Welcome to our latest Ethics Village talk. We are very fortunate to have with us today Jessica Wilkerson from the FDA. Jessica, welcome. Thanks for taking time to talk.

Well, thank you so much for having me.

So, first question, really kind of introductory. Tell us a bit about yourself. You've had a super exciting and interesting career. You've done a bunch of different policy things, all of which have been really important. Tell us a bit about yourself and how you ended up at the FDA.

Sure. So I don't know if I have an exciting career development.

That's good news. It's good to hear.

But I, so I'm currently at the FDA. I am a cyber policy advisor. So I generally work across the FDA to look at cybersecurity of medical devices, not necessarily in the review of them; I leave that to people who are much more qualified than I am. But looking at various concepts. So sorry, my cat is causing me a whole bunch of problems. There we go.

That's a bonus round here. That's totally allowed. If the cat has opinions on your career trajectory, that's totally welcome too.

I'll be sure to quiz him later. But essentially I look at things like software bill of materials, coordinated disclosure, things like legacy devices and others that I think we're going to get into a little bit later that, from a higher level more so than the review level, will really influence what it means for a medical device to be cyber secure. And I ended up at FDA through sort of a very winding process. And I guess I will work backwards to sort of explain how I ended up here and why a lot of the experience that I brought with me to the FDA is relevant. But prior to this, I was at the Linux Foundation. I was the Cyber Security Research Director. And this really stemmed from a recognition that I had a few years ago that I think many other people had had much earlier than I had it. But essentially around this reality that open source software is in everything.
Everything is built out of open source software. It is the basis of modern technology today. And so if we want to have cyber secure products and cyber safe products, we have to have secure and safe open source software. And given the characteristics of the open source ecosystem, that is a more challenging undertaking than it traditionally is in more proprietary or closed source software. And so I spent a year at the Linux Foundation really examining those issues. But the bulk of my experience really came from working with the United States Congress. I was a professional staff member and then had a few other titles throughout my time there. But I spent five and a half years with the Committee on Energy and Commerce doing cybersecurity issues. And so the thing to really know about the Committee on Energy and Commerce is that when it comes to congressional committees who have jurisdiction, Energy and Commerce has one of the broader jurisdictions of any committee on the Hill. So they have jurisdiction over energy, over healthcare, over telecommunications, over commercial issues, over... I'm missing a very obvious one I can't think of. But they have jurisdiction over so much. And as technology has continued to weave its way into the fabric of daily society, what that means is that the sectors and the issues that Energy and Commerce have jurisdiction over began to do the same. So everything that we were doing in a lot of cases ended up taking on a cybersecurity event. So I ended up looking at just this whole host of things when I was working for Energy and Commerce. Things all along the spectrum, from the way that the federal government divides authority between different federal agencies like the Department of Health and Human Services or Homeland Security or the Department of Energy when it comes to cybersecurity emergency response. I looked at things like the 2017 WannaCry ransomware outbreak and what that meant and what kind of things that that had.
And just sort of all across the board. And what ended up happening is the last couple of years that I was there was really starting to represent the shift in the healthcare sector's mentality to recognize that, you know, cybersecurity wasn't just this little tiny part of their lives where, you know, you could have the IT people sort of off in their corner or their basement doing whatever it is, you know, mystical arts that IT people do. But like this was a thing that affected patients, was a patient safety issue, and that they needed to be paying attention to it. And so I was really privileged in a lot of ways to be there sort of at the cusp of this realization and sort of work with many parts of the healthcare sector to develop it as it began to go. So, you know, I worked with the Food and Drug Administration, where I now sit, and others to really encourage the healthcare sector to adopt software bill of materials. We were huge advocates when I was on the committee of coordinated disclosure, and we were starting to look at things like old and outdated medical devices and things like that and what should be done. So sort of through that spectrum of experience, starting with Energy and Commerce, going through the Linux Foundation and then ending up at FDA, what I hope to bring, what I try to bring, is just, you know, this very broad breadth of experience on these various cybersecurity issues that help inform the way that we approach cybersecurity as an agency.

It's all about the wizards in the dark corners, right?

Yes.

So what types of issues do you work on today at FDA? You've mentioned coordinated vulnerability disclosure and probably policy stuff. What can you tell us about the issues that you encounter on a regular basis?

