All right, so thanks everyone for joining our next talk, "The Economics of Cyber Security: How Market Incentives Fail to Protect Users from Cyber Security Threats, But Regulation Can." So we're going to pivot a little bit. A lot of the other talks were a little bit more technical; here we're going to bring in some economic concepts to how we can hopefully solve some of our cyber security issues in healthcare. But first we'll introduce ourselves. I am a serious businesswoman and not a cyber security professional, but I play one on TV. My background is in data science, and I have PhD training in econometrics, economics and psychology, so I'll be playing the boring economist in this talk.

And my name is Matt McBan. I've worked for a couple of different medical device manufacturers, and I'm a professor in healthcare and cyber security. We just want to make sure that everybody is aware that the views in this talk are our own and not the views of our employers.

All right, so we'll start off the talk with just some high-level notes about cyber security in healthcare. Obviously this is the Biohacking Village, so we assume everyone's on the same page, but here are three quick cartoons or slides just to lead off.
So the one on the left: "Our usual colonoscopy equipment is down today, so we're going to use a tapeworm with a GoPro strapped to his head." Obviously this is a joke, but in IoMT there are a lot of cases where we're using medical devices for things they're not necessarily intended for, and that opens the door for some cyber security issues. The middle slide speaks to that as well: "Bonus feature: you can plug your iPhone into your new pacemaker to charge it." Again, while this is a joke, if you go into a lot of hospital rooms today you'll see devices, infusion pumps, what have you, that have USB ports you can plug an iPhone into, and it will actually charge, and those do occasionally bring down medical devices. And then the third one: "I see cyber risk everywhere." It is easy to go off the deep end and just say cyber security risks in health care are everywhere and there's nothing we can really do to bring them down, but I think most of us in this talk know that with some good thought and mitigations you can lower that risk to hopefully a reasonable level. So that's what we'll be talking about here today: how we do that with economics.
All right, next slide. So a few key points. Again, we're not going to get too deep into cyber security in health care, because we assume most of you are working in that space, but we're all aware there are millions of insecure devices out there in operation with significantly outdated operating systems, and we need a little bit more investment to protect patients as cyber security risks grow. The other point I'd like to introduce here is that it's not a technology problem. We know how to solve a lot of the medical device cyber security risks, but we don't, as an industry or as an economy, because the incentives in the market are misaligned, or there are insufficient incentives for manufacturers to invest in the technological solutions that already exist. We'll set about trying to prove that and show the solutions in the rest of the talk.

All right, so most of us know the risk is increasing, not decreasing. The number of legacy devices continues to increase, unfortunately, and risks are growing, certainly.
We've seen with COVID that the number of cyber attacks against the health care sector is significantly increasing, not decreasing, so the risk to broader health care networks, which has the potential for an adverse effect on patient safety, unfortunately is increasing. Just to give a little bit of background, and we're not going to go through all these examples, since most of us are probably familiar with them: WannaCry obviously brought down a significant number of UK hospitals, completely brought them down. And then the Düsseldorf example, which many of us are familiar with, was believed to be the first attack that directly led to a patient fatality, although a couple of Wired articles have walked that back and called into question whether that may be the case.

Matt, do you want to talk a little bit more about the impact of cyber risks specifically in health care? Like, what's the risk here? It's not just data privacy, right?
Yeah, so obviously, certainly data privacy. A health record sells on the dark web for anywhere from 10 to 20 times what a credit card record sells for, and obviously you can't turn off a health care record like you can a credit card. But also, exactly, patient safety. If results are changed, when doctors diagnose based on those results they could make an incorrect diagnosis or prescribe a patient an incorrect medication based on those incorrect results. Or if the device simply isn't available, that could lead to patient injury or even death. Like with the case of stroke, there's a quick time window, or turnaround time, in which doctors need to be able to see the results of certain tests to then go and treat the patient one way or the other based on those results. If they don't have those tests, then they're really without the information they need to be able to proceed, so that could really affect patient care.

