It's a little too quiet out there. Can we please raise up the volume a little bit out there? This is DEF CON. Y'all acting like there's a pandemic out there or something. All right, we're going to kick off this early evening party panel talk here about the most happy topic on the planet, which is what the dumpster fire is going on with healthcare, right? But before we begin with that, I just wanted to say we really appreciate you coming out here. I'm going to introduce myself quickly, then Replicant at the end is going to talk a little bit. We'll get to introducing the rest of our panel, which is who you truly came here for. Please give it up in the middle here. And then we're going to get to some topics. We'll talk a little bit about the format. Cool.

All right. My name's Quaddi. Welcome to the Do No Harm panel. We're going to talk a little bit as an introduction about this because this is not the first time we've done this. And perhaps of all the other times we've had this panel, this year may be the most important. And so what the hell are we talking about up here? And that's the fact that we're all going to die. And somewhere between now and when you die, you're going to probably interact with a hospital. You're going to talk with doctors and nurses. You're going to have medicines and whatnot. And believe it or not, it ends up that healthcare nowadays is pretty damn connected. And it's all running vulnerable shit. And for the most part, it's been a raging dumpster fire for as long as I've been around, pretty much. That is what this is about. If you're interested in learning other stuff, there's another really awesome talk going on. But we encourage you to stay here. And then also we'll have some opportunity to answer questions. Jeff, go ahead and take it.

Sure. So for those who may not have come to one of these before, this is actually the fifth year that we've been doing this.
And I just want to give a quick shout out because this entire idea started as a conversation between inebriated people in the hotel room of one Mr. Beau Woods, who's sitting here in the middle with us. And those of us who are adjacent to or exploring this space were like, hey, we're all here at DEF CON. Let's actually sit down and see if we can figure some of this stuff out ourselves. So that has morphed into something that we have been honored and privileged to be able to do at DEF CON now for the last couple of years. And what we really wanted to try to do with each and every iteration, but especially now, is give you guys the chance to have conversations with people who are superstars in the fields that we're talking about here, ask your questions, figure out how you can get involved, and really be face to face with some pretty incredible people. So what we're going to do is we're going to have a little bit of a conversation between us, probably aim for about 45 to 60 minutes on that. And then we'd like to open it up for general questions from the audience. But then at some point, we're all just going to kind of split off and move to different parts of the room. And we'd love to pick your brains, hear from you, and sort of talk about some of these issues in a little bit more personal space. Before we introduce our panel, the last thing that I do want to say is that we had two folks that are affiliated with the federal government who were unable to make it here in person because of travel restrictions. Anybody really interested in hearing from two incredible people should check out our recorded talk, but it's basically Josh Corman from CISA and Jessica Wilkerson from the FDA. And so we wish they were here. I think we're going to hear from Josh a little bit later, but that's the one caveat. Starting down with Quaddi, give a little bit more information about who you are, what you're up to, and then we'll go through our panel and introduce ourselves.
Hey, I'm Quaddi. I am actually an ER doc, so if you meet me at work, you're having the worst day of your life. I hope not to meet you in the emergency department, but maybe somewhere else, like at a bar. And when I'm not working in the emergency department, I do cyber security research on medical devices, healthcare impacts of cyber attacks, basically ransomware. How does ransomware harm patients?

And then again, sorry, right before we get to Beau, who's the next one, we wanted to also say a giant shout out to DEF CON. Fifth year this has been here. We really appreciate this. You guys being out here, got a hell of a thing to put together. Thank you, DEF CON, from all of us at Do No Harm. All right, go ahead and introduce yourself, Beau.

All right. Hi, my name is Beau Woods. I do a lot of different things. I actually started my career in healthcare. I worked at a hospital for about three years in IT and in Infosec. And one of the, I don't know, interesting characteristics that I found is a lot of healthcare networks are a little bit like archaeology. You find all kinds of things that you thought were dead living in hospitals on the networks where they probably really shouldn't be. More recently, I've been a part of an initiative called I Am the Cavalry, which is a global grassroots initiative. A bunch of hackers got together and said, you know, our dependence on connected technology is growing faster than our ability to secure it in areas impacting human life, public safety. And no matter how high and deep we got into federal government and industry, we found that the cavalry wasn't coming. We realized we were the adults in the room, and that scared the hell out of you, as it should scare anyone to have some dude with a random blue mohawk who is, you know, the adult in the room. But we have managed to turn that into some really good impact, including, you know, I worked at the FDA for a year on building a new pathway to market for software as a medical device.
So like the app on your watch that tells you if you're having atrial fibrillation. I also drafted up something called the Hippocratic Oath for Connected Medical Devices, which we may talk a little bit about in a bit. And this led me to do a lot more with health care and industry, including starting the device lab at the Biohacking Village, which if you haven't gone and checked that out yet this year, you really should. It's a ton of fun, and they're doing some really good things over there. So I could probably talk all night, but I won't.

All right, my name is Gabrielle. I started kind of like Beau; my career in science and health care started out doing pharmaceutical and medical device regulation, and I moved into cybersecurity kind of through all of that. And now I currently work as a cloud security engineer in health care and also do medical device research and genetic science consulting on the side.

Hi, everyone. I'm Stephanie, and I started out in the offensive security research space focused predominantly on embedded systems. And then about seven years ago, I decided there was this really big need in the health care space for security savvy people to kind of come in and help, right, elevate the maturity. And so I spent the last seven years as a consultant in the security for medical device space. So I've worked with medical device manufacturers on just about every stage of securing medical devices, also with hospitals and health care delivery organizations on how do they manage the risk of the medical devices that they have, and then even regulators to help them understand what should they be looking at from a cybersecurity perspective before they clear a device for sale, both here in the United States and abroad.

And my name is Replicant. I am an immature computer hacker and a professional central nervous system hacker. So as an anesthesiologist, I dose your brain while people poke you with sharp objects.
And I work with Quaddi on the academic side of things to take a look at medical device security, infrastructure security, and how that's a patient safety outcomes-based issue. So let's just give a big round of applause for everybody other than me. What a great panel. And this is usually a little bit more of an intimate affair in a much smaller room, so it's really cool to see everybody out here. At the risk of perhaps boring some people who are very familiar with this concept, I wanted us to take the liberty of asking some of our panelists to sort of give a very general 30,000-foot view sketch of some of the topics we're talking about, just in case you wandered in here because there's nothing else to do and you are hearing about this type of security for the first time. So Stephanie, we're going to ask you to give a little bit of an overview of what's been going on with medical devices, and then Beau to talk a little bit about the infrastructure and policy issues.