Yeah, so I think they generally tend to split into two buckets.
There are the sort of internal agency machination issues where, speaking of coordinated disclosure and software bill of materials and these things, medical device vulnerabilities or cybersecurity vulnerabilities that are relevant to medical devices come in on a very regular basis, and the agency has to look at those vulnerabilities and decide what do we need to do with them? And what do we need our stakeholders to be doing with them? And so I spend a significant part of my day working with dedicated experts within the agency looking at cybersecurity vulnerabilities that might impact medical devices and ensuring that not only FDA but the sector as a whole is doing what it needs to do. This often involves third party security researchers who either bring vulnerability information directly to us or, on an increasing basis, which we like, they go directly to the manufacturer. And the manufacturers, medical device manufacturers, have certainly matured over the last couple of years to the point where when a security researcher knocks at their door, they're not sort of running around like chickens with their heads cut off, you know, freaking out. They're actually like, oh yes, great, please come in, like tell us everything you know about this vulnerability, let us work together to address it, which has been a very, very positive development overall. We are also very much hard at work on just continuously updating FDA cybersecurity processes, policies, all of that when it comes to looking at the cybersecurity of medical devices. Technology evolves on a constant basis, which means that FDA's procedures can't be static. So on a day-to-day basis, we have to continuously reevaluate the way that we approach cybersecurity. And if we need to make adjustments to our own process or encourage adjustments in the sector as a whole, that's another thing that I spend quite a bit of my time doing.
The last thing that I would just touch on relatively quickly is there are all of these public-private partnerships that exist out in the sector. And some of the ones that we end up working with the most are the Healthcare Sector Coordinating Council, which is just a very valuable body to us where government and private sector just come together. Really, I think almost anybody can join. The executive director might have some words with me about that, but I think it's pretty open. And we talk about the issues of the day. I'm actually co-leading two task groups underneath that group, one to look at legacy devices and try and figure out what we do with old stuff. How do we get old stuff out of hospitals? How do we make sure that new stuff doesn't become old stuff too soon? And then another one on vulnerability communications, because I think what we've seen on an increasing basis is where your typical cybersecurity advisory is like, hey, there's a problem. They're hard to understand. I mean, you really kind of have to have a lot of background and a lot of technical expertise to be able to read a cybersecurity advisory and understand what it's telling you and know what you're supposed to do. Well, if you're a patient just trying to be like, hey, I heard there was a vulnerability in my pacemaker. What do I do? And you're not a computer science expert. You're going to have very little idea what you're actually being told. And so that's a huge problem. That's something that we're trying to address. So that's another thing that I work on on a day-to-day basis.

So you mentioned the FDA guidance. Can you give us just a really quick thumbnail sketch of the pre-market, post-market guidance, kind of the overall regime of the way that FDA approaches security, vulnerability disclosure?

Yeah.
So if you think of a device, if you think of the lifetime of a device, that sort of has probably four stages. You've got the pre-market stage where it's being developed, it's being designed, and then it's being presented to FDA by a company to essentially say, we want to put this device on the market. And that's the pre-market stage. And so during the pre-market stage, what FDA does is that device is essentially reviewed, and the standard there is: does this device provide a reasonable assurance of safety and effectiveness? Now that goes beyond cybersecurity. That is literally, even from like a physical machinations perspective, does this thing do in a safe and effective way? Obviously that accounts for cybersecurity too. So from the cybersecurity perspective in pre-market, our reviewers look at these devices, they look at the security controls that are built into it, and they essentially evaluate, are these good enough? Are these sufficient? Do these do what they need to do to protect the device from cybersecurity threats and therefore protect the patients? If medical device manufacturers manage to pass the pre-market stage, then they obviously get to put the device onto the market, and then that is known as the post-market stage. And so once the device is there, once it's in the marketplace, there's also guidance that FDA has put out around what do you need to do? Because as we all know, there is no such thing as a 100% secure product, and something that is secure today is not necessarily going to be secure tomorrow. So you have to have a process for monitoring devices that are on the market. You have to have a process for intaking information on potential issues, to include cybersecurity and cybersecurity issues. And you have to have a process for figuring out what you're going to do with it.
And so FDA has post-market guidance on all of that that essentially says to manufacturers, here are some suggestions that you really should follow around what you should do for a medical device cybersecurity vulnerability that happens once your device is on the market. There's a lot of things there. You know, there's specific regulations on when you have to have a recall. But I think the biggest one for cybersecurity is it is in that guidance that you should have a coordinated disclosure program. So you should have a way to intake information from third parties, typically cybersecurity researchers, but it can be anybody, on cybersecurity vulnerabilities. And then once you have it, and this is the really key part that some people sometimes forget, like you can't just take the information and be like, yeah, great, thanks, bye. You actually have to then take the information and do something with it. And so that's sort of that last part of that post-market phase: there is a vulnerability. How are you going to evaluate it within your company? How are you going to communicate that you've had a vulnerability and what you're doing about it to the agency? Because you have to tell us. And then how are you going to tell the public, where it's appropriate to tell the public that there's been some kind of issue? What is that going to look like? How are you going to talk about it? What are you going to do for patients, all of that? So that's that post-market phase.

