Samantha Jacques, PhD
Mar 31, 2023
• 41:44
SUMMARY KEYWORDS
htm, cybersecurity, hospital, devices, fda, patches, organizations, called, biomed, medical device, legacy, cyber, omnibus bill, equipment, cms, secure, bill, manufacturers, conversations, patch
SPEAKERS
Chyrill Sandrini, Samantha Jacques, PhD
Chyrill Sandrini 00:13
Welcome back to HTM Insider. Gosh, we have such a great program for you guys today. I’m so excited to bring Samantha Jacques to you. Wow, what an honor to have her on as a guest. And we’re going to talk about some really serious stuff that you might not know what’s going on in some bills and legislation and the politics behind cybersecurity, and some things that might be coming out here really soon. So without further ado, I’d like to introduce Sam and she likes to be called Sam, tell us who you are and what you do and where you where you’re out of.
Samantha Jacques, PhD 00:49
Sure. So hi, everyone, my name is Dr. Sam Jacques. I am the Vice President of Clinical Engineering at McLaren Health. McLaren is a 14 hospital system in Michigan and Ohio. And I’ve been around the HTM field for decades now. So. So thank you so much, Chyrill, for having me on the podcast today.
Chyrill Sandrini 01:10
Oh, it’s definitely our pleasure. I mean, you are so, gosh, you’re so recognized in the industry, and you’re such, you’re just such a go getter. I just love your spunk and your smile. And, you know, it’s just such an honor to have you on. So with that said, I don’t know if you guys know about this. And I had to do a lot of research. So I’m learning along with you. There’s this bill called the Omnibus bill, and there’s a subsection in it 3305, you might want to Google it. And it’s over 4000 pages. I’ve narrowed it down to a few sections. And we’re gonna pick Sam’s brain here a little bit today and kind of educate you, and kind of what’s coming down the pipeline for the HTM industry and cybersecurity in your hospital. So with that said, let’s just talk about first we ask you what is a cyber device for those that don’t know?
02:11
Sure, so So the Omnibus bill that got passed this past December was part of the the funding bill right that the government passed right before December. And in it included a whole bunch of content around cybersecurity, especially with medical devices. And so one of the items that were was in there was some statutory authorities that they gave the the Food and Drug Administration. So to take you guys back for those of you that aren’t aware, there was this act floating around Congress for a while called the Patch Act. And so every year, you know, those of us if we remember our sixth grade civics classes on how this stuff actually works, right, bills have got to get passed by both the House and the Senate. Right. And then they have to go to the President’s desk and be signed. Well, the Patch Act passed one house but not the other. And so the Patch Act allowed a whole bunch of other rules in requirements related to cybersecurity. So as a last ditch effort, way back in Fall, the FDA spending bill came through Congress. And so the FDA spending bill is called the FDA User Fee Agreement Legislation, right? So it makes a lot of sense. So right, the FDA is not actually funded by the government. It’s funded by the manufacturers, right, who go to get their products approved, right, they get their 510 Ks, they get their premarket authorizations. That funding bill had to be reauthorized by Congress. So it went through Congress. And there were a bunch of requests, none of which got passed. And so we thought all of the cybersecurity stuff that was happening in Congress was dead last year. Lo and behold, right. The 12th hour in December, right of 2022. It got added to the Omnibus bill, so the omnibus bill was actually spending bill, what we’re going to talk about has nothing to do with spending. But in typical Congress faction, right, they added it in Section 3305. To your point, it’s a 4000 page bill. So those of us that have time to, you know, sit and read 4000 page bills know exactly what’s going on. So we’re gonna spend a whole bunch of time telling you guys today exactly what’s in here so that you don’t have to, you don’t have to do that.
Chyrill Sandrini 04:28
Right. I mean, it. It’s crazy. I mean, they put bills like they’re sitting on Capitol Hill, right? I remember the song Schoolhouse Rock. I just think, wow, you know, this is shoved into something that it shouldn’t even be in, in my opinion. So what does this mean to the FDA?