Yeah, so I'll actually take just 10 seconds to explain to everyone just what actually is a medical device. So it's a term that gets thrown around a lot, but it actually has a legal meaning, and so I'm not going to get too boring, but just understand that anything in a healthcare space that helps treat or diagnose a medical condition is considered a medical device. So something like a tongue depressor, that big popsicle stick that they put in your mouth, that is actually a medical device. And so it ranges from the non-digital all the way through the digital that you're probably thinking of, with things like pacemakers and insulin pumps. And so understand all of those are regulated as medical devices, but the potential for patient harm that that device can cause against a patient is what dictates basically what severity of a medical device it is, or what class it is. So not all medical devices are treated equally.
A class three medical device like a pacemaker is held to a much higher bar from a regulatory perspective. And so understand when we talk about cybersecurity for medical devices, that bar, it's all a risk management based game, right? There's no compliance. There's no certification in medical device cybersecurity. It's all risk management based. It is you putting together the story as a manufacturer of here's what I did for cybersecurity, here's how I perceived the risk in my medical device, and then taking that to a regulator and saying, here, I think I've controlled enough of the risks in this device that you should let me sell it here in this country. And so this journey really started back in 2014. So the first regulatory guidance around cybersecurity for medical devices came out from the FDA in 2014. And it was around what we call pre-market cybersecurity. So all the things you needed to do for cybersecurity as a medical device manufacturer to get your device ready to sell. The post-market cybersecurity guidance came out a few years after that, and that overviewed everything you needed to do after that medical device was approved for sale here in the United States, and what you needed to do for that. The FDA has gone back and they're working on a revision for that pre-market guidance. But it's currently out in draft form. So if you want to see sort of where is the FDA going with the requirements that they're now putting in medical devices, you can read the current draft version of the pre-market guidance that's out. And the FDA has been a really, they've been awesome in this space. They have absolutely been partnering with the security research community, the medical device manufacturers, and they're trying to really grow cybersecurity in medical devices without stifling innovation. It's a really, really tough balancing act to make sure that we continue to raise that bar in cybersecurity, but you can't stop innovation in medical devices.
And so that delicate balance, I'm sorry, I won't pontificate forever.

No, that was awesome. And then of course, we've just had a smattering in the last like 15 years of vulnerable medical devices that caught some attention, right? So we had the pacemaker, AICDs, devices implanted inside your body that can shock your heart when your heart rhythm starts getting strange, right? Those have been vulnerable and demonstrated to be potentially deadly if attacked. Infusion pumps that control the rate of medication going into patients, those have also been shown to be vulnerable, like in 2015. And insulin pumps, I mean, there's a whole host of devices. And it seems like the common thread was a researcher wanted to learn more about it. They bought a device off of eBay or got it somewhere else. And in a short time, they found something really potentially concerning about patient safety. Awesome. So we're going to go now. It's not just about medical devices. We're going to talk today also about, like, hospital infrastructure. One of the concepts we're going to talk about is, you know, how can a vulnerability, if exploited, impact a person's life, right? Their ability to be diagnosed with a particular disease or get the treatment that they need. And all that stuff that supports that care is all that infrastructure. And so Beau's going to talk a little bit about just an introduction to health care infrastructure and its vulnerabilities as well.

I'm curious. I know every time we do this, after we step down from the podium and go out into the crowd, always there's like five or six people who come up to me like, man, I work in a hospital. That was so cool. You're talking about the things that I live and breathe every day. So just by show of hands, if you want to raise your hand, who works in or has worked in a hospital dealing with tech stuff? Okay, that's a good number.
How many have had loved ones in the hospital or have been in a context, in a setting, where you were impacted by ransomware or some other type of security incident at a hospital? Raise your hand. Okay, a few people. One of my first days working security at a hospital, we had a network worm that went around and it hit a bunch of servers. Didn't think too much of it. You know, we were able to pop in with remote desktop or whatever, push some policies out to get rid of it. It wasn't too big of a deal for too long. Probably took us, you know, half a day to clean up, which is not terrible. The next day I went in and I got a call from a physician in the neonatal intensive care unit. And the neonatal intensive care unit, if you don't know, it's where some of the most vulnerable patients in a hospital are. It's premature babies and the patients who struggle just to take their first breath. And they're a little bit behind the curve to start with. And the physician who called me up was like, hey, you know, our fetal heart monitors are going up and down, and every time they go offline and come back on, they have this Windows screen. And it's happening about every 15 minutes or so. I wonder, you know, I know you're not the medical device person, but can you help us out with this? I said, hey, sure, I'll give it a shot. So I knew that we had the network worm the day before, Windows screen. So I started going through a quick diagnostic. And it turns out that these fetal heart monitors, which are systems that basically track the premature babies' biorhythms, so that the nurses can sit and watch it so that it can feed into the medical care that the doctors give, they were infected with this banking trojan that was meant to steal grandma's, you know, bank password. But instead it was causing in these devices a reboot every 15 minutes. And so it loses patient state.
And what happens in that case is you have to have a lot more patient care delivered manually by doctors and nurses who are really competent. But it takes a toll. So you need extra doctors and nurses coming in. The consistency will dip if it's not automated, because humans are more fallible than computer programs. And so basically these vulnerable patients were at a loss. So I called up the manufacturer, and the manufacturer said, Oh, you know, sorry, that sounds like a malicious software issue. We don't cover that. I said, Okay, well, give me the password. I can get into it. I know how to get rid of this. It's not a problem. They're like, Oh, we can't give you the password. It's a medical device. You can't change something. Like, wait a minute. So there's a virus. There's unwanted known malicious code on this. And I want to put known productive code, you know, the patch that the manufacturer issued and the software manufacturer for the operating system. And you won't let me do that because that's a change. But malicious software is not a big enough change for you to, you know, have a problem with it. Like, well, you know, that's whatever. They used a line, which is a lie, that it's a medical device and therefore we can't change it without getting reauthorized by the FDA. Totally not true. And we can talk about that more probably in some of the after chat. So I reasoned that if this device got hit by a piece of malware, a network worm, the vulnerability exists, I can exploit that vulnerability too. So I drafted a justification, went up to hospital leadership, got all the necessary approvals, they thought it through, and started just using Metasploit to pop the boxes, drop the patch, kill the malware and get the doctors back to saving lives. Yay, Metasploit. Hacking for good, right? I mean, we want to use our hacking skills for something good. And this was a really productive use.
I was able to put the doctors back in charge of patient care, rather than being dominated by malicious actors who ended up being in, I think, Morocco and Turkey at the time. So that was like my first introduction to security and my first introduction to healthcare security. And it's gotten a lot better since then, fortunately. But that's the type of consequences that you have in healthcare that you don't have in a lot of other industries, right? So I worked a lot in banking and retail and other places. A bank system gets hacked and probably not too many people are going to die from that. Hospital systems go down and the consequences are much different. They're materially different. Not just in degree but in kind. In addition to that, you know, you have medical record systems, which, you know, we've probably all been to a hospital or at least a doctor's office and had our patient records go into this computing system, which allows doctors to track us. It allows us to do a lot more positive things with population health, so that we can find causes of diseases, so that we can track people through their medical records and be able to treat them if they go from, you know, Dr. A in Sacramento to Dr. B in New York City. So there's a lot of benefits, but yet these electronic health systems in some cases were prematurely connected. We incentivized putting these health records in a computerized system, but we didn't necessarily incentivize to the same degree securing those systems. In hindsight, a lot of us in this room look back at it as a mistake. And yet there's also scientifically rigorous data that shows that that has helped population health improve. In my more recent life in doing cyber policy, and I feel like I can say cyber in this crowd, because I live inside the Beltway, I live in DC, and I work in talking to policy makers. So I promise I will drink later for saying that. But in thinking about some of these issues, man, I lost my thread.
Talking about the cybers and drinking too much. Too much drinking already, possibly.

