Securing Healthcare: Insights from Cybersecurity Expert Ben Kokx

Published on 27.5.2025, updated on 27.5.2025
Tampere University

Transcript

00:00:06 Carita
Welcome to the E Health 24 podcast, where we explore the digitalization of healthcare and
the potential of new technologies. Today, we are thrilled to have Ben Kokx with us, an
expert in healthcare and IoT security. Ben has over 22 years of experience in product
security and has worked extensively in developing global standards and security
frameworks. Welcome, Ben.

00:00:35 Ben
Thank you very much for having me. It's a pleasure to be here, at Tampere.

00:00:39 Carita
Good to have you. Could you share a bit about your background? How did you come to work
in cybersecurity, particularly with healthcare and IoT?

00:00:49 Ben
I started out many years ago as a software designer on forecourt equipment. Products like
control systems and point of sale systems for petrol stations. At a certain point in time,
I switched to Philips. That's now over 22 years ago and also there I started as a
software designer on X-ray systems. But soon after I started within Philips there were
some triggers for the Philips organisation to really start like we need to address
product security. So over 20 years ago, product security was made a forefront for
Philips and there I switched my role from being a software designer to someone who
focused on security but also, later on, privacy. Done so, initially within the business
unit, so for the X-ray systems, but later took on a global role addressing process and
policies throughout the organisation. And I'm currently in the regulatory organisation
trying to deal with standardisation and regulations in the field of cybersecurity.

00:01:52 Carita
With the IoT devices becoming more common in healthcare, security concerns have also
grown. What do you see as the biggest cybersecurity challenges for IoT in healthcare?

00:02:05 Ben
We have to recognise that healthcare is a critical infrastructure and of course the last
thing that we want is that people are denied access to healthcare. With the current
explosion of cyber crime, really extortion, attacking hospitals, which can have really
devastating effects. As an example, in a recent attack in May in the US, 142 hospitals,
their IT services were unavailable for over 5 weeks, really impacting care, and this is
really done by cyber criminals, but we should also not forget that cyber warfare is going
on. Hospitals are under attack, critical infrastructure is under attack, so one of the
biggest challenges here, in my view, is, of course, it's difficult to address cyber crime
and cyber warfare with the current political situation. So we need to improve the
knowledge of those who develop solutions, of those who use the solutions, and this
knowledge gap is something that really needs to be addressed to improve security overall.

00:03:10 Carita
You have a long background in product security. What role do harmonised standards play in
ensuring product security and how do they impact industry players?

00:03:21 Ben
So what we see as a reaction from everything that is going on in the field of
cybersecurity and the risks is indeed that the regulators across the globe are addressing
cybersecurity in new regulations. In Europe, we use harmonised standards to demonstrate
that you fulfil these regulations, and for me, these harmonised standards are really
means that all the players have a common understanding of what are the requirements. For
me, standards are a way to communicate to each other, everybody has an
understanding. So when we talk about harmonised standard, this means that the regulators
have an understanding of what needs to be done. Also the main manufacturers, but also,
for instance, market surveillance authorities at the test houses and also the users, we
need to make sure that everybody has a good understanding and that's why these harmonised
standards play a role also, of course, to support what we call self-assessment, that the
manufacturer self can test whether the product complies to the regulation. Otherwise
everything needs to be done by the test houses by the notified bodies, which is really
not only costing more money but also delaying access to the market.

00:04:34 Carita
Cyber resilience has become an important theme in healthcare. What does cyber resilience
mean in practice and how can it best be strengthened with healthcare?

00:04:46 Ben
So we talk about cyber resilience because there is no such thing as security. You can
never ever claim a product is secure because a new vulnerability might be discovered and
the product will become insecure. So we rather use the term cyber resilience, which means
that yes, something can go wrong but product is resilient. It can resist being hacked
and if it gets hacked it can easily recover, so resilience is a more, yeah, appropriate term
to say something is secure because it just does not exist. Important in healthcare, but I
think in every or every part in every sector where we talk about security is what I would
call shared responsibility.

As a manufacturer, I cannot ensure that a product is resilient, that nothing can go
wrong. I can, for instance, put an ultrasound system on the market and when that
ultrasound system should be typically connected to a hospital network which is isolated
from the internet. But if the hospital directly puts it onto the internet, then there's a
higher risk that this system gets attacked. So there is both the responsibility of the end
user, the hospital and the main manufacturer. Both have to make sure their products are
secure. And they both have to work together to maintain that security over time. And that
has a wide impact, for instance, also on old equipment, but also on the behaviour of, for
instance, the medical staff in hospitals, they have to be made aware that, for instance,
if you have a browser on the medical device, don't go shopping on the internet, on the
medical device, please don't and.

00:06:32 Carita
Go to the social media.

00:06:35 Ben
Or go to the social media. That's not what these devices indeed are designed for, and the
example of that have the 142 hospitals that were done. This was someone of the
hospital's staff downloading, clicking on the link in an e-mail, downloading a malicious
file, so people should be trained and all of this together everybody has to play its role,
his or her role in the field of cybersecurity.

00:07:00 Carita
Cybersecurity is a global challenge. How does international collaboration help improve
cybersecurity and are there specific initiatives you've been involved with?