Samantha Jacques, PhD 04:49
Alright, so the Omnibus bill gave the FDA all kinds of authority. Okay. So again, you Congress is the only one allowed to pass laws. So FDA doesn’t actually write law, right? We we have instead something called guidance, right. So the FDA publishes guidance documents to help medical device manufacturers know exactly what to do when they’re building and designing and submitting their products for approval. Those guidance documents don’t have the weight of law behind them or didn’t prior to the Omnibus bill. And so it was really a please do this type of agreement. Right. And, you know, you’re going to submit to the FDA as a medical device manufacturer, please, please, please, right? Include all of the stuff that we find best practices. Now, of course, the FDA can deny publications or deny products coming through if they don’t do it. But fundamentally, it didn’t have the weight of the law. What the Omnibus bill did is it gave the FDA something called statutory authority to actually make laws. And so this is a very tightly designed authority, so that they can take the role of Congress in in creating laws around medical device cybersecurity, it’s very specific to medical device cybersecurity.
Chyrill Sandrini 06:08
Wow, that’s in a way kind of scary, right?
Samantha Jacques, PhD 06:13
Yeah. And in there are the there are other government agencies that have the statutory authority and something the FDA has been asking for for quite a long time, it’s actually going to help us not only in the HTM community, but also right as patients, right, we want our devices to be cyber secure. And so we can now look to the FDA to write laws and regulations and hold individuals and corporations accountable if they don’t meet those laws. So even though it sounds a little bit scary, right, to your point, and it is a little bit different. I think it’s actually a very positive step right to ensuring the safety and effectiveness of devices that are in hospitals today.
Chyrill Sandrini 06:54
So that being said, All right, so it’s great for cybersecurity. It’s great for patient safety. What’s the response from the manufacturers?
Samantha Jacques, PhD 07:06
Yeah, so the manufacturers have a lot of work to do, which I know a lot of them have been scrambling, because in the omnibus bill, there’s actually deadlines for some of the things that are required for both the FDA and for manufacturers to do so. The bill outlines two different paths. Okay. And so for those of us that live in htm, we know, we have stuff in our hospitals today, right? We’re gonna call those current products on the market, I can buy them this minute. Current products on the market, of course, it’s very hard to go ahead and create new laws around because they’ve already been approved, right? They’ve been through the approval process, they’re currently on the market. So for any product that’s currently on the market, manufacturers are required to submit a plan. And that plan has got to monitor identify and address in a reasonable timeframe, any cybersecurity vulnerabilities and exploits. And that includes disclosure, right? How do we tell everyone there’s an issue? How do we know that there’s an issue? And then how do we go ahead and turn around and create a patch and deploy that patch? So that process right a lot of a large manufacturers already have right, we have large organizations that have a process to tell us about cyber vulnerabilities today. What this does is it requires all manufacturers to do the same thing. So it’s really setting a level playing field for anyone that has products on the market. Now, for products that don’t exist on the market today, there are additional requirements. So anybody who is now going to submit to the FDA starting, I want to say it’s 30 days, but I’d have to check prior after the authorization, anybody who needs to submit has got some additional requirements. So first, they have to design and develop processes to make sure their systems can take post market update. So when they’re in the field, they can actually get patches and can be updated, right, we’re not going to continue putting legacy devices out there that can’t be patched. Secondly, and probably most excited for those of us that live in in a lot of cybersecurity worlds is that all medical device manufacturers and products coming to the market will now require something called an SBOM. If you haven’t heard of an SBOM, an SBOM is a software bill of materials. And what that is, is it’s truthfully just a list a big list of every piece of software, firmware, etc. that lives in the device itself. So when vulnerabilities come out, we’ll now have a list to look at to say is this product affected? All I have to do is scan down my s bomb is that software in my product, then we have to worry about my software is not in my product. Right? I have a I have no concerns right over whatever exploit vulnerabilities out there. So it’s really a communication tool. It’s helpful for those of that own the products to know are we in fact vulnerable to something that’s going around in the environment?
