Developing & Implementing New Technology • Data Security • Program Management
Data Security, Digital Health, Electronic Payments, and More
42TEK LLC provides business and technology consulting to help organizations address cybersecurity concerns and conceive, develop, implement, and maintain secure technologies in healthcare, payment processing systems, critical infrastructure, and environmental systems. Program management, project management, and compliance experience at Apple, Google, PayPal, Yahoo!, First Data, Kaiser Permanente, and startups, plus earlier environmental engineering and patient care experience.
Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP). Experience at First Data, Apple, Yahoo!, Kaiser Permanente, and others protecting credit card data under the Payment Card Industry Data Security Standard (PCI DSS) and personally identifiable information under the Health Insurance Portability and Accountability Act (HIPAA) and other laws and standards.
Consulting on cybersecurity for network-connected devices ("Internet of Things" / Remote Patient Monitoring / Environmental Sensors).
Clinical and engineering experience to help securely architect and implement technologies for mobile health, remote monitoring, and healthcare payments. Helping clinicians and technologists understand each other. Respiratory therapy experience in Intensive Care Units. Healthcare financial systems at Kaiser Permanente. Telemedicine at AppMedicine, Inc. Organizer, moderator, or presenter at more than 20 conferences and seminars on digital health, data security, and payments topics.
Over 20 years of experience in the payments industry at Apple, Google, PayPal, Kaiser Permanente, ViVOtech, Yahoo!, and BBPOS, ranging from transaction processing to card issuing, merchant card acceptance, POS equipment deployment and service, and PCI DSS compliance. Special experience in contactless (NFC) and healthcare payments.
MOVE Community Outreach, an IEEE-USA Initiative, is an emergency relief program committed to assisting victims of natural disasters with short-term communications, computer, and power solutions. Services include phone charging, internet & communications support, and lighting to disaster victims. MOVE also offers educational outreach.
In conjunction with the presence of the MOVE truck at the IEEE Global Humanitarian Technology Conference (GHTC), this is a panel discussion among representatives from organizations involved with emergency response and disaster recovery. The focus is on communications, computing, and power, but expanded from there. After a brief description of the MOVE truck, the emphasis is on stories about what works and lessons learned.
see link above for photos and biographical paragraphs for moderator and panelists.
this video from Zoom contains
first few minutes: introduction about the Consultants’ Network of Silicon Valley (CNSV)
– I’m assisting a medical software startup with setting up its cybersecurity program for its Software as a Medical Device (SaMD) product.
– I’m doing program management work related to Public Key Infrastructure for a large Silicon Valley technology company. Lots to do to maintain compliance with WebTrust and CAB Forum requirements.
– RSA Conference (https://www.rsaconference.com/usa) and BSidesSF (https://bsidessf.org) in San Francisco are deferred from February to June 2022. I’ll probably volunteer again at BSidesSF, assuming it is reasonably safe with respect to COVID-19. Maybe hang out on the exhibit floor at RSA for a day.
This Spring and Summer there’s a lot going on relative to cybersecurity for medical devices. Check these out…
Defcon 30 Biohacking Village – is targeted for August 11-14 in Las Vegas. We’ll see whether that actually happens and how risky it may be to attend, depending on the status of COVID-19. https://www.villageb.io
It’s been a whirlwind week and it’s not over, yet. Defcon29 (aka “hacker summer camp”) was August 5-8 in Las Vegas. HIMSS21 (the Health Information Management Systems Society’s global conference) started August 9 and runs through August 13, also in Las Vegas. Temperatures have been as high as 108 degrees F. Both have been hybrid conferences with some online and some in person.
I volunteered with the Biohacking Village at Defcon29, which this year mainly involved monitoring the online discussion boards in case there was any inappropriate behavior. The in person things included villages regarding IoT Hacking, Car Hacking, Voting Machines, Cryptocurrency, Satellite Hacking, and a new group called Security Leaders. There were also some good sessions on Public Policy pertaining to cybersecurity.
