All right. Hey, I'm Quati. I'm a weird guy, but I have a foot in two different worlds. My day job is an ER doc, so I practice in the emergency department. I also do a lot of research in the security space, so where medicine and security collide. Enough of that. Follow me on Twitter if you want. Next slide, please.

So, you know, this has been my life until things in my neck of the woods kicked up for COVID. So, you know, we talked about how toilet paper was gold. There was this crazy-ass Netflix show, but things have changed. You know, the pandemic started off about tigers and toilet paper, but it's quickly gotten out of hand, and I promise this will become relevant a little bit. Next slide.

You know, one of the biggest disappointments in my life in COVID so far has been my inability to eat burritos like I used to before. I'm sure many of you out there are experiencing a similar problem. I haven't figured out what the problem is. I will say, coming from San Diego, DC 858-619, we have the best burritos in America. And so this is a big bummer. Next slide.

This is my day job. So this isn't a shot from my ED, my emergency department, but it's pretty much any of the emergency departments across the country right now. And this is a lot to do with... The time is four o'clock p.m. The next piece of this is then we splash COVID in on that, and now we have basically a greatly diminished ability to take care of patients, and generally a crazy shift every time we go into work, and we're just seeing patients left and right. Next slide.

So we built these tents, and this is how crazy it was. We were so worried about patients overflowing out into the parking lot, et cetera, that we built these emergency tents. And all these hospitals across the country started, as quickly as possible, deploying any connected technology they could to extend the capabilities of a hospital into parking lots. And generally speaking, across the country, this was the right thing to do.
We were so worried about running out of ventilators, et cetera, that there was a mad rush to plug everything into the internet. Next slide.

Just do me a favor out in the crowd, like throw out some hearts or something, if you've been seeing your doctor by Zoom. Oh yeah, I got some people out there. It's not the weirdest thing, I don't know. I'm also kind of curious how many people out there really would prefer this, but all of a sudden we went from this world in emergency medicine where we take care of heart attacks and gunshot wounds and appendicitis, and sometimes even, like, just hangnails. All of a sudden we had this capability to do telemedicine, because we were worried about what happens if our faculty gets sick, what happens if all these ER docs and nurses get COVID and they can't come into work. But the patients are just going to keep coming, so we thought to ourselves, we don't normally do telemedicine in emergency medicine, that's for, like, a primary care doctor or your crazy dermatologist or whatever, but in emergency medicine for the first time we're doing it from our homes when we get COVID, because otherwise those are going to be lost resources and patients aren't going to see doctors, so it'd be better to see them over an iPad than not see a doctor at all. Next slide.

And so all of this is kind of my day job, but for the longest time I've been a hacker just like you guys out there. This is me playing OpenCTF. Shoot, that must have been my fourth DEF CON, 14 or 15. No, that's probably like 16.
And so when you grow up a hacker and all of a sudden you find yourself in healthcare, you can't help but think about how easy it would be to socially engineer people in your space, or how insecure some of these systems are, or that you're using medical technology with legacy operating systems, machines that have been unpatched for over a decade. These types of things are realities in a lot of places in the world. In the race to digitize medicine, in the race to increase electronic health records and a variety of other things, what we had at the end of the day was hyperconnectivity without the commensurate attention to security. And it's not one of those things that people pay a lot of attention to, primarily because it's expensive. There's a lot of other things going on in the space, like COVID, for example. And then also, when you buy a medical device, there's a decent chance that that medical device is going to be in production for years and years and years, right? So if you're at a bank or another company, you might have a much quicker hardware and software lifecycle, as opposed to something like an MRI machine that costs over a million dollars for a hospital, and when they buy one, they literally have to knock down walls in their hospital to put it in, and that device is going to be in production for 10 years. Well, if it took five years to develop it, what operating system do you think it's using on its very first day on the market? It's going to be the operating system from five years ago. And so what we have been seeing, unfortunately, a lot of the time is these legacy... sorry, our medical devices are obsolete and using basically legacy operating systems while they're still brand new. Next slide.

