Good morning, DEF CON Biohacking Village. It's an honor to be here. If you're confused where you are, you're somewhere in cyberspace at your home. Following the DEF CON tradition, you may be somewhere between sober and completely intoxicated. We recommend aggressive rehydration and take a shower. That would really help out. Before you do so, we appreciate you coming to our talk here. The talk is entitled "Lessons Learned from a Pale Horse: What COVID-19 Can Teach Us About Healthcare Cybersecurity." Quaddi, how are you, buddy? We haven't seen each other in person for a while. I feel like I haven't seen anybody in person for a long time. Was it November when we last saw each other, which for us is like a decade? Yeah, too long. I feel like I'm really missing my hacker family. I've just been talking with my wife about how much I miss going to DEF CON, seeing people in person, walking around. And then also it's kind of depressing to think about it, but it's also kind of a cool opportunity. Here we are at the Biohacking Village, been invited to speak here on a cool topic like this, and people all around the globe are going to be able to watch this. So I think we should go ahead and kick it off. What do you think, Jeff? I totally agree, but first I think it's just so important to shout out like what an amazing accomplishment and achievement it is that villages like the Biohacking Village and others and even DEF CON itself have been pulled into this safe mode, virtual experience. As people who have done events ourselves, I can't even imagine the amount of work it took to do this, knowing that our friends at the Biohacking Village and I'm sure others have been working like since last DEF CON on doing an amazing physical event. And then all of a sudden kind of having to reverse course and change that. So I just want to give them a huge shout out and major props for what is a job very well done. But yeah. Golf box. Sure. Absolutely. And more and more.
Let's kind of get into it, man. I think when we originally came up with this. So first of all, I guess for those of us who we haven't had the pleasure of meeting. My name is replicant Jeff. I am an anesthesiologist and security researcher hacker. My name is Christian Dameff. People call me quaddi. It's my handle. I'm an emergency medicine physician. I'm an assistant professor over at UC San Diego. I mean, we both had the privilege of taking care of patients during this global pandemic. We have, you know, been in the critical care units and the emergency room, treating patients with COVID-19, and it's been kind of a surreal experience for us because before all of this, we were and still obviously are, you know, advocates for security and health care. Being security researchers and kind of having this thesis statement that healthcare security is more than just privacy and patient records and things like that. There are, you know, vulnerabilities, and we've gone over this extensively at other DEF CONs and other gatherings to talk about these things. You know, medical devices and healthcare infrastructure are as vulnerable as any other area of connected life. And we know that those vulnerabilities have the potential to potentially affect patients, both in how we care for them and their long term outcome. So we've kind of been pushing this thesis for a while and then all of a sudden we found ourselves kind of on the front lines, need to think of the patients during this pandemic, and that's kind of changed, I think, a little bit of our perspective about ways in which we as a healthcare system can prepare for not just events like this but also security related concerns as well. So I think what we wanted to do is kind of see were there any insights that we obtained from our clinical practice and kind of how we think about disaster medicine, which we'll get into, and utilization of resources and readiness and preparedness in a medical type of emergency.
Can we apply some of those thoughts and lessons to the security realm? Sounds like a plan. Sounds like a plan. We're going to go ahead and get kicked off. Many of you out there like, what is disaster medicine, doesn't make any sense, like I'm familiar with cardiology, right, to take care of the heart. I'm familiar with gastroenterology. You know they give me a volume. Have me show up next morning and then scope my intestines. Well, many of you out there might wonder what is disaster medicine, and so under medicine generally a medicine you know surgery, the practice of taking care of someone's health and treating disease. There are all sorts of disciplines. There's emergency medicine. Jeff practices pediatrics and anesthesia. And there's so much to know in modern medicine, new treatments, new diseases that we, or sorry, disease that we learn more about. And as a consequence, it's impossible for a doctor to know all of it, and it would actually probably be very unsafe for a doctor to practice, you know, every form of medicine. We specialize under the House of Medicine with all these different specialties. There's a subspecialty, a niche, a further niche if you will, that discusses and studies and practices disaster medicine. Disaster medicine is how do you take care of people, not when you're in a fancy hospital where you have two MRI machines, an entire trauma team, you know, dozens and dozens of doctors on a particular service, hundreds of nurses. Instead, how do you take care of thousands of patients during an earthquake or during a hurricane?