I co-authored and co-presented a short talk at HIMSS21…
Cybersecurity in a Complex Healthcare Ecosystem David Snyder, 42TEK, Inc. & Mitch Parker, Indiana University Health
Managing cybersecurity risk for supply chains with multiple vendors is complicated. Each vendor is clearly responsible for its own system, but who minds the overall end-to-end concerns? These concerns affect both products, such as medical devices, and services, such as telehealth platforms. Healthcare delivery organizations can have over a thousand vendors, many of which connect to the organization’s network. Cybersecurity attackers can invade a supplier’s network, interrupt service, steal information, upload malware, and even get into the healthcare delivery organization’s network to do damage, install ransomware, or steal information. In this presentation, best practices were described for assessing risks, avoiding cybersecurity vulnerabilities, and for network-connected vendors and business partners to maintain security. Special attention was given to hospitals and remote patient monitoring. Containerization, Application Programming Interfaces, and modern virtualization techniques were also covered.
This talk was based on the paper posted elsewhere on this web site.
equally important with designing, implementing, and maintaining online systems securely is the need to anticipate and expect failures and malicious attacks that will require response and recovery. Sure, cyber defense, but plan for cyber resilience [recover quickly]. Offline backups, emergency contact lists, contingency plans, legal and technical consulting standby contracts, and table top practice session are essential.
there is a shortage of trained cybersecurity professionals, so start investing in training for your existing staff while continuing to seek the expertise you need
More and more RPM devices are being introduced for healthcare providers to use in managing post-acute and chronic care patients. The diagram below shows the variety of ways in which these devices may transmit information from the patient’s home to the clinician. Other posts on this site discuss cybersecurity relative to RPM.
This is a work in progress. Watch for updates to this post and the full article. (Last updated March 18, 2021)
Cybersecurity risk management for supply chains with multiple vendors is complicated. Each vendor is clearly responsible for its own system, but who minds the overall end-to-end concerns? This article asserts that coordination across organizational boundaries is needed to assess and mitigate cybersecurity risks in remote patient monitoring (RPM) systems.
Examples of network-connected RPM devices include wearables (e.g., smart watches), glucose monitors, pacemaker monitors, blood pressure cuffs, pulse oximeters, continuous positive airway pressure (CPAP) machines, scales, and more. Such devices are part of the family of the Internet of Things (IoT).
A 2019 survey of physicians showed “Two in three, or 68 percent, of physicians surveyed strongly intend to use remote patient monitoring technology…” However, the survey report also indicates “Health care professionals view data security as the main barrier to technology uptake.”
The majority of recent cybersecurity analysis for medical devices has focused on devices used within hospitals and clinics. Cybersecurity for RPM is different in a number of ways.
RPM is a “system of systems” – a physical and digital chain consisting of devices connected to networks, connected to other networks. Typically, there are multiple stakeholders involved in the provision and operation of these systems These include device manufacturers that depend on a supply chain for software and hardware components, communications networks, data integrators, and the clinicians who are the ultimate users of the data (Figure 1). Also, various interfaces with humans, including patients, caregivers, developers, network engineers, and system administrators.
Attacks on healthcare delivery organization (HDO) networks via device or interim partner vulnerabilities are a bigger concern than attacks on individual devices. This is because more harm can be done if a healthcare delivery organization network is compromised. Attacks on these networks can not only result in theft of personally identifiable information, but also interruption of service, such as what occurs in a ransomware attack.
In a RPM digital supply chain with multiple vendors involved, it is necessary to take a “trust, but verify” approach. Clauses can be put in a contract or a “Business Associate Agreement” to require a supplier/partner (vendor) to maintain a good cybersecurity posture, but it is unlikely that the vendor can absolutely guarantee protection. When only written assurances of “best efforts” to prevent cybersecurity incidents are provided, it behooves the buyer/user to perform due diligence and monitor whether these efforts are effective.
One possible solution is for the healthcare delivery organization that is the receiver of the data to oversee the end-to-end process. Alternatively, the data platform vendor that consolidates, analyzes, and formats the data may be in a position to provide the needed coordination. On the other hand, it is difficult to imagine how device manufacturers could coordinate all of the stakeholders.
As a final thought, remember that the ever-changing cybersecurity landscape means it may not be possible to anticipate and mitigate all threats. In the event an incident occurs, there needs to be a plan to respond and recover. In an environment with multiple vendors, response coordination has to be planned and rehearsed before something happens. The objective is to make sure the entire remote patient monitoring system is resilient.
If you work for a health care delivery organization that is on the receiving end of a remote patient monitoring system, what are you doing to make sure all of the components in that system are secure and that you are ready to respond to problems?
If you are one of the vendors in remote patient monitoring system, what are you doing to make sure your upstream and downstream partners in the system are secure?