I do some research, so I actually have to publish and do a bunch of stuff. So one piece of research we did that turned into a DEF CON talk at DEF CON 20 was we looked at the 911 system.
So I study a lot of out-of-hospital cardiac arrest, so basically what happens if your heart stops, right before you do shocks and CPR, and I listen to thousands of 911 calls. And after I listened to so many of them, there were some failures I noticed, and one of them was technical failures. So for example, someone would pull up their phone and try to get some location service to identify where they were, because a dispatcher on the 911 call would be asking for their location, and they would say, you know, I'm here, but in actuality they were half a mile away because of bad location technology. Or if they were using cell phone triangulation, for example, to identify where a patient in distress was, we can tell based on, you know, there's a whole bunch of reasons why that technology could fail. And one of the things I realized was, like, what are the security and technical underpinnings of our 911 system, you know, a system that so many patients rely on every single day in the most dire circumstances to make sure that they live. And so we did some research over a year. That talk's up on YouTube. I think it's DEF CON 20 or 22, I can't remember, but the talk just goes through basically how insecure and antiquated our 911 infrastructure is. If you're an old phone phreaker, you're going to get a kick out of the talk because of just how old the technology is that they were using back then.

And then we did some stuff a couple of years ago looking at how secure our laboratory information systems are. You know, when you get your labs back from a doctor, you notice your doctor, they order a bunch of blood work or an x-ray. How secure, how confident are you in the integrity of that data? So we looked at these things called laboratory information systems, and we were able to basically show it's relatively easy to perform some very trivial man-in-the-middle attacks, or person-in-the-middle attacks, and change laboratory values on patients in the hospital. So what did that mean?
You go into the hospital and you really just ate a bad burrito, and that's why your stomach's hurting. I changed your blood work to make it look like you have diabetic ketoacidosis, an emergency condition. The doctor looks at your labs and she says, oh wow, it looks like you're really sick, when actually you're not; I changed the values, and they give you a treatment you don't need. And in that case, it would be something like insulin. If you give someone insulin when they don't need it, they can die. And so we were able to show you can change all sorts of things, primarily because of this use of an old, antiquated protocol called HL7. We can talk more about that later, and I'll post some links to that stuff in the Discord if you're interested. Next slide.

All right, I run the Do No Harm panel at DEF CON every year. Please come check this out. I run another conference too called CyberMed. I know I'm not drinking right now, and I said "cyber" like 15 times. I'm sorry. Forgive me. Next slide.

All right, so this is what we're going to talk about today. Wait, what? I'm here at DEF CON Groups in AltspaceVR. Why the hell are we talking about this old-ass picture? I don't see any badge life in here. I don't see any alcohol and pottery, or Hacker Jeopardy. This is the most important thing to me, and this is my favorite painting. It's called The Doctor, and it was painted in the late 1800s. And the reason it's my favorite painting is it reminds me why I go to work every day. Now quickly, let's just take a look. At the top right, we've got a mom and a dad. At least that's what I think they are, and mother has her face down on the table, and I'd imagine she's weeping. Dad looks concerned. On the left side of the painting we see the title of this painting, which is The Doctor, looking concerned over a child, the focal point of the entire painting, and that's the patient. I have been that doctor before. I know what that doctor is thinking, and I've tried every treatment under the sun.
I've tried every medicine I know. I've tried every ounce of training I have, and I don't know if this particular patient is going to make it through. Next slide.

This is healthcare today. So that was the healthcare of the late 1800s. This is the healthcare of today. It has something very similar. It has the patient in the middle, but I want to draw your attention to everything around the patient. You see all those blinky boxes. You see all those wires and cables. Imagine what the wireless is, and the traffic is, around that patient at that exact moment. This is modern healthcare. You cannot engage in healthcare in most hospitals in the United States without facing this reality that everything's connected. A lot of it is insecure. We're doing our best, but we have a long way to go. Next slide.

