 No, welcome to another exciting panel here at Biohacking Village. Can we just say, can we give a round of applause to Biohacking Village? This is amazing, isn't it? If you would have asked me three years ago, if I'd be moderating a panel here, three amazing clinical professionals, including doctors, technologists, etc. If you had told me that we'd be able to get clinicians away from their clinics and from surgery and interested in this topic and learning more about it, as well as teaching us so much more about what we don't know in this space, if you had told me that, I would have said you were under the influence of ecstasy. Because, quite frankly, this is something that is just so novel. And for Raise Your Hand, if you've been in this space for a while and one of the biggest complaints you've heard is we can't get doctors and nurses to come to the table, raise your hands. Like, that's a huge issue. We heard security researchers time and time again say, I think I found something really scary in a device or in some critical hospital infrastructure, but I have no idea if this hurts patients or not. I got to talk to the people who take care of patients. So, missing stakeholder from the conversation has been the clinical side. So, I'm excited to offer this perspective here where we have some hackers and doctors here to talk to you about a variety of really interesting issues that touch on everything from coordinated disclosure to patient safety, patient privacy, and a lot of the problems we're going to have which are yet to be unsolved. And again, if you are in the audience and you're interested in this space, learn more, come pick the brains of all the people here at the biohacking village, these clinicians and technologists here as well, and get yourself injected into this space because your work can be really, really valuable. All right, so we're going to go ahead and work on some introductions and introduce themselves. And when we're done, we're going to go into some just standard questions I have touching on a variety of topics, like I mentioned, and we'll offer about 10 minutes or so at the end for questions. We'll try our best to get everyone's questions answered, but I'm sure there'll be some really a lot of people wanting to ask some questions. So if we can go ahead, who has the mic? Great, you just want to start? Sure. Thanks for having us again. I agree. I think it's really hard to get our colleagues to come to things like this. I think the awareness is not there yet because it doesn't impact them directly and it is hard to get them away from the clinic schedules and operating rooms. But I think this is a topic. I've been involved with this for about two years, more on the Asia Pacific side for HRS and I'm beginning to see worldwide this is starting to become an issue as media is worldwide now. And so they understand what's going on in the U.S. It also impacts them because the companies are worldwide and global and patients are global. So, but I'm Dr. Yu, Dr. Dale Yu in Dallas, Texas. I'm a cardiac electrophysiologist. I plant a lot of those devices, pacemakers and plantable loop recorders, defibrillators, whatnot. And again, I've been interested in this space for several years. I'm a bioengineer by trade initially. I went to the dark side of medicine and maybe I'm coming back out. I don't know which side is the dark side. I'm confused, but thanks for having me and I appreciate it. Hi, everyone. My name is Dr. Harish Manium. I am the head of electrophysiology, so I'm plant pacemakers and defibrillators like Dr. Yu. Part of a very, very big public health system. And so I think it brings a different perspective, which is finances when we talk about these issues. Where's the money coming from? How do we pay for this? So I think people forget about that, that we do have limited resources. So I'm looking forward to the conversation. Thank you for having me. Good afternoon. My name is Hussain. I'm a security practitioner by practice. I'm a CISO for a health system in the United States. And my role is regulatory compliance, cybersecurity, medical security, application security, and you name it within the security paradigm. And I report to the CIO. Give it up for the panelists. This is awesome. All right, we're going to come out the gate swinging. Who here? Raise your hand if you have heard the following sentence. Yeah, this is not a big problem, medical, device, cybersecurity. Show me someone who has died. Raise your hand. Keep your hand up if that frustrates you. Great, we're going to ask our panelists the following question. We'll start off with the clinicians. The hospital is a chaotic environment. You're treating patients with anything from a runny nose to patients that are in the ICU with ventilators and all sorts of devices hooked up to them. And because of the nature of disease and things, people get harmed. People come in really sick. And we tried our best to treat them in the hospital. The question is this. If a patient was injured by a medical device that was compromised, do you think a majority of hospitals in the United States would even be able to detect it? So I think that's a great question. I think the reality is if there's a true injury, that's part of defining that is when we put in devices, we talk about risks, real risks that may happen that are quantified that we look at. And then we talk about things that are potential risks, which is I think what you all see as researchers maybe, ways that you think you can break a system and that may be an opening. And so when you have a true thing that has happened, a true event, then I think that everybody has to care about that. I think physicians would be exactly on the same page as researchers and device manufacturers about taking care of the problem. The question is who has the answer? And I think that's something that we all have to solve together. So hospitals are not ready for this kind of problem. This is not why people get health care, right? So the expertise that we have is to take care of patients, but it's a medical background. It's not a cybersecurity background. And so I don't think that hospitals have the resources or the capacity to take care of this as a problem. It's a complex question to answer. I agree with everything he said. The issue is how do you determine what the harm is? It's basically actuarial science when you're talking to the health system. And the patients don't understand it from this standpoint, but when I give talks on heart failure as well, I tell them what the risk is, why we put a defibrillator in. It's similar to what you guys are talking about, risks that don't exist yet, because the problem is in that arena, your risk is one. Like once you die, you die. So it's binary, zero or one, right? In this case, you may have harm, but you don't know where that harm came from. And technology is all around us. And so I bet vulnerabilities exist. I know there are a lot of vulnerabilities. I mean, OS systems are very archaic in our systems from computers in the laboratory. I mean, as electrophysiologists, we deal with some of the most advanced technologies in a hospital system can have. And at the same time, you go around the corner and they're still running XP and Windows 2000 and things that are 98, even scary things like that. You don't know why they're running these because the hospital system doesn't have the money to pay for the warranty or they don't want to because the profits are there. And as long as profits are part of the problem, which they always will be, we're asking you guys help us figure out a way to make this free, to make it cheaper, to make access easier so that they wanna do this as a collaboration between manufacturers, hospitals, whatnot, but to circle back to his initial question is it is very hard to determine the harm. But if you tell me someone died because their anesthesia machine, I've been using this lately, it broke. It bled the wrong anesthesia gases at the certain parts per million because it said something else and they died because of that. Well, there's gonna be a lawsuit because of that. And ultimately, maybe you can track that down, but that's a one-off you will see. And the manufacturer of that system will look at it. And that's why I think it's crucial that they are part of the loop because they're the ones that can patch, if you will, the word I've heard patch a lot or offer what they're gonna do going forward to lay some fears and whatnot. But hospital systems are almost cut in the middle. Patients are caught in the middle. We're caught in the middle. And at the same time, we're all needing to work together to do it. So I don't think it's easy to say the harm came from one thing or another, but we all have to have our eyes open to determine this because it's not like you hear this all the time. You had an organ transplant of the wrong organ or to the wrong patient. We hear that. That's simple to define. They die immediately. And you go back, ABO type them. But this is not so easy because it's not so transparent. I think that's why we gotta work together to figure that out. And maybe we can even speak to you about maybe defending the network. Maybe don't take your hospital, for example, and your controls that you have, but you feel like you could reflect broadly on the industry. Do a lot of hospitals that are rural, for example, that don't have a lot of resources, some of the ones that are cash strapped, like you say, do you think that they