Chyrill Sandrini 10:07
Wow. So how much time is that going to take? We have so many biomeds out there that are just waiting for a job. Because I think that means a lot of extra work sounds like? I could be wrong.
Samantha Jacques, PhD 10:25
No, you’re exactly right. Manufacturers have got to provide all this information now. But But to your point, what does that mean for us? Right? Oh, those of us that live with hospitals, there is an immense amount of work that’s going to be coming our way, okay. And that work, some of your cyber departments do it, some biomed departments have cybersecurity within them. They have monitoring and patching as part of their scope. What it really means is, we’re gonna get a whole bunch more information, and we’re gonna have to figure out how to organize and categorize and accept, and even figure out how to how to review that when stuff is happening. And so, if you’re part of right, if any of your listeners are part of cyber departments, now’s the time to start thinking about what those processes need to look like. What kind of staffing do you need? What kind of work do you need to do internal to your organization, either with your IT partners or with your cybersecurity partners? Where do these roles and responsibilities live? Right? We all love to talk about who owns what, right in the IT-cyber-HTM world. We can’t wait right until stuff starts hitting our desk to start having these conversations. Now is the time for departments to start thinking about, how do we ingest and digest all this new information that’s going to be coming to us, right? Part of our role as HTM leaders right and HTMs within the field is we have to make sure devices are safe and secure. And now that safety and security includes cybersecurity, and I realize those of us that have been the field for years like I have, that’s new, that’s not something historically we’ve had to deal with. But now is the time right now the FDA is getting all these great new authorities, we’re going to be getting all this great new information, we have to find a way to do something useful with it, because it will help our patients in the long run.
Chyrill Sandrini 12:20
Are you guys collaborating as htm leaders to use each other’s ideas to make a process that might be easier to implement in hospitals across the United States? Because I see, honestly, you’re at a 14 hospital system. In my mind, I’m thinking, what about all those rural hospitals?
Samantha Jacques, PhD 12:40
Yeah, there’s a lot of groups that are trying to come up with processes and policies and tools that are available to help those departments. And it’s not just in the area of medical device cybersecurity, right, which is near and dear to my heart. But General cybersecurity in and of itself, right. To your point. rural hospital systems may not even have a chief information security officer, right? They may have the three guys that run all of IT. And they don’t have the subject matter expertise, they don’t have the knowledge. There are organizations out there that are trying to help rural and smaller organizations define exactly what that looks like. I know health and human services, as well as some of the large government organizations like seesaw are really trying to put together best practices and minimum recommendations on what cybersecurity needs to look like. But none of that is baked yet right. We’re still flying the airplane while we’re building the airplane, which makes it very challenging, right. And, you know, one would think we all can easily figure this out. It’s very different from hospital to hospital hospital, what equipment you have, what infrastructure you have, what staff you have, even who owns what, right from a roles and responsibilities, perspective is different. You know, and so I advocate very, very highly that now’s the time to start having communications and conversations, right. You don’t necessarily need to own everything. You don’t need to be the subject matter expert, but you need to be in these conversations with your it and your cybersecurity folks. I can guarantee you most of them don’t understand medical devices, right? Just like most of our HTM folks are just learning about cybersecurity. It’s time to start cross pollinating those conversations so that we can all be in this together. Again, with the with the focus that we all have in healthcare, right? We’re here to make sure everything’s safe and effective, right? Our patients are number one. So it’s not about you know, who’s whose little scope there there is or we’re treading on somebody else’s expertise. We all got to start learning from each other to make it safer and better for the future.
Chyrill Sandrini 14:47
Yeah, and I also think like working with the, you know, independent service organizations out there, right, that’s another component that falls into, you know, the conversation right because who owns it? As you say, Who’s responsible for it?