So we screwed this up in medicine a long time ago. So these are two publications. One was called To Err Is Human. It's from about the millennium. The other one is Crossing the Quality Chasm. They talked about, basically, let's look at data in medicine. Does this medicine work compared to this one? Does this treatment work compared to this one? We want doctors to use evidence-based medicine, but we also want to recognize that a lot of the time medicines, healthcare, doctors, nurses, the infrastructure, all of that actually hurts patients sometimes, because we make mistakes. We give someone medicine that they're allergic to.

Looks like the slides took a dive. Can you guys, uh, throw up some, uh, hearts if the slides are down? Yeah, looks like they're down. ATX, can we reload those? Or are we, uh... What just happened? I think he's as lost as we are. Just a second. Well, thanks, man. I'll just kind of keep going a little bit.

So basically, there have been plenty of examples of where in medicine we've actually hurt patients when we meant well. One of the examples is, in about the 20s or 30s, you were almost guaranteed to die if you were a premature infant.
The reason was that premature infants have very immature lungs. They can't breathe. And it takes a long time while they're in the womb for those lungs to mature. And for the first time ever, when we had better plastics and, primarily, when we had the power to concentrate and store oxygen, we were able for the first time to let premature babies live. So we had these little incubators and, uh, we were able to keep babies warm. We were also giving oxygen because their lungs weren't very good. Please, uh, tell me, I want, uh, in the audience, I want you to throw up applause if you think you should give the patient 100% oxygen. Let's pump as much oxygen as possible into that little incubator. Or if you think we should do 50% oxygen, uh, throw up some hearts. So hearts for 50%. Uh, okay, we got 50%. Does anyone want to do 100% oxygen? Those lungs are pretty immature. Throw up some applause. Now, so basically we had the question, right? Babies were living for the first time. I'm going to pick what concentration of oxygen we're going to put in their incubator, and we went with 100%. And then these babies were living. But a big percentage of them were actually going blind. Um, this is the sort of reason why Stevie Wonder is blind: he had retinopathy of prematurity, and actually it was the oxygen that was causing the blindness. We didn't know if it was that premature babies were more likely to be blind and now they're living, or if it actually ended up, after we studied tens of thousands of patients, that the oxygen was what was causing these patients to go blind. And so we went from giving 100% oxygen to 50% oxygen. This is one example of how a treatment we used actually hurt the patient.

Another one is, uh, thalidomide. There was a nausea medication marketed mostly in Germany in the 40s. Um, for nausea, a drug called thalidomide. Well, for a lot of reasons, um, a lot of them, you know, inexcusable, it was never tested in pregnant persons. So what does that mean?
But pregnant persons get nausea and vomiting all the time. So they wanted to use this drug called thalidomide. They gave it to pregnant persons, and it basically caused a lot of birth defects and death as a consequence of poor research practices.

That's quite cool, we're back. This guy's, like, going to see it on his iPad. Please go down like three or four slides. All right, keep up, all the way. Keep going, keep going. You're going the wrong way. No. Wait for it, okay. You're going the wrong way. Yeah, yeah, there you go. All the other way. Keep going, keep going. Keep going, keep going, keep going. Okay, here's thalidomide. Great.

So this is, uh, okay. Now we have this potential new failure. Now I'm going to start off right now. You're asking yourself, wait a minute. You're telling me that the cybers and, uh, you know, these malicious cyber criminals, are they hurting people? No. If we make it to the end of this talk, I'll give you a little bit on why I think that's the case. But what do we know about how the security of medical devices and of hospital infrastructure can affect patients?

All right, this is a slide about a paper published over 10 years ago, uh, by Kevin Fu's group. This was before Barnaby Jack, and they basically talked about how, uh, easy it was to, uh, wirelessly attack an implant. Basically, you know, these are, you know, these devices that can affect a person's body, and wires come from this implant and go into their heart. Uh, there was some concern that they were able to induce a shock. So you've seen on TV, you watch any of those shows about the emergency department, you know, and they shock someone back to life. These devices can shock. And if you get shocked and you don't need to, and it happens to shock you at the wrong time, it can actually go awry. Next slide.

