Rob Ferrill, Chief Information Security Officer, UAB Health System
Ferrill speaks at the summit on Medical Device Security. Medical devices range from “simple tongue depressors and bed pans to complex programmable pace makers with microchip technology and laser surgical devices” and are categorized by the FDA. Ferrill refers to a 2008 pacemaker hack by Kevin Fu, who led the University of Massachusetts project on the discovery of radio device vulnerabilities. Fu showed how to deliver an electrical charge to a patient’s pacemaker that could be lethal. He also discovered patient information simply by sniffing the traffic. Ferrill describes several other medical device hacks throughout the years.
The big issue the health industry has to keep up with is asset management and tracking vendor updates on vulnerabilities. Another issue is with vendors who develop applications. These applications are designed to run without admin privileges. Vendors are getting better, but we have a long way to go to ensure software developers and manufacturers understand that a device can meet FDA certification requirements while questions remain about the corporate network that developed and may manage these devices. “Different firmware version running on the same model device can cause software issues.”
There are a number of agencies that are trying to help the healthcare industry with cybersecurity. They are the National Cybersecurity Center of Excellence (NCSOE); Center for Global Health Science and Security (GHSS); FDA Guidance; National Health Information Sharing and Analysis Center (NH ISAC); and Medical Device Innovation, Safety and Security Consortium (MDISS).
Rob is a graduate of Auburn University with a Bachelor of Science in Management Information Systems. He holds CISSP and EnCase EnCE certifications and has had prior certifications from Microsoft, SANS (GCIH, GCFA) and Checkpoint (CCSA, CCSE). Rob has 23+ years of experience in IT with the last 16 being focused on Information Security. Rob leads a team of security professionals at UAB Health System responsible for developing, maintaining, overseeing, and operating security tools, processes, and policies. Rob oversees the protection of information assets via security event management, risk assessments, technology reviews and incident response / digital forensics. Rob also serves as the HIPAA Security Officer for the Health System and the University.