Hi everyone, and welcome to "How Do We Uniform, Uniform November Foxtrot Uniform Charlie Kilo (Unfuck) Things". Can we really unfuck these things, or is it TARFU? For those that don't know the military script and slang: well, go google it, it's more fun, right? I don't want to tell it all to you guys, just go google that.

This talk is not your normal talk, right? This is an interpretive dance. This is me getting on my soapbox, because I'm five foot nothing, and telling you all the things that need to be unfucked. This is my own opinion, this is no one else's opinion; this is conversations that have been had, this is observations that have been made. So if you're easily offended, this is not the talk for you: scroll past, go do some other fluffy stuff.

So, who am I? I am a DEF CON goon. I'm the father of DC2751; we solely focus on reverse engineering medical devices and making things better. I'm also an avid Biohacking Village supporter; I think this is the best village at DEF CON, it's the one I certainly most enjoy. I'm also currently an independent researcher for Medtronic, and as you can see in the beautiful picture on the right, that is my Medtronic ICD. It's what keeps me breathing and kicking and doing all the things. I'm also DFIR, lethal forensic aids; I've been doing forensics and incident response for many, many years. Yes, I look very young, but I'm much older than I look. I'm a member of I Am The Cavalry, I'm a patient, and I proudly refer to myself as a cyborg.

Now, I wanted to do a different talk this year, because I believe that if we know what is wrong, we can find ways to fix it. So this is the talk for all medical device enthusiasts, those that want to unfuck the things, those that want to fix it and make it better.

So let's talk about the legacy of all problems, right? I sat down the other day and I did the maths. In the U.S. alone there are 600,000 new implantable devices every year. These devices last for approximately a decade, so you start adding these up, and we have a whole sea of devices that sooner or later will add to our technical debt. In a single hospital, if you put all the devices together within a hospital, in the U.S. we have 10 to 15 million connected medical devices; that's about 10 to 15 connected devices per patient bed. To give you an example: I was in ICU, because often my heart's an asshole and it lands me in ICU for some TLC, right? So I go have my holidays. If you look around, you have infusion pumps, you have monitors, you have external monitors monitoring your pacemaker or your ICD, and you have central stations. It is this big ocean of leaping lights. I know Jason Street always refers to it as a box with blinky lights; well, go be in an ICU bed, you'll see lots of those.

So when we start realizing how many hospital beds there are, how many devices are attached to those beds, we start seeing the magnitude of the legacy. We see the ocean of devices we are faced with protecting, with fixing. Now, this is what led me down this path: I think we should start fixing the ship now. We can't wait for another year, go and wait for two, because we're adding to our problem. And now, as we've seen with COVID, healthcare has changed forever; the boundaries have been broken, the perimeters no longer exist. So you wonder why I say "the legacy"? Well, in case you did not know, most medical devices are coded in C. So I decided to do a dad joke.

The question is, how are we getting it so wrong? And yeah, someone said that; someone was me. I want to know why in three years we've made no strides, or why in three years we're doing the same things over and over. Well, let's start at the beginning: lack of clear definitions. There's no consistency in the terms that we use. I often go to talks and I realize, well, we're talking about medical device security, but the more I listen, I realize it is a Windows 10 endpoint within a healthcare establishment that we're talking about. Surely that's not the same as an insulin pump, an infusion pump, or even a pacemaker? Those things don't even look or act the same.

So I decided to do what any good researcher does, and I went to the dictionary. I looked up the terms. So let's explore "healthcare": the field concerned with the maintenance and restoration of the health of the body and mind, right? It's hard, but this is what healthcare does, this is what hospitals do. So surely any device that they put there to help facilitate this should be called a healthcare device? So let's explore what is the meaning of "medical": relating to medicine or the practice of medicine. So it is something that allows us to practice medicine; healthcare is something that we give to our patients. For me, I started to see the clear separation between the two. Each one has different responsibilities, each one has a different function. It is very important that we start differentiating between the two. An interesting, useless fact: did you know that a cotton swab is seen as a medical device? Yes, that is for ICD chain and billing purposes. I sure as hell don't think it's a device; I think it's a disposable, it's something we only use once. So let's see what is a "device": something contrived for a specific purpose, usually a simple mechanical apparatus. Okay, so your insulin pump, your pacemaker, those are all a device, right? Well, now the question is: is it medical, is it healthcare? We need to start differentiating, because each one of the two has different controls, different threats, different weaknesses and vulnerabilities; in fact, they have different operating systems. We need to clearly understand what we are dealing with.

Now the question is: is it a healthcare or a medical device? Which button will you choose, which one will you use? I get very confused, because we're using the same terminology for everything, because "medical device" sounds much sexier than "a healthcare endpoint" or "a healthcare device". But that leads me to the point that if we don't start defining these things out and understanding the ecosystem we are supposed to protect, we are setting ourselves up for a hiding; we are literally looking to respect this. This is something that I'm living my life towards: when you talk, you are only repeating what you know, but when you listen, you learn something new. So I went on a year-long journey to understand what devices are telling me. I wanted to know what secrets they hold.

Why things are so wrong is that we're not assigning responsibility accurately. I know it's a word that everyone fears, because no one wants to be accountable or responsible for decisions or things they fault, right? So let's explore the MDM's, or the medical device manufacturer's, responsibility. They have a responsibility to create devices, right, that aren't unhackable, because let's face it, nothing is unhackable; you know, everyone gets bored and someone figures out how to hack a device. But they need to have a device that is secure, or as secure and safe as you can have it. Their responsibility is to deal with the devices both pre-market and post-market, meaning that if a vulnerability is found pre-market, they need to fix it before going to market with the device. They need to do everything in their power to make sure that what they are building, both on a firmware and a hardware level, takes into consideration the security challenges as well as the clinical features, because let's face it, security is not a functional requirement for medical devices; they are there to offer medical care to patients. Often we see the security slapped on after the fact, where it should be coming from design, throughout manufacturing, to when it goes to market.

Now we have a fairly secure device that's gone to market; for example, an ICD lasts for 10 to 15 years. I can almost guarantee you that in that time someone will find a vulnerability. Now we need to fix that vulnerability. The hospital, the healthcare establishment, has no power to fix the firmware or even fix the physical device if there's a vulnerability found; this remains the MDM's responsibility. Part of their responsibility is having a catalog or register of the information, of everything that goes into their products, right? For every product they put on the market, they have responsibility towards the end of the lifetime of that device. If it breaks, they are the only ones that have the power to fix it, no one else.

Now we get to what is the FDA's responsibility. Well, I say the FDA here because it's a US conference, but everyone follows suit of the FDA. If you start researching medical legislation around the world, you will see the terminology used by the FDA being rolled out in other countries, meaning they are the leader in this, they are the one that everyone looks up to. They need more legislative power, they need more teeth, they need to be an enforcer of what the standard is. They are the one that has to keep the MDMs on track, they are the gatekeepers to the market for products, they are the ones that need to enforce the fixing of the problem. I know that they are currently working on new guidances and I surely hope that it's got more teeth. An example of this is in the guidance as it currently stands: a reasonable risk analysis needs to be done; however, the reasonable analysis that is required for it to meet the reasonable test is not specified. So again we have guidances that don't have enough detail, or standards out. I'm hoping that from a legislative point of view we can actually start setting the terms of what is expected from a medical device, both on a clinical and on a security level, and this is not just for implantables. I know it's a little bit hard when it's, you know, inside someone, but let's start categorizing it, let's start standardizing the things and setting up the rules of engagement: you know, what is expected of a device, how should it be used, and how should it be updated. These are things that can only be done by the FDA; they are the rule setters, they are the ruling forces.

Let me look at what is the HDO's responsibility. Their responsibility is to keep their patients alive. Their responsibility is to have these diversities of devices on their networks, but they have to implement them in a safe way, taking into consideration the type of device it is, how it communicates, and how they are going to introduce it into their ecosystem. Those are the responsibilities of the HDO. They do not hold the responsibility for updating firmware or even vulnerability management of devices; that should be a manufacturer role. We've seen that during COVID-19 HDOs are crumbling globally; healthcare is fracturing. And the fact is that they are designed, their purpose is, to deal with pandemics and viruses. We are now expecting them to take on both cyber security and do the job of a manufacturer, or do the job of the FDA. That is not what they are designed for, so how can we expect that they will not crumble and break even further? As a security researcher or a hacker, I don't want to be responsible for breaking healthcare more; I'm going to be responsible for making it better. So we should take into consideration that the decisions they make on a daily basis are life and death; they have patients connected to them. We shouldn't be making things harder for an HDO; we should be supporting them and making it safer for them to implement. The last thing I want is for someone to have a device breached and a patient to lose their life. It puts science back tens of decades, and the fact of the matter is, I would not be here without my device. I would be dead at the age of 19. It has extended my life, and for that I'm grateful and thankful. So we cannot go forward and break things more until we have an understanding of how we can build them up.

Now, the third problem is two worlds colliding, meaning we have this complex ecosystem that has different devices, but we have one way of implementing them. We have a cookie-cutter approach when it comes to introducing medical devices into a hospital, because we don't define these out properly. Are we heading for a big bang, or is it going to be a meeting of the minds? I think we are facing a situation where we're going to have a big bang, because all we need to happen is for these controls to fail. And can you honestly tell me that you have the same controls for a Windows 10 machine versus a patient bedside monitor running something like BusyBox, VxWorks, or proprietary software? Are these the same? Do they look the same, do they sound the same, do they crack the same? I don't think so. I think each one comes with different sets of challenges. I found that a hospital is the most complex sea of devices that I've ever seen, and this is just me walking through a hospital. Have you ever noticed how many different manufacturers can be under one roof? Do you think that those devices are all made equally, in the same way? Do you think every manufacturer applies the same controls, has the same way of thinking? No. Everyone functions in a silo, because there's no clear standard. The standards we are using are those for IoT devices, or for regular computers or laptops or endpoints. There's no set of standards specifically catering to medical devices. And to be clear, when I say "medical device" I mean that thing made by a manufacturer, not a Windows 10 machine running software; that's a different conversation.

Again leading into this, it's the diversity of it all. Have you ever spent time in a hospital and just looked around and then thought to yourself, I wonder how they've implemented this? A lot of hospitals will offer you guest wi-fi; those systems are often not segmented. There's the saying in security, trust but verify, right? We just give everyone access; all the systems have access to everything, because we want to make it easier. Now I ask you: if you look at this picture, most of those devices are connected onto the hospital network. These devices all have communications, but all these devices are most likely very different in how they apply security. And let me tell you, often we do this thing where security is an afterthought, or a post-market situation. We don't give developers or hardware engineers the information to become security-minded developers, security-minded hardware engineers. Security can be built into every portion of your pipeline, and should be; we should be taking this as a requirement to look at.

I also believe that one day these devices will be hacked; in fact, they might already be hacked, because we don't have the data to pull from to say whether or not a device has been hacked. Always in incident response we come after the fact and say, oh, if I only had logs, or if I only had this piece of evidence. We should be building in these controls to be able to visualize what's going on on that device. Now you might ask how I know this. Well, I have a whole room full of medical devices, I have a whole library filled with firmware. I have been doing forensics for the last year; I'm trying to determine whether or not there's any logging, or whether or not I even have the ability to do a forensic investigation. And I can tell you that, no, because no one considers the fact that these devices will inevitably one day get breached, if they have not already.

A big thing that I want to see change is that we have proper standards and rigorous guidances. These things should be enforced; they should not be "if you want to, do the following". There should be repercussions for MDMs not following standards and guidances. I have spent significant time looking at the NIST standards currently used for medical devices. These things are referencing machines that have Windows or Microsoft or different protocols; they don't take into consideration what a medical device is. I want to see controls; controls are there for specific devices, but we need to categorize these first. And I think, before we get ahead, the first and foremost thing that needs to change is the fact that we need to start understanding what a medical device is, as well as subcategories of that device. I think once we have a clear understanding, we can have better standards. I would love to see a standard specifically catering to medical devices, specifically taking into consideration the unique challenges they face.

And how do I know these things? Data never lies, right? It's the one thing that you can listen to. Yes, data can be manipulated, but this is data that's collected over long periods of time. Healthcare has become the biggest target at the moment; not only are they facing keeping people alive, they are facing attacks from all avenues. The internal threat, or the malicious actor from within, has certainly taken a rise. I was very shocked to learn the other day that 18% of healthcare workers stated that they would sell patient records for the right price. We never consider that the greatest threat might come from within.

So now we've spoken a lot about the problems, but there is a saving grace. There's something that I really believe has the right approach to dealing with the complex problem that is medical devices within a hospital: it is called the zero trust network. Trust neither a zero nor a one. This turns the whole of security on its head, where we no longer just "trust but verify"; we verify but never trust. We no longer have this perimeter-based defense structure that we used to have. I think most hospitals build this huge wall and make their perimeter hot, but never consider that patients walk in and out of a hospital wearing wearables, with embedded devices, or, you know, introducing medical devices that are connected. I've often seen that hospitals get breached via a phishing email, or via a system that should not have access to the whole entire network. This is a very important thing for me, because this could lead to us defining, you know, the least privilege and the least access that a device should have on a network, and especially with electronic healthcare records moving to the cloud, not every system needs to have access to that. We should be limiting what devices have access and how they have access. And I think one of the biggest things, and the most promising things, is that if we find that a device is no longer conforming to the rules and the controls we set up, you can revoke the access for that device. It breaks down the perimeter and makes it more secure; it makes it more manageable, because now we have the ability to differentiate between devices, and we don't have to have a cookie-cutter approach to healthcare security.

Another big thing I realized is that as researchers, or the FDA, or the MDM, we don't like to play nice together. We don't like to listen to someone that has a difference of opinion from us, we don't like criticism, we don't like to debate situations. But the fact remains that working together is the only way that we get to solve healthcare; after all, it takes a village, or even two, for that to even happen. I think it's a smarter way to pool resources together and hit this problem from all sides. It needs to be a multidisciplinary approach to solving a problem that is healthcare and medical device security.

So let's see some solutions. We need to define things better. We need to assign the responsibility and accountability to the parties involved. We need to not trust implicitly; we should not put devices into our networks and trust them with the keys to the kingdom. We should assume that a device is breached at all times, because most likely it is, because you don't know otherwise. At one point in time we are going to see medical devices breached; well, they might already be. We need to standardize and set the tone, the rules of engagement, the rules that are expected from someone, and by someone I mean the MDM. These things need to be defined, and clarity needs to be given to what the expectation of a secure device is. I want to see these things in black and white. I don't want to have the conversation anymore. I want a call to action to make things better, to change it now, before legacy comes and bites us in the ass, because every year we wait, every year it adds so much more to the problem. At one point the problem will become unmanageable if we don't do something now. If you as a researcher find a vulnerability, do the proof of concept, reach out, make things better. But don't just find a problem; find a solution, because finding problems is easy, breaking in is easy, but it's finding a way for things to work better that is going to change the world fundamentally. And it's not one person, nor two people, but a whole collective effort that will change the future of connected devices.

Thank you very much, and please feel free to reach out: hit me up on Twitter, email me, go comment on my blog. I'm looking forward to your questions and I'm looking forward to the discussion, and thank you for giving me an opportunity to get on my soapbox and, for once, be tall and shout in a room about things that are making me angry.
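The zero-trust idea near the end of the talk, verifying every device on every request and revoking access when it stops conforming, as an added Python example that is not part of the talk or of any product or standard it mentions. Device names, the two categories (a manufacturer-built medical device versus a general-purpose healthcare endpoint, following the talk's own distinction), the firmware hashes and the allowlists are all constructed for the illustration; a real deployment would take posture from an attestation or inventory source rather than from a field on an object.

```python
"""Added illustration (not from the talk): a small zero-trust policy check for
devices on a hospital network. Every access request is verified against the
device's category and current posture; a device that stops conforming has its
access revoked instead of keeping implicit network-wide trust.
All device names, categories, hashes and policies below are constructed."""
from dataclasses import dataclass, field

# Categories follow the talk's distinction: a manufacturer-built medical device
# versus a general-purpose healthcare endpoint (e.g. a Windows workstation).
MEDICAL_DEVICE = "medical_device"
HEALTHCARE_ENDPOINT = "healthcare_endpoint"

# Least-privilege allowlists (constructed): the only services each category may
# reach. Nothing outside the list is reachable, however "trusted" a device was.
POLICY = {
    MEDICAL_DEVICE: {"device-gateway:5000"},
    HEALTHCARE_ENDPOINT: {"ehr-portal:443", "directory:389"},
}


@dataclass
class Device:
    device_id: str
    category: str
    expected_firmware: str   # hash the manufacturer published (constructed)
    reported_firmware: str   # what the device attests right now (constructed)
    revoked: bool = False
    log: list = field(default_factory=list)

    def conforms(self) -> bool:
        """Posture check: the device must attest the firmware we expect."""
        return self.reported_firmware == self.expected_firmware


def authorize(device: Device, destination: str) -> bool:
    """Verify on every request: current posture AND category policy.
    A non-conforming device is revoked and denied; revocation is sticky until
    an operator re-enrols the device after investigation."""
    if device.revoked:
        device.log.append(f"deny {destination}: revoked")
        return False
    if not device.conforms():
        device.revoked = True
        device.log.append(f"deny {destination}: firmware mismatch, access revoked")
        return False
    allowed = destination in POLICY.get(device.category, set())
    device.log.append(f"{'allow' if allowed else 'deny'} {destination}")
    return allowed


def reenrol(device: Device, verified_firmware: str) -> None:
    """Operator action after investigation: clear the revocation only when the
    device attests firmware matching the manufacturer's published hash."""
    device.reported_firmware = verified_firmware
    if device.conforms():
        device.revoked = False
        device.log.append("re-enrolled")


def demo() -> list:
    """Walk one infusion pump and one workstation through the policy."""
    pump = Device("infusion-pump-01", MEDICAL_DEVICE, "fw-abc", "fw-abc")
    ws = Device("nurse-station-07", HEALTHCARE_ENDPOINT, "build-2", "build-2")
    results = [
        authorize(pump, "device-gateway:5000"),   # allowed: in category policy
        authorize(pump, "ehr-portal:443"),        # denied: least privilege
        authorize(ws, "ehr-portal:443"),          # allowed
    ]
    pump.reported_firmware = "fw-zzz"             # pump no longer attests expected firmware
    results.append(authorize(pump, "device-gateway:5000"))  # denied and revoked
    pump.reported_firmware = "fw-abc"
    results.append(authorize(pump, "device-gateway:5000"))  # still denied: revocation is sticky
    reenrol(pump, "fw-abc")
    results.append(authorize(pump, "device-gateway:5000"))  # allowed again after re-enrolment
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point the talk makes is visible in `demo()`: the pump's earlier allowed request buys it nothing once its posture changes, a medical device and a healthcare endpoint are judged by different allowlists rather than one cookie-cutter rule, and the per-device log is the evidence an incident responder would otherwise be missing.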