have the security controls in place to even detect these types of attacks on hospital infrastructure, critical medical devices? It depends upon the type of the attack as well, right? If you're talking about a denial of service attack that could potentially disable a device, that's detectable. But if it's a individual device that's misconfigured, for example, a pacemaker, and if it's not properly configured or default config is not set up and somebody can hack into it or break into it or exploit it, that would not be easily detectable. I think it's a quality issue, what type of a quality process you have, implemented in implementing devices or any process within an organization and if that quality metrics are collected and monitored and then some sort of analysis is done, how by as a process you implement something, you could probably detect some of the defects or shortcomings, but in general, yes. I mean, rural community hospitals are not equipped to have that type of process in place to do because of shorted resources, shortage of money, like the doctors mentioned. And in some cases, it's not the money, it's the life cycle of a device that takes 10 to 15 years to build and get approved and then brought to market, whereas an operating system on Windows is three to four or five years. So within five years, if you haven't really recouped or the TCO on the device hasn't been recouped, how do you go out and spend more money or invest more money to buy a newer product because you've already not recouped the investment on your investment that you've done already. So there are a number of things that influence that decision-making where what to do next. So let's say, take us hypothetical for a minute. Oh, I've had coffee at people, I'm sorry. Well, you have a malfunctioning device that you implanted. Two weeks after you implanted it, it's not working. In fact, it's such a critical failure that you replace the device. What would you do with that device as a clinician? What would you do with that malfunctioning device? And my point to this is gonna be, has anyone ever said, well, let's take a look and see if this thing's been messed with, let's do some forensics. And then moving down to the biomed side, on the technical side, do hospitals even have resources in their own hospitals to do some of this very basic forensic work to see if a malfunctioning device has been impacted by something other than something caused by the cybers? So I think that's a great question, but I think it's good to look at maybe broader scopes of this. So if you do have a malfunctioning device and then you have a hospital trying to do forensics on it, it's like saying, let's have the local police do something that really only the FBI should be doing. I mean, the reality of that is they don't have the equipment, they don't have the personnel, they won't know what they're looking for. And so when we do have those issues, because those are real issues that we have seen and we've actually taken out devices as a result of that, they go back to the manufacturer. And so the manufacturer actually has the best experience with that device, they made the device, they have every idea of how it works, it's all proprietary and a lot of the contracts between manufacturers and hospitals have specific language in them that says that, yes, if we do have a malfunctioning device, it should go back to the manufacturer so they can actually interrogate the device and see what's going on. But they also have the most motivation to cover their ass. That's exactly true, but there is a database. So that's a great question. So originally when we had implantable cardiac pacemakers, defibrillators, these devices were meant for heart failure patients, defibrillators and heart failure patients didn't live more than five years. Now the medicine with heart failure and the devices with heart failure therapy have prolonged people's lives that they're living 20 plus years. The wires weren't meant to last that long in the beginning. So there were a lot of wires that broke, they failed. So there's a database called the MAW database that actually all these events actually are supposed to go into. Now technically when they go back to the manufacturer, they have a responsibility to report that to the MAW database so we can interrogate that database naturally and see how many events have actually happened. The times when it doesn't happen actually is when local hospitals or physicians, if they change out the device, that device doesn't go back to the manufacturer. If they keep the device or throw away the device or whatever it is, then we never really find out what happens. So how much of cyber security fades into the decision of bringing the device to the factory? So tell you what, we're gonna table the questions towards the end because that's a fantastic question. We're gonna keep that towards the end but on the same theme though, would it shock you that in an unofficial poll of medical device manufacturers, and I won't speak for all of them, but not a single one told me that they have forensics involved in their device failures, specifically looking for cyber. So they could have devices that fail, they don't do the, let me rephrase it, I can't speak for all of them again. It sounds like a majority of them don't actually even look if there was what the root cause of the software failure was and if it was caused by the cybers and then to report to that MAW database. Would that shock you? Have you ever heard of a rep say, oh we're gonna take this down to cyber HQ and take a look at this and find out where the hackers are? No, you ever heard of that? No, I think you're on to something that I've been hammering them with too. My reps probably don't like me because I'm always hammering them with something that they can't answer. But what I do get, I think what we're used to seeing, and he was alluding to it as well, about the leads, mechanical, mechanical engineering, that's easier to see. We can, they can MRI, CT, electron microscope, they can do things like that. From a programming standpoint, I don't know of a company as of yet and I have tried to look into this that has a department and or one person in the basement of their mom's house or anywhere they live to do this because there is no feedback. What I'm always waiting for is, and I have had a device, believe it or not, I implanted it and as I'm closing the skin, as we're doing remote monitoring, like just checking it live right there, it actually said ERI, elective replacement battery, went from full to nothing in the time it took for me to close the device. Something was going on and you know, cyber's not the first thing I'm thinking of. This happened three years ago, maybe it would be in the top three now and I think that's part of the awareness problem, lack of education problem and maybe that's why we do these forums so that, I mean because we're represented by a lot of the companies here as well, so that that exists. So forensics, from that standpoint, I don't know of any, I can let you know, refer this back to the manufacturers if they do, it's pretty quiet, but I think we are owed an answer too because I will get a report four to six weeks later, tells me what was broken in the components of the device, if there is anything broken, they broken it apart. In fact, things have changed over the last three, five years. We actually, no matter what the device is that we take out, even if it's for an elective battery change app, we send them back to manufacturers. I think A is a liability thing, the hospital doesn't want to hold onto these, they don't know what to do with them, they have to destroy them anyway and B, I think manufacturers can get them back and they can look for wear and tear and other things they weren't looking at because they're coming out and maybe they can see there's early failure of something that's imminent, they can change that part, change the manufacturer of that part, but again, everything I've mentioned is mechanical and nothing that we've really talked about is cyber or just software-driven and I think that's important. Yesterday I talked to someone about the cosmic radiation of a, I won't say the company, but it's the only company that has sub-utaneous ICDs of a device that probably had failure of their software because they don't have anything hard wired as of yet or now they do, they didn't at that time, cosmic radiation caused corruption in the binary codes that allowed for that to have a false shock that caused VT then they died later. So this exists, that wasn't a cyber attack for the best I know it, unless the sun god is the one who did the attack, but it does lead us to know that there are things, vulnerabilities that we never expected, that was one, I don't think until I heard that I never knew anything about that. So I think it is important that manufacturers start to develop a region, a group, and I think that's what we're doing, and this is how we're doing it because it starts, I think we've been doing it this past year, we've been very passionate about involving the companies to have that forensics, if you will, and push it, that's why we ask the question. Did you have anything coming on that, sir? Yeah, I just think that it's a detection issue. I mean, there has to be some determination made that this problem could have arisen from a cyber incident or a malfunction of a device or a programming error for that matter, and if that analysis is done and