Samantha Jacques, PhD 15:02
Right. And that goes exactly back to roles and responsibilities, right? Some hospital systems have have very robust in house programs, right. Some hospital systems have a mix of in house and outsourced, and some programs are 100%, outsourced, right, and they’re outsource to ISOs, or outsource to OEMs, right? You know, Vee, has a program where they can do your entire in house biomed. I’m not gonna argue whether that makes them an OEM or an ISO, fundamentally, they’re responsible for safety, just like any of us in the HTM field. And so those conversations become more critical, you know, in my opinion, because from a role and responsibility perspective, we need to understand who’s doing what, right, who was monitoring, who’s,right? Who’s looking at all this information, who was who’s managing the risk, who’s identifying the risk. And then when something happens, who’s responding, right, we need to have a robust response plan, right? When something occurs, it’s no longer none of us talk about if something occurs anymore. Now it’s when something occurs, right? What what are we going to do? And so to your point, this affects in house, this affects ISOs, this affects OEMs, all of us need to be on the same page with our playbook.
Chyrill Sandrini 16:12
And then who’s going to, I mean, just thoughts coming into my head here, Sam, who’s going to regulate this from the FDAs perspective into the hospital? Is that going to become another part of Jayco or any other? I’m gonna just think it like who’s gonna be the watchdog?
Samantha Jacques, PhD 16:34
Yes. So this gets complicated again. So for those of you listeners that don’t know how the regulatory world works, right, of medical device manufacturers are regulated by the FDA. Right? So the FDA has authority to go ahead and put products on the market. But the FDA is not the one that regulates hospitals, right? We all have either drug commission or DNV that come in to follow our regulatory burdens. Now, drug commission and DNV aren’t government agencies, they’re deemed organizations from the Center for Medicare and Medicaid, right? So CMS technically, is the government agency that regulates hospitals, right, and physicians practices and all that kind of good stuff. So CMS and the FDA both live in the same Health and Human Services section of the government. So there is work being done in Health and Human Services to start aligning some of this, right, because rules and regulations on the MDM side don’t match rules and regulations on the CMS side. And those of us for years have been fighting with different regulations. They align generally, right? Generally, we all want to do the same thing. But when we get down to specifics, they’re different, right? CMS cares about patient care, and they care about how patient care is delivered. Yes, they have specific regulations around medical devices, we’ve got a whole chapter right around medical devices, but that doesn’t align right to the FDA requirements. So there is a government group, right, working together to try and start aligning some of those ideas. In once you throw cyber into the mix, I hate I hate to tell you it gets even more complicated, right, because CISA right, the cybersecurity infrastructure agency, does it report to Health and Human Services, and CISA’s actually responsible for all cybersecurity, not just hospital cybersecurity. So a lot of the guidelines that come out of CISA have nothing to do with health care, right. And they’re written very generally, for every different industry that’s out there doesn’t matter if you’re in manufacturing or finance, right, or health care. CISA’s regulations cover all of those. And so the government is really trying to put together a group to go ahead and streamline that. So again, it depending on how into government relations, you are, Biden’s administration created the Office of, under Biden’s administration, they created the Office of the National Cyber director, who whose job it is to start wrangling right, all of the cybersecurity requirements across all of the government. So that office has been working throughout Biden’s term to go ahead and start streamlining some of this. HHS is very engaged. And they’re they’re working diligently to try and get us some some streamlined recommendations and regulations that can then flow down to everybody, right, whether it be CMS or FDA.
Chyrill Sandrini 19:28
So what does that timeline look like? Oh,
Samantha Jacques, PhD 19:31
I hate to say I wouldn’t even hazard a guess at this point. There are some recommendations that are that are they’re being worked on. But I can’t I can’t give you a timeline as to exactly when they’re going to be out. The good news is they know it’s a problem and they know they’re working on it to go ahead and try and get us some some clear regulations and recommendations to start moving towards.
Chyrill Sandrini 19:54
So if you had the chance to put everybody in a big room All right, what are some takeaways? Like, what can you give some advice or insight or just your opinion, Sam, because it does matter, we’re all we’re all listening. Because I feel like this is gonna be a lot of work for a lot of people.
