Speaking of Service

How FujiFilm Sonosite are Paving the Way with their Security Paradigm

May 15, 2024 PTC Episode 31

Discover more on IoT Security and its importance

How do we go back and uplift security environments that are already operational, with products that are already out in the market? There is an opportunity to use existing integration with PTC's ThingWorx as an example, but that can be expanded to take into account the initial product design all the way through to servicing products in the field. The digital and physical world is a closed loop, and that's pretty powerful! Today, we welcome Harald Fiedler, Director, Integrated Product Quality and Cybersecurity at FujiFilm Sonosite, to tell us about their journey and how they raised the security bar.


Welcome to Speaking of Service, the podcast that uncovers practical ways to grow service revenue, control costs and improve customer satisfaction. If you're looking to innovate, gain a competitive edge, or just learn about the latest service trends, you've come to the right place. Today, Anthony Moffa has the pleasure of speaking with Harald Fiedler, Director of Integrated Product Quality and Cybersecurity at FujiFilm Sonosite, to tell us about their journey and how they raised the security bar. Well, good morning, good afternoon, good evening, and thank you for joining us again on Speaking of Service. My name is Anthony Moffa and this is the third in a series of IoT security based discussions that we're having. The first was with Tyler Gannon from Device Authority; we were talking about zero trust and security trends that we're seeing in the IoT space. Then we had James Penny, who was also from Device Authority, and we were discussing the role that AI is starting to play in IoT security. And now today we wanted to take more of a practical look at this. I'm going to bring Harald Fiedler in from FujiFilm Sonosite and talk about what they're doing in their world, how they're deploying security and the way they've envisaged security. And the kind of back line that's a little bit, probably the number one question that we get as an IoT platform vendor, is security: security at the edge and, obviously, security of the servers. And customers ask us, well, we have a lot of equipment in the field, so how do we actually implement an acceptable security model in our world, basically back fitting that in? And that is something that we do offer as an option to people. We can help you get things connected, but when you get into the idea of a digital thread and you start to look forward to things, you say, well, what about designing for the future? What about getting into newer versions of security, or making sure that my devices are secure from the start?
Because most of the devices that we talk about today are what we'd call brownfield. They were designed ten or 20 years ago, so they may not have been designed to really connect to the Internet. Now, this is the advantage that we have working with a customer like FujiFilm Sonosite. They're taking on a brand new piece of equipment, and that piece of equipment has been designed to be connected. It's designed with the intent to be remotely monitored. And that's why we have Harald joining us today. Harald, thank you very much for joining us. We appreciate your time here. No problem. My pleasure. You really took a brand new look at security and said, our product, we want to do secure connectivity. We want to leverage a product like ThingWorx to talk to our devices. But that was the number one question you had to answer for your customers, correct? Security. Security, privacy, yes. And for our customers, for external customers and internal customers: how do we leverage the data we have in our systems in a meaningful way? And, you know, having talked with different customers over the years, even though it's one of the first questions they ask, it's typically not one of the first things that they design into their product. So this tells me that this isn't your first IoT program that you've worked on. Is that true? That is affirmative, yes. I used to work for one of the largest medical device manufacturers, based out of the Netherlands, where we built the entire connected infrastructure for all modalities. Yes, but the funny thing is, when you mentioned it, security is not on the forefront, the frontal lobe, of our customers. It is absolutely correct, but it depends on which customer type you're talking about. So if you talk to the clinicians, of course, security and privacy is probably not the first thought. But I hear penetration and I.T. security: that is the first thing they ask about.
So when you started down this path, what concerns did you have? For example, you're in a heavily regulated environment. So security is one issue that you're concerned about, right? But you're also in the medical device manufacturers' world, where the FDA, EU MDR and other items apply, HIPAA and a whole host of different regulatory concerns. So how did this factor into your discussions about security? So we all heard about WannaCry, Conficker and exploits that have impacted worldwide computer systems, and while hacking is probably fun if you have hacked your high school principal's computer, or maybe some society's website, it takes on a completely different meaning when you talk about health care. In health care, we use computer systems to triage patients, diagnose and treat patients. If attackers render a healthcare system unusable, or worse yet, modify the data on the health care system with misleading results, it can lead to serious injury and death. So whenever you evaluate these potential concerns, security becomes really, really important for any organization. And when we talk about what are the concerns, the biggest concerns: really, you have the customer side, you have the impact on the patient. The next thing you need to think about is the protection of the asset; the level of protection needs to be commensurate with the asset's need for protection. So it's different if you have a nuclear missile silo: you have very different security measures than what you have with a game account. That's the first part: you need to identify what's the asset you want to protect. So you need to understand your data. You need to understand the computer systems you're dealing with.