Well, you know, I am compliant with the three-to-one rule. I got four hours of sleep each of the last five or six nights. So I am ready to go. Although I missed my second meal yesterday, and I need to get a second meal today. Otherwise, I'm going to be all out of compliance. But in my role as cyber policy person, I've talked to a lot of people in high positions of power. And one of those was a former president of a European nation. And after having some of these conversations where before the conversation was all about data confidentiality, we started talking about health records. And so the very shorthand version that he came up with was, I don't care as much if somebody can read my blood type, I care if they can change it in the system; that would cause a much bigger impact. And while we've spent over the past five years about $1 trillion globally on people, products, services, most of that has been focused on data confidentiality. And the capabilities that you use for data confidentiality are very different than the ones that you would use to protect the integrity and availability of human life. So I think hospitals and other places where you deliver health care are really interesting places where we may not have the hands-on experience to deal with those types of infrastructure in the same way that they need to be handled. So less of a data focused aspect and more of an impact of physical conditions. And so the infrastructure in hospitals is very different than what we may think of. And so when we apply some of our general rules, we might have to think differently a little bit to make sure that we don't inadvertently cause harm to human life. Christian, you've got a great line, I may butcher it. But it's something like, as we seek to treat existing pathologies, we should be careful not to inadvertently create new ones.
That sounds much smarter than I actually am. Yeah, he read that on a fortune. Yeah, so I'll take that one. All right, so yeah, so I want to ask the panel a question. And I want to start with Gab first. But basically, like we have these types of conversations every year. And one of the most interesting things is, what is the change in our thinking from year to year? And obviously, we are 18 months now into a global pandemic, which is a sentence I would say in med school. But Gab, like you've had a very unique and interesting role as part of our response. So what have you learned in the past 12 to 18 months that has really sort of changed your preconceived notions about what we need to be thinking about when we talk about the security in healthcare?

I think we've seen a really big stress on our health system. And we've seen a lot of hospitals at or beyond their capacity. And it's made people realize that, yes, we need to figure out what's going on, what we can do to kind of keep this from happening again. And I think we've also seen situations where that max capacity that the hospitals did reach was exploited in some ways. If a hospital is at max capacity, and suddenly they are hit by ransomware, malware, taken down. That's a huge problem. That's so many patients that have issues. And I know there's been quite a few breaches in the last year. It seems like healthcare breaches have been in the news a lot more than maybe previous years because of the fact that COVID has everything in the spotlight. But I mean, there have been times that, you know, the cardiac cath lab went down, they couldn't use any of the materials, machines that they needed to in those labs or, you know, use the ICU as intended. And it's just become a lot more of a visible issue, I think.

Yeah. And so add on to that, you know, one of the things in working with hospitals at the beginning of the pandemic or before it happened, you know, there was this really growing maturity.
And how are we handling medical device cybersecurity? There were these really amazing ornate plans about we're going to do micro segmentation. It's going to be amazing. We're going to put all these medical devices. And it's just as soon as the pandemic started, all just crumpled up and thrown in the garbage, like we're pulling old medical devices out of closets, we're pulling them out of old academic institutes, we're setting up clinics in parking lots. And for good reasons, right? But, but I mean, that just all those network rules, all the segmentation, just gone, right? So you ended up with this really big spaghetti monster of networking of medical devices now inside of hospitals because they just had to get stuff to work quickly. And on the regulatory side, there was actually a relaxing of regulatory requirements for medical device manufacturers to put out updates to medical devices that enabled remote patient care. So a medical device that previously a clinician had to walk into the room and do something to, if a manufacturer was able to put out a software update that removed the need for the clinician to walk into that room and instead maybe task it from a nurse's station, there was actually a relaxing of the regulatory rigor needed for the manufacturer to put out that update because they wanted those things to come out quickly. So I support that they did that, but understand that that also happened as a result. So some of the software updates that were coming out at the time to enable remote care to some of these medical devices did not go through the normal rigor process. And in some cases they did, right? Some manufacturers still did their normal business as usual, but some would have taken that route that was relaxed rigor on what was actually needed from a testing and verification perspective of those patches.
So you're just now starting to, in the healthcare space, I feel like you're just now starting to see these IT clinicians come out and up and able to breathe and actually say, OK, I need to clean out the spaghetti monster that I made. And so you're now starting to see that bandwidth come back where they're looking back at, OK, how do I re-segment these networks? How do I get these legacy medical devices in a secure network versus just the, like, let's just put it all together and make it work. So I think we're starting to see now that wave of let's kind of clean up that technical debt that we acquired early on in the pandemic. And so we're starting to clean that up.

I just want to get anyone in the audience to raise your hand. If you saw a doctor or a nurse practitioner or some other provider on your phone or on your laptop during this pandemic, raise your hand, or keep your hand up if you thought that was rad. All right, keep your hand up if you think that that person was behind, like, them connecting to the network and viewing your medical record or using the telehealth platform that they did could, you know, hold itself up to, like, the lowest of skid. Oh, there's like no one up there. Exactly. To continue what Stephanie said was that, like, I'm an ER doc. When the pandemic hit, I put my hacker brain to the side and I thought, like, we're going to be, I remember my boss saying, pack a bag. You have to be able to live with two weeks of stuff. You may not see your family, might have to live at the hospital. We don't know how bad this pandemic is going to get. And so my hacker brain was like, all this work that we had done to try to secure these devices and all the fear that I had about this had to go on the side, and COVID took the front. And that exactly was the paradigm we had, which was, you know, how can I treat patients at home when the only thing I have is a phone for them to call me with.
And so it was an explosion of access, almost no regard for commensurate security. And I don't think that... I think that was the right call, right? We're worried about bodies in the streets at that point. I mean, luckily, you know, at least here in the United States, we didn't see that very often. But I think what it showed to us also was that it is so fragile. It is amazing what actually supports health care and how fragile a technology that we are so dependent on is in use all the way around the world. And if it took this awful pandemic for the people paying attention to realize that, you know, it's a virus now, but our dependence and the potential for consequence to human life could very easily be replicated with a pretty large attack, a pretty large ransomware attack, for example.

Beau, I want to ask you as somebody more on the policy side, I definitely echo what Quaddi was saying. Like when we were in the thick of it, we were intubating patients in the ICU and running low on ventilators. You know, we were looking for a machine that could deliver positive pressure to a patient with diseased lungs, and that's the bare minimum. There were so many inventive solutions, partly from the makers in the hacker space who were able to jerry-rig things. Has your thinking at all changed with respect to the threat model? Because we had all this exposure to medical devices and the security wasn't really as much of an issue as we are now seeing with more infrastructure-based attacks. I mean, for the last five years we've been worried about a discrete individualized medical device and now we're starting to appreciate the problem differently. Can you talk about your thoughts on that?