Samantha Jacques, PhD 20:13
It is. And I think the one thing that I would tell you is don’t go at it alone, right. So there are tons of resources and recommendations out there that you don’t have to create on your own right, we don’t expect HTM leaders, we don’t even expect CISOs right to create the rulebook on how to do this. And so I’m going to recommend one organization that you can either join or if you’re not willing to join it, that’s fine. They have tons of free documents out there for you to use, digest and pretty much just implement. And that organization is the Health Sector Coordinating Council, the Health Sector Coordinating Council is a group. Again, that’s that’s designated under US national policy, to help work with the government and private agencies to create recommendations. NSCC groups have been very prolific about writing guidance on how to do all kinds of stuff in this area. So please, if this is new to you, if you have no idea where to start, do not recreate the wheel, use the resources that are out there right to to understand and learn first, and then you can put a plan together for you and your teams to go ahead and start implementing don’t don’t try and start at Ground Zero. There’s just too much out there.
Chyrill Sandrini 21:29
Well, yeah, I just can’t even imagine, you know, there are still a lot of in house single hospitals that are out there, that I just feel like this is going to be a huge task for them. Especially when you’re comparing legacy devices to new devices. And when your budget, you know, can only allow for you to buy pre owned equipment and a lot of circumstances. Can we talk about that? Like what are the legacy devices to the manufacturer buying pre owned equipment, or even rentals, you know loaners that come in? Um, how does that all work together?
Samantha Jacques, PhD 22:06
Yeah, so legacy devices are a huge issue, right. And so just for just for the audience, the a legacy device, especially if you’re going to use the official definition is a device that can’t be secured, right from a cybersecurity perspective. And so that may be a device that’s fully supported by the manufacturer. So I might buy it is a pre owned device, it may still be supported by the original equipment manufacturer, I still could buy parts, I still could buy service from it for from third parties and such. But should an event occur? Should a vulnerability occur if that device can’t be patched? It can’t be protected? Right. And so if all of us look at our inventories, right, the majority of our inventories are considered these legacy devices. And that’s very problematic, right? If I’m not able to secure a majority of my equipment, according to this definition, right, we should all be concerned, right? Because we need to, we need to figure out other ways to go ahead and ensure the safety of the equipment without actually touching the device itself. And so that involves it that involves network security that involves other compensating controls to go ahead and mitigate the risk of having all of these legacy devices in my environment. To your point, I don’t think hospitals are going to get away from buying pre owned equipment, right, from having myriads of equipment within their organizations that are legacy, we’re going to have to find other ways to go ahead and protect those devices outside of getting a patch or outside of right, traditional cybersecurity support for those devices.
Chyrill Sandrini 23:55
Yeah, I mean, and I’m also thinking right now, like, the funding, right? Where’s this money gonna come from? And you and I both know, hospitals across the nation, man, can we just dump some money into them? You know, especially the smaller hospitals in smaller regions that are serving a population. So they don’t have to drive two hours to get to an ER, right? Where’s this funding in a drop out of the sky yet?
