Defining the IoMT Perimeter
The CISO explains why the hospital firewall is no longer the boundary; the embedded operating system in room 202 is the new frontline.
The Reality of Device Hacking
A blunt look at whether a threat actor can truly change a patient’s dosage and the “dramatic” impact of unpatched legacy firmware.
The FDA Approval Bottleneck
Why clinical efficacy often comes at the cost of security, leading to devices being deployed with years-old, vulnerable software.
Cyber Malpractice & Liability
How courts and regulators are redefining “reasonable care” to include the cybersecurity of medical instruments.
The HIPAA Compliance Trap
Why asking “Are you HIPAA compliant?” is the wrong question during procurement and how to dig deeper into technical controls.
In today’s briefing, we analyze a critical shift in the healthcare sector: the evolution of medical tools into interconnected network nodes. As IV pumps, pacemakers, and anesthesia machines join the Internet of Medical Things (IoMT), they bring unprecedented efficiency, and terrifying new vulnerabilities.
The Evolution of the Clinical Perimeter
The perimeter of a healthcare organization is no longer just the firewall or the server room. It is now every embedded operating system sitting in a patient’s room. In this episode, our CISO highlights that a single hospital can have thousands of these endpoints, many running on unpatched legacy versions of Windows or using generic default passwords.
From Data Privacy to Mortality Risk
While the industry has spent decades focused on HIPAA and data privacy, we are entering an era where targeted sabotage is the primary threat. We discuss scenarios where a breach doesn’t result in a stolen credit card, but in a disabled fleet of infusion pumps. This isn’t just a technical debt issue—it’s a mortality risk.
The Triage Framework for Healthcare Leaders
We conclude with actionable “marching orders” for Healthcare CISOs and VPs of Risk:
- Inventory is Security: You cannot protect a device you don’t know exists.
- Network Segmentation: Air-gapping high-risk clinical devices from the guest Wi-Fi is a “basic” requirement that many institutions still fail to meet.
- Procurement Overhaul: Security must be a “selling pitch” and a core requirement during the purchasing phase, moving beyond simple compliance checkboxes to evaluate the Software Bill of Materials (SBOM).
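As an added example that is not part of the episode or its show notes, the Python script below applies the three marching orders to a constructed device register: it flags clinical devices that share a segment with guest Wi-Fi, factory credentials and unsupported OS versions, records missing SBOMs as a procurement gap, and lists endpoints seen on the network that the register does not know about. Asset names, MAC addresses, VLAN numbers and credentials are assumed sample values; the two Windows end-of-support dates are Microsoft's published dates.

```python
"""Triage a constructed IoMT device register against the episode's marching orders:
know what you have, segment it from guest Wi-Fi, and insist on an SBOM at procurement.
Device names, MACs, VLAN numbers and credentials below are constructed samples."""
from dataclasses import dataclass, field
from datetime import date

# Published Microsoft end-of-extended-support dates for two OS families that still
# turn up on clinical devices; extend this table for the OS versions in your fleet.
OS_END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8), "Windows 7": date(2020, 1, 14)}
# Factory credentials that should have been rotated at commissioning (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("service", "1234")}
GUEST_VLAN = 100          # hypothetical VLAN that the visitor Wi-Fi lands on
AS_OF = date(2025, 1, 1)  # assessment date used by the sample run
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "ok": 3}

@dataclass
class Device:
    name: str           # asset tag
    mac: str            # as recorded in the asset register
    clinical: bool      # direct clinical function (infusion pump, anesthesia, CT)
    os: str
    vlan: int
    credentials: tuple  # (username, password) as currently configured
    sbom: list = field(default_factory=list)  # [(component, version)]; [] if none supplied

def triage_device(dev: Device, today: date) -> list:
    """Findings for one device: exposure first, then patch state, then procurement gaps."""
    findings = []
    if dev.vlan == GUEST_VLAN:
        findings.append("shares a network segment with guest Wi-Fi")
    if dev.credentials in DEFAULT_CREDENTIALS:
        findings.append("vendor default credentials still in use")
    eos = OS_END_OF_SUPPORT.get(dev.os)
    if eos is not None and today > eos:
        findings.append(f"{dev.os} unsupported since {eos.isoformat()}")
    if not dev.sbom:
        findings.append("no SBOM on file; component exposure cannot be assessed")
    return findings

def severity(dev: Device, findings: list) -> str:
    """A clinical device reachable from the guest segment or still on factory credentials
    is the mortality-risk case; anything else is a patching or procurement task."""
    if not findings:
        return "ok"
    exposed = any("guest Wi-Fi" in f or "default credentials" in f for f in findings)
    if dev.clinical and exposed:
        return "critical"
    return "high" if dev.clinical else "medium"

def unregistered_endpoints(observed: list, inventory: list) -> list:
    """Endpoints seen on the wire as (mac, vlan) that the asset register does not know."""
    known = {d.mac.lower() for d in inventory}
    return [(mac, vlan) for mac, vlan in observed if mac.lower() not in known]

def triage_fleet(inventory: list, observed: list, today: date) -> list:
    """Ranked worklist of (severity, asset, findings), worst first, then unknown endpoints."""
    rows = []
    for dev in inventory:
        findings = triage_device(dev, today)
        rows.append((severity(dev, findings), dev.name, findings))
    rows.sort(key=lambda r: (SEVERITY_ORDER[r[0]], r[1]))
    for mac, vlan in unregistered_endpoints(observed, inventory):
        rows.append(("unknown", f"{mac} on VLAN {vlan}", ["not in asset register"]))
    return rows

# Constructed sample data: one neglected pump, one well-managed scanner, one alerting host.
INVENTORY = [
    Device("PUMP-202", "02:00:00:00:00:01", True, "Windows 7", 100, ("admin", "admin")),
    Device("CT-01", "02:00:00:00:00:02", True, "Windows 10", 20, ("svc_ct", "rotated-2024"),
           [("openssl", "3.0.13")]),
    Device("NURSE-ALERT", "02:00:00:00:00:03", False, "Linux", 100, ("ops", "rotated-2024"),
           [("nginx", "1.24.0")]),
]
OBSERVED = [("02:00:00:00:00:01", 100), ("02:00:00:00:00:02", 20), ("02:00:00:00:00:09", 20)]

if __name__ == "__main__":
    for sev, asset, findings in triage_fleet(INVENTORY, OBSERVED, AS_OF):
        print(f"{sev:8} {asset:28} {'; '.join(findings) or 'no findings'}")
```

The observed-endpoint list would normally come from switch MAC tables or DHCP leases; the point of the reconciliation is that the unregistered host, not the register, is where the inventory gap shows up.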
// DECODED TRANSCRIPT
Actual (00:00)
Welcome to Status Secure. Today’s briefing is about the new extension of the doctor’s hand. 15 years ago, an IV pump or pacemaker was just a machine. You plugged it into the wall, it did its job. Today, it’s a computer node on your network. It communicates, pulls data, receives remote instructions. But what happens when that node doesn’t belong to the doctor anymore? What happens when it belongs to a threat actor?
What do you think, CISO?
The CISO (00:25)
Well, you know, let’s talk about that, right? Because everybody hears about IoT, which is the internet of things. But very few people think about the internet of medical things. So modern health care requires connectivity for telemetry and your patient data integration. So you really have hospital networks that are connected to multiple devices, not just
And it could be thousands, because if you think about a hospital, the last time you were in hospital, everywhere you walk, there are medical devices. And so there could be thousands of them. These are all endpoints. And many of them have direct clinical functions, like anesthesia machines, CT scanners, insulin pumps. So the reality here is that your perimeter as a security person
is no longer just your firewall and your network and your laptops and your servers. It’s now also the embedded operating systems on things like an infusion pump sitting in room 202.
Actual (01:27)
Got it. So yeah, let’s be blunt about this. Can someone actually hack an infusion pump and, say, change a patient’s dosage?
The CISO (01:35)
Well, you can look it up, but they’ve done many. They’ve actually proven that you can hack into them. I mean, it says here “hypothetical risk,” because that means researchers have done it, but in reality, if a researcher can do it, then a bad actor can do it. So they can do it, and it’s simple, because of unpatched firmware, generic passwords,
exploiting legacy, you know, Windows versions that the device runs on. I mean, these are basic things that bad actors have been aware of for a long time. It’s not hard for them. So, you know, really, it’s kind of dramatic, because the impact is so great, right? So let’s take a case. What if a bad actor, and let’s say they were,
and we had talked about this, remember, where let’s say I’m an assassin from a nation state. And, you know, when our leaders are in the hospital, it’s all over the news. So if you know where they are, you know the hospital they’re in, you can go in and you can deliberately, you know, disable a
pump that’s providing critical care, critical medication, right? And, you know, just do all kinds of damage and assassinate someone without ever having to touch them. It’s not just about changing medicines; it’s about a threat actor looking at a hospital’s entire fleet of, and then chaos, right? So I talked about an assassin. What if you’re a terrorist? What’s one of the best ways?
It is to, you know, look at a hospital that has, you know, hundreds of thousands of patients. And then you go and you say, okay, there’s, like, you know, 500 infusion pumps, right? And you say to the hospital, pay up or these pumps don’t work. Right. And if they were to,
Actual (03:32)
Hmm. Yeah.
The CISO (03:36)
to stop those pumps, is there enough medical staff to deal with over 500 patients at one time? It would be chaos.
Actual (03:43)
Definitely, and I guess, you know, where my mind goes with this is, when do we transition from, like, hey, we have data protection, or, you know, we’re thinking about security, to we’re not thinking about it at all and it just becomes negligence? Like, you know, I knew somebody who was in the tech startup space in the Bay Area who was making one of the first, in my opinion one of the first, wearable devices in kind of the medical field.
And I mean, I wasn’t necessarily involved with it, but it didn’t sound like there was much conversation around security, right? And maybe there was, but it doesn’t seem top of mind. And I guess when I’m hearing it from this conversation, the way you’re putting it, the way we’re talking about it, is it should be. I mean, it could have been for them. I wasn’t too involved, but it just made me think. It made me think, like, wow, I wonder if back then when I was talking with them
about this product, I wonder how focused they were on the security or what things they put in place or implemented. So it does make me wonder. So, ’cause you’re more in this field, especially in the healthcare field, than I am, how would you view this topic? Like, from what you’ve seen, do you think that many of the devices out there are designed with security first, or what’s your thought on that?
The CISO (04:57)
I think the challenge is that, you know, when you’re building medical devices, you’re thinking about clinical efficacy. And how well is that device going to perform its life saving, potentially life saving service. And it takes so long to go through the FDA approval process.
So the thought here is really, and the focus, the focus is really how well does this device manage the patient care? And it should be, right? But the problem is that because that’s the focus, security is usually an afterthought, something that is put in later.
or they’re not even thinking about it because they’re just trying to figure the device out and figure out how to get through the FDA approval process to take it to market because the longer it takes to go to market, the more capital, the more resources they are expending without any revenue.
So what happens is it takes years for the FDA to approve. So by the time a device is approved and deployed, the software running might be years out of date and even unsupported anymore. But hospitals are forced to maintain insecure legacy devices because the device works so well. There was a device,
pacemakers, right? Yeah. I mean, you know, because people were dying from heart attacks. And so these pacemakers, they wanted to get them into market as soon as possible. So they put them into
Actual (06:30)
Yeah, yeah, of course.
Well, I guess, hold on, hold on for a second. We just said, yeah, but let’s say for someone listening, they don’t know what a pacemaker is, for example. So why don’t you go ahead and just quickly, like, explain what it is, what’s the function of it.
The CISO (06:54)
Okay, so in your heart you have, what, you know, think of it as an orchestra, right? So you have a conductor who tells the orchestra, you know, the rhythm, right? So, you know, your heart’s playing this music and the conductor is telling your heart what the rhythm is. Well, if something happens to your conductor, right, then your heart has problems, right?
Palpitations, fibrillation, I mean all kinds, your heart’s out of whack. And so it can cause your heart to stop, to have a heart attack, right, to fail. And so pacemakers are these little devices that really become the conductor of the heart. And the pacemaker keeps, like it says, pace. It provides the rhythm, the pace for your heart. So that way it doesn’t get out of…
out of whack and it continues to work, your heart works effectively. So great, great. So now you have these pacemakers that they wanted to get out because a lot of people were passing away from heart attacks and it was preventable. So they took it out to market. They implanted about 465 devices, 465,000, right?
That’s 465,000 people. And then what they’ve discovered later was that there was a vulnerability in these pacemakers where somebody could tell it to, you know, to remotely, you know, just, just use up all the battery or to, you know, or to modify the conductor, right? So to change the rhythm and cause a heart attack or, or, or, you know, trigger
the heart to go into defibrillation, right? So, you know, that’s, you know, so it’s like all that time, these people, 400, about 465,000 people are at risk.
Actual (08:44)
Yeah, so we’re stepping into new legal territory, right? That’s where my mind goes when I think about what you brought up. I’m somebody who brought a product to market. I’ve said it can do all these things, these life-saving functions. You know, it works. You put it on a bunch of people, a lot of people, and all of a sudden now there’s these vulnerabilities that
threaten people’s lives. So as the manufacturer of the product, like what’s the liability there, I guess is the question is, is it a, you know, what do we, what do we call that? Like a technology failure, medical malpractice, like let’s say if a patient is, is harmed because of an unpatched, anesthesia machine that, maybe failed because of some kind of vulnerability, some kind of hacker or what have you. So what does that
What does that lead to?
The CISO (09:31)
So you’re talking about like the, like, let’s start with what’s the definition of reasonable. Every medical practitioner knows that you have to provide reasonable care, right? But when we talk about reasonable care in court and with regulators, what does that mean? Is it just the doctor’s care to the patient?
Or does it extend to the medical devices and tools that the health professional uses? Well, when you’re at an organization like a hospital, right, or what they call providers, like doctor offices, things like that, it actually goes beyond just the patient care and into the devices that the health care professional uses. That’s how regulators and
courts view that. So if you know that you have a device that’s old, that’s not separated from your guest Wi-Fi, that’s not segmented, and you have the folks who know how to do it and you do it for other things, then of course a court is going to be like,
Why didn’t you also do it for your medical devices if you are already doing it for other things on your network? So again, reasonable. That’s very reasonable. So the courts are going to, I mean, there’s cases, you can look it up. There’s cases where they required the hospital to fix this, or a manufacturer to
patch, or a hospital to patch their devices. And that now is forced as money that you didn’t plan for. It’s a project you didn’t allocate for, right? So there’s an expense and sometimes there’s a fine with that, right, if the courts deem it so negligent. So if that were to happen, what do you think would happen to, they document all this, all of this is public information. If you’re talking about,
you know, a regulator fining you or ordering you to do something. So now, you know, your reputation, the patient trust, hey, you know, that kind of thing is hard to recover from. You know, maybe you can recover the money, you know, but you can’t recover the trust. And then, you know,
I would say that you just have to be aware that malpractice used to be only something doctors worried about because of misdiagnosing. But now malpractice also means your CEO, your information security leader.
Actual (12:08)
Yeah, and that makes sense.
You know, we’d have that kind of liability in other facets of, you know, organizational leadership, especially depending on what industry you’re in. You’ll see CFOs will get pulled into things and whatnot. And it’s a leadership, you know, it’s just one of those things that you know you’re walking into as a leader of an organization. And I can see that, how that would happen. And so I guess as we’re on that topic of
the leadership, let’s say we’re going to give our marching orders on this topic. You know, we can’t throw away some of our legacy devices. We also can’t tolerate mortality risk. So where do we go from here? What’s the next step?
The CISO (12:42)
This is an interesting question because every security leader should know this. It’s nothing new. You need your inventory. Inventory your medical devices. You can’t protect what you don’t know. And there are so many in a hospital. So first, get your inventory. Know what you have.
Know what’s connected to your network. Know what’s connected to other things such as the alerting system for the nurses station. Segment that out. Create a network that is separate from your Wi-Fi. Because everybody has Wi-Fi now. You go into a hospital, they have a Wi-Fi available. So make sure you separate that out.
that you segmented it out, that it’s air gapped, that there’s a separate VLAN. So that way, it’s harder for someone from outside to connect to those devices. Those are very basic things. And if you can’t do the basics, then you need to really think about what you’re doing. Because these are basic things that you can do to protect a patient.
Actual (13:48)
Yeah. And it’s got me thinking on something here. You know how you see those commercials that talk about this pill that does this thing for this problem, right? And, you know, they show all these happy people living the life, and then they spend, like, the next five minutes talking about all the horrible things that will happen when you take it. And then at the end of it, they say, well, ask your doctor for a recommendation, or if, you know, they will approve it. And on the flip side of that,
I think you go into the doctor’s office for whatever reason and they prescribe you stuff that they know is, like, the good stuff, or this stuff is gonna work. I have experience with it, I trust it. I know that everything has side effects, but this one, I trust it. So with that in mind, I then take that same thought to the devices and go, does the thought process work there?
maybe staff that is used to a certain device, they like it, they trust it. How is that sort of maybe, I don’t know, maybe it’s just my naivety on the subject, but how is that documented or how do they come to a determination on that topic of this is what we’re going to use for you? Like for example, here’s an example for me. I’ve had two shoulder surgeries.
And in one of them, they were like, this is the way people have done it in the past with these tools, but instead we’re gonna use these tools and this is how we do it over here. Like this is how we do this specific type of surgery moving forward. And so on the concept of vulnerability risk, how is that factored in?
The CISO (15:22)
Well, it probably is not, right? Because, you know, the clinicians are the ones who oftentimes, like you mentioned, choose the devices, right? Not the security team. But this is pretty common across all industries, right? You know, the clinicians, the operators, they choose the tools and then security has to, you know, deal with them. I would say
that you want to embed yourself in their process, get to know them. If you’re a security person and you’ve never been to a medical device conference just to walk around and learn about medical devices, that would be one recommendation. You need to see what’s out there. You need to go with your clinicians. You need to go with the people who are procuring these devices, who are reviewing them, who are procuring them.
get to know them, talk to them, because once they understand that part of the review of a device shouldn’t just be how it feels in their hand, how easy is it to use, but also how secure is it for the patient care, to provide full patient care, not just partial, but the entire time that patient is, and that device is touching that patient.
Actual (16:36)
You know, you bring something up that’s good. We were at a conference and there were medical devices and I’m thinking about it from both sides is let’s start with the, you know, I’m the purchaser. I’m looking for a device to do X. I send a team maybe to go and check it out. Should we start, you know, having a different process where if we know we want to go look at something or maybe we have an idea, we have our list, right, our top five or whatever.
Now is there the new process is let’s send a security person alongside the technician or whoever the purchaser is. So then we can have a security conversation as like a way to narrow down the field to like filter out and help you get to the one that would be best suited that meets maybe your security requirements. And then I guess on the flip side, as on the selling side of it, are we now using security as a way to sell our products like
I can say this, when we talked to people, nobody had, there was no conversation about security, not really. And what I did see was a lot of conversation about AI. I have this tool also AI, right? It was, I have this tool also AI. AI is in all my tools, AI, AI, AI. So like, I guess when I’m there, I’m going, okay, you have these tools, I have AI that do all these things. Maybe the next question is, how secure is it? And do you have, do they have an answer for that?
The CISO (17:52)
I don’t think you can ask them how secure is it because they’ll give you some answer, you know, and the person with you, you know, it’s like, that’s not my job. That’s his job. I think what you need to talk about is, you know, and because everybody in the healthcare talks about HIPAA, like privacy, patient data. So if you talk in terms of that, I mean, they’ve done such a great job of promoting HIPAA and
patient privacy, that everybody understands that. You have to be, if you say, hey, is your device HIPAA compliant? They right away will tell you, yes, it is, or no, it isn’t. Right. And then what you want to do, when you say, hey, are you HIPAA compliant? and they say yes, then you dig a little bit deeper. Right. Because part of being HIPAA compliant is being secure, right? Protecting that patient information.
And how do you protect patient information? You have to have security controls on it. So that’s the way I would say for security professionals to deal with, to integrate into the process for medical devices is go through the regulation. A lot of times security people, I think, want to talk about the controls first.
They want to talk about the security controls. How secure is it? Is it encrypted? And these people don’t understand that. That’s not their priority. Their priority is how quickly, how accurately can this device perform its function? So that way the patient can have the surgery quickly or have the least damage during surgery or
or provide whatever medication, like in the case of a pump, an infusion pump, those are the things that they care about. So that’s why you’ve got to use their terminology, what’s important to them to get what is important to us, which in the end is important to the patient.
Actual (19:49)
Yeah, and that makes sense. I guess I just, I’m envisioning a future where, you know, security is a bigger part of the conversation. You know, like I would like to see from, you know, the creator’s side, the manufacturer’s side, the developer’s side: we’ve developed this product, and because we’re living in the day and age where everything now is becoming connected in some way or form, here’s how ours stands out above the rest in terms of security.
Like maybe we all are compliant with these regulations. However, we’ve taken an extra step. So I guess I’m looking at it for how can we utilize proper security that kind of goes above the baseline, right? Kind of the, the like the floor that everyone has to meet, but how can we use security as a selling pitch? How can we use it as, you know, putting your product above the rest, standing out above the rest, right? Does that make sense?
The CISO (20:38)
It does. It does. And I think you can do it. I think as a vendor for medical devices, you can absolutely do that. But you’ve got to talk about patient safety. Like, you have to go from that direction. Because if I’m a doctor or, you know, someone at the hospital who’s going to look at medical devices, what I’m there for is how do I provide better care for my patient? Right.
So you’ve got to come and approach it from that. Like if you’re a vendor and you just talk about, my devices are more secure than the booth next to me. Okay, right. But what does that mean? So you have to say, we save lives too. And we save lives because our devices will protect the patient’s information, protect the patient from getting
like, I don’t know what’s the term, like, you know, incorrect care, right, or incorrect doses or incorrect, you know, surgeries, whatever you want to call it. But this comes down to just sales and marketing, right? How do you market security so that it talks to, you know, a healthcare provider, right, who’s providing care directly to the patient? How do you talk to them
to the things that matter to them. So if you want to market to them, I would say, again, our devices are really secure. And so it protects the patient through multiple ways, right? It does what it’s supposed to do. And on top of that, you don’t have to worry that that patient’s information or the care that you’re providing to the patient is gonna be sabotaged.
Actual (22:23)
compromised.
The CISO (22:24)
compromised and sabotaged, yes.
Actual (22:26)
Yeah. And so right now, let’s just say I’m, I’m on the, purchasing side and let’s say I, you know, I’m looking at my inventory. Maybe I’m in the process now of going, we’re ready to get new stuff, right? Like we’re good. Like we, we know that we’re phasing this out and we’re bringing this something in and we’re in that process. And so let’s say I’m listening to this podcast. I’m like, okay, I get it. You know, I, I do need to have some focus on security here.
What are some questions to ask? Like just, just to make sure I’m covering my bases.
The CISO (22:56)
So if I’m coming from the provider side, so if I was coming from the provider side, I think you really need to just be more educated in terms of what you’re looking for. And it’s going to be a little bit hard, I think, but I would ask this. I would ask this.
What’s your stance on protecting the patient? Besides giving me a device that should work and do what you say it does, what other things does your company do to protect my patients? I would ask that if I was a provider, right? And see if they say security. See if that’s something that’s important to them, that they’re protecting my,
you know, the device from sabotage, right? So yeah, I would ask that, you know. So that would be one definite question. Do you need more than one question? I think that’s a pretty good one.
Actual (23:56)
Yeah. Yeah. And I think too, it’s, you know, it’s mindset as well, right? Even just thinking about it and making sure it’s part of the conversation. Yeah. So I think we’ve covered this pretty good and, yeah, we’re ready to move on. So we’re done with this episode and we’ll see you guys next week. And so the perimeter that we’re talking about here is no longer just your network, right? It’s embedded software on the instruments that save lives. So when the doctor’s hand is networked,
the doctor’s responsibility is then networked. Right? So on this topic, our mission success is about patient safety. And so let’s get out there and execute to that standard. See you next week.