Yeah, that's a complex question. I'll give a slightly off-topic answer because something that Christian said really triggered me to think about the positive outcomes that we could see, and especially in public policy some of the positive outcomes.
So for those people who raised your hands because you could see a doctor on your phone or on your laptop, that only happened because of a policy change where telehealth, telemedicine, is now reimbursable by insurance. I think that's absolutely amazing. Like, why have we not had the ability for home health care? Why have we had to go into a doctor's office? Yeah, thank you. Why have we had to go into a doctor's office, take time out of a day or whatever? Why can't we just get on these phones? The technology in the vaccines that most of us have now taken, everybody in this room has been vaccinated, not everybody has been vaccinated with the same technology, but like mRNA vaccines are absolutely astounding in what the capabilities are, and it kind of took a pandemic for us to unleash some of these things that we've been hypothesizing about for a while and trying to do. I remember I had a conversation with a physiotherapist who, you know, physiotherapy is like very hands-on. You have to touch people, move their arms down and manipulate their body so that their body can recover in a way that helps them get by. And they were doing remote physiotherapy sessions and the person's partner was actually the one who was doing the physical touch. Like think about what that means in terms of a patient; instead of having a stranger touch you or be there with you, it's your loved one, whether it's a family member, a friend or whatever. I would like to, well, I want to focus on the happy side of it and the fortunate side of it for a minute because a lot of times we just look at the downsides, but I think there's a lot of amazing capabilities that can come out of it. And Jeff, to your question, you know, what is my, how does my threat model change? I'm seeing and trying to see, it takes conscious effort because we're wired differently than a lot of other people.
I want to see the benefits, the silver linings, and look at what can come out of this that we could then use to create the next generation of patient care and the next generation of more convenient, more effective medicine and health that we can deliver to people around the world.

Okay, we're going to ride that amazing uplifting sentiment to the top of the roller coaster and we're going to go right back down, okay? And I think that is, we'll start off by saying, you know, the vaccine was amazing and we have an expert on this panel to discuss that, but I mean, Gab, how close were we to, like, one ransomware attack delaying the vaccine by six months? Like that is terrifying shit. Think about how many people would die, and I'm kind of curious because you have some insight.

Yeah, definitely. It was bad. There were a lot of attempted attacks to either glean some vaccine information from what we had or just to kind of see what we were up to, and that would have upended everything. I mean, we were working really hard to kind of get everything out as fast as we could. The trials, some of them are running concurrently, phase 2, 3, 4. A lot of the sites performing the trials, I mean, I can tell you that the review of those was really scary and kind of quick. It was run through really quick and yeah, just anything that would have toppled that house of cards that was barely being held together would have been horrifying and it would have pretty much stopped everything completely in its tracks and taken down whatever work we had already had, and it doesn't sound, I guess, that bad since we're past that point, but there is no reason it couldn't happen again.

So at the risk of asking you to toot your own horn, Beau, I mean, you and Josh, he's not here with us tonight, but you were hired at CISA specifically for the purpose of protecting this type of research infrastructure and vaccine delivery. What did the feds do right in this situation for once?
He's gonna have to pass on that, sorry. Hard pass. But we just want to reiterate, you know, Gav is talking about so much of the research infrastructure, the collection of data, the clinical trials, the technology to develop the vaccine, to then manufacture the vaccine. If you really take a 40,000-foot view of that, you can know as a hacker how many very vulnerable links in that chain there were. And if only one broke, if one data center containing the critical stage, sorry, phase two clinical data was inoperable and inaccessible, they'd have to redo all of that, and it could put us months behind. And it's not just the citizens of the United States that would have suffered, but that vaccine coming to market even days or weeks later would have resulted in thousands of deaths. It's amazing that we didn't think about this stuff ahead of time, or maybe we did, and I just wanted to give a shout out to the hacker community and say this, you know, I grew up a hacker and I really think we are the ones that are screaming, this stuff is on fire, it's not just smoke, it's on fire, we need to fix it, and we've been saying this for a long time, and I think, I hope, after this they're going to take us a little bit more seriously, and really be able to fix this to some more appreciable amount, so next time something like this happens, it's not nearly as bad. So really, give yourself a pat on the back, okay?

All right, I'm gonna play a clip of Josh Corman, about four minutes. He was supposed to be on this panel, he couldn't be on this panel. I'm gonna go over to this podium, I'm gonna play a four minute clip, I want you guys to pay attention, and just to give you a tiny bit of a primer, this is a discussion about patients' lives. So I often get asked, show me the body count, right?
I'm so, like, you talked to me until you're blue in the face, Quati, about how bad this is in healthcare, but show me someone who's died. And so this is kind of a primer, you know, can someone be injured by this? So, by the way, Bo, my question was a test, and you passed it.

NCFs, these are the things that affect national security, national economic security, and national health and public safety. The one that's been in the red zone and the purple zone for most of the pandemic is called provide medical care, and this is what two of you do professionally every day. We looked at severe strains throughout the pandemic, initially noticing a new problem because of the pandemic, which was cascading failures. So it used to be that if you had a ransom or an outage or some power problem, you would merely divert ambulances to the next nearby facility, and that's kind of predicated on the next nearby facility being able to receive anybody. So when everyone's at a saturated level or in the red zone themselves, a failure in any single hospital tended to have cascading stressors or failovers in nearby facilities. So Chris and I heard, in your amazing testimony to House Energy and Commerce, similar sentiments, so we started studying that as well. Then we started looking at something very poorly covered in the media, but the CDC tracks something really important every year, every month, called excess deaths, and this is the difference between expected deaths and actual deaths by condition, by month, by state, and at the national level. And when the U.S. hit that February milestone of 500,000 lost Americans to COVID, we also hit a different milestone of 150,000 lost Americans to non-COVID conditions that are otherwise treatable, very treatable.
The number one age demographic of that was 25 to 44 year olds, so young folks that could have been saved, but for excessive loads on our health care delivery across the country. So these are time sensitive things like heart attacks, strokes, cancer, where time matters, minutes matter, hours matter, days or weeks. So Christian and others on this panel in the past, we often cite the New England Journal of Medicine article that says 4.4 minutes during a marathon can be the difference between life and death and increased mortality rates for heart attacks. We know with strokes the difference between life and death could be one, three, or four hours. So what did four weeks of interruption in the state of Vermont do, with the UVM Medical Center and 118 facilities in upstate New York, Vermont and New Hampshire? So again, where minutes matter, we know that delayed and degraded patient care affects outcomes, including mortality rates. You know, we were deeply concerned about this and almost done some of these truth bombs, but when we looked with data scientists for the first time, this fusion center, we started to say, is there a relationship between capacity levels and mortality rates and excess deaths? And we're starting to share this with the public data, but without getting into the inflection points, we did see a strong and positive correlation between something like ICU bed count and excess mortality, excess deaths 2, 4, and 6 weeks later. So we got kind of a leading indicator that we could tell if a hospital or region, a state, was going to incur excess deaths if they were starting to reach too high of a capacity level, and then ask the really tough question, I think, Do No Harm cares about, which is, can cyber disruption precipitate or accelerate or cause that harm to worsen? And of course we know fire is hot and water is wet, so of course any degraded and delayed patient care from any source can do this, but we did start asking uncomfortable questions and looking at
the states hardest hit by that concerted effort to disrupt health care during the months of October and November, and adjusting for all other variables, in a state like Vermont it was very clear that electronically disrupted hospitals achieved that excess death red zone much faster than their peer group. So again, if minutes and hours are the difference in life and death and you're in a geography that can't get to the next nearby facility, we should stop asking, can cyber attacks lead to loss of life? We've answered the question. There's enough statistical evidence now to show this.