This is some great research done by Jay
Radcliffe, um, who basically reverse engineered his own insulin pump, and he, the hacker himself, was able to show how easy it would be to deliver a potentially deadly bolus of insulin. So if you don't know, if you get insulin and you're diabetic and it's at the right level, great, you live. But if you don't need insulin and they give it to you, it can actually kill you. Next slide.

Uh, some more pacemaker research. Uh, and before Barnaby died, he was going to give a talk about hacking pacemakers. You know, rest in peace, Barnaby. Next slide.

Not just, uh, not just medical devices, it's critical hospital infrastructure. If you're interested in this, uh, the hospital was down for about three or four days. A really interesting story. I recommend you read, uh, kind of what happened with that. Next slide.

Uh, it was devastating to, uh, you know, hospital operations, especially with the hospital offline for three days in Boston. Um, then we had some infusion pump stuff. You know, it's not always the obvious stuff like an insulin pump or a pacemaker. There's a lot of connected medical technology that is vulnerable. These are infusion pumps. So you go to the hospital and you get an IV. Uh, this is a, you know, bag of medicine and a tube that goes into an IV into your arm. Um, sometimes it's just, you know, saline, or essentially water with some salts, uh, to help hydrate you. But sometimes we deliver medications through your IV. And sometimes we have to give you those medications over hours. And so we have to control the rate of medication: if you get too little medication, it doesn't help. If you get too much medication, it can kill you. How do we control the rate of medicine going into a patient? Well, you use things called infusion pumps. They're basically mechanical pumps attached to embedded systems that are able to look at software drug libraries and control the rate of medications.
Well, you know, I don't know, 10 years, 15 years ago, they were like, you know, the next great generation of these is going to be, uh, let's put them on Wi-Fi so we can connect them to the network for, you know, a variety of reasons. What ended up happening was, and this is the most widely publicized example of this, there were some significantly scary vulnerabilities associated with infusion pumps where they could give you way too much medicine or way too little medication, primarily vulnerabilities involving really poor authentication practices. Next slide, please.

Okay. If you're into this, this is such a weird story. So some security researchers found some vulnerabilities in a pacemaker. Instead of going to the manufacturer and engaging in, you know, disclosure, coordinated disclosure, they went to, like, a pseudo hedge fund, and they said, listen, we're going to release all this research about how all these pacemakers are FUBAR. We want to short the stock with you. And that was how they made a lot of money, at least temporarily; the stock bounced back, and this thing's getting litigated to hell. But long story short, this was a really interesting kind of change in the research landscape around medical devices. Next slide.

Okay. I mean, I'm sure, you know, throw some hearts out, throw some applause, whatever it is. Let me know if you're out there, if you've heard about all the ransomware attacking hospitals. Cool. All right. Now I know that if you're responsible for one, I don't know what's got you there. All right. Listen, ransomware is in hospitals. And when COVID started, I remember reading some of the news headlines, and a bunch of the ransomware crews were going to come together and say, we're not going to hit hospitals during COVID. A couple of big ones. So I haven't seen, you know, of course ransomware is kind of a plague. It's always gone around. There's been a couple of hospitals recently.
But largely speaking, it's been sort of research infrastructure. So there's some news stories recently of state actors going after COVID research, or ransomware groups going after academic research establishments. But of course, we can't have a conversation about healthcare and hacking without talking about WannaCry. It was so crazy when it happened. I remember thinking to myself, like, whoa, I don't know if we're ever going to have anything like this again. It took out over 30% of the United Kingdom's National Health Service's entire infrastructure. What does that mean? Imagine if malware hit the US and took out one out of every three hospitals across the country. Now think about how disruptive that would be to clinical care. Think about the patients that are going to be having strokes and heart attacks and having severe life-threatening infections. Can you imagine how impactful it potentially could have been? And so, you know, that's really changed a lot of things and catalyzed a lot of positive actions. We're looking at the security of these devices in a better light. The FDA has done a bunch of great work talking about how we can make these devices more secure at the get-go, so when they come to market, they're not plagued with a lot of the problems that we've been dealing with for the last 15 years. Next slide. Next slide.

