Welcome, everyone. I'm really excited to be presenting at our virtual DEF CON this year in the Biohacking Village. I'll be talking today about cybersecurity informed consent. A few disclosures before I begin my talk. I previously worked at the Cleveland Clinic and I have a little bit of equity there. I received salary support from the NIH, for which I am eternally grateful. And I do a lot of volunteer work for the Global Alliance for Genomics and Health and the National Society of Genetic Counselors, and I'm a founding member of the Digital Medicine Society, and I will shamelessly plug them now. You should join too.

And also, really importantly, the work that I'm presenting I have not done by myself. Specifically, I had three close collaborators. So last year at DEF CON, Andy Coravos, who's pictured on the left there, introduced me to Jeff and Christian, who are pictured on the right, to merge the minds together, bringing my ethics experience, Andy's engineering experience, and Jeff and Christian's experience as doctors and security researchers all into one pool to create this idea of cybersecurity informed consent.

So today I'm going to talk a little bit about the cybersecurity of medical devices, which is background for the ethics folks that might be watching this talk. Then I'm going to be talking a little bit about informed consent, which will be perhaps some background that's good for the engineering folks, and then we'll bring it all together in the concept of cybersecurity informed consent.

So let's talk about the cybersecurity of medical devices. For many of you in the Biohacking Village, this will seem very basic, but for people who are new to this space, hopefully this will help you catch on to what's going on here. So it's important to note that medical devices are extremely common in the United States. More than 2% of Americans have some sort of implantable medical device within them, which is truly amazing.
The US is the largest medical device market in the world, and it's a lot of money that's involved in this. Another interesting point, though, is that most medical device companies are very small. And I think that that's a really important point as we think about the concept of cybersecurity informed consent: many of these groups are really small shops. Medical devices are regulated. So the FDA is responsible for the regulation of medical devices; they have oversight on oodles and oodles of devices, device manufacturers, and device facilities. And it's important to note that the FDA is not the only agency that's involved in cybersecurity. So the FTC and the Department of Homeland Security, among other agencies, each have a piece of the cybersecurity infrastructure pie when it comes to regulation.

Oodles of medical devices are also connected devices. So these figures are from this paper on cybersecurity features of medical devices, which was a tremendous paper that was published in 2019. So in 2016, 18% of new devices had software. And that has increased really dramatically over time, and certainly as we think about 2018, 2019, 2020, the percentage of devices which are connected has not decreased over that time. However, the amount of cybersecurity content that's disclosed for those devices is relatively small. So the graph on the top has a different y-axis scale than the graph on the bottom. So you can see an increasing number of devices that have software, and then a slowly increasing number that include cybersecurity content. Connected devices have vulnerabilities. So anything that's connected to the internet, whether it's your phone or your watch or your computer or your implanted medical device, any connected device has cybersecurity vulnerability. There is no device that is connected to the internet that does not have cybersecurity vulnerability.
This was first highlighted in 2008 and actually influenced Dick Cheney's choice of pacemaker, because he was worried about cybersecurity vulnerability. On the right hand side of the screen, you can see some examples of cybersecurity concerns within the implantable medical device domain. So IMD is implantable medical device. So you can see there are challenges with authentication, integrity, confidentiality, authorization. Each of these domains has very specific concerns when applied to implantable medical devices. So there are lots of devices out there on the market. More and more of them are connected. Any connected device has a vulnerability.

Now let's talk about informed consent. So it's really important to remember that informed consent is a process, not a thing. So you can't just say I've signed a paper or I've said yes or no to a question; informed consent is really a process, a process of conversation between two parties. Planned Parenthood has this fabulous way of remembering the elements of informed consent: FRIES. So consent needs to be freely given. It needs to be reversible. It needs to be informed, meaning you know what you're getting yourself into. In the case of consent in the context of Planned Parenthood, they require it to be enthusiastic. Within the medical context, sometimes the enthusiasm is a little bit muted. That's fine. It needs to be specific. So when you're consenting to something, you really need to be informed about what it is you're deciding on, and you need to know the specifics of what you're deciding on. And this seems pretty obvious, but it sometimes gets lost in translation when you get into a medical context, and certainly when you start to think about connected medical devices. So informed consent in medical care and research has those same properties: specific, informed, voluntary, and reversible.
It's been described by a lot of very famous statements in the ethics community, for example the Nuremberg Code, the Declaration of Helsinki, and the Belmont Report, all of which were seminal pieces of ethics literature that pointed out the requirements for informed consent within medical care and within research. So informed consent is also mandated by law. So within the United States, here are some of the specific codes and specific agencies that require informed consent within the medical care and medical research setting. The quote on the right is actually from one of the first decisions in the United States around informed consent. In this case, in New York State, there was a case of medical negligence because a surgeon had not properly informed the person that they were operating on about the potential outcomes of what might happen to them when they received treatment. So we have a long precedent, more than 100 years of precedent in the United States legally, for informed consent in the medical setting.