Wow, that makes you feel happy inside, doesn't it? This is what we're talking about. It's really important to protect patient health information, it's really, really important to realize that in medical conditions where minutes matter, if the hospital infrastructure is under attack, you could get worse care. I wanted to play that clip at the request of Josh's panel, just to discuss briefly kind of your reflections on that, because for the longest time we've gotten so much criticism, and some of you out there in the crowd may have this, show me the body count, you know. Is this a turning point? Are we seeing more and more data? Can we now more reliably conclude that patient harm is real when a hospital gets ransomed, and what the hell do we do about it? I'm gonna just lay that out there.

I mean, I think if you can listen to what Josh said and still think that there isn't a correlation immediately and that there isn't a body count, then you're not listening. What can we do about it?
That's really hard. If you work at a hospital or you have worked at a hospital, then you already know that in some cases the choice between, you know, buying another blinky box or hiring a CISO, the trade-off for that is maybe you then can't buy an MRI machine or you can't hire another physician or nurse or other type of clinician. Those are really hard trade-offs to make. So when we sometimes, you know, sit back, and for those of you who haven't worked in healthcare, and think, well, you know, just patch stuff, or just get somebody who knows what they're doing: if you're a clinical access or a critical access facility, where there's, you know, no other hospital for 100 miles, let's say you've got eight beds, you've got five or six doctors, a handful of nurses, which nurse is going to be your IT person? Probably none of them. But they're in the position where you can't really hire somebody in that local area, because if you have IT talent, a lot of times you go to the bigger city because there's a salary there that you can't match locally, and a lot of these places are really struggling. If you look at the, I think it came out in 2017, the HHS Health Care Cybersecurity Task Force report, they looked at a lot of really important, profound truths and surfaced those and put them into a nice, you know, page one graphic that says here are the problems in healthcare. But they went beyond that and they said here are some of the things we can do about it, everything from public policy steps to some things individuals could do to things hospitals could do, you know, carrots and sticks, incentives and punishments. But I think there's some good blueprints in there, including, you know, for instance, can we have managed service providers that cater to the needs of these hospital workflows, so that, you know, if you have an anti-spam filter and you get a bunch of emails from labs that might trip a threshold, you don't block the emails that are coming in from labs where it's critical treatment information
coming in, right? How can we create some of the incentives that would allow for those managed service providers to do that, so that you can scale up security protections or scale them down to the size that fits some of these small organizations that are really cash strapped? How can you do several other things? So I'd encourage you to go take a look at that. Government reports are a little bit dry, but go check it out. And has anybody ever, like, called your hospital to, like, volunteer? Hey, do you guys need some help? I have a certain skill set and expertise, I'd like to see if I can help you. That might also be a step you could take. Or trade in, temporarily trade in a high price job for one that's maybe a little bit lower salary but in one of these healthcare areas where you can make a huge difference to somebody. I'm getting a thumbs up there, I take it that at least one or two people in the audience have done something like that, so it is doable.

Yeah, and so one of the things I also wanted to kind of shed light on is the scale of the problem, and so giving people an idea: in just what we think of as a pretty medium, normal size hospital, you may have around 6,000 unique makes and models of medical devices, digital medical devices, on that hospital's network. So when you start to talk about maintaining the cybersecurity of those medical devices, that is 6,000 unique makes and models that update patches in different ways, that you have to keep track of if they're patched. I can tell you from working with hospitals, the number that have a grasp on what medical devices are even on their network is just so tiny. That is such a huge struggle in the space right now: hospitals don't know what medical devices they have, they don't know what's on their network from a medical device perspective. The ones that are more mature that I've worked with, that have gone through that exercise, what they've found was the medical devices actually represented about
15 to 20 percent of the endpoints on that hospital's network. And so that's a really big percentage of endpoints. When you think of all those other hospitals that don't have those maps, that don't know what those 15 to 20 percent of those endpoints are on their hospital networks, that's pretty scary. And so the scale of the problem is huge. We don't know what's on the networks. There's such a unique amount of just makes and models that even if you do have a grasp on it, keeping those things up to date with the patches is just a full-time job for dozens of people, and to Bo's point, they don't have full-time dozens of people just to run around and patch medical device cybersecurity. And the other piece of it is just the legacy issue. Medical devices are actually designed really well, so for a medical device to perform its clinical function for 15, 20 years is not uncommon, right? But we all know there's literally no digital components we could have put in that, that 15 or 20 years later, are still secure. And you can't keep patching it, right? At some point it can't run the latest and greatest of anything. So you have a lot of these hospitals really struggling with this problem of: they have these legacy medical devices that still perform their clinical function, but they represent a really high cybersecurity risk to their network. So how do they decide to let go of something that's still working, right? Medical devices are not cheap, and when you think of, again, a medium-sized hospital, right, one of the ones I worked with had about 1,200 infusion pumps, right? That's not even that big of a hospital. 1,200 infusion pumps, you go to replace that, that is millions of dollars to replace devices that are actually performing their clinical function just fine. So where do you find the budget to do that when those devices are working, right? What is that bar of cybersecurity risk where you have to make that decision to end-of-life that medical device? And a lot of hospitals are really struggling with that
right now.

Yeah, and I just want to take that problem, combine it with the problem that Josh mentioned on the video, where we may have actual degradations of patient care here, and turn the thinking a little bit, going from admiring the problem to understanding how this might be an opportunity to actually do something about it. And I think one of the things that is very exciting for me, bad jokes on my part aside, is having people who are knowledgeable about these issues from the hacker community in a position where they can actually influence and direct policy at a number of really awesome agencies that are doing some incredible work. And Christian's not going to say this, so I will, but he's doing an operational role, he's a medical director of security at a hospital. So there are hospitals who don't look at this as something that they don't want to address, but actively invite and engage people to help them solve it. I mean, there may be a situation in the future, and we can talk about the potential policy aspects here, where, you know, there's a recovery and a stimulus, and maybe this is something that we should address and put resources towards to help these hospitals that don't have them. I mean, I commonly think about this as a problem analogous to clinical medical disease, right? It's much easier to prevent a problem or to manage it chronically before it becomes an acute issue spiraling out of control. And so I think figuring out ways for us to turn towards those types of solutions is really interesting in this particular moment.