But you also need to understand your own organization's limitations in terms of being able to adapt to changes. Introducing security and privacy controls definitely is a change to the organization, especially a significant change if your organization has not yet instituted any of those policies. So in some cases you will have to select technical controls as well as policies that need to be implemented in your organization, and you might have to do a phased implementation. These are the biggest challenges, I think, when we talk about trying to bring an organization up to snuff in security and privacy. So it's almost a think big and act small proposal: think big about how you want to get to the end result, but you may have to implement smaller phases as you go through that process. Exactly. So there are a number of factors that play a role here. So when you think about security and privacy, you have basically three items to deal with: the customer, the location of the customer, the data and your own organization's policies, and of course the regulatory landscape in the world. So cybersecurity and privacy, the two should be really linked together. They're tied at the hip, right? You cannot have one without the other. I can't have privacy without the controls and policies. But you also have to worry about the regulatory landscape. In the United States, we don't have a statutory right to privacy, which is absolutely the opposite in the EU. In the EU, every EU citizen has the right to privacy. In the US, we have sectorial laws that allow or make it legal to share personal information between companies; it's not really for the protection of your patient or your people. It's more to make it legal to share this information. But you're talking about information outside of protected health information. You're just talking about generic information about an individual.
So both generic information as well as HIPAA. Okay. So whenever you sign your HIPAA consent when you go to a doctor in the United States, if you actually read the fine print, it's about them being allowed to share your information with the providers and the insurance companies. So they're actually sharing information. More often than not, corporate interest and the interest of three-letter agencies or political groups trumps, no pun intended, the privacy rights of American citizens. Localization is important because, depending on who your customers are, you might actually be obligated by law to do that in the United States. So if your customer is the VA, the DoD or the Department of Health and Human Services, they have those little clauses that say, by the way, the data must be hosted on U.S. soil. And this is primarily for governmental tax purposes, whereas in the EU it's very different. In the EU, we actually have GDPR that protects against the export of personal information to other countries, including the US, because they're not deemed secure in the GDPR sense. Does that make sense? So now that we understand the whole thing: the location of the customer, the type of data, that really does matter. So if you have it, yes, you do fall under GDPR in the EU and in the US. So yes, the data matters, the location matters, the customer matters. And we are even seeing that in other markets, not even related to a HIPAA requirement or even a privacy requirement. But there are data sovereignty, I won't say rules, but regulations that have gone into effect, for example, in China, where China's data has to stay within China in order to do business there, and there are some other things. So that's becoming an expanding piece of this, co-related, I guess, to security, but another topic all on its own.
So I want to circle back, though, to what we've done on this project with you. And, you know, you started off, you had an idea what you were going to do. You had some expectations. Would you say that you've met those expectations? Did you achieve them? Yes, I would say absolutely yes. To cut to the chase, yes. We have met the expectations, but I actually thought it was a lot easier. So my initial thought was we would have all the relevant security and privacy controls implemented at the initial release of our new product. And I have to admit this was a little bit of wishful thinking on my part, as creating policies and reorganizing certain parts of the organization takes time, and it doesn't come for free. And ultimately, I have to say, I was very pleased with the results. We addressed the most important controls first and then we built the associated policies and processes within the organization. For instance, we had to create the management process and we had to establish a dedicated team, so an incident response team. And we decided to strengthen the system's defenses with every patch release. Ultimately, we achieved our primary goal on the second patch release of this new product. Yeah, you bring up a very important kind of overarching discussion about implementing any kind of change in an organization. And you chose a technology, which is good. You had a business case that helped you do that, but that's not the end of the process. There are other things that have to happen, meaning you have to implement that new technology into your day to day operations. And the bigger one that you brought up was you really need to have an acceptance within your organization. You want to make sure that there's an adoption of that technology within the organization. And the last piece of that typically is we need a rollout process.
We need a process that rolls this out and reduces the risk within the organization, because just buying technology doesn't solve a problem. It's a tool. It's not the solution itself. Well, I completely agree. I think for many, the implementation itself. So whenever you walk down the path of integrating IoT and I.T. services in your organization, the first question the organization has to ask themselves is: is this just part of our core business? And it's a really, really important question. If you want to compete with the PTCs of the world and the Device Authorities of the world, who've done this for many, many years, then yes, you can build your own IoT infrastructure, your own data centers and your own cloud services. Sure. But you are going to have to be staffed for this. Just as a warning to your listeners: do not ask your engineers whether they can build you that. The answer, of course, would be yes, engineers can build this for you. The question you have to ask, though, is: can you afford that your engineers spend the next ten years developing something that you could buy today from an API company such as PTC or Device Authority? So at FujiFilm, we have made a first thought, of course: we can build it ourselves. And we quickly realized that this was not such a good idea. So we partnered with PTC and Device Authority, and in my humble opinion, it was the right decision. It was really great progress. I think the biggest hurdle for us was to align our own organization internally. To kind of put this in context for the people that are listening in here: overall, this was done well under six months, right, from the time that. Yes. So the idea is what we're going to do. We went through figuring out exactly how you wanted to implement it, what your scope was, and then built it, tested it and deployed it.