So this is a really busy slide. What's important to know about it is that we're not good at informed consent. So although we know informed consent is really important in the medical context, we're not really good at it. So if you look at the green box, what the green box is pointing out is the number of studies that have looked at informed consent that have shown that the people in those studies had adequate understanding of key components of informed consent. So six out of 21 studies showed adequate understanding of the information being given in the informed consent process, which is about 29% of the time. And then you can go over to the yellow box. That's the moderate understanding, and moderate in this study meant that 50% to 79% of people got questions right around understanding the information. So most people fall into that bucket.
And then you can see a really large percentage of people fall into the inadequate bucket, meaning that they understood less than half of the information that was given to them. So although we know that consent is important, the practice of informed consent in medicine isn't very strong. That's a problem, obviously. One of the reasons is literacy. So informed consent documentation in medicine tends to be written by lawyers. And lawyers, although well-meaning, don't necessarily write in language that everyday people can understand. One in five Americans reads at or below the fifth grade reading level. One in three Americans has basic or below basic health literacy. And as we all know, stress, anxiety, pain, depression, all of these things can lower our reading comprehension and our reading ability. And that's what we find in the medical context. So if you're going in to see a doctor to get an implanted medical device, it's highly likely that you're either stressed, anxious, in pain, or depressed about this medical need. And so that will really impact people's ability to understand what it is that they're getting themselves into. So it's important for us to know about the limitations of informed consent as we think about telling people about the cybersecurity vulnerabilities of medical devices.

Fortunately, innovation in informed consent is happening right now in research, which is tremendous. My group at Sage Bionetworks, which is a nonprofit open science organization, has been working on creating electronic informed consent processes which are visually engaging, which distill the information that's being given, and which allow people to navigate through at their own pace. The All of Us Research Program, which is a massive research initiative, has done some incredible, innovative work with informed consent.
They wanted to enroll a really diverse patient population into their study, and so they really put a lot of time and attention into their informed consent process. It's at the fifth grade reading level, it includes little videos to help people understand, and there are "get help" buttons along the way. So, although the state of informed consent hasn't been so good up until now, there's a lot of work that's being done right now to improve informed consent. There's some more information here about the All of Us Research Program's informed consent, but what we're finding is that this effort is paying off. So, in that study that I showed you with the green, yellow and red boxes, one out of 15 studies showed adequate understanding that participating in research is not the same as receiving medical care. So one of the questions, a quiz question that's posed to people after they complete the All of Us informed consent process, is: What's the purpose of All of Us? And one of the answer options is "to give medical advice and treatment." You can see from this graph that more than 90% of people, regardless of their educational attainment, were able to correctly answer the question that the purpose of All of Us is to help scientists make discoveries about health. So our innovation is working, which is great. So the state of informed consent hasn't been so good. We're working on ways to improve it. It looks like those efforts are really starting to pay dividends.

So how does this all come together when we start to think about cybersecurity informed consent? Alright, so cybersecurity informed consent is a combination of ethics and engineering in medicine. So you need to take all the ethics folks' knowledge and all the engineering folks' knowledge and put it together. So the cybersecurity of medical devices and informed consent together is this concept of cybersecurity informed consent.
It's an informing interaction for patients who are getting a connected implantable medical device. The purpose of cybersecurity informed consent is to tell the patient about cybersecurity and its implications for their soon to be implanted device. So we're trying to inform people about the device that they're getting. So when we think back to cybersecurity informed consent, one of the things is that it has to be specific and it has to be informed, so people need to know what it is that's happening to them, and they need to understand some of the specifics of what's going on. Cybersecurity informed consent is not yet federally mandated, so there are no guidelines for how it should fit into workflows or what topics should be covered or how they should be addressed. And for now, we're just focusing cybersecurity informed consent on implantable devices, because that seems to be, let's say, one of the areas of most urgent need. So if you're getting something put inside of your body, understanding its limitations and risks is really, really critical.

We created a straw man, or straw person, diagram of how cybersecurity could work within a current clinical workflow. The idea would be that a person comes in for their pre-surgical visit. So when you have a surgery, usually you come in a few days before to have a medical checkup to make sure everything's good before your surgical date. At that visit patients could be told about cybersecurity informed consent, and then they could take the time to navigate themselves through a cybersecurity informed consent process. So, on the left hand side you can see here, a person comes into the clinic some number of days before they're getting their implantable device; they have all of their pre-op activities. And then in the third step, they make sure that they have this cybersecurity informed consent completed.
After the pre-op appointment, the idea on the right side here is that the patient would self-navigate through this cybersecurity informed consent, so walk themselves through a digital informed consent, like the ones that we have been using in the All of Us Research Program and other innovative research efforts, telling people about cybersecurity and how we keep you safe. And then the patient can ask questions, and then they sign off on it, and then they're ready to go for their implantable device. So, Jeff, Andy and Christian and I put together this straw man document to sort of prompt people to think about how this would actually work in clinic.

