Jan 09 2023

Q&A: IU Health’s Nick Sturgeon on Connected Medical Device Security and Collaboration

Indiana University Health’s executive director of information security discusses the creation of a new testing lab.

Connected medical device security is a major focus among healthcare leaders. An average hospital room can contain 15 to 20 connected medical devices, and any vulnerabilities could seriously impact patient care.

One 2022 survey found that healthcare organizations with a higher number of connected medical devices were more likely to experience a cyberattack. With connected medical device security top of mind across the country, the U.S. Food and Drug Administration and MITRE have released an updated playbook to address evolving concerns.

“Healthcare needs to be more collaborative about cybersecurity,” says Nick Sturgeon, executive director of information security at Indiana University Health. “If the bad actors are sharing their data and knowledge, we need to do so as well.”

In 2021, IU Health opened its own lab to test connected medical devices; the following year, it announced a partnership with clinical asset management company TRIMEDX to further develop the Medical Device Security Lab.

Sturgeon, who founded the lab, spoke to HealthTech about its creation, the importance of centering patient safety and the security lessons his team learned last year.


HEALTHTECH: How has healthcare cybersecurity grown in recent years? What are some top concerns today that weren’t an issue a decade ago?

STURGEON: Technology usage has evolved and grown more complex, which means different risks have come up that weren’t necessarily a worry 10 years ago. If we’re talking about just telemedicine, for example, as providers and patients connect virtually, the perimeter is no longer contained within the four walls of a hospital. It expands to where the patient is, and the vulnerabilities that may exist in a patient’s home. The patient’s cyber hygiene has a potential effect on the hospital as sensitive data and that technical connection are shared, and that’s something we need to worry about.

Cybersecurity to protect patient safety is really important, but considerations must stretch beyond HIPAA. In recent years, cyberattacks that hamper hospital operations can seriously impact outcomes, as cases in Alabama and in Germany have shown.

Part of the impetus for the Medical Device Security Lab was a patient safety conversation. Yes, we still need to protect the data. That’s a natural assumption at this point. But we need to take the conversations further and really center the care of patients. 

Let’s really have conversations in partnership with clinicians. I work with clinicians, but it’s a small number, so how can we expand that and speak about cybersecurity and patient safety with nurses, doctors and medical assistants in a language they can relate to? How can device safety be a key part of the conversation when it comes to implementing pacemakers or insulin pumps so that we’re prepared should vulnerabilities come up?

Healthcare organizations also need to stay updated on global threats, especially from nation-state actors. These conversations need to happen in public, not only among cybersecurity professionals. It needs to spread industrywide, including all health system leaders. We need to have transparent conversations and stop burying our heads in the sand.


HEALTHTECH: Tell us about the creation of IU Health’s Medical Device Security Lab.

STURGEON: I joined IU Health in 2019, and in early 2020, my boss came to me and said, “Hey, I want you to take over leadership of our offensive security team” — basically, our ethical hackers. And, “Oh, we need to do more with medical device security.”

I come from a digital forensics and defensive background, so the offensive side was new to me. Then, the COVID-19 pandemic hit, and on top of that, we were in the early stages of a new hospital being built in downtown Indianapolis where our cyber offices were, which were going to be demolished. 

I knew that my team needed to get their hands on these devices to test for patient safety, and obviously we don’t want to hack these devices in a patient care setting. We needed a place to do this testing work, and from there came the idea to get a lab started. Let's have a dedicated space where my team can come in, physically or remotely, to do device security testing. Eventually, we landed on a space at 16 Tech.


Being able to independently test devices is crucial. We run on a “trust but verify” perspective. Yes, we have great relationships with the manufacturers we do business with, but once a device leaves its facility and comes into ours, that’s an unknown for us. How’s that going to impact our network? What are the actual risks being introduced into our environment?

Previously, we were just taking a vendor’s word on device security, but things can work differently in a new environment, so validating devices and making sure we have the tools to protect these devices is so important. The lab gives us the ability to do key testing.

HEALTHTECH: What have you and your team learned since the lab opened?

STURGEON: We knew that devices would vary from capability to user interface and how they store and transmit data, but it’s been another thing to see it work and test it out firsthand. We’ve got all these different variables based on all these different devices.

Our conversations with the manufacturers have gotten better. Our processes for handling the data and decommissioning the devices have improved. As my team gets more familiar with these devices, we’ll get better at testing new devices as they come in. It’s been a nice playground for my team of ethical hackers to be able to learn and explore.

HEALTHTECH: What are the top security lessons you learned in 2022?

STURGEON: Collaboration is key for success. As a hospital system, our top priority is to care for patients. But healthcare alone cannot solve all of its cybersecurity problems. We need others from different areas of expertise, different viewpoints. We need to work together, and that’s especially true for working closely with manufacturers and vendors. How can we broach the subject of “trust but verify” in a respectful, collaborative way? Manufacturers have one perspective, we have another, and we need to find common ground to address security concerns in the name of patient safety.