then it could be categorized as a fault that could have been taken place because of a malfunctioning of a device or an intrusion of a device by a hacker or some process, and then forensic analysis can be done further to that to see if it's a programming issue, if the code was faulty or the manufacturing was faulty, because everything starts with programming, then the program, the code is burnt onto a chip and chips installed in a medical device and that's how the process control takes place. But I think the means are there. I think it's just an issue of creating a process around it to make sure that FDA or whoever requires a medical device manufacturer to do some sort of reporting around that. We received back 50 units out of 50, maybe five were defective because of X problem and that could be a cyber incident. Let's switch gears a little bit. Let's talk about, we're gonna take questions at the end sir, is that all right? Let's switch gears a little bit to talk about, have any of you guys had patients coming in and asking you about this question? I saw something on the news. I have a pacemaker, I saw on the news that some hackers are gonna kill me. I also saw it on CSS cyber, so this must be real. Have you had that interaction? If you haven't had that interaction, what if a patient did come up and talk to you about that and try to take yourself out of your position here being at DEF CON or being aware of this, but put yourself in the shoes of a cardiologist, electrophysiologist, there's nothing about this and a patient comes up and asks them, am I gonna die? So the reality is that has happened, so there was a couple of quote unquote recalls and I hate that word, I think from an FDA perspective when people say recall, it really, really scares people. Not just patients, so I had a Jeep Cherokee when they showed the hack of the Jeep Cherokee, they said there's a Jeep Cherokee recall, right? So I had to go get my Jeep Cherokee patched. Now is that a real potential thing that's gonna happen where I live? Probably not, but I mean yes, I probably should get it done because I don't want someone taking over my Jeep Cherokee when I'm traveling down the highway. Now when patients saw there was a recall on pacemakers, okay, not only are they unaware of the brand of pacemaker they have, they're unaware if they have a pacemaker, defibrillator, a BIV pacemaker, they have no idea. So what it generated was a ton of noise and that's what really worried me is that so we had to influte of calls, we had to influte of patients showing up to the office, can you tell me what this is? And these are office appointments. The reality of our life is that we cannot deal with volume that is not real. And so it's just like a hospital, right? When you have a triage center and there's a mass catastrophe, right? Hospitals can't deal with that volume of people coming in to one place. And so as a cardiac electrophysiologist, you can't deal with my whole patient population coming into the office for two weeks and trying for me to sit down, they don't even have a brand that's affected or they want me to patch it and there's not a patch available today and then you have to have them come back for the actual patch which is in a month. And so there has to be better communication I think. And so when researchers I think have done a good job especially white hackers and trying to figure out that yes, there is a problem trying to communicate it. So kind of a communicated disclosure to manufacturers and work together to try to make these events more seamless rather than when the news gets ahold of it. The news gets ahold of it and becomes really, really interesting and something that they wanna spin and there's this big hack of pacemaker and so people just get really anxious about that. And I think that's not a helpful solution for all of us. And so communicating it from my standpoint is a little bit easier but as Christian was saying really having people who have no knowledge of this, right? And so the patients know already more than the doctor, right? So patients will come in and say I heard about this hack and the physician have no idea what they're talking about. I mean no idea because data and information so readily available now, right? That people will get that information before the physician even gets the information. And so the reality is having some kind of maybe source that people can refer to about how to handle things would be great but we all realize that patches and figuring out the process and fixing that doesn't take 24 hours, takes weeks, right? If we're lucky. So this does happen and completely agree that we don't have the bandwidth. We don't have the bandwidth to see our normal patients that get sick. We have, like we barely are surviving now because a lot of changes in healthcare aside from this issue and majority of physicians are gonna say, we hope they say, I don't know. And I don't think so. And I've never heard of this before. You are probably safe because I would think that I would have heard of this if you're gonna die. That's probably the common answer. However, what they'll next say is I will reach out or you can call the device company or I will call the device company in my spare time and figure this out and we'll have the rep contact you which then as you can see will expand the bandwidth but not much, not enough to cover all the needs of our patients. Which is why I was talking to Suzanne from the FDA yesterday about and also one of my projects on the side is trying to create a form or website where patients can look their own, like they pull the card out, look up their model and at least quickly, this is what people are doing for their blood pressure meds. You guys have probably heard about valosarn, low sarn, half of you probably on it and that's the thing, right? Even though the risk of this small, it got news. I did the news for NBC because of this. But that got news. Cyber will get news as well if something like this could threaten people, right? But then we got in flux of calls about blood pressure medications as well. But they could call CVS, they could call Walgreens. They're banned when it's huge, but we don't have that. So I think what we really need to do, and we don't have that yet, first of all, maybe one or many websites made from the manufacturer from the FDA, patient-centric ones, and that's why I was creating one myself right now where just for my patients, but later maybe it'll be something larger where they can just plug in their card. I mean, they do carry their cards. They don't know anything about their device until they look at it again. Then they forget it again, but they look at it, type in the model number, maybe they can find out what's available and if there's nothing, if it says, I don't know if you can say yes, your device is safe forever. I mean, that's what they want to hear. But that's what the clinician's job is, right? To take data that doesn't give you an absolute and then interpret it and what the best option is for the patient. That's where our expertise is, right? We can't give an absolute either, but I can say, I don't believe if I were you, I would do this at this time because there's no data on your device model that this needs to be done. But we have to have the resources in order to do that in a very efficient, clean way. I think, again, involving all the companies and whatnot and FDA as well and regulatory bodies because if we don't, we're doing it one by one each of us and that's not gonna be a solution ever. So I think that's the challenge we have. All right, we're going to, I'm gonna tell you guys a secret, okay? So if the Dr. Guild finds out that I told you this, they'll murder me, so don't tell them that. So when you graduate medical school, they give you your white coat, actually they give that to you or they give you new white coats a little bit longer, you go to residency, which are basically just handcuffs. But then they also give you this pager and this pager's only for doctors and if there's ever an emergency, all the doctors have this pager and we can talk to them, all the doctors across the world get a page at the same exact time. It's like a bat signal for doctors, right? I bet many of you out there are thinking that's kind of a funny thing. Nothing like that is even close to reality. Many of you are probably thinking that this just sounds like a problem of communication. Why can't we just email all the doctors? Can we get a doctor to the listserv open please and just send out this communication saying, hey, pay attention to this, this is an issue. Raise your hand if you think it's just an issue of communication, let's talk to docs, get some emails out there and it's an easy thing to do and we'll be over with this problem. Anything? No, it's exceptionally complex and the next kind of stage of the questions we're gonna go through as well, we've identified a lot of problems, we don't have bandwidth, doctors don't know things. The question is how do we fix that? Because I'm gonna tell you all another kind of a dirty secret. We don't get pagers by the way, there's no unifying. We have decoder rings, but that's about it. The, this kind of scary part about this is that we can't do a good job even teaching doctors about the latest and greatest medicines to use. About the things they were taught wrong in medical school 30 years ago that the new literature shows is different and they should change their practice. We don't have good