Samantha Jacques, PhD 24:23
The good news is people at the right levels are asking that exact question. So again, for those of you that don’t follow all of the stuff going on in Washington, Senator Warner pushed out a policy paper policy recommendations paper a couple of months ago, and one of the recommendations he made was that hospitals need incentives, right? We need additional funding to go ahead and implement some of these minimum security practices because smaller hospitals and even some of the larger hospitals don’t have the resources to go ahead and secure themselves in an appropriate manner, we all know, you know, cyber events are increasing, especially in the hospital world. Ransomware happens much more often than it did, you know, even two years ago. And so a concerted effort needs to be made to go ahead and get every hospital in the US up to a minimum standard. Now, I wish I had better news for you that there’s a magic pool of money the government has not that I’m aware of at this point. But but it’s being talked about, right. And it’s being talked about at the right levels of government that we can’t truly secure what we have without the appropriate funding. And funding is is is an easy way to say it. But But reality, its resources, right? Because even if we get a nice pool of money, are there the individuals out there that have the knowledge and expertise, right, we have a workforce as she was well, right? I can probably count on my hand, right, the number of really robust medical device security personnel that are out there, you know, it’s a whole new field or each teams are getting into, but the subject matter expertise is not nearly as broad, right? As, as it could be. And so, workforce development is an issue, we need to find more staff, we need to train those staff appropriately, right. And then we need to put all of these requirements in place to go ahead and ensure that our devices are safe and secure. So there’s work to be done on the hospital side. Obviously, there’s work to be done on the manufacturer side to make those devices even more secure when they hit the market, and are able to be updated when they hit the market. But but like I said the work. The work is out there. Right? One of, and you asked before what some of the recommendations I would make one of the other things I would say is we as htm organizations do not need to do it. All right, we’re very used to risk ranking, right? When we have high risk equipment, and we have low risk equipment, we can use some of those same risk techniques to go ahead and prioritize our cybersecurity work as well. So even for those hospitals that don’t have a ton of resources, right, we don’t need to do it all we need to start with our high risk stuff. We need to secure the stuff that is truly risky, and put processes and policies and procedures in place. And then continue to eat the elephant for a better term, right? Well, we can’t do it all. And we can’t do it all to your point without some additional funding. But we have to start somewhere with the resources that we have today.
Chyrill Sandrini 27:25
Yeah, and I’ll and I’ll be honest with you, like, at MMS, we’ve been getting, you know, request to do implementations by 2024 people are starting to plan now. I mean, we see it, and that just all comes home now that I’ve read all this, it’s all starting to make a little more sense, just to me, you know. So a couple things I want to explain because I didn’t know exactly what they were is HSCC and the SCC’s like, how does that all come together?
Samantha Jacques, PhD 28:00
Sure. So the health sector Coordinating Council started a while ago. So the government designates what it’s called critical infrastructure. Right. So healthcare is considered one of the 16 critical infrastructure sectors, finance, right? Water, transportation, energy, all of them are critical to the functioning of the United States. Right. So healthcare, right is one of those 16 things. So the Healthcare Coordinating Council is a group of organizations that represent health care, that is the partner to the government, right. So we work with the government and represent the sector of the healthcare sector. So this public private partnership is coordinated by Sisa. Right. And Homeland Security. So infrastructure security agency, and Homeland Security is responsible for making sure all these critical infrastructure sectors work so the US can actually function. So the health sector Coordinating Council is one of the 16 coordinating councils, right, so well as one of the 16 sectors. So that’s the group that I mentioned before, that really creates all of this guidance that’s out there for you guys to go ahead and read and review. Members include everybody we have industry partners, right all the medical device manufacturers, there’s pharmaceutical manufacturers, there’s insurers, there’s independent service organizations, there’s hospitals, advisory groups, this is a massive group of agencies of anyone truly that has a health a stake in health care. So you guys listening to the podcast, if you want to join the healthcare sector Coordinating Council, you can and learn about what’s going on in participate in creating these guidances. The free guidances are out there for you guys to go look at and they cover all kinds of topics. The ones I’m going to recommend to you: there’s a health industry cybersecurity practice. Right. So it’s a document that talks about basic cybersecurity, what are we supposed to do as healthcare organizations? What should we be doing? There’s this Pacific Medical Device and health IT security plan. Right? So how do we work with our IT counterparts to put a plan together, I don’t need to recreate the wheel, I’m gonna go download the plan, and I’m gonna go work with my IT people on the direct plan that’s already been developed. One of the newest things that’s coming out and we’ll be released any any day now is actually a legacy medical device document. It’s called the health care industry cybersecurity managing legacy technology document, we’ve just completed it, it’s a it’s over 100 pages of things that we can do in our healthcare organizations to secure legacy devices, right. And so that guidance is out there for you. Again, you don’t need to recreate the wheel, go get it, go download it, and review it. And then you can start planning on exactly what you and your organization can do to start securing everything that you’ve got within your organization.