00:07:15 Ben
Yes. So for cyber security is indeed an international issue and fighting cyber crime is
very complex. Often we see that for instance, the attackers are for instance in Russia
and it's not easy to get someone from Russia convicted here in Europe. But on the other
hand, we see for instance cooperation happening a lot and these criminal networks are
taken down. Recently, a huge criminal network that was trying to steal personal information
from people that really had set up a call centre to try to rob people from their banking
accounts. It was discovered that they operated from servers in the Netherlands and the
Dutch government, together with other European governments and for instance, the FBI got
involved and they really were able to bring down this criminal network. If they're going
to get the owner, the Russian person who was responsible, that's unlikely, but the
network is now down. So this is where and the enforcements working together to try to
fight cyber crime.

On the other hand, we also have, for instance, organisations like the International
Medical Device Regulators Forum, which is a public private association where we try to
harmonise all kind of items, topics for the medical devices and cybersecurity is one of
them. So this is where we really try that across the globe, we bring cybersecurity to a
higher level.

Also a standardisation you typically see that standards are more or less regional
startup. So for instance, in the US they have their own standards. In Europe, we are
developing our own standards. But then again, we do recognise that we have to cooperate
together. So there are for instance talks between Europe and US how can we recognise each
other's work in the field of cybersecurity standardisation.

00:09:09 Carita
Very interesting. What do you see for the future of cyber security and standards in
healthcare? Where do you envision the biggest advancements over the next five years?

00:09:22 Ben
I think we will see more and more specific standards for a specific type of products and
that will help these specific products. Cyber security is of course dependent on what
does the medical device do, is it for use in a hospital or is it for use in a patient's home
and depending on these requirements, these intended use you need other security types of
protection, and I think we will see more and more standards specifically to certain types
of equipment. This is also part of what we expect, of course from the regulatory
development.

If we look at cloud environments we see, for instance, in Europe that there are now
developments for what we call a European cloud scheme and this is a certification scheme
that can harmonise cloud providers across Europe. I think this will be a huge advantage
that will happen in the coming years. Because now as a manufacturer, if you're gonna
bring a product on the market in Germany, you have to comply with other certification
schemes than when you go to the Netherlands or when you go to France.

And of course, if this is not harmonised, that has an impact on time to market, so
takes time to bring a product on the specific market, which means that access to new
technology, more secure, more advanced technology is being delayed. So I think that these
kind of developments in standardisation, in harmonisation really will bring things
forward. Most impactful though on looking at the five year outlook are that we have new
regulations like the NIS 2 Directive which will require hospitals and their supply chain
so also the manufacturers to address security. From there, we will also see what we call
implementation regulations and standards that really tell like no hospital, these are the
requirements you have to fulfil on the cybersecurity manner, and also that applies to the
manufacturer.

And also we will have developments under the Medical Device Regulation IVDR, but also for
those products who are not on the MDR, IVDR, we will see that the Cyber Resilience Act
will really enforce products to be secure and standards underneath to underpin that. So I
think we will see a major shift for security in the coming years and the good or bad
thing behind that, I think is that with these regulations also come with penalties. I
would say that in Europe, we always thought that privacy is a high good, we value that in
Europe, but only when the GDPR came with the fines, organisations really responded,
really reacted and started to implement. Now with the NIS 2 Directive and this
upcoming Cyber Resilience Act, where we also see these fines where senior management is
personally accountable. I think we also will see this major shift over the coming years
to really advance security here in Europe.

00:12:17 Carita
What advice would you give to young professionals and students interested in cyber
security and its role in healthcare?

00:12:27 Ben
Yeah, thanks for that question. First of all, for me, cybersecurity is something that I
would call foundational. So everybody needs to know about security, of course, at an
appropriate level. If you for instance work even as a clinical scientist, you need to
know the data that needs to be secured. You need to know, you don't click that e-mail
that link in that e-mail from this stranger, so basic security and the basic
understanding of what we call the cyber hygiene is essential. So, everybody should be
exposed to cyber security and I hope we'll see an uplift of course, in everywhere where
there is that there is an appropriate focus on the cybersecurity risks.

Then again for those who develop solutions, they really of course need to have a higher
understanding because every solution you might build will have security risks and it's
not if they have them, they will have them. And of course, how can you reduce the risks
with that? So anybody developing solutions of course needs to be trained on security,
needs to understand that they make the right choices when they develop a solution, that
security is really taken into consideration from the basis from the ground up. It's
really a foundational issue.

And then of course we really also need the cybersecurity experts that can help the users
that can help people who design solutions and those are designing products but also the
hospitals they need security experts and at this moment there is an enormous shortage on
workforce in the field of security and this is from security in application in
development as security, that really in the operational side in hospitals, but then again
security, everybody should be exposed to security.

00:14:16 Carita
Should we teach our children cybersecurity?

00:14:18 Ben
Absolutely. We need to ensure that our children are aware about cyber security as well as
they, for instance, need to be aware about the risks that AI and the ethics around
AI, but absolutely also with security. And unfortunately there are a lot of bad people
out there which really want to exploit people.

Information is worth money, and for instance, if they have your health records, they can
do insurance fraud. They can do all kind of fraud because of all the information that
they have, but they can also use that to attack the patient him or herself because of all
the information. It's easy to persuade people to do certain actions, so it's very risky
and therefore we need to make sure that everybody is aware about security.

00:15:03 Carita
Thank you so much Ben, for joining us and sharing your valuable insights into cyber
security and standards in healthcare. This has been a pleasure. So thank you and goodbye.

00:15:17 Ben
Thank you very much. Goodbye.