mechanisms to teach these doctors. So I'd like to just pose a really hard question to this panel, how do we start fixing this? Because if we don't include clinicians, nurses, other people actually take care of patients in this conversation, we could do this conference and security researchers could keep doing stuff forever. And the patches and the fixes and the mitigations will not get to the patients. So we've identified clinicians as a key stakeholder here. We've identified that they cannot really handle this, but how do we fix that? Do we teach, you know, the outcome of DEF CON? Do we, what do we do? Well, it's multi-stage and a very difficult question, but I think a few things. I think one, I think we talked about peer review journals that have articles coming out. That's what we try to pride ourselves on in whatever field you're in. You're reading as many things that are apropos to your practice to keep up to date, if you will. I think one of the mechanisms is being able to enhance or to start disseminating information or whether it's a section of a magazine, whether it's a section of a group, i.e. HRS has one, Heart Rhythm Society, which is what we're a part of as electrophysiologists. There's American College of Cardiology, American Heart Association, and slowly they are all having these sections, if you will, and because they then have a body of physicians that belong to that organization and they'll start to see that they're forums and webinars. But even with that, it's hard. And going back to the email question, that's kind of funny because I think I have like 82,000 emails unread right now and it's just gonna keep getting bigger because I'll tell you what I wait for is when my nurse or nurse practitioner tell me open your email because they called us because you didn't open this and respond by tomorrow. That's when I'll open it. But prior to that, it is very hard to even get on there because you're inundated with so much data. And that's one of the problems here. You have a lot of different data points and you have a lot of different conferences. And this conference is a very important one for this question and this answer, but it's not the one that physicians are gonna go to. I can guarantee you that, at least not now. So I think you have to go to the places where they go, which FDA is a part of that because we're all kind of involved directly with that. And then each of the organizations they're a part of whether it's AMA, AHA, ACC, HRS, and then peer reviewed journals where we start to have editorials, maybe even studies, I'm trying to put something out there where we're looking at patient education and just seeing like we were talking, they don't know what device they have. We don't have anything actually in a peer reviewed journal that really talks about this in a disseminated form. I think we have to go, us all of us, have to do our job in finding a way to reach out to the different avenues that will then reach out back to the physicians. And then going back to the education piece, I think we're starting to now also talk to med schools, residency programs, fellowship programs. We know other EP directors slowly disseminate that way, so education's going from the bottom up as well from physicians and then from the top bottom. We have to hit it from all cylinders, but it's a big challenge, but I think we need to keep doing it. So I think that's a very difficult question and I would actually propose that most physicians should not necessarily know all of this stuff. I think maybe there's a basic primer or something people can get on what we're actually talking about, but I do agree there has to be probably FDA involvement in this and a group of stakeholders, patients, physicians, researchers, manufacturers, all involved that can actually supplement the information when we do have a potential threat and then the messaging that comes out from that. And so the best way I look at it, there's doctors that are on sports teams, right? They're there to take care of the football players. They're not there to actually score the touchdown. I mean, my goal is to make sure my patients live longer. If I have to worry about this in addition to that, I'm probably not really doing my job that well. And so we have to be realistic of what people actually have to do with their time. And so what I would like are you guys involved with what we do, and I think that takes this kind of thing and a group of people who really understand what's happening to then message each of these events in an appropriate timeframe, right? So when we do have this potential hack or threat or whatever there is, that there's a group of people that can sit and say, this is what we think we should message, we're gonna now, because there's not gonna be a solution on day one, right? But the news is out on day one. So you have to somehow send that message out quickly because, you know, or say that we are working towards fixing this problem. So you don't inundate people with a bunch of patients that don't need anything done, right? And so there has to be some kind of response. No response is bad, because then you get a local response where people don't know what they're talking about. And that won't change. And so I don't think you can change people's profession, but you can change your response from a national standpoint in a different way. I would look at it from a different perspective. I think the vulnerability should be risk-rated. And there should be some level of expertise required to look at what the vulnerability is, how could it be exploited based on that risk-rated. And there should be some national registry or whatever the process is to advise the patients that this is a vulnerability, it's not easily exploitable, it's not life-threatening, it may not cause much harm. And at your next visit to the physician, you could have it fixed. And if it's a critical vulnerability and it could by itself malfunction and cause a harm, then they need to immediately contact the physician or wherever they got the device from and get it replaced. I think misinformation of a lot of things create a lot more chaos. I think it should be a little bit more organized and just like we have CVs for software defects, critical vulnerabilities versus moderate, low, and just informational. Maybe there should be some level of thought applied here to kind of make it in a form that people can easily understand it and not get paranoid about because in this case, naturally, a base maker malfunctioning could cause a fatality whereas a software defect and just shut the computer down. There's a little difference there but I think there should be some process applied to it. And just to kind of expand on that a little bit, there's a unique difficulty in medical devices about this risk. We have a tradition in Infostack, we are able to rate vulnerabilities and assess how severe they are and use that as an ability to triage, right? What are we gonna spend our resources on today? Of course, it's gonna be trying to mitigate the really scary vulnerabilities that have a lot of high severity impact, right? In healthcare, there are some nuances that make that difficult. One, if you identify, for instance, a really nasty vulnerability in a infusion pump and the infusion pump is deployed in 15 different places in your hospital and there's gonna be a gargantuan effort to try to fix this, right? You can't use a single severity score to help triage that effort. And so there's an extra little piece in it, it's like how is a device used in clinical practice? I'm gonna patch the ones that are in the ICU first before I do the ones that are in the outpatient infusion clinics or whatever, right? Or maybe the infusion clinics are infusing chemotherapy where the doses really matter and we really wanna pay attention to those as opposed to the ones that are on the floor or the ones that are in a closet somewhere. It's not that all medical devices that have the same vulnerability should be treated the same when it comes to severity. And that's the nuance to this type of stuff we're talking about. We don't have a standard for that and that's something that could be a really good project for the community rally around is like how do we then take this gargantuan effort and come up with a system that can help us triage these things and protect patients in a more intelligent way with the limited resources we have. So Christian, we call that risk management or risk assessment, right? We have the same process applied to software defects or hardware defects. We look at how the product's used. Is it public facing? Is it an application that's critical in the ERP system or what not? Or is it an application that's used on a smaller system which can be shut down or be not used for the period of time that the vulnerability isn't reactified? And based on that, we apply our efforts to patch or implement the workaround. I think maybe a similar process can be developed of how the product is being utilized and based on its utilization, what the severity score would be or the risk rating score would be and based on the risk rating score, how do you remediate it? I know I'm trying to make it simple but there has to be some madness to the madness, right? And it sounds like a required part of that would be clinical input, right? So you can't do that without the clinical expertise of knowing which patients are vulnerable, which ones are of the highest priority. So it sounds like in