So it seems clear that the risks exist in health care, and shouldn't consumers of health care, and by consumers of health care we mean hospitals, like they're buying medical devices, and individuals, I'm buying my medical device, which is in my Apple Watch.
I'm buying my infusion pump, or I'm buying it through my insurance, my insulin pump rather. So you'd think that as a buyer I would want to buy secure products. However, the economic theories we're going to introduce are probably pretty familiar to many of you as pretty obvious, but on a market level they make huge impacts on how cyber security is or isn't incentivized. So first, information asymmetry: consumers don't know what a secure product is. They can't necessarily assess that product's quality or, you know, its cyber hygiene. They're unaware of how much it could impact them, though the risk is present, and they don't know how to evaluate it, so they just don't buy cyber security. There are a couple of exceptions with hospitals; Mayo Clinic has been sort of a standout star in its cyber security acquisition program. But in the end, if there's a new device that improves patient care and it's better for health care overall, if it's a little insecure they're still going to buy it. Unfortunately that's kind of the way the market is right now. They're not willing to pay a premium for security if a consumer can't assess whether or not that security really is embedded in the device. Another bit of psychological bias: we just think everything's going to go well, we're short-sighted. That's myopia, the middle column. And then the tragedy of the commons is, well, somebody's going to make sure things are secure, right?
We wouldn't put things on the market that aren't, or that don't meet some securable, passable baseline, and we look to the FDA to do that. But the FDA is fairly new to this too; they need to innovate. We'll talk a little bit more about that later. So I hope you'll pardon me for the theoretical aspects of the next bit of the talk, but we're just laying a foundation of why economics matters for cyber risk.

On the other side, why don't the manufacturers do this? Manufacturers should just know that they need to secure their products; it's healthcare, after all. However, any company is only going to invest to the level of risk that exists, and if the risk is to the patients but the manufacturer doesn't feel the risk, they're not going to invest in it. So this is the left column: those in charge of protecting a system or reducing risk are not the ones that suffer if it fails. Manufacturers are not suffering if someone dies as a result of a hospital being down, because we're not tracing that risk back to an original manufacturer. It probably can't be done anyway; we're not suggesting that's the way it needs to go. But the problem then is who bears the risk. It just becomes a public risk that, unfortunately, the patients bear, and we can't permit that. Matt, is there anything else on this slide that you'd really want to give to this audience?
I think you've covered most of the salient points.

Cool, all right, so we'll move on. This isn't necessarily in healthcare, but we found a paper that showed that chief information security officers buy security products or security solutions for two reasons: one, perceived risk to the company, and we just talked about the perceived risk to the company not being high enough for medical device manufacturers; and two, compliance, regulatory compliance. They do it because they have to. Just a quick question, Matt: you've got experience inside and outside of medical device manufacturers. Have you ever heard of a company or an individual forgoing a security best practice, like a robust risk assessment or maybe multi-factor authentication, something simple that you think everybody should do, and instead investing in something like clinical outcomes or more R&D?

Yeah, I think there's a belief that as a company there's endless money to invest in cybersecurity, and the truth is there really isn't. A lot of companies run their business lines as kind of independent businesses, so there's really limited overhead. And yeah, certainly, if there's only a certain amount of money to invest in the product and you're looking at a potential cybersecurity threat versus a feature that, through customer interactions, a number of the customers have said, "Hey, we really want this feature." You know, sometimes it's hard to quantify a cybersecurity risk if we don't have, like, an FDA regulation saying, "All right, you need this," or a known customer requirement saying, "Yes, we will not buy a device," like you said with Mayo, "we will not buy the device if it doesn't have these, say, 19 cybersecurity features." So yeah, certainly, we definitely have seen companies across the board.
I'm sure that they're not implementing certain security features due to this.

So we've established that consumers aren't good enough consumers to be able to pick out more secure products, and medical device manufacturers don't have enough incentive to get ROI on security features. How have other industries solved similar problems? I think we have about 10 minutes left; Matt, check me on that timing. Yep, looks about right. Sounds good, so we'll go through these relatively quickly.

The banking industry had a similar problem with ATMs, specifically securing ATMs, and the market solution in Europe and America was different. Some European countries put the burden of assessing compliance on the banks, while the US gave that power to consumers through litigation. So if a consumer was defrauded in some way, they would litigate and they would get their money back, and banks quickly reacted to that litigation. However, where the banks were self-regulating, with the assumption that they would reduce their own risk of fraud, they didn't solve the problem quickly enough. So it's an example of how giving litigation or regulatory power to the consumers that bear the risk kind of solved the problem in and of itself.