Chyrill Sandrini 30:58
So let’s circle back. So it I think it’s kind of confusing, again, Legacy device, I want you to define that how it’s being defined today. And maybe in this document that’s coming out.
Samantha Jacques, PhD 31:10
Sure. So those of us that have been around in htm free for years have all kinds of words, right we have end of production, we have end of support, we have end of… right? You name it. And what this group did is they aligned with a group called the im DRF, the International Medical Device regulators for so globally, we set the definition of what a legacy devices. So it’s not the same as end of support, it’s not the same as end of production. A legacy device is a device that cannot be reasonably protected against cybersecurity threats. And so it’s very mind bending, for those of us that have dealt with all this end of life and of service stuff for a long time. It has nothing to do with end of life or end of service it has to do with Can you protect the device related to cybersecurity. So in my mind, as I’m talking cybersecurity legacy equipment, right are ones that we have a hard time securing, right, we can’t patch it, we can’t protect it in a way specific to the device itself, we’ve got to use different methodologies to go ahead and secure that device.
Chyrill Sandrini 32:23
So let’s just talk one more time about patches and SBOMs. Because I think for the newer biomed, or even the new clinical engineering manager at a small hospital, this might be some really good, like, takeaway is talking about that SBOM and talk about what patching actually is.
Samantha Jacques, PhD 32:40
Alright, so patching is probably the easy one, right? So think about your phone, right or your, your tablet, right? Every once in a while, right? Generally on Tuesdays, Microsoft will send out right patch Tuesdays, we’re going to patch all of the issues that are wrong with our operating system, you get a nice little notification on the bottom of your phone, please install the update, right, you install the update, and all of a sudden you’re secure. Now, think about all your medical equipment, how many of them have an automated, please patch our device, it doesn’t exist, right? larger, larger medical device manufacturers have created ways for you to download patches usually requires you going to their website, right or them as manufacturers coming in and doing the patching for yourself that you’ve got to take the piece of equipment down, you’ve got to update the software and then reboot the piece of equipment. Those patches are not regular, right? So if we again, if we align them to Microsoft Patch Tuesday for Microsoft is a thing every other Tuesday, right? You get patches. medical device manufacturers don’t have a schedule like that, right. And so we as biomed, we as information security personnel need to go out and look for these patches. And so part of your cybersecurity program should be a methodology, again, for risk ranking your equipment, and for high risk equipment going out and actually looking to see if patches are available. If patches are available, one of your tasks as a biomed is to implement your patches which may require downtime, you may have to coordinate with your clinical folks, right to get access to the equipment and down it to actually do that patch. We should, as Biomeds, be patching stuff on a regular basis. The number of organizations that do that is not nearly as large as it should be. So patching methodology is as a requirement may be coming in right now. It’s not a joint commission requirements, not a CMS requirement. There’s been a lot of talk about it. But nothing is required now. We should be building those programs into our biomed departments now, if that’s not something that your department has today, now as bonds are something completely different. Again, an S bomb is a software bill of material. It’s a list of software and firmware that is in the device. Today, these are not readily available, right? It’s not like, you can call up Phillips or GE today and say, hey, send me all the SBOMs for the equipment I have, they don’t exist. There is a group working out of NIST, which is the Standards Institute, the National Standards Institute to develop what a standard s bomb looks like. The problem is right hasn’t been implemented yet. So if you get your hands on an SBOM, right, we’re going to you’re going to have some people have them in spreadsheets, some people have them in Word documents, some people have them in machine language, you can’t if you can’t actually read them. And so as a as an htm department, I’m going to tell you, tools will be developed to go ahead and ingest SBOM. You don’t need to create, recreate the wheel on how to go ahead and get the SBOM. What I would tell you at this point is you need to start having conversations with your IT group, your cybersecurity group, and what you’re going to do when they start coming to you. The whole process is going to be very much like the the MDS choose when they came out to begin with, right? How do you collect them? How do you review them? How do you risk rank them? What do you do with them once you’re done with the initial risk ranking? So it’s much less of a detailed process right than the patching is? What you guys should be doing as htm departments at this point is starting those conversations to say, when we start getting these, what are we going to do with them? Who’s going to look at them? Right? What do we care about? What do we want to keep as information? And how are we going to keep those documents, I promise you is this continues to grow and morphic field tools are going to start becoming available to make this much easier toss. Right now those tools don’t exist. And so we’re left to our own devices to try and figure out a way to do that. So I hate to tell you, if I were going to prioritize as a small, rural Regional Hospital with not a lot of resources. SBOM is a conversation, right, and the roles and responsibilities thing. Patching is something you’ve got to figure out how to do. And so patching, of course, will be the priority at this point to make sure that your devices that can be patched are and you guys are keeping up to date with all the security features that are out there.