All right, we're going to play a little game. All right, raise your hand if you think that if a hospital loses your medical records, they should be fined a lot of money. That's okay. All right, keep your hands up if you think that that's going to make healthcare cheaper for you. All right, keep your hand up if you think healthcare is cheap. Tell me if you think it's going to get cheaper in the next 20 years. We have a, oh, I
hope so, I really hope so. And maybe so, you should, I need to talk to you, because you have the solution and I don't know what to do. So we get these hospitals, we've talked about how hard the problem is, how they don't have the people to help them, how they're up to their necks in vulnerable legacy medical devices and infrastructure that's very fragile. They get owned and they have a big breach, and they have to pay millions of dollars in fines, and then it's going to probably increase healthcare costs across, and, you know, Bo talked about the trade-offs that hospitals have to make. If they pay a big fine, how much money are they going to have left over to fix the freaking volms that got owned to start with, right? It's a really hard problem, but we have to hold people accountable and organizations accountable for this. We're in a real hard spot. You know, there are cyber, I'm sorry, I'll drink a whole case of Red Bull later, I'm freaking sorry about this, all right, but there are cyber haves and have-nots in healthcare. There are hospitals that have marble floors and palm trees in the waiting room, right? Those exist and they're doing a lot better. And then there are rural hospitals and critical access hospitals that bleed millions of dollars every year, are the only ones taking care of patients for 500 miles, and if that hospital didn't exist, people would die. They're the ones with shared credentials, still running Windows 7, they're the ones that can't afford new infusion pumps, and we want to fine them a lot. And so I'm not saying let's pity these hospitals, but we've got to figure out, well, how do we fix this problem? And I want to just have a handle: would you as a taxpayer be willing to pay to have healthcare more secure? Raise your hand. Would you be willing to spend taxpayer, oh my, don't take a picture because it's against the rules, but this is the sentiment, right? It's a shared thing. The pandemic has reminded us that we all share this ecosystem of healthcare. It's really fragile and it's
unacceptable that it remains in this state, and what we really need to do is raise the entire ecosystem's security resilience. I'm going to just quickly say, I worked in the ER on a Monday, and if you work in the ER you know that Monday is the worst day to work, they're always the busiest. I was on a Monday and the waiting room was blowing up, wait times were skyrocketing, patients were staying in the hospital for two or three days in the emergency department, sometimes two or three days waiting for beds upstairs. What happened? It wasn't even us that got hit with ransomware, it was a hospital system in the same town as us, right? It's an ecosystem of care, and if we don't build up the resilience of the entire ecosystem, guess what's going to happen to the ambulance transport time if you have a stroke or a heart attack and you have to go and bypass those five of our hospitals that are on diversion because they got hit with ransomware? Guess what, your time's going to be longer, and that's not going to do well for your heart or for your brain. Maybe the difference between whether or not you walk or talk or eat or live or need to have a pacemaker implanted in your body. Sorry for the rant. I wanted to, oh, anyway, reflections on that before I move on to a less depressing topic? No? No. Raise your hand if you're familiar with software bill of materials. Anyone? All right, rad. I'm going to quit talking because there's this thought about software bill of materials as a potential mechanism to reduce vulnerabilities, or at least identify vulnerabilities and patch them sooner. I'm going to open it up to the panel here to briefly talk about SBOM, and then as well whether or not it's going to fix all these problems, right? Is this the magic secret sauce?

Yeah, so I'll start this. So for those who, you know, said you're familiar with the SBOM, one of the things everyone in the room might not realize is that I actually credit sort of the healthcare and medical device space with being one of the first industries to
actually really rally around this concept. So the NTIA working group that was really building the foundation of what is now becoming a NIST standard, based on the NTIA working group work, that was actually very heavily run by the healthcare industry. And so the healthcare industry has had several years of working on SBOMs. If you look at that draft premarket guidance that I mentioned, that the FDA put out about two years ago, you'll actually see that that was one of the requirements inside it. They called it a CBOM at the time; they're updating it to be called SBOM to align with industry terminology. But this whole concept of SBOM is really polarizing. It's very interesting to talk to people who are just immediately against this, thinking like, oh my god, we're just giving a roadmap to all the attackers. And I'm one of the people on the side of the fence that actually says this is actually a really good thing, right? The attackers are gonna figure out the roadmap, they're gonna figure out what's in your device anyway. Instead, let's enable the good guys to actually have that list of ingredients that's inside of our devices. And so for anyone following on the policy side, earlier in May there was an executive order that came out here in the United States around sort of this supply chain transparency, and one of the things hidden inside of that was around SBOM. And so that's why you start to see that initial NTIA working group around the SBOM is actually now getting translated into a NIST standard, and so much more of a spotlight has been brought onto this topic of SBOM since that May executive order. But the healthcare space has actually been really working on this for a number of years, and some of the initial, like, formats around CycloneDX, I'm trying to think of the other two, I'm totally blanking on the other two formats. But a lot of the work around getting SBOM to actually be operationalized is getting around consistent formatting and consistent
nomenclature, and so the healthcare space has been working on that for several years, trying to actually figure out, you know, how do we, one, generate SBOMs in a consistent manner, and then how do you get use out of them, right? So we've had a lot of hospitals who are actually trying to use SBOMs and struggle on both sides of it. And so I would encourage anyone who's interested: the NTIA working group actually put out a report around how we tried to use SBOMs in the medical device space, how hospitals tried to leverage them, and a lot of the struggles, basically, that are still in the works of trying to tackle, like, how do we make this really impactful in the healthcare space. And to Bo's point earlier, anyone in this audience who is interested in that topic, absolutely get involved. Those working groups are open, you can reach out and join any of them. We absolutely need as many security people as we can working on these topics. Any of the guidance around cybersecurity for medical devices, I would encourage anyone in this audience to join them, we need those guidances. I will say, I have sat on a number of those working groups around any kind of regulation, guidance document, technical frameworks that come out for the medical device security space, and they're so influential in the space, but I can tell you a lot of the working groups really lack subject matter expertise. There's a lot of people who write standards as their day job, and I love them, gotta have people who love writing standards, but what we're lacking in a lot of those working groups is the security expertise. And it's not sexy work. You will sit on phone calls where you listen to people argue about where commas should be for literal hours, not joking, and it is incredibly painful, but at the end of the day, when those regulations come out, they need cybersecurity expertise to make sure that those are actually impactful. So same thing with those working groups at NTIA, we need more security people. So anyone in this
audience, if you want to make an impact, one of the biggest ways you can do it, if you're not willing to sort of change jobs and change your salary, join those working groups, be a subject matter expert on any med device security working group. If you're not sure which ones to join, absolutely reach out to me, I can send you a list of stuff, but please be on those working groups and lend your security voice.

For those who aren't familiar with SBOMs, software bill of materials, the idea is, gross oversimplification, but it's like an ingredients list on your food, right? What's in the thing that you're using? And Dr. Marie Moe, who is herself a pacemaker patient, sometimes says that she can know the ingredients that go into the candy bar she's eating, but she can't know the ingredients that go into the pacemaker that keeps her alive. And in another very oversimplified example, if you look at two extremes, and you know, software bill of materials is not either of these extremes, but two extremes, one where manufacturers have no idea what goes into the products that they may can sell you, and one where they have full visibility into what goes into the products that they may can sell you, which one would you rather be at? Anybody? Anybody want manufacturers to have no idea? Is your hand, Christian? Does he? He's in that camp, that's cool. But in some of the last few years, when hospitals have started asking medical device makers to provide a software bill of materials, it caused those medical device makers to have to figure out what's actually in their software, what's in their hardware, and they said when they looked into it, it scared the hell out of them, and they issued updates, not because there was a new vulnerability announced, but because they found out that there were very old vulnerabilities that were causing undue risk. So the act of asking to reveal what's in your software, what's in your hardware, can have this catalytic reaction, even if, to your point, even if the hospitals themselves don't know
how to use it, the act of asking can create that. And in financial services organizations they've been doing this for a while. One of the people who participated in some of the NTIA conversations said that they were at a large bank, and they asked for a software bill of materials, and if the manufacturer of that software couldn't tell them what's in their software, then they asked them for a 20% discount, because they knew that they were going to have to layer on extra security on top of whatever they bought, because they couldn't account for what was actually there. So there's many, many uses for a software bill of materials, whether you keep that internal to the organization that's developing the software or whether that's something that's requested and passed on through the supply chain.

