Taimur Aslam Of Cytex On Why the US Government is Getting Serious About Medical Device Cybersecurity

Make sure you dispose off your device properly and if possible, reset it to factor default settings to erase any private data. Most people don’t realize that devices can store data even when they are powered off.

In an era where technology is revolutionizing healthcare, medical devices — from pacemakers to insulin pumps to hospital imaging machines — are becoming increasingly interconnected. While these advancements offer unprecedented benefits, they also expose healthcare systems and patients to new cybersecurity risks. Cyberattacks on medical devices can result in compromised patient safety, data breaches, and even loss of life. Acknowledging the gravity of the issue, the US Government is ramping up its focus on medical device cybersecurity through regulations, initiatives, and collaborations with industry stakeholders. As a part of this series, we had the pleasure of interviewing Taimur Aslam.

Taimur Aslam is the co-founder and CTO of Cytex, Inc. a first of its kind SaaS based full-spectrum cybersecurity platform technology company focused on providing clarity and certainty to cyber defense through AI. Mr. Aslam founded health-tech company Argole Systems that developed Oncology EHR and revenue management systems, architected a PCMH initiative covering over 3.5 million lives, led a hospital chain with 82 hospitals and HIEs through the MU-2 and MU-3 certifications. Mr. Aslam’s Masters thesis became the basis for the internationally recognized CVE index database and 7 patents related to his work in cybersecurity. Taimur graduated from Purdue with a BS and MS in computer science and an MBA from the MIT Sloan School of Management.

Thank you so much for joining us in this interview series! Can you share the most interesting story that happened to you since you began this career?

Many years ago, I was trying to figure out why my Netflix was buffering. I started to look at the network traffic on my home network and discovered many devices (including a baby monitor) that were accessible over the network and were sending/receiving information. The baby monitor incident also led me to research into medical devices and how these devices connect and share data without a lot of security.

Is there a particular story that inspired you to pursue a career in this field? We’d love to hear it.

I started my research in cybersecurity as an undergrad and then followed a career in it.

Are you working on any exciting new projects now? How do you think that will help people?

We are working on bringing enterprise grade cybersecurity to small and medium sized businesses. Cybersecurity implementation can be intimidating for SMEs, who would rather focus on their core business than worry about cybersecurity. Our Cytex project simplifies cybersecurity implementation and protects SME from the bad actors.

We are also launching a consumer cybersecurity app to protect individuals against phishing, social media account take overs, and identity theft.

For the uninitiated, can you explain the nature and scope of cybersecurity threats to modern medical devices? How significant is the risk in comparison to other sectors?

Modern medical devices are increasingly becoming more network aware, where these devices can connect with computers networks over Bluetooth, Wi-Fi, and Ethernet connections. While the device connectivity provides convenience to users by making it easy to share data, it also exposes these devices to the following vulnerabilities:

1. Unauthorized access, which can be exploited to harm patients.
2. Data breach of Patient Health Identifiable (PHI) data.
3. Ransomware attacks, where the device may be rendered unusable.
4. Malware infection that can be spread to or from the device to the connecting network.
5. Denial of Service (DoS), where an attacker may shut down the device.
6. Supply chain attack, where components (software or hardware) may be manipulated during production or transport.

While these vulnerabilities are also present in other network devices, the risk medical devices have in comparison to other sectors is:

• Direct physical harm: A cybersecurity breach of a medical device may result in a direct physical harm to a patient.
• Data sensitivity: Health data is the most sought-after data on the dark web and an unauthorized data leak can have significant privacy implications for patients.
• Regulatory impact: Medical devices are regulated by the FDA and manufacturers are required to notify and remediate any vulnerabilities. Lack of action by a vendor may lead to regulatory penalties.
• Complexity: The complexity of medical devices makes it even more difficult to incorporate cyber security without significantly impacting cost and performance.