All right, and then check this out. The crazy thing is the FDA actually recalled a medical device, not because of a problem with it being prone to break, or because the wiring that goes into it was likely to fray and cause electrocutions. We see that for all sorts of other medical devices on a regular interval. For the first time ever, we actually had a recall because of a nasty vulnerability which, in this article, they mention could lead to potential patient safety concerns. And so, for the first time ever, we had the FDA saying, hey, we can't tolerate this. We're going to actually recall the device.
Then you've got to be like, wait a minute, why isn't this happening all the time? It's a really big deal to recall a device. Patients might not trust devices after you recall them. So if you're diabetic and you've been told that some hacker can kill you by hacking your insulin pump, you may not want an insulin pump next, right? If there's a recall, you might not trust the technology. And sometimes these patients will actually suffer from their lack of trust in other devices that might be more secure, just because they don't know the difference between the security of one insulin pump versus the other. So a recall is a really big deal for the FDA to do, and I really want to applaud them for that. Next slide.

So I hope you can see in this picture that we're pretty fragile. There are thousands and thousands of devices on a hospital network, hundreds of workstations, depending on how big the organization is. And in 2017, this report was issued. It had been asked for, and a bunch of famous people were on this group, including some hackers, and they basically came out at the end of this report basically saying how scary the vulnerabilities of the healthcare system were. And one of the things they pointed out was they thought a majority of hospitals, again, I'm sorry, this is a little bit US-focused, they thought a majority of hospitals in the United States didn't have even a single full-time security professional on staff. Throw up some hearts or some claps if you think that's crazy, if you think that your hospital system not having a full-time security professional on staff is wild. Yeah, that's insane. You know, that wouldn't be tolerated at a bank, it wouldn't be tolerated at a lot of other institutions, likely. And yet we, these are patients' lives we're describing, these are institutions taking care of kids, potentially.
And yet they're not going to have the expertise that they need. It's hard, you know, they often can't pay the salaries that a lot of us in the room command. It's really frustrating for a lot of hackers to work for healthcare because they don't get the freedom to fix a lot of the issues they find. And it's all absolutely valid. If you're looking to make a difference and you're looking to make a career change and you want to put your skills to good use, I really encourage you to check out working for a healthcare organization. It's a challenging environment and you will face these issues, but you're also going to have a little trial by fire, because I think we're also seeing pretty well documented and publicized campaigns of state actors going after healthcare. Next slide.

All right, I'm going to let you guys read this later. Basically, this is software, and software is what powers modern healthcare. There's so much of it now. And if we don't pay attention to it, if we don't secure it, it's going to be a problem. If hackers don't step up to help secure patients and the devices that they use, it's not just going to be ransomed medical data that we're dealing with. It's going to be a much bigger problem. Next slide. Next slide.

So I already kind of told you, I can't tell you a story. I can't show you a news clipping of someone who died because, you know, their pacemaker was hacked. But I will just tell you, and this slide doesn't translate well because we cut it into images. Let's imagine you have an infusion pump. It's running embedded Windows. It gets infected. It's on the network, on the Wi-Fi, it's exposed. It gets owned by some crypto mining malware. And as a consequence of that, it's going to be a huge problem. It's not going to dose right because it's infected. This is a hypothetical. You know, I told you, I think that this is likely far more relevant than we think.
But we lack the sophistication to actually measure it, to go out there and find evidence of it, because we're not even looking. So this pump's malfunctioning. Who in the hospital is going to even recognize this malfunction? Well, the best person is probably going to be the nurse. It's the person putting medications inside the pump, you know, actually interfacing with the pump. So nurses are overworked, amazing clinicians. I can't do my job as a doctor without them. I will say a lot of nurses would not recognize this because, you know, I've asked them. It's not any fault of their own. It's that they're busy and they have four other patients in the ICU, you know, COVID's happening. They're not necessarily looking at that device to make sure that the right number of drips are coming out of the IV bag. They trust the technology, and that's what I've heard over and over again from nurses in the field, is that they are trained to trust these pumps. In fact, they're taught the pumps are safer than human beings doing it. Human beings can control the rate of medication going into a patient by, you know, titrating some little dial. It's far more prone to mistakes, either underdosing or overdosing a patient, than an infusion pump. So they're taught to trust it.