Just to add on to that a little bit, I mean, as someone who's sat on a pharmacological review board as well as a recombinant DNA review board, we analyze every single ingredient that goes into every single pharmaceutical that is out there. It's tested over and over again. We know exactly where it came from, you know, what modifications it has, things like that. Why wouldn't we want to know what configurable pieces go into medical devices?

All right, so if you've ever been to Do No Harm before, you kind of know that we do this for a little bit. We're going to take a couple audience questions for the full panel, and then what we're going to do is we're going to break up, and each one of the panelists is going to go into a corner or so, and you can congregate around them. We'll get to that in just a moment. I have one last question for the panel before we take open Q and A, and that's going to be, first, who here is invigorated, or sorry, who here's depressed after watching this talk? Yeah, raise your hand, it's okay. Who here, you guys are already depressed so you couldn't get any more depressed, okay. Well, if you need antidepressants, Jeffrey at the end can write you a prescription for some. They take a while to kick in,
so we encourage you to start now. How many of you are not depressed but maybe, like, invigorated to try to go and try to help this problem, or try to contribute to make things better? Oh, that's amazing. That's my last question for the panel: each of us could take an opportunity to say, to the hackers in the audience, what can they do individually, besides what we've already talked about, you know, take a pay cut and go work for a hospital? Anything else that you and the audience could do to make this better? Sit on a standards body, etc., but anything else to take away before we open up the Q and A?

I'll say, talk to your own doctors and nurses and people you interact with as a patient and make sure that they're up to speed on some of these issues. They don't have to be experts, but make sure that they are aware of the fact that this is becoming something.

Yeah, and so I already mentioned the working groups, so absolutely the working groups, but beyond that, if you work as a vendor that is in the software security solution space, right, so maybe you guys make some widget that is supposed to help with cybersecurity, think about how that widget may help the healthcare space. There's a lot of general purpose sort of security widgets out there that just don't work in the healthcare space: either the medical devices are too resource limited, they have interesting operating systems, they're used for things that have real-time signal processing. There's a lot of general purpose security widgets out there that literally just do not work in the medical device security space, so they're also very limited in some of the solutions that they can just generally adopt. So if you work at one of these tool vendors, maybe bring up the fact that, like, hey, what do we do about the medical device space? Is there something we could pivot our software product to do? And then of course, obviously, just go work for a medical device manufacturer or a healthcare organization. I don't know a single one that does not
have open job reqs right now for security people.

It's kind of a conglomeration of the previous ones, but ask a lot of questions, you know, question everything, do your research, visit the villages that are, you know, messing around with your medical devices and your infrastructure, and just be that kind of force that can continue to be an advocate for this kind of thing.

Yeah, there's a lot of good things that have already been said. I'll say something that's slightly different, which is states actually hold a lot of power over healthcare. States in a lot of cases are a regulator of hospitals and others, so a lot of the time there's a big focus on federal legislature, on federal public policy, but states also do a lot of public policy, and a lot of times they don't get the help and support from the organizations that tend to frequent DC. So wherever you live, you have a state government, unless you live outside of the United States, in which case you have another type of local government, and oftentimes, you know, you can just call up whoever your local representative is and say, hey, I have a certain skill set, I'd like to offer it to you, do you have anything that's going on? Or, you know, ask them for a briefing. You'll get 15 minutes, so you can go talk about healthcare security and some of the consequences and some of the other things, and just having those conversations sometimes will lead to them taking some action. Maybe it's writing a letter. Something as simple as writing a letter, even from a state legislator, can make a big difference in nudging hospital administrators or medical device makers or doctor boards or others into a situation where they actually consider security as a part of whatever they're working on, whatever they're doing.

Awesome. I just got one thing to say. I think one of the most important things that happened in this space in the last, you know, 10, 11 years was that hackers out there went out and got medical devices and started poking at them and started finding
what was wrong with them and brought that to our attention, whether it be Kevin Fu's group talking about pacemaker AICDs, or Barnaby Jack, before he died, talking about that, or Jay Radcliffe's infusion pump, or Dr. Marie Moe, you know, reverse engineering some crypto on her own pacemaker. These are the types of things that hackers do really well, and we need more of that. We need more of you out there doing some device research. It's, believe it or not, pretty easy to get a medical device, depending on the medical device. You'd be kind of shocked about how easy it is. Poke, prod, bring your research to a place like DEF CON, teach others around you, because that action, those hackers that went and did that research and brought it to everyone's attention, they really freaking moved mountains. I'll tell you, right, the FDA did great things in response to the research, had their backs as security researchers, and as long as you do it in a safe and responsible way, using things like coordinated vulnerability disclosure, you know, being responsible about that, knowing that these vulnerabilities can really impact human life, doing that type of research when hacking on things like we do can really make a big difference. And so I would encourage you out there to do it, and to do it right, and to be responsible with it, but that can help us really change a lot of minds.

