do that?
– [Shankar] I mean, they could email us at email@example.com, or they could, I mean, there’s- I’ve been a speaker at many events. They could always get my information, like it’s there, all my information, my email, my phone is all there. They can just email me, and I can put them in touch with somebody as well. Even if it’s not about Asimily, I’ve been in the industry for more than a decade, so.
– [Ryan] That’s awesome. Okay, perfect. Well, I really appreciate you taking the time. This has been a great conversation. IoMT is becoming more of a popular conversation by the day. So I’m glad we were able to have this discussion and get this out to our audience hopefully relatively quickly. But yeah, thank you so much for your time, and it was a pleasure speaking with you.
– [Shankar] Yeah. Thank you so much, Ryan. I appreciate it.