Axel Wirth and Chris Gates, authors of Medical Device Cybersecurity for Engineers and Manufacturers, share what prompted them to write their book:
Chris: I was born to this. I really didn’t have a choice. My father was an E.E. in the broadcast industry (radio and television) so I grew up around electronics. I was soldering by age 6; by 7th grade I was building complex electronic projects, such as medical detectors (it wasn’t on the project list, I just wanted to build one) for my beginning electronics class. Some of my early toys were locks (yes, for lockpicking) and plastic computation toys such as the DigiComp and the electronics breadboarding toy called Lectron.
In college, I would use an old Teletype Model 33 and a Novation CAT acoustically-coupled modem to explore (and break into) the far reaches of the ARPANET (the internet’s precursor). There was always amazing research being conducted, especially on MIT’s TOPS-10 systems. Not to mention the university’s local network. All of these systems demonstrated a complete lack of awareness of how brittle their designers’ assumptions were about security – almost like an opt-in approach.
Decades later, having worked at many different medical device manufacturers, developing many medical devices, I was only occasionally utilizing my “skillz” as a hacker to prevent hacking of devices to expose intellectual property or to prevent counterfeiting of disposable parts in a medical device I had created. Cybersecurity activities were all secondary to my normal day job as a development engineer.
Then one day I was working as a consultant to a large medical device manufacturer, working on their proprietary low power radio frequency protocol, when they were very publicly hacked via a Black Hat presentation. This caused all sorts of fear and uncertainty at this manufacturer, as no one had any training in device cybersecurity, no one had any clue as to how this hack was even possible, let alone how easily it had been accomplished.
This security posture reminded me of the early ARPANET, where security was based on the delusion that everybody was playing “by the rules” (spoiler alert: They aren’t!). So I started a quest for how best to incorporate cybersecurity into the development culture of a manufacturer, which launched me into several years of refining approaches and training the engineering staff at this manufacturer in how to identify design vulnerabilities, implementation phase vulnerabilities, and existing threats lurking in third-party software components (AKA “SOUP”).
Since then, I have continued to train and evangelize this method of creating secure products that are manageable during development and satisfy regulatory agencies with artifacts that prove the device has incorporated security into its development. The future looks bright as I see more vulnerable industries (beyond medical devices) start to realize the risks of insecurity and the advantages of being secure. Now if I can just train all of them in time!
Axel: Chris and I have a number of similarities in our careers. I also started tinkering early on, and turning my hobby into studying electrical engineering was inevitable (although math and physics were competing contenders). However, the fact that I ended up in the medical device industry was sheer coincidence. My interest was triggered by an article about medical imaging in the Sunday paper. I thought that this sounded interesting, applied to a couple of companies in the field, and landed a job as an engineer designing power supplies for x-ray systems.
My career in the medical device industry took me across analog and then, later, digital x-ray; ultrasound; plus a number of research projects in biosignal acquisition and processing. Eventually I transitioned into marketing and business development roles as well as health IT.
In 2008 I was offered the opportunity to help a major cybersecurity company launch their healthcare business. Shortly after, one of our health system customers experienced a malware outbreak that shut down over 100 of their medication cabinets (via a computer worm that was introduced by a service technician’s USB thumb drive). For me, this event was the culmination of my entire career as it drew on my experience in the medical device industry, IT space, and now cybersecurity.
The topic of medical device security has been with me ever since, and I have made an effort to not only help solve the problem, but also to educate industry participants on the topic to enable us, collectively, to develop a path to a more secure and therefore safer medical device ecosystem. We need to recognize the scope of the problem and develop a strategic approach to solving it. There is no need to panic, but we do need to proceed with a sense of urgency.
Recognizing this need, our current employers – Medcrypt and Velentium – are exploring ways to partner beyond the authoring of our book. Our goal is to “move the ball downfield” toward a cybersecure future for medical device development. While publishing Medical Device Cybersecurity for Engineers and Manufacturers is a big step in the right direction, we expect it is just the first step. Soon, we hope to begin offering embedded cybersecurity training based on the book. Follow us (Axel, Chris) or our companies on social media to get the latest announcements about that.