#54 : Chaitanya Mattur Srinivasamurthy: Leading Cybersecurity at ICU Medical

We sat down with the Sr Director of Cyber Security & Medical Device Connectivity Engineering at ICU Medical to discuss medical device cybersecurity, FDA, and balancing innovation and security.

About Chaitanya Mattur Srinivasamurthy

Chaitanya is a Sr Director of Cyber Security & Medical Device Connectivity Engineering at ICU Medical. ICU Medical is a global leader in IV therapy and develops various types of infusion pumps along with enterprise-based software solutions, including cloud-hosted software solutions. He brings over 20 years of experience in the entire product development lifecycle, from concept to launch, across various industries. Throughout his career, Chaitanya has coordinated with global teams, managed multi-million-dollar projects, and ensured customer satisfaction in highly regulated environments. His deep knowledge spans medical device connectivity, cybersecurity, Wi-Fi, and medical device manufacturing. He also possesses extensive experience meeting the requirements of regulatory bodies like the FDA and the EU’s MDD.

Summary of the Conversation with Chaitanya Mattur Srinivasamurthy

Chaitanya Mattur Srinivasamurthy, Senior Director of Cybersecurity and Medical Device Connectivity Engineering at ICU Medical, shared his extensive experience and insights into the intersection of medical devices and cybersecurity. His career spans over 20 years in product development across various industries, focusing on medical device connectivity, cybersecurity, and regulatory compliance.

Career Journey

  • Early Career: Started as a firmware engineer in India, working on remote access servers and embedded operating systems.
  • Telecommunication Industry: Worked in the U.S. on higher-level systems like universal gateways, cable modem termination systems, and network management.
  • Transition to Medical Devices: Moved into the medical space to bring connectivity solutions to medical devices, eventually focusing on cybersecurity.
  • Current Role: Senior Director at ICU Medical, working on cybersecurity and connectivity for medical devices.

Insights and Highlights

  • Adding Connectivity to Medical Devices: Discussed the challenge of adding connectivity to medical devices, originally designed solely for therapy, without compromising security.
  • Legacy Devices: Highlighted the difficulty of securing older medical devices that were not designed with connectivity or cybersecurity in mind.
  • Power Management: Emphasized the importance of balancing security measures with power consumption, especially for battery-powered devices.
  • Reducing Attack Surface: Recommended reducing the attack surface of medical devices and employing defense-in-depth strategies to enhance security.
  • Regulatory Requirements: Explained the critical role of regulations like the FDA’s cybersecurity guidelines and how they influence product design and development.
  • Shared Responsibility: Pointed out that cybersecurity is a shared responsibility between medical device manufacturers and healthcare providers.

Challenges in Medical Device Cybersecurity

  • Design Constraints: Discussed the constraints of designing secure medical devices that still meet their primary therapeutic functions.
  • Balancing Innovation and Security: Addressed the challenge of balancing rapid innovation with the need for robust cybersecurity measures.
  • Regulatory Compliance: Explained the importance of understanding and meeting various global regulatory requirements, such as those from the FDA and EU, and how they help drive internal cybersecurity efforts.

Advice for Professionals

  • Understanding the System: Encouraged cybersecurity professionals to thoroughly understand the medical device’s intended use and constraints.
  • Regulatory Knowledge: Stressed the importance of being well-versed in relevant cybersecurity regulations and guidelines.
  • Vulnerability vs. Exploitability: Highlighted the need to differentiate between vulnerabilities and exploitability, especially in terms of patient harm and data loss.
  • Security Use Cases: Recommended creating comprehensive security use cases and diagrams to guide the design and implementation of security measures.

Anecdotes and Experiences

  • Zero-Day Vulnerabilities: Shared experiences dealing with zero-day vulnerabilities and the challenges of ensuring medical device security.
  • Communication with Customers: Emphasized the importance of clear communication with customers about vulnerabilities and the steps taken to mitigate risks.

Closing Remarks

Chaitanya’s extensive experience in embedded devices and medical device cybersecurity provided valuable insights into the complexities of securing medical devices. The hosts expressed appreciation for his contributions to the field and the importance of safeguarding patient safety through robust cybersecurity measures.