So this involves a lot of cooperation with the private sector. What have been your experiences cooperating with the private sector? And you mentioned that companies are improving in the way that they're engaging with security researchers. Can you tell us a little bit about some of those dynamics and maybe share a few coordinated disclosure success stories?

Yeah, absolutely.
Yeah, so I think what I would start out with is way back in the day when I was still in Congress, when medical device vulnerabilities were still sort of... I mean, they're still sexy today because, you know, who doesn't love a "your medical device can kill you" headline. But when they were a little bit more new, they were a little bit more novel, what we would typically see happen is medical device manufacturers would get contacted by security researchers and they would just be so confused. Who is this person? How did they figure this out? What is going on? And usually, and Andrea, you probably don't spend anybody, they're like, sue them. Sue them right now. Make it so they can't talk about it. Make it so that they clearly broke the law when they did this research and so somebody make them stop. And that was really how it was handled. You had security researchers who were like, hey, I found this problem. Do you want to know about it? And they were very good faith, but it was such a new thing for these manufacturers. And there was so much... To give them a little bit of credit, or to have a little bit of sympathy for the manufacturers, there's a lot that rides on them not having issues. Obviously, they're a heavily regulated industry. If there is a problem with their medical device, there's consequences. Whether those are regulatory consequences or they are getting sued or whatever it is, patient harm consequences, it's a big deal. And so it took them a significant amount of time and a significant amount of work by a lot of discrete parties within the security research community, I'm sure. Andrea, you played a role in this. Josh Corman, Beau Woods, Katie Moussouris, Nina Alli. A lot of these folks put in a lot of time and effort to actually sit down with the medical device manufacturers and others. This was also going on in auto and energy and other sectors, and essentially be like, look, we come in peace. We're really just trying to help you here.
And over time, as we had also some visionaries on the medical device side, and certainly my boss, I can't take credit for this, I wasn't at FDA at this time, but Dr. Suzanne Schwartz, Dr. Seth Carmody, Dr. Aftin Ross, they actually also went out on a limb and began to embrace the security research community. There were some of these visionaries at these medical device manufacturers, Colin Morgan, Rob Suarez, Michael McNeil, others, who really took the lead on recognizing that coordinated disclosure and just the ability to be given information in a friendly way rather than a blackmail way helped everyone. And so from about, I don't know, 2015-ish to now, what we see much, much, much more frequently is like the security researchers go directly to the medical device manufacturers, who receive them with open arms. They have this continuous dialogue that we don't even know about for weeks, months, however long it takes place. And then at some point prior to the public disclosure, they come to us as a united front and essentially say, hey, this awesome guy over here, Gal, whoever, found a cybersecurity vulnerability, they told us about it, here's all the things that we've done. They agree. They've checked our math. They think that it's correct. And we're going to disclose on this day, we're going to do this. This is our plan for post-market, as we had discussed before. And it's a much smoother, it's a much more collaborative, and it's a much more effective process for us as an agency. So we're not having to stand over everyone and check their work. And it really just benefits patients overall that we all have these kinds of relationships. If you were looking for specifics, like specific dispositions that I could point to, I'm trying to think like what are some of the best examples that we've run into lately. It's been a little bit confused with COVID, as everyone can, I think, probably sympathize with. There's a lot going on.
But maybe one that I'll point to, this is the last one that FDA did a safety communication on. It's SweynTooth, or however anybody wants to pronounce it. This is a cross-industry problem with Bluetooth Low Energy. And it didn't just happen in the healthcare sector, but we were the ones who ended up kicking off a lot of the response. But the researchers were in Singapore, and the vulnerabilities impacted just numerous medical device manufacturers. But what was really impressive about that is our ability to connect the researchers to the medical device manufacturers and the researchers' willingness to be connected to the medical device manufacturers.