Chyrill Sandrini 37:16
Man, you know, gosh, that’s a lot, Sam, it’s a lot of man, would you maybe put together maybe a resource page, and sites and locations that when people listen to this podcast, we get throw it up, but get put it out there are places where people can go and read marks, I think there’s gonna be a lot of questions.
Samantha Jacques, PhD 37:38
Well, then I hate to tell you, you know, part of what, what’s very difficult about this is there’s not one location for you to go learn about this. And as an HTM, right, the true source of knowledge is not in a single place. And a lot of the information that’s out there is not specific to medical devices, right? It’s coming from NIST, or it’s coming from CISA. Right in and it’s very hard for individual biomed to try and figure out how does this apply to me? Right? Or even managers? Right? How does this apply to me? How do I implement this, I will be happy to put together a resource page for you guys, I will be happy to put together places you can go learn more. Because fundamentally, cybersecurity is now one of those things that is becoming part of our day to day life. And even having a vocabulary, right where you understand all of these crazy nomenclatures that I’ve been throwing out today has taken me years to get to right. And I still Google stuff all the time, right? Tell me what this acronym means because it’s a very difficult field to try and break into. What I’m going to tell you and your HTM folks is that even though it’s difficult, it’s work we need to be doing right. It’s education, we need to be continuing, right and we need to educate ourselves. We need to educate our staff on cybersecurity practices and what we can be doing to go ahead and assure that that safe and effective care is provided to our patients on a daily basis.
Chyrill Sandrini 39:07
It’s a lot to take in and gosh, I’ve learned a lot today. I didn’t I am glad it’s called SBOM. I was calling it the S-B-O-M or whatever it was. Now I got it down, Sam. But wow. I mean, what what a great conversation. So we’re gonna wrap it up. But I want to know we always close with Wow, your word of wisdom are your words. What would you like to leave the listening audience?
Samantha Jacques, PhD 39:33
My words of wisdom today are really just around continuing education, right? Cybersecurity is new to all of us. And all of these topics are things we don’t deal with on a day to day basis. I would encourage you guys to continue growing and educating yourselves around all of these topics. The continuing education piece of HTM is so incredibly important, because stuff like this continues to develop in our field and if you don’t continue your education, right, you’re going to be left in the dust. So please, please, please continue learning continue growing in your field. And there’s those of us around here, obviously, to help teach you all of these very complicated things that are occurring today. So thank you very much for the opportunity. And I appreciate all the time we took today.
Chyrill Sandrini 40:19
Oh, it was just definitely our pleasure to have you on HTM Insider. I really want to encourage you folks out there, attend the conferences, beg borrow plead. There’s some coming up. There’s the MD Expo. AAMI is coming up. AAMI has a terrific lineup of educational classes at a very minimal or $0 to you. If you want more information and you don’t have Sam’s information, I’ll be happy to connect you. But yeah, keep growing and keep learning. You know, it’s important. This is patient safety patients are come first. And that’s why we’re in this industry. I know everyone listening is you know, one with a servant’s heart and they’re there to provide right patient care and this is patient care. You know, it really is. So continue to follow us on HTM Insider listen to wherever you listen to your podcast if you need CEU credits, listen on Tech Nation anytime to any one of the episodes and you can pick up one CEU credit and we will see you next time. Thank you