If you are not sure how to do this, you’ll probably want to obtain assistance to reach out to each of the organizations that comprise the end-to-end system and figure out an approach to make sure a holistic security framework is conceived and implemented.
* * *
David Snyder is a cybersecurity professional experienced at facilitating discussions among ecosystem members, analyzing complex processes, and orchestrating cross-functional and cross-organizational efforts.
This 3-hour workshop on December 10, 2019 in San Francisco explored similarities and differences between network-connected medical devices in clinical settings versus residential environments, relative cybersecurity challenges, and best practices throughout the lifecycle of remote devices.
Several trends are driving increased interest and adoption for using network-connected medical devices outside the clinical environment to diagnose, monitor, and treat patients. These include an aging population living longer, often with multiple chronic illnesses, looming shortages of doctors and nurses, and incentives to reduce hospital readmissions.
“88% of health systems and hospitals surveyed have invested or plan to invest in remote patient monitoring solutions to support their organizational transitions to value-based care.” (Spyglass Consulting Group)
The FDA, hospitals, researchers, and device manufacturers have been working hard to define best practices for cybersecurity for network-connected medical devices in hospitals. Attend and see what you need to consider.
I volunteered at the Biohacking Village and was able to network with some excellent people about developing and maintaining network-connected medical devices securely. Ten medical device manufacturers provided approximately 40 devices for hackers to examine and explore. There were about 30 workshops, presentations, and panels, including some of the premier security researchers in this space and representatives from the FDA.
December 11-12, 2018 at the Hotel Kabuki in San Francisco.
On December 11th, I was joined by a great team to conduct a 2.5-hour workshop entitled “Cybersecurity for Medical Devices is a “Team Sport.” Assisting with the workshop were:
Jason Johnson, Information Security Officer, Marin General Hospital
Matthew Jones, Clinical Engineering Security Specialist, Intermountain Healthcare
Deb Muro, Chief Information Officer, El Camino Hospital
Christine Sublett, President & Principal Consultant, Sublett Consulting, LLC
The workshop focused on how device developers can collaborate with hospitals and clinics to help make sure medical devices are set up and managed to protect patients’ privacy and safety.
The highly interactive session was conducted by a team with diverse backgrounds, including a hospital CIO, a clinical engineer, a hospital information security officer, and two neutral cybersecurity consultants to facilitate and moderate. Topics covered included:
Considerations during procurement, integration and operations
Defining best practices for device inventory management and monitoring device behavior and network traffic for potential cybersecurity attack indications
Ways of thinking about the issues in terms of people, process, and technology
Views on how connected medical device cybersecurity can be approached as a ‘team sport’ involving collaboration among manufacturers, regulators, providers (hospitals and physicians), supply chain, and patients
Currently focused mostly on cybersecurity, David Snyder helps organizations develop and implement new technologies. His experience includes program management and product management at companies like Apple, Google, Kaiser, First Data, PayPal, Yahoo, and various startups for data security, electronic payments, mobile applications, and healthcare systems.
He has worked on e-commerce in the credit card industry at transaction processors (First Data and PayPal), as well as large merchants (Apple and Kaiser Permanente) and manufacturers of point of sale terminal equipment for “contactless” or “NFC” payments (ViVOtech and BBPOS). At a telemedicine startup (AppMedicine), he used his clinical experience in Respiratory Therapy to help guide the development of digital health solutions.
Mr. Snyder has been the producer, moderator, or speaker for more than 20 conferences, seminars, and networking events on innovation in healthcare, data security, and payments.
Originally trained as a civil engineer, Mr. Snyder also worked in the areas of environmental impact assessment, energy facilities planning, hazardous materials management, and contaminated site investigation and cleanup.
Mr. Snyder has an MBA in Technology Management and is a Registered Professional Engineer (PE), Certified Information Systems Security Professional (CISSP), and Certified Cloud Security Professional.
David gets things to work for information-intensive industries (like health care, electronic payments, and data security), resulting in new product launches, global expansion, and process improvement. Typically, this means program management that involves explaining business requirements to developers and explaining solution features to business people. It also means leading and coordinating the activities of cross-functional teams, often with multiple companies involved.
He has worked as a staff member and as a consultant for both large and small organizations in the above industries.
Email us at email@example.com or click on the link above to use the Contact Form.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.