your risk management of this, you need to have clinicians, nurses, doctors at the table. Absolutely, because any business process is flawed if you don't have the subject matter expert assessing or have an input into it. The business impact analysis of disaster recovery requires the business owner to score how the business will be impacted if there was a disaster, whether it involved software or humans or whatnot. And based on that score, we make a decision how critical that product or that service is to the business, right? A similar man, in a similar manner, you would include the physician, the nurse, whoever the experts are, the medical device manufacturers to give you input on how to risk rate that vulnerability in given scenarios. Awesome, so we're gonna go through one more question before we take some questions from the general audience and it was inspired by what ended up being, I don't wanna say contentious, but at least a loud portion of a meeting we had two days ago that was table-topping these types of things. And believe it or not, the thing that drew the most volume in the room was not about talking about a really scary vulnerability that was found in a medical device or how the medical device manufacturer can respond to it, how security researchers can disclose it. Instead, it was really around this issue of cyber-informed consent, all right? So I'm gonna pull the people in the audience. And I did this last night at Do No Harm, so please bear with me if you already know about this, but raise your hand if you've ever had a medical procedure. All right, keep your hand raised. If you had a person come up to you with a sack of papers that had a bunch of small wording that says this procedure could kill you, you could get an infection, you could get hit by a meteor, you may speak a different language after the procedure, you may not remember your own name, all these things, right? Raise your hand if you sign that, okay. And then lastly, keep your hand raised if you feel like the person who was talking to you about this did a good job describing all the risks that might be important to you. Okay, so that's the state of informed consent and we haven't even thrown cyber into it, right? So what we're gonna talk about now is this concept of more and more devices are becoming connected. We already talked about how doctors don't know a lot about this. Nurses probably don't know a lot about this, although they probably know more than doctors to tell you the truth. How do we get, should we have something like when you go to surgery or you get a pacemaker put in you that also has some connectivity to a base station at your home for monitoring, should we have something like cyber informed consent? You are now part of the internet of medical technology, you are now an internet of bodies, if you will. And the risks that could happen with that and how do we deal with communicating those complex, unrealized risks knowing that we have no prior data to work on and this issue of trying to help patients make the best decisions with their doctors about this new frontier. So I'll take it to the panel. So that was an interesting discussion we had two days ago about informed consent and trying to add that in. And I think some of the feedback that I was a little bit shocked about was that people felt that we should add that in as clinicians talk to patients about cybersecurity. So let's put that in the timeframe of real life now. So we have truly 15 minute office visits, okay? That's not dictated by us, that's dictated by the government, Medicare, okay? And so you have 15 minutes to describe a process with the patient, which is implanting a device, telling them about the risks and benefits of that device. Now, if cybersecurity is an actual threat, I think yes, it should be in the conversation. If it's a potential exploitability, is that something we then add in? Is it device manufacturer specific? I mean, if you go see, if I go see someone who base cakes, you know, I don't tell them what kind of putting to put in the middle or what kind of flavoring or something, make me a chocolate cake, you know, that's what I tell them. I don't know what kind of flour they use, I don't know what kind of stuff. So the question is, how much information is information that really needs to be there for a patient? Now, we have two different ways that we consent people. Number one is there's a general consent form. So general consent form is when you come to the office, okay, you actually sign a consent form that says you accept care in so much. And I think that would be a reasonable way if we were gonna put cybersecurity into the conversation, that would be a reasonable thing to put in there that there are potential cybersecurity threats that we don't know what all those are today. And because we live in this connected environment, that could be a potential threat to you in the future. That could be part of a general consent. And that's the same thing that you sign when you go to the hospital. For any kind of care, before you even get care, you sign a form that says, I will be taking care of it. And I'm sure no one has ever read that whole form. But the question is, when we put this stuff into a form, are we doing it because we want to actually inform patients or are we trying to protect the institutions or whatever? I mean, that's the reality of that, right? I mean, we can't have all of those potential threat conversations and realistically take care of people that are really sick. I mean, there's a timeframe to that. And so I don't think it's something that is truly part of an informed consent for a procedure. It may be part of a general consent. So I completely agree. I think the reason why there's so much contentious debate about this, I think, especially on the researchers here around the world that have implantable devices themselves are much more educated than the most of the patients that we see. The point of views are varied because of this. And I think when you think about the point of informed consent, at the end of the day, the patient is basically putting their life in your hands. You want to give them the best judgment that you have based on your education, what will happen, what can happen, what may happen, and what would you do if you're in their shoes? And ultimately, we are doing the 35-page consent for the hospital protection because the lawyer's dictated. Because if you go to other countries, which I go to extensively, they do not have this. It's not even written sometimes. It's like a verbal conversation that may or may not even be witnessed by a nurse, and that is where it ends. That's it. And yet, health care goes on all over the world, actually, much more voluminously everywhere else but in the US, because there are a lot more people, a lot more issues going on, a lot more indigent patients, which means more sickness, right? I think we're past where we can repair that because we have lawyers, we call it CYA medicine. So I do think that we will have to put this into the consent form. Now, what do you define as informed consent? And what's in the form are two different things. Form consent is our best judgment of the top five lists, if you will, top three lists, of what things are most common. 1% chance of bleed from the leg, 0.1% chance of perforation in the heart. Like, these are things we'll give them based on anecdotal data and also retrospective data, right? But not based on theoretical risk going forward. However, I'm not mitigating that existence. We need to talk about it. But again, that may not be the form. Let me give you an example. Yesterday, I got a call. I mean, being here does not exempt me from being a physician. I got many calls and one of them was from a patient. I'm putting a pacemaker in on Thursday. He doesn't remember why he's getting the pacemaker, but he said, I'll see you there. And he goes, thanks for calling. I go, but didn't you call my nurse to say what are you getting done? He said, yeah, I forgot, but I trust you, doc. I'll see you Thursday. I go, well, let's go over the question. He's like, what am I getting put in? Is it a defibrillator's pain? We went over all this, okay? The thing is, and you've probably done this, you go to the doctor and depending on what state of mind you're in and how hard you are, because you have to go to work and whatnot, you may not remember 99% of what went on, yet you just need to know the next appointment you need to go to, maybe a surgery, how much you owe, how much money you owe and is insurance going to cover it, right? That's the number one question we get. So I'm not trying to belittle this conversation at all. It's a very important one, but I think we have to put it in the context of what we have to deal with because we are already hindered and hampered in so many different ways that if you put this at the top of the list and I have one researcher say that I was talking to you, not because he was being passive aggressive, but I think just this is the nature of the beast. He said, well, if you guys don't address it, we're just going to go to the media. Well, okay, go to the media and I'm going to tell you because I work for the media too. I did a news for NBC. I'll tell you what's going to happen. It will make the news. Then patients are going to call us and it's going to be a heyday of now we can't take care of those calls. So the patients we're trying to take care of, we can't even take care of now because of the