Let's say, you just have a crazy day and the nurse picks up on this malfunctioning device. What are they going to do? Well, they're going to call biomedical engineering. This is a part of the hospital. These are people that take care of medical devices, and they're going to come and replace it. They're going to replace it with the exact same vulnerable model that's likely unpatched, and it's going to be pretty quickly infected with the exact same crypto mining malware. But on the side, they're going to take that infected device, I imagine, to the basement. You know, this is kind of a joke I say. I think all biomed engineers live in the basement.
Not trolls, but that's just, in my mind, where this device is going. They're going to do some very basic troubleshooting on it. Throw up a heart or a hand or something, whatever, if you think that they're going to do forensics on this device. Yeah, you see this just like me. Yeah, of course they're not going to. They're not security experts. They know about clinical devices. They know about that. They don't know about security. If the hospital is lucky enough to have any security folks, guess what? They live over in IT, in some closet, usually off campus, where all the cool people hang out. But they aren't going to even know that the device is likely infected. Well, if they can't fix it, you know, if they flash it and it's still acting up, who are they going to send it to? Send it back to the device manufacturer. Ask a bunch of device manufacturers: when you get a malfunctioning medical device back from the hospital, do you even consider the possibility that it's infected with malware? And guess what? Raise your hand if you think even one of them said they do forensics on malfunctioning medical devices. They lack that expertise too. As a consequence, they're just not going to look for it. It's a problem we're not even looking for, and it's perfectly designed for us to not have anyone even ask the question, let alone have the skill set to find it.

I think I'm being prompted for the next slide. I think that was a move-along signal. What we're going to have is a crisis of confidence. You know, we don't want patients to not trust medical technology or to not trust healthcare. And that's a big problem. Well, you can go back to that slide of the angry old guy. Eric touched upon this, which is it's important for us to be trusting some of these systems, because we don't want people having heart attacks and strokes saying, I don't want to go to that hospital. You know, I heard they had a breach of patient records last week and I don't want to be hacked.
And while they're having a heart attack, right? So if we don't do a good job, if hackers don't come and help healthcare do a better job, teach them what they're doing wrong, and just keep clear of this infrastructure, we face this very real possibility that either the infrastructure is just not even going to work at all, as in the case of Anonymous DDoSing Boston Children's, or it might work and it might actually be somewhat robust and secure, but patients still don't trust it because they're reading these news headlines in the press.

So go forward a few slides. Right at the half hour mark. Just call out if you want me to stop. Keep going. Yeah, keep going. All right. I'm going to fix this. Oh God, here we go.

So there are so many policy elements to this that I think are probably going to bore a lot of hackers out there watching this. Thank you for tolerating this. We won't get into the policy aspects of it. But listen, if we are going to be buying millions of dollars of new devices for a hospital, we'd better do a good job recognizing what risk we are going to be accepting on our networks, right? And that involves a lot of work up front. Uh, vulnerability assessments, you know, there's this thing called the... it basically goes through what are all the security controls available on this particular device, how secure out of the box is it, and what do you do on the hospital side to make sure that when that gets deployed, you're doing so in a way that's best for the patients without causing unnecessary and onerous effort that won't help patients? Next slide.