We thought about this workflow specifically because we wanted to capitalize on each group's strengths. So, the people who know the most about the cybersecurity of the devices that are getting implanted into people are actually the manufacturers themselves. And so if we could create an informed consent process that the manufacturers themselves contributed to, then we might have one that has the most accurate information. Time is most limited on the day of surgery, and people are also the most worried on the day of their surgery when they're getting an implanted medical device, and so making sure that that consent happens in advance, so that people can ask questions and take the time and not feel the stress, was one of the thoughts that we had in designing that straw man document. We also noted that most people get their information online these days, although there is a digital divide: people who are older and in more rural areas tend to be less connected. And so an online process might not work for everyone. And also, doing things from home gives people time to think and talk to loved ones and come up with questions. So this was our rationale for designing this original straw man document. We have received a lot of critique on it, which is tremendous actually.
So we've shared this at the CyberMed Summit in the fall last year, and with a number of different groups of people, including folks from the FDA and a working group that we've convened of doctors, manufacturers, hackers, and ethicists like myself. And so here are some of the critiques. So doctors are used to being the sole source of informed consent for medical devices. Well, for all medical care. And so many of the doctors that we've talked to have felt a little bit nervous about having patients navigating a device manufacturer's information around cybersecurity. Patients are also used to getting or doing informed consent with their doctors. So this would be a different step for them. There's also been the critique of "if there's no federal mandate, why rock the boat?" To which I would say there's an ethical mandate for people to be informed, so we're rocking the boat. And because cybersecurity is moving so fast, how can we make a cybersecurity informed consent process that's still relevant after three months or after a year? Any informed consent process for medical care needs to go through an ethics review process and a legal review process at the hospital where it's being used. And that process takes time, so we can't be constantly changing a cybersecurity informed consent process, even though the field of cybersecurity is always evolving. There's concern about cybersecurity informed consent disincentivizing people from getting connected devices. So although we know connected medical devices can really, truly improve care, people may be nervous about the vulnerabilities and may not want to get connected devices, which physicians think would be really bad. People have asked, do patients really want all of this information? There's some empirical evidence that suggests that yes, absolutely they do, and certainly when we look at the informed consent literature, patients want to know what's happening with their bodies.
Sometimes implanted medical devices go in emergently, and so consent happens after the fact. So that plays with our proposed workflow a little bit. And then there's the question of who's the responsible party. So is the doctor responsible for making sure the cybersecurity informed consent happens? Would it be the manufacturer? Would it be the hospital system? Who's responsible for what? So these are all really, really good critiques, and we are so happy to have received them and to be working with them to improve our model, to come up with a second version.

One last point that's been raised as a critique is the probability of risk, and the probability of risk I think is really an important point for us to address here. So, usually we think about risk in two dimensions: its probability and its magnitude. So the probability of harm occurring as a result of participation in a research study or participation in medical care. And federally defined minimal risk is when the magnitude of anticipated harm is not greater than ordinarily encountered in everyday life, right? So it's all about probability of harm and magnitude of harm. But probability and magnitude aren't such good measures when it comes to cybersecurity, right? So if you lived in South Africa, this sign might not prevent you from swimming, because sharks are sighted there every day. But if you lived like me on the shores of the Great Lakes of the United States, you might see a sign like this and say, oh my gosh, the apocalypse! We're not supposed to have sharks here. So, Suzanne Schwartz put together this slide and she presented it at the CyberMed Summit last fall, and I thought it was just a spectacular slide, looking at the exploitability of devices and the severity of patient harm if exploited.
And so, this was her reframing of risk, and I think that this is something that's really salient to cybersecurity informed consent. So we're not really looking at the probability of patient harm, just: is the device exploitable, and how bad is it if it is exploited? And so, when it comes to an implantable medical device, like a pacemaker, you can imagine that if the device was exploited, it could have catastrophic impact for the person who had it, because their heart wouldn't be receiving the signal to keep it on rhythm. So, even if the device is not very exploitable, it could still have catastrophic implications for patients. And so for this reason, we're really thinking that cybersecurity informed consent is important, because people should know what cybersecurity is, understand what device manufacturers are doing to control for that risk, and also be reassured that their devices are at the highest standard of security, and that they're constantly being looked at by groups like those at the Biohacking Village. So really this sort of brings it all back to the mission of the Biohacking Village and this little ethics side project that we have going.

So our next steps are to make a mockup of cybersecurity informed consent. So what would it look like if a patient was navigating this cybersecurity informed consent? What kinds of information are we going to tell them? How are we going to tell it to them? We want to try it out with one or more devices and one or more clinics, and so we've convened a group of people to help us work on this, and I want to thank all of them; we have a huge group of working group members. We also were graced with the free and excellent labor of Duke University capstone students who helped us out. Folks from the FDA have given us comment on our proposals as we've been going along, and we would love for you to join us as well.
If you're interested in joining, please email me (there's my email address) or send me a direct message on Twitter. And I would be happy to include you in our group as we move forward. And with that, I want to thank the Biohacking Village and the Device Lab at the Biohacking Village, and hopefully next summer we'll all be together in Las Vegas again, so that we can see beautiful things like the flowers and the Chihuly glass. Thanks, everyone.