HEALTHTECH: Tell us about the creation of IU Health’s Medical Device Security Lab.
STURGEON: I joined IU Health in 2019, and in early 2020, my boss came to me and said, “Hey, I want you to take over leadership of our offensive security team” — basically, our ethical hackers. And, “Oh, we need to do more with medical device security.”
I come from a digital forensics and defensive background, so the offensive side was new to me. Then, the COVID-19 pandemic hit, and on top of that, we were in the early stages of a new hospital being built in downtown Indianapolis where our cyber offices were, which were going to be demolished.
I knew that my team needed to get their hands on these devices to test for patient safety, and obviously we don’t want to hack these devices in a patient care setting. We needed a place to do this testing work, and from there came the idea to get a lab started. Let’s have a dedicated space where my team can come in, physically or remotely, to do device security testing. Eventually, we landed on a space at 16 Tech.
Being able to independently test devices is crucial. We run on a “trust but verify” perspective. Yes, we have great relationships with the manufacturers we do business with, but once a device leaves its facility and comes into ours, that’s an unknown for us. How’s that going to impact our network? What are the actual risks being introduced into our environment?
Previously, we were just taking a vendor’s word on device security, but things can work differently in a new environment, so validating devices and making sure we have the tools to protect these devices is so important. The lab gives us the ability to do key testing.
HEALTHTECH: What have you and your team learned since the lab opened?
STURGEON: We knew that devices would vary from capability to user interface and how they store and transmit data, but it’s been another thing to see it work and test it out first. We’ve got all these different variables based on all these different devices.
Our conversations with the manufacturers have gotten better. Our processes for handling the data and decommissioning the devices have improved. As my team gets more familiar with these devices, we’ll get better at testing new devices as they come in. It’s been a nice playground for my team of ethical hackers to be able to learn and explore.
HEALTHTECH: What are the top security lessons you learned in 2022?
STURGEON: Collaboration is key for success. As a hospital system, our top priority is to care for patients. But healthcare alone cannot solve all of its cybersecurity problems. We need others from different areas of expertise, different viewpoints. We need to work together, and that’s especially true for working closely with manufacturers and vendors. How can we broach the subject of “trust but verify” in a respectful, collaborative way? Manufacturers have one perspective, we have another, and we need to find common ground to address security concerns in the name of patient safety.