By the way, most of that stuff in there was connected. All right. Listen, we're here at DEF CON, and I'm so amped to be virtually looking at all of you in this room. And I will say, although COVID's been a little bit, it's a relief to be here with my hacker family, presenting something that I'm passionate about. But listen, as mentioned previously, we need hackers to step up.
You know, we need people to help us in healthcare, basically to do the medical device research, to help us with practices, to help us secure networks. There have actually been some great collaborations between hackers and healthcare in these coalitions, where various hackers have pledged to essentially help defend hospitals should they come under attack, which I think was a very noble thing. You know, hackers really stepped up during COVID. It's been, you know, volunteering to help defend hospitals against adversaries and cyber criminals, or also printing PPE, being there to help combat some of the disinformation that's really going on over social media. And as a consequence, I think this is hopefully something that persists. I hope that COVID, as awful as it is, will help catalyze hackers and healthcare coming together.

If you're looking for more continued engagement with something like this, as I mentioned, you can choose employment, but you can also just do some research. You know, I do research on medical devices. I buy them off eBay. You can do a lot of that. You can go on OfferUp and buy some crazy medical devices. As long as you're doing responsible research, knowing that it's a very big deal and there's a lot of consequences that you need to take into consideration, we need a lot of your talent out there to help us be more secure. So, please, please join. You can also check out a village, just one of the DEF CON villages. We really encourage you to check it out.

