INTERVIEW WITH

NASTASSIA TAMARI

DIRECTOR OF INFORMATION SECURITY—REGIONS; BECTON, DICKINSON AND COMPANY (BD)

Original Interview, January 14, 2022

This interview was conducted by Deborah Feyerick, an award-winning National Correspondent specializing in security, crime, terrorism and breaking news. Deborah was part of CNN’s team of anchors & reporters for 20 years.

Nastassia Tamari set out to be a journalist and make a difference in people’s lives. That’s exactly what she is doing now, but not in the way she originally planned. As Director of Information Security—Regions for BD, Tamari’s days are spent communicating about regional cybersecurity impacts so BD customers can focus on what matters most—taking care of patients.

Tell us what drew you to cybersecurity.

What a wild ride. I actually started at a local TV station in San Diego as a writer. I liked to tell stories, making sure people were informed about things happening in their communities. During grad school, I had a few jobs at small stations in upstate New York, then went to ABC World News in DC where I interviewed politicians on local issues for network affiliates. The traditional local news path is to go to a smaller station and work your way up. I got a job in Texas where I met my husband and we moved back to San Diego. I happened to find a position working in communications for a small medical device company called CareFusion.

Was that a natural transition?

Never in a million years did I ever think I would end up in cybersecurity. Once I started learning about it, I realized that there is a huge need for the skills I have, like being able to ask the kinds of questions that someone who has been in the field for so long may take for granted, and then explain complex aspects of IT in a way that makes sense to people who may have zero tech experience.

When CareFusion was acquired by BD (Becton, Dickinson and Company), my role expanded to include cybersecurity awareness, product security communication and managing incidents from a communications perspective. My current role, Director of Information Security Operations—Regions for BD, includes monitoring and detection, insider threat, vulnerability management and incident response. We don’t just look at BD products; we look at the entire BD enterprise and our manufacturing environments, as well.

When did you know that this was the right career for you?

The real impact for me was when my daughter was born. She was a week premature and ended up in the NICU, the newborn intensive care unit. Right next to her on the little bed was a BD infusion therapy system. She was actually connected to a medical device that my company manufactured. Same thing when my son was born. He spent almost seven weeks in NICU. Everywhere I looked, I saw BD medical devices: infusion pumps, sharps collectors, and more.

It took my breath away, the impact our devices have on people. Being a new mom, seeing those devices and knowing everything that goes into them from a cyber perspective, it gave me so much relief to know we have a team of folks handling cybersecurity to protect these devices.

Former Vice President Dick Cheney had his pacemaker’s wireless capabilities disabled for fear that a bad actor could install malware or manipulate the device. You look at the software, the hardware, the internet connectivity—talk about the vulnerabilities.

Several years ago, I was at a cybersecurity conference and a security researcher was talking about vulnerabilities in a certain type of medical device connected to patients. A mother stood up and said, “My daughter uses that kind of device. Should I be worried?” The security researcher reiterated that talking about risks is normal and doesn’t have to be terrifying. The key is helping people understand what the risks are and what to do to lower those risks. Like when you’re driving a car and you put on a seatbelt or stop at a traffic light. Taking steps to mitigate potential vulnerabilities will always be part of using software-enabled devices.

How would you describe BD’s overall mission vis-à-vis securing devices even before they get to market?

Our product development teams are focused on security by design. They’re not just developing medical devices that can address a specific problem or challenge, they’re also asking, “How do we make this device more secure?” Throughout the planning and development stage, we’re making sure we take into account risk assessments, penetration testing, vulnerability scanning, and regional market requirements. We also publish Product Security White Papers that detail how BD security and privacy practices have been applied and what customers need to know about maintaining security throughout the intended product life cycle. This includes third-party software components, the hardware, how it communicates, potential risks and the best way to mitigate those risks, and, of course, patch management.

The SolarWinds attack was triggered by a software update pushed out by a verified third-party vendor. How do you plan for a software update over which you have no control, but which could potentially impact all your devices?

SolarWinds was really interesting because you’re talking about nation-state threat actors compromising a validated software update. In that case, cybercriminals inserted malicious code into an update for SolarWinds Orion software. As a result, code-signing procedures are being scrutinized more carefully. At BD, when a vulnerability is discovered in a third-party component used within a BD device, we share that information with our customers and take the time to validate the patch to ensure the patch itself does not generate unintended outcomes.

Part of my focus is looking at what BD can do as a company regarding vulnerability disclosures to make sure hospitals are aware of these vulnerabilities and understand how they can lower their risk by patching or segmenting the network and also looking at who has access into their systems and questioning whether they should have access to sensitive data.