So if you're trying to build your own program in under that amount of time, that's a pretty amazing feat. Having done this a couple of times in my life, I don't think it's possible without the help of people like PTC and Device Authority; you will not be able to stand up an entire infrastructure like this in six months. And that's for maintaining the IoT space devices. They're already maintaining the security space. So again, it's all part of that process. Are there any early results that you're starting to get back with your program? Yeah, absolutely. So we had, as you said, within six months we were able to set the pilot up. And by the way, we have done it in 33 separate environments in production. We brought up a production environment to test and the secure environment; we have built all the services out; we have tested within the final stages of acceptance testing. So I think in six months, yeah, which we have done, we have achieved quite a lot of this, but the team was working really well together. There were challenges, of course. You always have challenges, especially when you have two different engineering teams. You have a cloud team and you have an embedded software team. They speak different languages, so to speak. And I think this adjustment and the standardization fundamentally was probably one of the biggest hurdles, so we understand what we're talking about when we talk to each other. And I think the second challenge was a little bit the project management side of things, where you had to deal with PTC, with Device Authority and with Transition Technologies, the configurator for PTC, I think. But this is just a standard project management challenge, I believe. But then with three different engineering teams working together, this actually went pretty smoothly as far as implementation programs of this size go. Absolutely. Yes. So what do you see next in the IoT space for this project?
I'm sure that there's a bit of a roadmap that's laid out, some features that may be coming down the line. So we have, of course, like any good company would do, we have tackled the most difficult part first, right? This all over the update. So the next challenges I see for our organization are predictive analytics. And predictive analytics, in my humble opinion, is more an infrastructure challenge rather than a technical challenge. You actually have to build up infrastructure. You have to have servers, systems and proper database design to get all this information. That's simply just applying I.T. practices. The big challenge will be the integration of commercial systems such as Oracle, such as Salesforce, into the connected ecosystem. And I do believe that's where some feathers will be ruffled within our organization, because any organization will have certain boundaries. Okay, I own this part, you own this part; connected infrastructure falls in between. So the classical I.T. side is really not applicable for such an ecosystem. Neither is the engineering side, the R&D side. So it really sits between a rock and a hard place, between the business as well as the I.T. side. So it sits in between those two big boulders and this is very difficult, and somebody has to own this. And I do foresee this is going to be one of the larger challenges. Plus, we of course have the potential of security issues, depending on which data you and your customers are dealing with. SOC 2 comes to mind, where you have to certify your infrastructure. I think that these are the real future challenges for us at FujiFilm Sonosite. Now, earlier you mentioned that you would advise people not to build their own systems when they can commercially buy them, which of course we would wholeheartedly agree with.
So that was a great piece of advice to offer to our listeners today. But is there anything else that you'd like to offer as advice to them? Yeah, start small. Don't do what we did. Don't pick off the most complex thing right away. Yes, we were lucky. We had good partners and we got it done. But start small, go through the low hanging fruit, then set reasonable expectations with the leadership team and ensure that you have the backing to make changes in your organization's processes and structural changes to your organization. And I think the most important part is to find a long term owner for that ecosystem. That is a very, very important thing. If you don't identify a long term owner, nobody wants to own it. It doesn't fit into R&D, and I.T. people walk away from it. You need to have some organization owning this; make it part of your budget. Make sure you have an annual budget for your infrastructure. And the last part is, I would say, pick a reliable partner that you can live with for corporate eternity. So it's just like marriage, right? That's what I would suggest. One of the things, I think a lot of, we kind of talked about this very quickly. You're talking about changing your company. And the point is that you're not just applying technology to the process or to the problem, but you're really fundamentally changing the way the company has to operate from a service perspective. And that requires ownership. That requires people to take that and be the passionate advocate for that change. That requires a budget and a whole host of things. So it's really important for people to understand that. And if you decide to go with a partner and be part of that process, that's something obviously that needs to be managed into the equation. Yeah, those are really good. I've had a number of customers who talk about change and struggle with that process of change, and I think the reality is it needs to be somebody's full time job, right?
Because part time jobs get part time results. Exactly. I'd like to thank Harald Fiedler for joining us today. I'm glad that we were able to have this third discussion about security. It's great to talk about what is possible. It's really important to talk to people about what has been achieved. So thank you all for joining us and telling us how FujiFilm Sonosite has rolled out their latest IoT program. For Speaking of Service, I'm Anthony Moffa. Have a great day. Thanks for listening to the Speaking of Service podcast, brought to you by PTC. If you enjoyed this episode, please subscribe wherever you get your podcasts and leave a rating or review, and be sure to check out other episodes to hear new perspectives on improving life for aftermarket professionals, service teams and the customers they support. If you have a topic of interest or want to provide feedback, email us at speaking of service at PTC dot com or visit us at FT.com slash Speaking of service.