calls we're getting because of media frenzy because of everything else. So we've lost focus of what we're trying to do in the first place. We just keep everyone safe. So to go kind of circle back. Yes, it's an issue. Yes, we have to get lawyers involved. Yes, we've got manufacturers involved. And since cyber security is now becoming a large part of medical healthcare because I mean, let me give you an example. We put a pacemaker in it, but I'm not going to tell them things that I do tell them because they may ask me, but how many things we have IoT? What if I have hearing aid? What if I have a back stimulator, spine stimulator? What if I have an eye watch? What if I have this crazy thing on me? Well, I have a pacemaker in. Did you think about all the interactions that are going on on your body at that time? No, you went to the Apple store. You got the newest and greatest gadgets, but you never thought about asking your physician or ever thought that they were liable because you have a device and that may have interfered. Now you have noise on it. You passed out because it inhibited your device. Do you? No, we don't. But that then should be an informed consent if we're going to do this, right? It is a snowballing effect. So we have to be careful if we're going to phrase this and saying that this all needs to be in there because then everything needs to be in there. Do you ever have a conversation about your anesthesiologist using a particular type of machine with a particular computer system that bleeds the gases together? No. Do you know what the telemetry machine you're going to have? Which wing of the hospital? How old is that OS on that system? You don't know any of these things. That's not an informed consent. So we have to be careful. We have to be very careful and when we do this, because it's going to set a precedence, because this is early in the process. So I think it's contentious because we all have a big opinion on this. And if you've been medically hurt in any way or impacted because of it, you're obviously going to have a larger voice and it is not diminished by any means. We just have to be smart in how we're going to roll this out. I think that's the most important part here. Awesome. And I lied. We're going to do one more thing before it. So I've been informed that you guys have had hacker counterparts. You had an exercise where you were able to learn from some real hackers. We'd like to bring them up and talk about that interaction a little bit. Can I please have Amanda and Andrea come on up? Because they have something to share. I mean, they had an experience and I'll let them please briefly introduce themselves. Do we have Andrea here? Hello. Oh, sorry, Amanda. Where's Amanda? Awesome. If you could introduce yourself real quick and please talk to us about your interaction you had with them. Good. We did not realize this was going to happen. So hello, everyone. Hi. I'm Andy and I guess a little bit about my background. I'm a software engineer and I run Electrolabs which is a digital medicine company and then previously I served at the FDA as an entrepreneur residence doing, working on software as a medical device, the machine learning and other groups. And we have another FDA person back here calling out everyone now. Hi, my name is Amanda Plumton. I'm the COO of a company called Livestock Labs. We came from the biohacking sphere and went into startup world. I come from a biohacking background obviously and we had a really good experience interacting with the panel. Is there a specific thing you're meant for us to be talking about? No, there was nothing in the text message that was sent to me. No, right? Well, I would say that the interactions that we had were good. We got to have some actual dialogue with some of the doctors and the people in the different fields. And I think that there's a lot of discussion that should be had. Like I disagree with several things that got set up here and I think we should all be able to talk about that and see if there's interesting ways forward. Well, I guess one thing I would just say is this is a new field for everyone. We're all trying to navigate it and trying to figure it out. And there's a lot of words that seem different on both sides. So like API is very different at the FDA than what an engineering API looks like. And so, and I think there really aren't individual experts, like we're all navigating it. So one of the things that our team has tried to do is just write up as many primers as we can. And so like what do the ontologies mean? What do the frameworks mean? What is digital medicine? And like how do we think about these different questions? So we wrote, we hired a graphic artist to create a cartoon guide novel thing about digital medicine. So it's just not super painful. And... Could you do that for the informed consent? There it so, for informed consent, there's this great group called SageBow Networks. They are a non-profit, a very big monster non-profit that did a lot of work with Research Kit and Apple and others. And they have done really cool work with informed consent, particularly digitally. So for example, like when you read something on a format, everyone reads like an F where you like read the top a lot and then you start sneaking down and like really don't read that much more. And so they've thought a lot about the pictures that you have in informed consent and how to kind of subtly test you while you're doing electronic consent. And they've published everything publicly. So they have a GitHub, they've put all their informed consent work out. So if you're working with a developer who's developing some of this, you should definitely check out the SageBow Networks informed consent guide. Since we're buddies, do you want to talk? Yeah, I'd like to. So I think what was great with the initiation of the partnerships here is it's kind of, I guess in allegory, what we need to do going forward is to sense that we're in different spheres, but we need to meld those spheres and we have different opinions on things because we're coming from opposite sides, if you will, to come to the middle. And that's, it's happening now, right? This is all new for all of us. And I think this needs to happen more often throughout the year, not just at these conferences, because we do them here and I'll be honest, I get on the plane and it's like I forget and half of what I talked about with people and I try to write them down because I think some of the ideas were great. And then I'll get home and see the 82,000 messages in my email, get scared, look at my antiquated pager, put that in the corner, and then start doing charts. That's what's gonna happen and we lose this. So to have an opportunity to kind of do this quarterly or whatnot, I think a forum and start pairing up people from industry and clinicians that are, I guess, on the forefront, if you will, and I guess we are right now and this will change as we go forward. But I think that would be very important because then we can continue to bounce ideas off each other so that we're not guessing on some of them and creating primers that may not be needed and from our standpoint, talking about things that we don't know and maybe theoretical or maybe real, we don't know everything in that realm, right? So I think that's the best thing I think came out of this is an opportunity to really think that we can do this from both sides, I think that's important. Two more resources. So everyone here is pretty active on Twitter and some have open direct messages, some don't. So you can interact, there's a whole Twitter community where you have questions, you can interact there. Biohacking Village, you can follow and they have a great Twitter and interaction account that will publicize events like this and others. And then there's another group called the Digital Medicine Society, which is a professional society and the idea around this is, if doctors take Hippocratic Oath to do no harm, should the software engineers and device manufacturers take also an oath to do no harm and what does that look like? The Biohacking Village and I am the Calvary created one of these and then more generally, doctors have professional societies to join. What is the professional society for those who practice in the Digital Era of Medicine beyond clinicians and that is a group that will be giving a talk at I think seven tonight. So you'll be able to learn more about that and you can join. All right, Rad, we have nine minutes for questions. We're gonna go ahead and take, is your hand up in the back, sir? Yes. Okay, if you could just be really loud. I just wanna make one point about the conversation so far is a little disingenuous that the people who are advocating for don't necessarily believe that you need to have a five minute talk with grandma every time about the firmware or vulnerabilities of her embedded pacemaker. That's not what we're advocating for. What we're trying to say is that if you do have a patient who comes in, like Remo, who is a security researcher and who does have concerns about the device she's going to get, if you are gonna be implanted in these devices, you need to be able to have that level of informed consent discussion with her. Maybe not with every patient, but that's the entire nature of informed consent that is unique and specialized to that particular interaction. So you, as this is a element of the device that you are implanting, just like any other physical, just like