Oh yeah, so to add one thing to that. I mentioned I used to work at the FDA, I worked there for a year on a one-year program. They really want to hear from you. In 2012, 2013, 2010, when some of the initial hackers were doing their research on medical devices, security wasn't as prominent on their radar. Today they're all bought in. I mean, come on, they hired me to come in and help them. They actively recruit. They're not here this year, of course, but in the past several years they've been out at the Biohacking Village, going to talk to hackers, going to talk to medical device makers, making sure that medical device makers know that they expect a
certain level and in fact one of the things that we pioneered was a website called We Hard Hackers wehardhackers.org where the FDA the director of the FDA came out and said we want more medical device makers to put their devices in the hands of hackers so that they can find the bugs before they become harmful and so if you're researching medical devices if you have done your diligence to report to a medical device maker the next step should not be public disclosure it should be coordination if not with the medical device maker with the FDA they want to hear from you and they can pull levers that you can't they have an amazing suite of capabilities that they can use to figure out what the right thing is not for the medical device maker not for your ability to you know drop o day at black hat but for patients and that's what this is really about it's about patients it's about healthcare it's about those vulnerable people who really need us so I just wanted to add that awesome all right well we're gonna take some questions for the full panel I'm gonna ask you the following if you could come up a little bit closer to the stage please do not spew COVID on anybody ask a question I'll repeat it there might be some questions that are off limits but I don't really think that's probably going to be a problem here and then if you want to save your question to an individual panel member after we take a few questions we're going to break up and then again I'm going to remind everybody respect people's COVID precautions don't get too close wear your mask especially with our panelists as they're around and the people around you because we're a community of hackers we're a family last thing we want to do is hurt each other okay any questions yeah so the question was how do you get software and I'm assuming hardware vendors who come sell a product and leave and never give support or how do you how do you address that issue because it's a really huge one does that that make sense 
that I encapsulate that well I think it was acquisition yeah medical device makers that get sold to other medical device makers too right so how to deal with shitty vendors yeah so I guess I'll rephrase it now from shitty but vendors who are not very clear about communicating end of support so one of the things that several manufacturers are trying to do is make it very clear kind of like Windows right when when when Microsoft releases Windows they tell you the second that comes out when you're going to stop getting support for that operating system so you can make a decision on what you're going to do with that operating system because you know when support is going to end manufacturers are still very early in that maturity of announcing how long are you going to support this medical device that I'm selling to you so you do have instances of manufacturers continuing to sell medical devices and you just you literally have no idea when they're going to end support or end of life that from a security update perspective so there are some manufacturers who are working on this concept of this end of support end of cybersecurity support that when you buy that device you know but I would say right now that's still in its kind of infancy of its maturity cycle so it is the big ones are aware that that is an issue they have not solved it yet you mentioned it earlier the FDA's postmarket guidance the FDA actually set up something new with medical devices so that security issues can trigger recalls at the same time they gave a carrot to manufacturers they said if you if you meet certain thresholds you don't have to do a recall a recall in healthcare is a big deal bad news so if you know about security vulnerabilities in a product you can report that to the medical device maker again if they don't do anything about it you can talk to the FDA as long as those devices are out there that manufacturer has a responsibility to monitor safety potential safety issues and that's what 
cybersecurity issues are according to the FDA so there's a hook there that you can use to get at least awareness and attention and when one of the researchers Billy Rios looked into security of some infusion pumps even though the manufacturer no longer sold the pumps they were required to issue an update or try and pull them off the market and so that's what they ended up doing and that manufacturer actually changed a lot of what they did and they became I think it was them that they became the first manufacturer that went through the UL certification for security they've been at the DEF CON biohacking village device lab every year that we've had it so the act of causing them to have to pay attention to security changed a lot of the way that they did business so I would say use those mechanisms that already exist to go through those types of channels that they pay attention to already thank you for the excellent question if I could kind of distill the question down at the heart of it is do we have data to be able to measure or do we have data to compare certain interventions right potentially between countries for example have different types of healthcare systems do we have very basic measurements of whether or not things work and whether outcomes are better if they're a more secure health environment for example okay I'm going to take the stab at this because this is a little bit of a passion of mine it is amazing to me how little data we have right when you drive a car or when you use when you go and do something of importance when they make a product they collect a lot of data and they make decisions off that data because it matters in in healthcare cyber security again I swear I'll drink a whole case of red bull for you guys I'll give myself heart palpitations we have no data I would love to be able to do a study that compares you know take country A that has a nationalized health system and is quite secure for example comparatively to a lot of hospitals that 
are in the United States and let's take a measurement of their heart attack victims and say who has better outcomes or who's more resilient to ransomware or what type of interventions in a hospital or mitigation security control mitigations in a hospital actually result in less ransomware attacks we don't have any of that data we don't have the sophistication to even begin to ask those questions we have to build the whole infrastructure we have to get people to believe this is an actual issue we have to put in place the sensors and epidemiology to collect that data then analyze that data we got trained researchers to do this and what I'm trying to say is unfortunately it's a dismal thing to even think about all we have right now are anecdotes we don't even have evidence we have stories and Jeff mentioned or not Jeff Josh mentioned on the video that we are now starting to collect that data in some cases and publish it I do think in a silver line to this right now we don't have the data I think 2021 2022 is going to be a banner year for this I think we're going to finally get some published peer reviewed data out there that says that ransomware attacks hurt people not just their protected health information but their actual lives and that I hope is a catalyst for positive change moving forward I hope it encourages a lot of other people to want to study this more regularly because that's what we're going to need if we're really going to move the needle on this sorry anyone else I'll build a little bit on that while we don't have data we do have some empirical evidence one of the things that several of us do is we run an event called the cyber med summit and the cyber med summit one of the really cool parts of it and one of the things that I think has been eye-opening for a lot of people is these clinical simulations so just like pilots go into a flight simulator so the first time they land in 30 knot crosswinds and fog is not the first time they've ever experienced 
that they experience it in a controlled setting doctors do the same thing and what these two geniuses on the end did is they created clinical simulations that replicate what would happen if there's a security issue with a medical device whether it's you know ransomware of a lab system whether it's a pacemaker that's been hacked whether it's an insulin pump that's been hacked and based on the evidence that you can gather from how doctors actually go through in this simulated environment in this controlled environment we actually know a lot about what would happen and not just what would happen with the patient but what happens next do the doctors say I think that device got hacked or do they just send it down to Biomed to see if it can be updated or you know reset do they blame the clinicians who are in the room with them for you know setting the wrong drip rate on the IV or do they say I want this investigated and we need to do a root cause analysis on what caused this and I think what we found is that the awareness among physicians is not necessarily there the awareness among health centers is not necessarily there even when it is there you may not have the data on the device you may not have logs so you may not be able to tell what happened even if you have the data the Biomed people might not be able to read it because it might be in a format they don't understand or in a way that they can't get it off if they want to send it to the manufacturer the first thing the manufacturer does is says wipe all the data we don't want any patient data on it so you know it's hard to get the evidence but I think Christian's right I think that 2021 is going to be a year where we see a drive towards acquiring reviewing analyzing publishing data statistical information and the types of things that we need to change doctor's minds because they are scientifically driven and if it's not in a peer-reviewed journal it's for them just anecdotes that's great because they build off 
education they build off knowledge over years to do something that is statistically relevant but it also slows down our ability to change health care yeah cannot like I'll chime in on this one so one I will actually say can you repeat the question oh yeah sorry so his he actually works at a hospital and so they had an incident where a machine actually did get like configure which is you know we should be resilient to that at this point and yeah of course their solution was we'll take it offline turn it off like well you can't the PAC system serves a very critical role inside of a hospital system it has to literally be on the network or it serves no purpose and so his question was like how do we fix this right so one of the most powerful things I've seen is the hospitals actually literally using cybersecurity in a purchase decision and literally saying no when it doesn't meet their cybersecurity bar and so you know the FDA and the regulatory bodies you know they're raising the bar but at the end of the day if a manufacturer can't sell to you as a hospital that keeps them up at night and but I also will say a lot of manufacturers are doing better but the biggest lever you can pull as a hospital is at purchase time make sure cybersecurity is part of that purchase decision and if it doesn't meet your cybersecurity bar then you have to be willing to not buy that device yeah well and it's hard like what I'm saying like it sounds easy in principle it's not right and at the end of the day if the device provides a clinical function that is better than all of the competitors and its security is worse at the end of the day you know what patients come first and you have to still buy that device but there's a lot of competitive devices out there so if there's another device that serves the same clinical function with like similar efficacy by the one with better security I take it you guys don't guys and gals don't really like vendors is that is that a common thing but see this 
is how you have to help vendors go work like go work with them right so I've consulted with them for years like they actually want to do the right thing they do not have the resources to do the right thing all right we're going to go ahead and say I'm sorry please hang out here we're going to get you the right questions the right people but I think it's important for us to break up it wouldn't be a do no harm if you couldn't come face to face with a panelist going to ask like hard questions so all right again to reiterate find whatever speaker on the panelist you want in a corner ask them a question mass and distance and move around if you see someone that's particularly swamped maybe go to the other and then come back it's going to be a little bit of a give and take all right thank you again Defcon for this please give yourself a round of applause all right come talk to us yeah and I was just going to apologize I actually have to run but if you have questions I love talking about this topic find me on LinkedIn Stephanie Domas so you can find my name in the program but if you have questions for me I would love to answer them but reach out to me online sorry