How do you take care of patients as they're swelling through the front doors of your hospital during a pandemic? And you can see that there's some clear disaster medicine being practiced today all over the globe in response to the global pandemic. And this is a picture of a disaster in the United States and a particular specialized team that the government can call upon to remotely, sorry, to go to a particular location and practice disaster medicine. These are called DMAT teams or disaster medicine assistance teams. These are comprised of multidisciplinary teams, nurses, technicians, doctors that go to a place in response to a disaster. They'll organize how they take care of all those patients, they'll deploy electronic health systems, and then they'll be able to help treat all of those people, perhaps in a high school gym, for instance, instead of a hospital. So these are called DMAT teams, they practice disaster medicine and they study it. You know, lessons learned from Hurricane Maria, for example, we'll study that, do academic papers and publish them so that the next disaster that rolls around we're better prepared to respond to that. Well, Jeff and I are thoroughly convinced that there should be a subsection of disaster medicine called cyber disaster medicine. And we picked a picture of the DEF CON CTF for a couple different reasons. One, because a lot of what cyber disaster medicine is going to be is merging the two disciplines of clinical practice, taking care of patients' health, treating disease, while also addressing the logical problems, systems of connected medical technology that are malfunctioning or perhaps being attacked. That's really our premise of what Jeff mentioned. Our argument, our thesis, is that if you attack a hospital because it's so connected, and so interdependent on vulnerable technology.
If you attack that it won't be available for patient care, or the integrity of the data flowing from these systems will be changed and unreliable; as a consequence, patients' health will be affected. So we think there needs to be essentially a cyber DMAT team, right, so where we take doctors and hackers and nurses, put them in a team, and if some hospital in Nebraska or some hospital in Idaho gets hit by a ransomware attack for example, and they are unable to take care of patients, they're going to need both the medical expertise, the person power to respond to taking care of the strokes and heart attacks that are happening, while also simultaneously working with the technical teams to mitigate the issue and fix those damages to the technological infrastructure to restore care. We think convincingly though it's going to be more and more of a need of these hybrid teams where we have both hackers and doctors responding to attacks on health care infrastructure. We call that cyber disaster medicine. There's two points that I want to make real quick about the concept of disaster medicine in general, is that it assumes that you're going to be operating from a standpoint of very limited and constrained resources, right, and it also implies in some sense that the outcomes you are able to achieve are going to be less than the ideal outcomes that you would have in the non-disaster situation, and that there is some sense of needing to triage priorities. Absolutely. And one of the kind of foundational tenets of disaster medicine is the concept you mentioned of triage. If you have 10 patients in front of you, one is dead or just nearly died. If three are dying, and three are okay and some are in between, you need a system to be able to respond in the right order to take care of the patients that you can best help with. So, you know, a controversial part of this is, you know, don't treat the patients that are about to die. Those patients need advanced airways.
They need, you know, you know, five, six people to major surgery. Yeah, they might need major surgery. They might need, you know, a lot of broad spectrum antibiotics to need a lot of things that you might not have. If you spend your time focusing on the people who are dying doing CPR, those types of things, then those three people that might benefit from your care that don't need that many resources but still could have an adverse outcome. If you don't pay attention to them immediately, those are affected. So it's this concept of, can you make a system? Can you make a philosophy, if you will, a protocol to be able to respond and make decisions on who you treat with the limited resources you have and in what order. So these are foundational things. I mean, if you don't have a choice, you don't have a choice. If you're responding after an earthquake, you can't treat everyone at the same time equally. You have to pick and choose. I think in some sense the idea of triage in a healthcare delivery organization from a security standpoint has been one of the trickier things in normal times, right? Because we almost have like a paralysis of indecision. People like us talk about all the ways in which we could improve foundational and infrastructure security of a healthcare delivery organization. We talk about medical devices and things like that. Sometimes it can seem like there are too many things to fix, whereas this triage mentality helps us kind of focus our priorities and really kind of hone in on the things that may be actionable with the biggest yield and impact for resources invested. Yeah, I completely agree. We love security. You know, we drink the Kool-Aid. We adamantly believe it is a big risk to patient safety, but this is just one of dozens of issues, really serious issues facing healthcare across the globe. Security is just one of them. For instance, you know, the disproportionate allocation of resources for disadvantaged populations, right?