In the mortgage industry, Matt, do you want to go through this slide? Yeah, so unfortunately many of us are familiar with the subprime mortgage crisis. Basically it was the inability to anticipate the bubble, short of a few individuals; Michael Lewis was the author that chronicled those few individuals. Basically, the risks were undertaken with the incorrect assumption that the conditions would remain favorable, that mortgages were secure and you could keep banking on that and package it with other financial services. There was obviously a large-scale fallout: millions of foreclosures, short sales. Did you have anything on that, Shannon, that you want to touch on?
No, just that: how can huge risk exist in a whole economy without somebody recognizing it and reducing the burden? We see that in health care right now, and we have a very recent, pretty huge crisis example in our past. I'm going to skip the sterile injectables, but show it on the slide for a minute. It's another example of how we think that the market should sufficiently incentivize, you know, supply of drugs, but sometimes if the company can't get enough ROI, the supply can fall. The analogy there being, you'd think a company would secure a product, but if they can't get the ROI in the marketplace, they might leave sort of poor cyber hygiene or poor security in that product.

So here's a list of how economists solve these market incentive problems. Ex ante regulation is when a regulator has certain requirements, compliance requirements, before something goes on the marketplace. And what's the analogy here for the medical device industry, Matt? So yeah, this would be essentially the FDA having basic requirements. You do see a number of requirements from, again, the Mayos and some of the customers out there that will specifically say we will not purchase medical devices unless they have these requirements, but yeah, an example of ex ante regulation would be, say, the FDA had a list of these requirements. Yep, and that's just for medical devices. That doesn't count the things that FDA doesn't regulate, like electronic medical records, telehealth solutions, data storage formats, etc. Ex post liability is when you get in trouble when you bear a risk.
So, you know, it could be FDA enforcement, but unfortunately the problem there is somebody has to die, or major problems have to occur, before that liability can be traced back to a medical device manufacturer or a healthcare product manufacturer, and it has to be a very clear cause and effect. Unfortunately, that's pretty tough with cyber. Information disclosure is another regulatory trick: arm consumers with more information than the manufacturer would naturally be willing to provide by requiring specific disclosures, and we'll get into an example of that in a minute. Actually, just right now.

So the ex ante regulation that Matt was talking about is FDA post-market or pre-market surveillance. The FDA does product benefit-risk reviews, and cybersecurity risks would be inside of that existing regulation. But you'd expect our regulator to have just as many cybersecurity engineers as they have biomedical engineers, and they're not quite that ready yet. FDA is doing an incredible job moving quickly, and it has been an innovative regulator, but more resources would probably be valuable. An ingredient list is a required information disclosure for food producers; so is the software bill of materials for medical devices. Right now it's actually voluntary, but soon enough it will likely become a mandated information disclosure. That doesn't solve cybersecurity problems in itself, but it solves the market incentive problems: suddenly there will be sort of transparency on, for example, whether or not medical device components are reliably patchable. Matt, do you want to speak to some of what's going on in the health care sector with respect to market incentives? Sure.
So, you know, there are a lot of us that are involved with a number of the working groups, whether it's the Healthcare Sector Coordinating Council or H-ISAC; there are a number of initiatives to try to bring to the market more of these guidances or requirements. Whether it's FDA, the Healthcare Sector Coordinating Council as I said, H-ISAC, CISA, all of these organizations through various working groups are doing work in these sectors. I'm going quickly, but I know we're tight on time as well.

Yeah, it's just not enough. So the overall takeaway from this talk is that economics has a role in reducing cyber risk specifically for the health care industry, and there's not enough going on right now. The market incentives with the current regulatory approach are not sufficient to reduce risk, and the industry is not going to fix it on its own. Matt, do you want to close this out?

Sure. Yeah, so, you know, I think working in the industry we keep looking at it the same way we've always done it. In discussing this talk and some of the economic approaches to other industries, I think it's nice to be able to take a step back and look at other industries, see what's worked for them, and see what's been proven to work in those industries. Health care is a little bit different in that, as Shannon talked about, we have the different players. So it's not like, say, an Apple Watch, where I buy the Apple Watch and I assess it based on my requirements. We have medical device manufacturers selling to health delivery organizations that are then providing services to patients, so there are a couple of different players, and then regulators as well. So we don't have clear incentives; not everyone is incentivized in the same way, all of those different players, to make secure medical devices.
So, yeah, we just wanted to open up the discussion, and we'll have a question and answer soon where we can talk a little bit in greater depth about that. But yeah, we just wanted to present some other economic possibilities for managing cybersecurity risk in health care. Thanks.