It’s making sure that hospitals are aware and have visibility into those software components so they can focus on taking care of patients. The biggest fear for me stems from a lack of communication. We use third-party components in many of our devices, and we have to be in constant contact with those third-party vendors to make sure that we really understand the entire threat landscape and that we are prepared. We also practice our incident response and frequently train for the potential of a cybersecurity infrastructure event.

Hospitals are a big part of the threat landscape and prime targets for cybercriminals.

Threats against healthcare organizations have increased with ransomware as a service, which makes it easier for novice threat actors to launch ransomware attacks. In some instances, hospitals have had to move patients to different locations to provide care because their data was encrypted, and they couldn’t access it. It’s not science fiction anymore. We work with our FBI partners as part of threat intelligence information sharing. We hear the chatter in the threat landscape, including information about nation-state threat actors and criminal enterprises. It makes me want to do everything possible to make sure medical device manufacturers and healthcare organizations work together and are well prepared. Hospitals and organizations can’t protect what they don’t know, so communication is key, which is why we also continually update our Trust Center website with new information.

The healthcare industry was targeted during COVID by bad actors who attempted to spread malware. What have been some of the biggest challenges?

There are challenges that come with working remotely. Think about telehealth and making appointments with online doctors. Those same security challenges apply to employees working remotely. When the pandemic hit, the entire industry had to work hard to quickly make sure we had the security and connectivity workers need to be able to do their jobs properly.

Again, it comes down to communication and collaboration. I’m on the FDA’s Patient Engagement Advisory Committee. Part of our goal is to make sure we’re transparent and there’s a lot more collaboration between medical device manufacturers, healthcare providers, government agencies, and the security industry. It seems counterintuitive to have competing vendors working together, but I believe this is how we advance in the world of health.

Describe an average day.

My days are split into two parts: One is preparing. The other is responding. Preparing is making sure we have our policies in place and have ongoing communication within our cross-functional departments. We are connecting with legal, research and development, our product teams, our privacy folks. 

The second is responding. For example, when Microsoft notifies us of a vulnerability, we need to know how we are going to handle it and how to make sure our teams know what they need to be doing so it fits the timeline for communicating that. 

My best day is in the moments. Like when the Log4j vulnerability happened, for example. We had hospitals, which use our products, reach out to us and we were able to point to the BD Cybersecurity Trust Center, where we had all the information ready for them. On the Trust Center, we also provide cybersecurity policy, procedure and white paper templates to help other medical device manufacturers utilize these tools to more effectively update their process and communicate to customers and patients regarding vulnerabilities.

You mentioned the 90-10 ratio: Ninety percent of things you can prepare for. Ten percent you can’t. What are the unknown threats which you obsess over?

Preparation is key and so is personality. Not getting worked up or nervous about some of the things that happen. I’m a very fact-based person. I need to see the facts first before we make a decision. Here are the things we know. Here are the things we don’t know. We break it down and follow the plan. 

I also have to credit my team. They are some of the most calm and courageous people I’ve ever met. Even when they’re gathering intelligence from malicious threats impacting the healthcare industry, they are calm and matter-of-fact.

In terms of addressing the 90% of things you can prepare for, that’s why we participate in training exercises across the industry, like the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) Cyber Storm exercises. We also work closely with our research and development departments, and other teams across the company—from legal to marketing—to make sure we are prepared. Knowing we have plans in place and a well-prepared team helps me sleep at night.

Cyber is developing faster than our ability to keep up with it. How do you see your kids having a different experience in terms of how they engage and the products they will have access to?

I really hope that cybersecurity is ingrained in them from an early age. There are already cybersecurity or coding boot camps for five-year-olds. Looking to the future, cyberattacks will continue to rise across all industries. It’s going to become a little bit more mainstream. The question is, what cybersecurity practices are in place? Things like using multi-factor authentication to reduce credential theft. For my kids’ generation, there will be solutions that we haven’t thought of yet, but I know cyber will be part of that conversation. 

At the end of the day, when your head hits the pillow, what is the feeling you have?

It’s knowing that I am making a difference in how we either talk about it today, or how we will be talking about cybersecurity in medical devices in the future. And that’s key for me, making sure that we are simply doing the right thing.

You really did not consider a career in cyber until you got that first job in the field. Would you encourage young women or men to change their thinking?

I bring a different perspective and have a different approach. It’s diversity of thought. Anyone who wonders if they can do it, I say, “Just go for it.” There are so many opportunities. People have unique strengths. For me, my journalism background influences my ability to communicate about cybersecurity, to create a vulnerability disclosure process, and to make resources available through partnerships so that other medical technology companies can bolster their security.

Final Thoughts?

Someone took a chance on me. If you’re in a position to do that, pay it forward. Look for opportunities to invest in others with that same conviction and bring in a diversity of backgrounds, experience and thought. In the end, everyone benefits.