All right, listen, I don't think we should make all doctors aware of cyber security, making them experts; it's just not something for them. And honestly, I've been too busy driving Ferraris. Just kidding, I don't have a Ferrari. Only cardiologists have Ferraris. But what we need is we need more nurses.
We need more doctors in this space, because when you change the conversation from "this is just patient data that we want to secure, we just want to avoid a violation or a reported breach" to the NICU nurse saying, "hey, listen, if this medical device doesn't work or it's not available, or if the integrity of the data coming from it can be compromised, this little 30-week premature baby in this incubator is going to suffer," that's the type of conversation we need to have, by partnering with clinicians. And you know what? It's going to require some patience on our side as hackers. They don't speak our language, just like you often don't speak theirs. Coming together in these interdisciplinary things, working together, we're going to be able to make people change their minds about what security means in healthcare: not just HIPAA, not just privacy, but also patient safety. Next slide. All right, I'm going to finish up after this little bit. Then I'm going to open up for some questions if anyone has any. So, you know, how many out there are familiar with the last mile problem? Many industries have last mile problems. Yeah, so I'm not going to belabor the point. I'm pretty sure. But I'll try to describe it, and I'll probably butcher it. So just forgive me as I do butcher this, but in many industries there are certain parts of delivering things to consumers, for example, that are hard. And they might not be what you think. So for example, when you're shipping goods that are manufactured in a different country, you can make the particular product and you can put it in a container ship and it actually goes across an entire ocean, and so on. You can imagine all the logistics involved in that. But guess what? All these companies that are doing that actually don't dread all that stuff. They dread the last mile, which is how do you get it from the distribution center into someone's home? It's a classic problem with ISPs too.
There are so many variations in addresses and buildings that are built differently, et cetera, that the last mile ends up being the hardest part. Well, healthcare security has a last mile problem. And I want to talk to you about it right now. Next slide. Oh, can you hear me better now? All right. Awesome. So let's imagine we have an awesome hacker. She's donating her expertise. She buys a device off of eBay. And she finds a vulnerability. She finds a nasty vulnerability that could potentially kill somebody, in a medical device that she buys off eBay. Now, who does she go and talk to after that happens? Well, she probably will engage in responsible coordinated disclosure. I know that the language we use to describe that is controversial. In any case, she's elected to do responsible, coordinated disclosure. She contacts the medical device manufacturer. So what is the medical device manufacturer going to do? Next slide. Here we go. The medical device manufacturer is obligated to respond to that, right? There have been plenty of documented examples of medical device manufacturers that screwed this up, who threatened to sue researchers or ignored them. But that hasn't panned out very well for them. And the FDA has come down pretty hard on those companies. So as a consequence, a lot of them are changing and they're actually engaging hackers. What does the medical device manufacturer have to do? Well, they're obligated to report that to the regulator, which in the case of medical devices ends up being the FDA. Well, the FDA is like, this vulnerability is nasty. We don't want any patients to get hurt. So they're going to issue a public safety communication. They have to, and a lot of this is really hard: to get out there and tell patients and doctors and hospitals that they have to worry about this device.
And let's imagine that goes off without a hitch, which has never happened before. It's never an easy thing to do. But let's imagine they do a great job and everyone that has that device is made aware of that. Next slide. So the medical device manufacturer and the regulator are like, oh man, this is so concerning that we've got to issue a patch. And while patching systems, you know, is not controversial from a hacker perspective in most cases, one of the edge cases where it is controversial is medical devices. You know, what if you poorly test your patch and actually cause some type of clinical harm, because you're patching something and you didn't do a good job testing the patch, and actually the medical device malfunctions and hurts someone? Or there are all sorts of different things, like how are you going to actually patch something that's in a human being? You know, there are tens of thousands of patients all across the globe that have implantable medical devices. To call them all into the doctor's office and get their systems patched? Yeah, you can say yes, but it's a much harder thing to do than to say. Let's imagine they are so on the ball and this medical device manufacturer has patched this vulnerability in record time and the patch is fantastic. They have to roll that out. And this is where the last mile problem is. How do we get from patching a medical device to getting it to the actual patient? Because in this slide, the last part is the clinicians, right? The doctors and nurses have to call those patients in and they've got to put this magnetic interface onto their chest and they have to update the software. Next slide. Well, guess what? I think many of you out there know that's just not going to happen. It should happen, but it's not going to happen, or it's not going to happen in any significant percentage, because this last mile problem is really hard.
Now, we have a registry of patients that have these implantables, but guess what? Half the phone numbers aren't up to date, or it was implanted, you know, eight years ago and they moved and we have no idea where to send them a letter. Or these doctors say, this is stupid. I'm not going to actually do this. It's such a pain in the butt to patch, or I don't think this is a real issue. As you can see, we have this last mile problem. We could do all this great work and everything can go off perfectly, but if we don't get the patients and doctors together and tell them why this is important and have them understand it and advocate for security, it's just not going to happen. All right, next slide. So, I'm at 42. You guys are probably thinking to yourself, you know, we can just go to the end, to the question slide. You're thinking to yourself, man, why did I get myself into this crazy-ass talk? I was looking for overflows. Why are we talking about this crazy healthcare stuff? I want to say I want to thank you for this opportunity. Thank you, DEF CON Groups. Thank you, DC858619, for letting me talk about this stuff that's near and dear to my heart, and this isn't the end of the conversation. Call me on Twitter, hit me up somewhere. If you're interested in this space, there's a lot that we can do together to help. And, you know, how often do you get a chance to use your skills for more than just privacy and security, to, you know, really potentially save a life? That's a big deal. I want to say thank you for what you do. I miss my family, and if next year the plague is gone, I'm going to buy you all a beer in Vegas. Questions?

I have a question. Yeah, by the way. What are some of the groups that are valuable for people to reach out to to help solve this problem?

Yeah, great question. So for those who didn't hear the question, it was what groups are... you go all the way to the end, to the question slide, the very last slide, please.
The question was, what groups should I get involved with if I'm interested in this? There's the Biohacking Village group, which has an ongoing presence throughout the year. There's a group called I Am The Cavalry. I don't know how many of you out there are familiar with this, but they are really a great organization that gets a lot of attention and is able to persuade a lot of regulators like the FDA and other industries. There's a lot of power and a lot of awesome work they've done with I Am The Cavalry, folks like Beau Woods and Josh Corman, and there's a lot going on in that space. Go to their website, and they have a Slack that they'll invite you to. They don't just do medical, so if you're into hacking cars or airplanes, all sorts of things, but you also want to use your powers for good, definitely check out that organization. The next slide. All right, another question? All right, cool. Hit me up on Discord if you have any more, and this has been a true, true honor. Take care, everyone. Thank you.