Like population health is a big deal. Social determinants of health. Security is just one of these things. And I agree that it's just triage element of it. COVID's blown all that up, right? So we have a global pandemic. It is sucking every single resource it possibly can out of the healthcare system and things like security, undoubtedly in the triage, if you will, are going lower. I understand that. That's very important. You have to take care of those patients. But what I fear is that we are putting far more attention to treating the immediate issues of COVID, not realizing that we are really opening ourselves up to the vulnerabilities and we're not fixing them. And as a consequence, we could have a one-two punch. We could have COVID and then a ransomware attack on top of it. Our ability to take care of patients in some of the hospitals across this country is already so hard. If we had to deal with a ransomware attack on top of it, my ability to take care of COVID patients in the emergency department is going to be hindered. That's going to hurt my patients. And so I think foundational security issues are still something to pay attention to during this pandemic. I mean, that's another tenet of disaster medicine, right? You need to fortify your infrastructure during a particular crisis with the anticipation that subsequent issues or events could even further hamper your ability to get the best outcomes in your emergency situation. So let's move on to some of the points that we came up with just in conversation earlier about some of the things that we as clinicians on the ICU core in the emergency room have drawn as parallels to some of the issues that we as security researchers wearing that different hat were worried about and kind of thinking about pre-COVID and see if there are some areas where we can draw parallels and maybe even lessons from that. So I want to talk a little bit about kind of just basic data gathering, right? 
So this idea of having the information you need in order to make actionable decisions. At the same point of the pandemic, I remember I was out of the country back in February on a medical surgical mission trip, and we at that point just started receiving information. I mean, Sacramento, I work at UC Davis Medical Center and we were actually the first hospital in the country to care for a patient who was diagnosed with coronavirus and they weren't able to identify the source of spread. So the first example of what we call the community acquired case, and that kind of set off this initial first couple of weeks to early months of uncertainty where we really didn't have a good idea about what the epidemiology looks like, right? We knew that there were reports earlier in December about where it had originated from a global standpoint. We knew that we were starting to see cases in other parts of the world, particularly Europe, but we really didn't have a sense of what the overall disease burden was in the U.S. and our communities, and we thought that we were still at an earlier enough phase that we could do individual kind of contact tracing and isolation, kind of this containment model, as opposed to the sort of mitigation that we're now in. So I think there were a lot of factors that played into that, obviously, and we don't need to necessarily get into that as much, you know, some of the issues with cross cultural communications between countries. Some of the mechanisms that we had in place from a federal standpoint that were either kind of like mothballed or not rolled out quite as effectively, but really had a surveillance issue in the beginning period of this crisis. So do you feel like in healthcare, there's a similar almost like fog of war when it comes to security, when it comes to understanding the threats faced by individual organizations, kind of how robust are we with respect to being able to communicate and share intelligence from that standpoint?
I think in some regards we've made like huge strides, right, so things like organizations such as the Health ISAC allow partners to pretty quickly communicate some security issues. So for those of you listening on watching this video. So if you're a part of that, you know, you're going to get multiple emails a day from some of these threat intelligence sharing organizations saying, Oh, this is going on, pay attention to this, and sometimes the conversations even get to the point of, well, I built some tools or these are the rules I wrote or this is how I'm mitigating this particular attack. Those types of things do happen. But generally speaking, we are not, might say we, healthcare security is not anywhere close to where it should be. Just because these organizations exist don't mean that many hospitals are taking advantage of them, because of one of the primary things that we want to bring just back to everyone's mind is that there are not a lot of people that work, not a lot of security people that work for healthcare. There's a dearth of people and resources around in security around healthcare. So even if you do have robust communication channels, which I don't think we have, but let's say we do, need people to receive that information, digest it and act upon it. And so, at the heart of this issue of COVID, we had very poor surveillance the beginning. I think we have had a chronic issue, a chronic lack of appropriate surveillance of healthcare security. There are a couple barriers I think to that. You know, there's HIPAA. Now I'm going to go ahead and say, of course, I think I could speak for Jeff, we're big supporters of HIPAA. We think the protection of patient information is really, really important. You know, we are hackers so we care about our data and it being secure, care about our privacy, but HIPAA or if those are enough there, that piece of legislation that essentially penalizes people who breach protected health information, leak it, lose it, etc.
It's been used as an example of why you can't share information. I can't talk about a breach when we lost a laptop or I can't talk about a particular vulnerability, a piece of malware that hit, because it might be a HIPAA concern. And we need to make sure HIPAA comes first, as opposed to information sharing and protecting the hospital down the street from getting hit with the exact same thing that I did. That should be the priority and it's not. There's liability concerns. So there's the thought of, if there is a breach of a hospital or hospitals under attack, you know, what will the hospital be liable for, for instance, the vulnerability that was exploited had a patch six months ago. And because healthcare entities deal a lot with other types of legal issues and security is not typically one of them, their legal teams tend to shy away from disclosing information, sharing information in a timely manner. There are always branding concerns. So people don't want to go get care at hospitals that have had breaches. Why? Because they're afraid their information is going to get breached or they're afraid while they're there, they're going to get hacked and something bad will happen then. So healthcare institutions generally are averse to sharing information because of branding concerns and market share competitions, which is some fierce, fierce competition in healthcare. I was going to say there's also an incredibly complex hierarchy, right, even within a single healthcare delivery organization with respect to a number of people that are involved in some of those branding issues that you talked about, some of the legal and liability issues. And it's very hard to centralize and coordinate decisions with respect to security sometimes because they affect so many different aspects of a hospital's function.