Could you highlight some key regulations or initiatives that the US Government has introduced or proposed specifically targeting medical device cybersecurity? How have these been received by industry stakeholders?

FDA has issued its guidance “Cybersecurity in medical devices: Considerations and content of premarket submission”. This authorizes FDA to require cybersecurity information in medical device submissions and require that manufacturers take certain actions to demonstrate reasonable assurance that such devices and related systems are “cybersecure.” The new statutory provision also makes it a prohibited act to fail to comply with FDA cybersecurity requirements. With this new legal authority, the government will be able to prosecute violations of FDA cybersecurity requirements criminally or to pursue injunctive relief against a company that is out of compliance, including for failure to maintain processes that reasonably protect against cybersecurity threats once a device is on the market.

The industry stakeholders realize the need for better cybersecurity in medical devices, but they are also apprehensive about the time, cost, and complexity that these regulations will add to the development cycle. It’s also pertinent to note that the manufacturer’s responsibility doesn’t end when a device is approved, they are also responsible for keeping track of any vulnerabilities that may be discovered during the operation of these devices. Once a vulnerability is discovered, vendors must notify patients, come up with a remediation, test the fix, and deploy the fix.

From a manufacturer and healthcare provider perspective, what are the most pressing challenges in adapting to and complying with these cybersecurity regulations? Are there any unforeseen hurdles they’ve had to navigate?

The biggest challenge is the complexity of these devices. The device manufacturers have expertise in developing these sophisticated devices to help patients and cybersecurity is often an afterthought. The biggest challenge would be to figure out how the design and manufacturing processes can be modified to incorporate cybersecurity best practices.

The hurdles would be time, complexity, cost, and lack of personnel who understand both cybersecurity and medical device design. There is a severe shortage of both cybersecurity personnel and medical device designers so training folks across two very complex and rapidly changing domains is going to be a problem for some time to come.

With regulations becoming more stringent, do you think this might impede or slow down the innovation of medical devices? How are manufacturers ensuring both security and the continuous advancement of medical technology?

I don’t think it will slow down the innovation. The medical device manufacturers will continue to focus on solving problems using their ingenuity. Cybersecurity has (for the most part) remained an afterthought in not just medical devices but in other connected devices as well. I don’t see that changing anytime soon.

What are your “5 Things Everyone Should Know About Medical Device Cybersecurity?”

1 . Medical devices are computers, and you should protect both your computer and medical devices by following a good cyber hygiene.

2 . Medical devices collect and transmit patient health data. This data is more valuable than financial data on the dark web, so be aware that bad actors are trying to steal this data. You need to be vigilant and ensure data at rest and data in transit is secure.

3 . Just as you keep your computer software up to date by installing updates, you should actively monitor any updates or recalls issued by your device manufacturer and act accordingly.

4 . The FDA provides a list of recalls vulnerabilities in medical devices at: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfRES/res.cfm. This is a good resource to check if your medical device has been recalled due to a vulnerability or other issues.

5 . Make sure you dispose off your device properly and if possible, reset it to factor default settings to erase any private data. Most people don’t realize that devices can store data even when they are powered off.

Considering the pace of technological advancements and the growing emphasis on cybersecurity, where do you see the future of medical device security in the next 5–10 years? Are there emerging technologies or methods that hold particular promise in safeguarding patient health and data?

As far as technology advancements go, I don’t see any significant change or improvement in the cybersecurity of medical devices. However, I think that consumers are becoming more cyberaware. The consumers through their actions will help reduce the cybersecurity incidents and may even force the vendors to adopt stricter cybersecurity measures by opting to buy devices with better cybersecurity.

If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Good cybersecurity practices such as using Multifactor Authentication, strong passwords, and keeping software up to date on devices and computers are simple yet effective steps to keep yourself and your data secure.

How can our readers further follow your work online?

Twitter: @tai6dur

LinkedIn: www.linkedin.com/in/taimuraslam

This was very inspiring and informative. Thank you so much for the time you spent on this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.