any other pharmacologic or machine-issued, me as an anesthesiologist, I can do answer all those questions that you raised earlier. So when you guys up there, you can do that. But at 90 to 95, it wasn't your colleagues' hands. And that's not acceptable today when we know about these things as existing in the same way that I have any medication. I don't know about a rare side effect that was in an animal model. If somebody comes in and says, hey, my family has a history of NAH, I need to be able to say, okay, here's a minute, too, to prevent you from having a blatant effect of thermo-reaction plans. Can you go to one end of the issue? Oh, I agree with that. I think the issue here is what is acceptable, right? I don't think it can be all or nothing. I would love it to get to that point where everyone can have that high-level discussion. Everyone can be an expert. I think we were talking about levels of expertise can't be at every level for every physician. What you have to realize in our realm as well is not all implantables are put in by electrophysiologists and even electrophysiology, maybe only 1% understand the cyber side of this. Maybe us, maybe not even us. So it's very difficult because it's a small piece of the pie. You have interventional cardiologists, invasive cardiologists, some places internal medicine and planning loop recorders doing things, dealing with technologies that they don't even have to handle on themselves. The easiest thing to do is what I always tell people is to put it in. It's the follow-up that's the hardest. That is also why defibrillators aren't put in as many people that can put in pacemakers because the issue isn't putting them in. They're as easy as a pacemaker to put in if you've done enough of them. But it's the follow-up and then understanding what a rhythm is. Are you gonna detect? Are you gonna even detect them if you set it in properly? And then what do you do with those? That's our field, right? So I think it's a complex question. I get more clarity on understanding where this is coming from. And like I said, I'm not belittling any of the issues at all. I think it's a very difficult topic to handle directly. I think what makes more sense and it probably will be what happens in most of these situations. We have to find a common ground that encompasses the majority of the physicians and or implantors that are part of it with the patients, right? When we see patients every single day, even if it's simple about medications or whatnot, I use analogies left and right of whatever. I use pharmy analogies. I don't even understand. If I think they are into cars, I start using car analogies. You know, if they play chess, I'll use chess. I try to adapt. And this is maybe unique to me because my students laugh at me the time I do this. I try to connect with them in a way that they may understand, which helps them understand this. And that's part of informed consent of that visit. I mean, there are shared decision-making every time we do it. And that's another part of informed consent. And I think that's why it responsibly goes both ways. So if my patient is somebody with a device and they happen to be in this community, I would expect them to keep an open mind and help me help them as well and explain what they need from me so then I can help them to the best of my knowledge and the best of my resources that I can help them with, maybe even connect the dots for them so that they can feel good with what they have. Because at the end of the day, we're not dealing with cosmetic surgery here. We're dealing with devices that are put it in because they're trying to either improve quality of life or prevent death. And when we're talking about that as an endpoint and cyber is a part of that and maybe cyber issues will lead to them dying early, majority of them will not, then you have to put that in the context of this, right? I don't want a patient to come to me and because they're so terrified because they're a researcher about a vulnerability in an OS or in the programmer on their device that that company had and be mad that that's what we put in them. I need them to understand what's the reason you have that in? If you never had that in, you may not be here having a conversation with us. So to temper that conversation so that we can have good discourse so we can come to the middle somewhere where again, it applies to most clinicians. Because remember, most clinicians aren't even part of the circle because they don't understand. They're so disconnected with what we're even talking about right now that informed consent is the last thing they're really understanding. So I think that's why we need to do this but we have to do it in a way that doesn't seem all or nothing, white or black. I think that's important. Question in the back. Maybe this is the question I came to Las Vegas to ask and that is, when we talked earlier about what we really don't know if there's been any harm from cyber security in the last few devices. It made me think back 20 years ago when the Institute of Medicine came out and said, you know, we have 98,000 people died from medical errors. There's been controversy ever since. Trying to understand what that means and what the numbers really are. I want to challenge maybe the people here to think, can we turn around on its head and say, instead of trying to figure out whether there's cyber security or are we happening, can we look and say, can we use some of our technical expertise to try and help solve this question of, how do you detect and report properly on medical errors so that you can work on patient safety? And maybe what will fall out of there is some small amount will be detected to be related to devices or related to data. Yeah, I think that's a great comment. I think the reality of this is working together to figure out how we report this stuff is probably the most important step we could take now. And so that would be a great, almost conclusion point. I think if we take away anything from this, is that we're not gonna be able to figure out every potential way that you can hack something, right? We all know that. That's possible for everything that you may do that too. But we do need to have some kind of clear reporting process where people actually get the information. And so getting the information is key, having information be clear, and I would say at least as appropriate as possible is important and that's why having a lot of different people in the room is key. As I think, I don't think we're on different sides as far as medical informed consent and what you guys are talking about. I think the reality is, I agree with you, 80 year old lady or something who's coming in for a routine pacemaker check is no knowledge of this. And she doesn't wanna know about it and that's okay. But if clearly you have knowledge about this, I think it's important for physicians to continue to dialogue with you. But last year when I was here and Billy Rios was on stage and he showed that you could hack a pacemaker programmer, no one else as an electrophysiologist knew that at that moment. But either did any of the researchers in the room. And so the reality is if someone was in the room, which there was, there was actually a patient that stood up and actually was almost in tears and said my son has this device and it modulates insulin and was worried that their device could be hacked. Well the reality is we don't know what that means. And so not all of these things can be clearly and concisely told to patients that yes, we know what that means, we know what that risk means. And so informed consent is about being realistic and saying yes, this just happened, we don't know what that means. And a lot of the doctors didn't know, I mean even today didn't know that that was possible. And so even though that happened a year ago now. And so we have to have some true dialogue that makes sense about this happened. It's important for us to know as medical professionals and then how do we then fix the problem? Because the problem hasn't been fixed actually, right? Another plug, so FDA on September 10th is running a big workshop around patient engagement and clinician engagement. And so if you're in DC you can come to the workshop. You can come to me or Seth if you can raise your hand and talk a little bit more about what that looks like. There's also a webinar so that you can be involved in this. And so I think the agency is really trying to figure out what are the best ways to engage in how to design these sorts of processes. Last question. I asked earlier, how much of as users of the devices when you're selecting the device that you're going to put into a patient or use it in practice, right? Are you guys asking the questions to your providers? Has this been security tested? Is there some sort of a baseline either approved by FDA or mandated by FDA? Or their own general security practice that they are adopting to at least put an effort to secure those devices? And how much of that really play into the decision of you selecting the device? Because in some cases you might be going after functionality more than is it really a cyber secure device? It's a good question. I probably sliply slipped there too. And also a lot of other things that you probably not taking into account of. One of the issues is the selection device sometimes has to do with training and what the patient or what the physician has been used to using and their ability to have a