Terrence Carroll's presentation at the EBME Expo -- Cyber Security in an Era of Smart Pump Interoperability

Obviously I'm American. So I'm going to do my best to speak slowly. I'm going to do my best to also speak without using American sports analogies. So if I get lost, please help me. It's a wonderful thing that you invited us here. I bring greetings from the US. It's really amazing as well. I know that I'm about to present this topic and Nana has a question from Bath that says tell me about device interoperability. Makes me excited that you are interested in what we see is not necessarily what's coming, but what's now. So I'm very excited to tell you about what that means. So the way my presentation is going to break down is in two ways. First, I'm going to level set what interoperability means for those who don't know. Then we're going to talk about the state of cybersecurity. And then we'll give you some pointers so you can ponder how to verify if your device vendor is doing the things that are needed to make sure that you're safe. Good?

So, while this is up, I'll give you the background. My name is Terrence Carroll. I'm global director in infusion systems for ICU Medical. The name may not be completely familiar to you. We were once Legacy Hospira. Before that, we were the Abbott Hospital Product Division. So we went from Abbott to Hospira to Pfizer to ICU Medical all in about a 14-year period. We are globally known for our infusion therapy and technology. We are celebrating 10 years of this achievement: making the device talk to the EMR, to the e-prescribing system. So 2008, two hospitals - one in Lancaster, Pennsylvania; one in Baton Rouge, Louisiana - started the process with us and Cerner to make smartpump programming where you take the complete physician order and put it on the pump. Then in 2010, the next advent came, between us and Cerner as well, and at this point no other vendor has decided to join this space. So we decided to do this infusion documentation, taking all the data that's generated off the system and putting it to INOs, patient charts, what have you. We'll continue on that push of growth. The next part for interoperability for ICU Medical is also including Alert 40. OK. So where the industry is going in the US is to talk about alarms, alerts and how do you move them smartly in an escalation path to the clinician.

So let's walk through what smart programming is first. So, normally, when you start an infusion, what you do is you scan the patient wristband if you're doing any type of medication administration to get the order. Then you scan the bag to confirm that the bag is appropriate. But now it's disconnected from the IV pump. The nurse goes through the process of programming all the different infusion parameters. Once it's done: yes, that’s correct; and start influent delivery begins. That’s what you're doing today. Some of you may not be scanning the bag, some of you may not be scanning the patient, but you're doing the manual process in pressing all these buttons. The DERS solution helps if the clinician programmes the wrong value. The DERS will say stop, that’s inappropriate for this person, this patient, put in a new value. That’s the benefit of DERS. What SmartPump programming does, we’re going to take away those steps. We're going to say instead scan the patient, scan the med, then scan the pump. By scanning those together, now the order comes over from the physician directly onto the device.

So think about that. We no longer have to add in those steps, reducing the number of steps from 17 to about seven. So you’ve got a Sigma Black Belt in the room and they're going to say oh the efficiencies gained through all of these people, it's going to be amazing; they're going to love it. We engineers say is that really nursing? Is it really bringing clinical value to press a number, or is the clinical value to see the interactions of those numbers to the patient? So this is SmartPump programming. This is what we pioneered 10 years ago. All the data that’s generated from this, the number of starts, stops, bag changes, alarms, we take that data and we put it into the record. So that's SmartPump auto-documentation. You'll hear various different terms.

We just did a pioneering project here in the UK just this week at one of your trusts. But where we are really seeing this change is hey can we take an alarm off a device, send it to our gateway then hand it off to Cerner and then have Cerner put it in dashboards and then alert the primary nurse. But if that nurse is busy, can I escalate it to the next? So the pump's not just alarming, the patient's just not completely out of sorts. Instead, there's a way to ensure that we are attempting to better utilise our resources and use all that data that’s gained and not have it disconnected. Is everybody good with what integration means for us? If you grab these concepts then, now we've got the big bad bogeyman. Very, very scary! But my job is to sell you why this is important, right? So let me say why it's important.

Now, because there's so many numbers on the screen I've brought some paper because I want to make sure I get the numbers right. The NHS had a WannaCry problem. And the numbers started off at $19m, then up to $25m, then went to $92m, and the last thing said now it's up to $100m to try and clean up the problem, and we don't know exactly how bad it really was. We see hackers are targeting healthcare data at a level that's completely off the charts and it's all because of the money. If you go to the Dark Web, you can buy a US social security number for about $1. You can buy a credit card for $110. You can buy a medical record for $1,000. So what am I going to go try and steal to sell? Medical records! And why do I want to sell and steal them? It has everything about you: name, age, birthday, mailing address, parents, next of kin, I can become you.

So what are hospitals doing to protect against this? Their spending lags on digital security. Hospitals are spending, apparently, approximately 5% on security; the financial space, spending 10%+. So we have a treasure trove of data that allows someone to become you and you spend 5% a year on it. The one thing I've learnt in this job is don’t go to the hospital. It's the worst place to be! Because, one, you're in the hospital and, two, you don’t know what things are going to happen to you while you're there: hospital-acquired infections. Is there a standardisation of medication practices? What's really happening? Now I know I don’t want to go because I would like to be me. Or it gets even worse, because now it becomes how is this going to work when you are interfacing your medical devices? So the US FDA has issued some different talks about this, but the one at the third from the bottom, cybersecurity threats cannot be completely eliminated, rather manufacturers and hospitals and facilities must work together to manage them.

So what are you doing with your vendors? What are your vendors doing without you knowing to protect you? Do you have any idea? You don’t, do you? I was here visiting some accounts a few months ago and I asked them tell me about your cybersecurity plans. Oh, we don’t have any. Oy vey! You have national healthcare; everybody's in the database. And then I hear a speaker right before, our competitors from Braun talking about interfacing the device. The data's going to go someplace and you want that data. I heard a speech before about population, healthcare and putting all the data in so you can learn all these outcomes. But you're not protecting the data and you're not protecting the systems.

Let me give you some things to consider. One, is the data secure in transit and at rest? Is the data protected on the network, is it encrypted? Braun just talked about having dataflow across the network. This is great. They said their product uses encryption standard. That’s great. You need data to be protected. But then are there any industry certifications available from your manufacturer to say hey, other people have vetted this out? I'm sure you’ve bought a product in your personal life that the salesperson told you it was going to do something great and it did not. It's a terrible thing. So your other thing you have to do is make sure that we’re being honest with you.

Certificates, so anyone watch the TV show 24? There's a US TV show about this guy who never slept and for 24 hours he fought a battle. And every show was one hour of the day. In one of the episodes, our president, they triggered a heart attack remotely from a pacemaker. Do you know how to answer customer questions about if I could kill someone remotely with my device? A serious question though right, I'm exchanging data. So we said why don’t you put certificates on systems to ensure the digital handshake is secure. Are your vendors doing this for your products, do you know? Or do you not care until the door is kicked in? And one that really should not be lost is that there should be no unsecured ports of entry on the device. If you have unsecured ports, then that means I don’t have to be on your network, I just have to grab a device. It's called owning. Because if I own a device then I own the server, and if I own the server I own your network. But go ahead and spend your 4% on that.

When you're doing cybersecurity components, you have to remember one thing: it is not retroactive. I travel a great deal for ICU Medical. I have a system to tell me if the garage door in my house opens. Within two minutes I know. I had to think about processes and put them in place ahead of time. When we are designing products at ICU Medical, we have to first take our design input, define how the product's going to work, test it, release it, but then get the feedback from customers to put it back into a design component. So what are your vendors doing to ensure that they're building quality and security from the bottom, not necessarily trying to make it retroactive to a product? OK I live in a box under a bridge. How am I going to secure this? OK, so I'm going to move the box to another bridge – didn’t really secure it. I'm going to put a little bit of rope around it – didn’t secure it. But you're letting your vendors do this because you're not holding them responsible.

So what we've done at ICU Medical is to say how do we ensure that we continue to be confident in the security of our product? So we actually take all these input sources, dump them into an analysis system automatically where we have software products that look at this database and this list, figure out if there's vulnerabilities, do a scan of our systems to all of our software code bases to determine are we open to a vulnerability without it being reported to us. And then we will score that vulnerability based upon a standard score mechanism, which then tells us how we need to respond. What are your vendors doing? You need to be asking the hard questions. If WannaCry didn't teach you, what's the next thing that's going to teach you?

When you have that design, when you have that analysis after the fact, then you have to figure out how to get it to the device. Braun was right: trying to update 1,000 pumps is painful when you have to plug them in. So can we push it out over the network? Do you have a secure network? Is the firmware validated? You have to update the firmware. So we have a digital certificate on our firmware. So that means that you're going to have to break into our headquarters to break into the certificate system, get the keys, make a false certificate then get onto your network and then try and put it on and then push it to the device. That's a high order of difficulty. I'm not daring any hackers in the room. I'm not daring you to try this. We're just trying to be sure and make that level so hard that they do something else. So if your devices aren't on the network, how do you protect them?

But then when you're interfacing a device, as I just showed you, do you want the patient data on the device? So one time I'm driving to a hospital in the US. And I'm not going to tell you the city, just know it's a big city. Because of how our healthcare system works, this is a hospital of last resort. It's a county hospital. So I'm driving and there's a guy walking down the street with an IV pump on a pole in a gown. The gown's open and he's just walking down the street, he's gone. And I'm blocks away from the hospital and I'm like OK, he just left, he took the pump. And when I got to the hospital they said yeah we lose pumps all the time. So what if doing your interface, you put patient data on the device? The device walks away. Is that one decision enough to say hey this system's not secure; we need to change the methodology? Vents, monitors, same thing, if those devices walk away, is there patient data on there which then makes you exposed, exposes your patients and your customers?

Understand that the way we have built our system is to provide encryption, provide signatures. And when we're doing the SmartPump programming, there are only certain modes that can accept that order. The nurse, there is no automatic process, it doesn't just automatically start delivering fluid, the nurse has to say yes, because we're not ready for automation just yet. But then we don't put the patient information on it. It's on the server gateway. The server gateway's the one that handles the matching of what's happening on that device to the patient and the record and then hands it off to Cerner, Epic, Allscripts, whoever, iCHEMO, it hands that data off, and once again no patient data on the device.

The problem when you talk to salespeople is understanding what's true and what's not. Ask for other ways to confirm what they're saying is true. With ICU Medical, we have put our devices through something called UL 2900, which is a new security standard. The security standard about not only how you build the product and how you support it, but how you design it, we're the only medical device that has gotten through so far. And we've done it three different times. We're the only gateway that's also been UL 2900 secure. One reason why that's so impressive: when we submit to the US FDA, they ask about cybersecurity, what are your metrics, mechanisms, what have you – if you have this certification, you can skip that. So they believe in it. Does your vendor support this? You need to trust but verify.

Do they have third-party hackers playing with their system, providing them responses? Because no one is smarter than the group, right. So we think we know what our systems are. Let's have a white-hat hacker. Let's have someone else poke at the system and provide responses to us. And then they can provide attestation letters to you to say look, we verify that the system is clear. Because what customers are going to do is say tell me about your vulnerabilities and I'm going to say tell me how to hack into your system. You're going to say no, I don’t want to tell you that. Well, I'm not going to tell you that either. Apple doesn't want to put a backdoor to get to passwords and text messages because there may be one key. It doesn't mean that they can secure that key. And that key gets out: it's over.

So we're not going to tell you all of our vulnerabilities or what we've tried. You're not going to tell us yours. So how do you find trust? Use a third party. And the third party can actually vet that under a certain level of nondisclosure and let you know if it's secure or not. So what we've done in our classes is to not only try and design, build, deliver, but have these other third parties give you the comfort that we've done this in the appropriate way. And because of this, we've now put security at every point of the process. Not only the infusion devices, but also the gateway, our DERS system, but now we're working to build secure communication components over to the Cerners, Epics, Allscripts, etc. etc. But this is apparently what you're doing in the UK. And you tell me you're safe. Really, really? You're putting a device with an unsecured RS-232, connecting it to some gateway that's not secure and then trying to connect it to your EMR. If you don't connect it to your EMR, it's on your network for your drug libraries, your DERS. Are you serious? After WannaCry, this is what you're going to do?

In summary, healthcare spends 5% of their budget on cybersecurity. Do you even know what it is at the trust? Do you know what it is for NHS? You could be at 2%. The highest black-market commodity is those patient records, because they want to be you. Go read the stories that a person is no longer that person because someone took their complete identity. That's what they want. You need to interface systems with all that patient data, because you need to determine things that happen. I'm a New Orleans native. Some years ago, I had a sore throat. I used my own big data approach. I needed a home remedy in training. What can I take for a sore throat? I went Google tell me what to do. And Google said gargle cayenne pepper. I'm from New Orleans. I have some in my bag. So I take some out and gargled it, it worked, but then it stopped. So I went back and I said Google, what do I do? Google says hey, eat pineapple. If you have never heard this: eat pineapple if you have a sore throat. It's amazing. It works every time. But Google told me that because they had all this data acquired. And that's what you're trying to do with your population health and putting into the EMR, but you've got to do it in a secure way. Security should not be an afterthought to us or you. It needs to be a high level: if you don't do this, you do not get the business. You cannot make exceptions. Because the moment someone hacks the network from that system, it doesn't matter, you made an exception, right? Verify, confirm, talk to third parties. Make sure it's not just the word of the vendor.

And my last quote: no one really cares about a home security system until the door is kicked in. And then after it's kicked in, they'll put up burglar bars, an alarm. They'll dig a moat. They'll get a dragon. They'll get a guard tower. Medtronic had an insulin pump. I knew a guy that worked on an insulin pump. The Medtronic engineers told the company it will cost us $1m to add security. How are we going to get it to market? They got it to market. At DEF CON, they showed that they could dump the fluid from across the street because of unsecure ports. Medtronic went on recall, FDA hell. And they would have paid $1bn for it to go away. How much would you have paid to make WannaCry go away right then when it happened? Do not make it an afterthought. You are going to interface these systems today and tomorrow. It cannot be an afterthought. You will pay the price. That's all I have, thank you.
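Editor's added example, not part of the talk and not ICU Medical's code: the speaker describes signed firmware, where an attacker would have to obtain the vendor's signing key before a device would accept a forged image. The block below shows what that acceptance check looks like on the device side. The device holds only the vendor's public key and its installed version; an update is accepted only if the manifest signature verifies against that key, the image matches the digest bound into the signed manifest, and the version is newer than what is installed (so a genuinely signed but older image cannot be replayed). Ed25519 and SHA-256 come from the Go standard library; the manifest layout, field names, error values and the sample images are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. Only the manifest is signed; the
// image itself is bound to it through its SHA-256 digest. (Illustrative layout.)
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes is the canonical encoding that is signed by the vendor and verified
// by the device. Fixed-width fields avoid any ambiguity in what was signed.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Update is what arrives over the network: manifest, detached signature, image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Device models a pump holding only the vendor's public key and its own
// installed version. No private key material ever lives on the device.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrHashMismatch = errors.New("image digest does not match signed manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// Verify checks in the order a device should: signature first (so nothing
// unsigned influences later decisions), then image integrity, then rollback.
func (d *Device) Verify(u Update) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	return nil
}

// Install applies the update only if Verify accepts it.
func (d *Device) Install(u Update) error {
	if err := d.Verify(u); err != nil {
		return err
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

// SignUpdate is the vendor-side step, run on the signing system, never on
// the device. It binds image digest and version into one signed manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

// Demo runs one valid update and the three rejection cases against a device
// at version 3, returning each outcome so it can be checked programmatically.
func Demo() (accepted, tampered, forged, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, InstalledVersion: 3}

	good := SignUpdate(priv, 4, []byte("pump-firmware-v4")) // constructed sample image
	accepted = dev.Verify(good)

	t := good // attacker flips one byte of the image after signing
	t.Image = append([]byte{}, good.Image...)
	t.Image[0] ^= 0xff
	tampered = dev.Verify(t)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, not the vendor's
	forged = dev.Verify(SignUpdate(attackerPriv, 5, []byte("evil")))

	rollback = dev.Verify(SignUpdate(priv, 2, []byte("pump-firmware-v2"))) // genuine but older
	return
}

func main() {
	a, t, f, r := Demo()
	fmt.Println("valid update:", a, "| tampered:", t, "| forged:", f, "| rollback:", r)
}
```

The ordering in Verify is the point: signature verification runs before anything in the manifest is trusted, so the version field cannot be used to steer the device until it has been authenticated. In practice the verifying public key would be anchored in immutable storage on the device and the signing key kept in an HSM at the vendor, which is what makes "break into our headquarters" the required attack path rather than "grab a pump".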