trusted colleague from the manufacturer around and they'd be able to report. It's like an agent if you will in some ways because you know that they're going to get you reliable data quickly to carry the patients to what you need, goes both ways. So to answer your question, no, probably not. Not much, at least in terms of technology side. Features some, but even with features that have now been tested and true that help heart failure, hospitalization and mortality, we not all practitioners still even do that when there's an ability to select that. But that comes from multiple places. One, there's bias, like I said, maybe they have alignments in different ways but the other side, and by the way it's not usually a financial alignment, it's usually training or where did you go and what did your mentors use? Why did they use it right? And then you just keep doing that. But then the hospitals bid out to sell you what contracts they have. In fact, you may not be able to use the one with the best whatever it is at that month or flavor because they're 95% metronic, they're 95% bioboston scientific that month, that year, that quarter. So you have to use it, otherwise they yell at you and then we feel bad and it goes back and forth and the patients are not part of this by the way. And that's another problem, have a problem with that but they don't have a say because they're not part of the board that makes money for the hospital system, yada, right? It's a major problem, honestly. That's a problem that existed before all this. And that's why I think the changes in terms of how reimbursement is for hospitals and whatnot because that's gonna continue to be a problem. So the answer to the question is that's probably not gonna ever come to light until these other issues are addressed with how these patients or get their devices, which brands and whatnot because even with the MRI devices that patient, we would have to sign forms that the hospital had because they cost more money. So sometimes they would choose ones that weren't MRI compatible if you will but we know that they probably will be based on other studies because they're cost saving and I don't think that's malpractice per se but this is a business that are running and sometimes the devices don't last long. You have to make a decision. You're gonna put a battery that lasts six years or one that lasts eight years. You think the no brainer picked the one that's eight years all the time that they're equivalent otherwise but it's not done. So that costs more money to the system and they didn't make any more money because they put me, you know, the bulk payment they get is not anymore, right? Is there an anti-inflammatory in your procurement process or the devices that have that technology? No, not technology, but for certain features, yes. For cyber security? Not for cyber, not in my system and my system is HCA, probably the largest one in the US. I don't know of any other systems that do it for that feature. Now, that doesn't mean it's not gonna change because MRI was one of those types of things, right? And heart failure functions as well. It takes a discussion and it has to go through procurement which is a long lengthy process and the bigger you are. So I think we need to push the envelope but right now it doesn't exist in status quo. So to answer your question is we don't use that as a selection process. So don't you take that, I'll show you a close-up. So hold on, hold on. We'll take the sidebar on that. So I love that you pushed the envelope. So for you two, the biohackery and the citizen science, what does medical physicians, medical systems, clinics, hospitals need to start understanding or be more aware of so that there can be a better connection? That one's a little tough. There's a lot of things. I think encouraging a certain amount of openness. Patients don't always feel comfortable coming in and saying, I wanna have a chip put in. Instead they're very hesitant because they know there can be pushback and it's leading to in, physicians not having all of the information around their patients at times, which is not good, of course. So finding ways to make that a more reassuring relationship. I don't know how physicians do that. So that's kind of a piece I would love for you all to help us think about how do we approach physicians and say, this is a thing I wanna do, can you help me do it? And not have them immediately go, ooh, that sounds scary, leave. That would be a really good first step. And then from there it's a little harder. It just depends on what's going on. I know as someone who helped try and deal with my mother's medical situation, I did have to talk to a doctor about a loop recorder being put in. And the person that I spoke with had no idea what they were talking about, it turned out. But they assured me that it was gonna go in for a month and it would record all of the heart data and send it all to the doctor's office. And then it turned out it was something that gets put in for two years, I believe. And it was only gonna be exceptions and it wouldn't actually involve all that. I went to the point of talking to a Medtronic technician. They sent me there because I was asking so many questions. And so I did appreciate that they funneled me through to someone who could answer the questions that I had. He was very confused about them until he realized what I did for a living. But how do we get the physician side to be more informed? If you're a physician or in that area and you're gonna be putting a medical device into a person, shouldn't you have full knowledge of what you're doing to that person? How do you, you know, being staying informed of that I know is difficult, but it's a critical piece. So how would you make sure your colleagues and yourselves are more aware and informed? Wait, I want Andrea to answer before, hold on. I guess I think we're now heading to a level of specialization that everyone should know the basics but not everyone's gonna know all of the details for it. And one of the analogies that I think about is like when a lot of the genetic testing came out, not everyone necessarily knows how all that works but we've developed new specialty roles. So like with genetic, we have now genetic counselors who can kind of help you think through what do these sorts of tests mean? And we'll probably not, I think there's this basic level of burden that needs to be on physicians for sure, but I think we are gonna have to also have other roles and other types of expertise that come through. One thing that Christian mentioned yesterday I really liked was thinking about how do we incorporate this into, just into like the, why am I, my brain's tired. What school did you go to to get an MP? Doctor, what's- Oh, so it's just- Okay, well, I mean, so like we're at medical school. We should probably have like basic types of, like one, cyber classes and then two, security classes so that people have an understanding of what these tools are gonna be especially if they're gonna be participating in this digital era of medicine. And then welcome new roles. And I was not speaking close enough to the microphone for all of that. So I think these are great conversations. I wanna be sure that we're all kind of talking about the same thing, you know? I'm sure most everyone here probably went to high school and college, right? And so how much of the information from college or high school do you remember today? Can anyone do calculus for me here? The reality is if I had a cyber course in medical school, okay, that would already be irrelevant today. So my residency, my training was nine years. So after medical school, I spent nine years in training to do what I do today, okay? And then now I've been practicing for over five years. And so what I learned even five years ago would be irrelevant today. And so we have to be cognizant of the fact that time will change everything. So I do think that there is maybe a primer, but that primer needs to be updated. There's something that needs to get pushed out. I think that's why the FDA is important in this conversation because there can be a national organization associated with giving us information. The other comment I would make is that, you know, when you go to a restaurant and if you guys are vegans or someone's a vegan, I have a close friend, she's a vegan, so she always like, I'm starting a new steak. She's like, oh my God, she's gonna have a stroke or something, so. But the reality is you can go to restaurants and they're gonna serve you a vegan meal and they're gonna have non-vegan options, okay? If you go see a doctor, there's some doctors you're gonna have really good relationships with. Some that are great talkers, some that are horrible talkers, some that are really smart, some that aren't really smart. But the reality is some of that is dialogue, right? You don't stick with a doctor if you're having horrible dialogue with them, at least you shouldn't. Like you should be able to understand what they're talking to you about. And maybe that should be that there are gonna be some people who are maybe better at having a cyber-awareness dialogue that you would say, hey, these are the cyber-aware doctors because there's vegan doctors out there, okay? So you can find them online, vegan doctors, right? And so maybe there are cyber-aware doctors because the reality is there's gonna be some people better at that process than others. So I think that may be something to think about.