And we kind of saw something similar in, in, you know, the overall, I would say government response to this current crisis is that you just have a lot of different levels of leadership, levels of decision making, levels of stakeholders from a, you know, from a federal, state and local level, and sometimes those wires can get crossed and sometimes there isn't the best communication with the degree to which there are spheres of responsibilities overlap. So sometimes I think we make mutual assumptions that somebody else is covering a certain problem, whether it's things like PPE or bed capacity or things like that. We sometimes say, well, don't, you know, don't worry about the number of ICUs we have because the federal government will send this hospital ship or, you know, we're expecting a shipment of PPE from this state. And sometimes I think that degree of organizational complexity makes it really, really difficult to make quick streamlined decisions. And sometimes that can also affect the composition of the teams that you're working with, right. So if you have a system that is not quite as efficient or as effective, you can get pretty high turnover. We've seen that before in hospital security teams, right? There's this additional level of complexity that comes within working within healthcare that people from the outside aren't always accustomed to, and sometimes that can be very frustrating to the security professional working in healthcare for the first time. And I think we've both seen instances of pretty significant burnout and turnover in that sense, simply from the complexity of the overall organizational structure. I completely agree. You know, hackers want to make things better for the most part, you know, we could talk about malicious adversaries, et cetera, but that aside, hackers, security folks, they're trying to make things better. They're trying to make things more secure.
And when they go work for a healthcare organization, that's a great opportunity to do some to take your knowledge and your skills and put it towards helping people. You might not be at the bedside pushing a medication in an IV, but if you're supporting the hospital's infrastructure that made that medication administration possible and safe and secure, you're really, really doing something good. Just like you mentioned, we've heard horror story after horror story about talented security professionals, talented hackers going and working at hospitals, taking a pay cut, and then finding concerning things, bringing them to the center of their leadership and at the end of the day saying, we can't fix that issue because of insert some reason. The cardiologist said no they want to use that vulnerable device because it's their favorite or we don't have the budget to do that we need to buy a new MRI machine, etc, etc. It can be demoralizing to work for a healthcare organization in a security capacity and feel like you can't really change things. And a lot of that has to do with the bureaucratic complexities, you know, COVID, there are so many different agencies and state governments, etc, it's just turned into this bureaucratic nightmare. Even in the best of times a hospital is still a bureaucratic nightmare with so many different layers of administration and clinical expertise that at the end of the day, the bureaucracy can cause rapid turnover of our security professionals and, you know, we need them there. The 2017 Health and Human Services Task Force report commissioned by Congress came back and said they thought a minority of hospitals in the United States have even a single full time security professional on staff. You know, but yet we still march forward connecting more systems together, increasing our attack surface, etc, without the commensurate investment in security personnel. 
As a consequence of that we're putting ourselves in an even worse situation where we are more vulnerable, we have less people to respond to and the bureaucracy is getting even more complex. It's an impossible proposition at its face. That problem of turnover. It really highlights how important institutional memory is, right, and I think that was something that we saw from the standpoint of pandemic response too, is that there were structures in place to work, playbooks in place. Some of the problems that we've run into could have potentially been soluble, and I think we've both seen examples of clinical situations. With respect to security where, you know, people have worked on a problem, they've even come up with a potential solution to a problem, they've even started to implement that solution. And then they go, whether it's for, you know, other opportunities or just the disillusionment that was already talked about, they leave, and the next person coming in sometimes doesn't have the ability to pick up where they left off, they have to kind of reinvent the very beginning, and that chance to build the institutional memory is kind of lost. Absolutely. And that's a problem in a lot of different industries but it's particularly important in healthcare because there are so much, there's so much specialized weird medical devices. It feels like if you work at a hospital, you know, I don't work for IT in a hospital or security at a hospital, you don't only have to know the technical infrastructure and routers and firewalls like you do at any other organization. You also have to know all this weird. This device on the fourth floor is a 10 year old infusion pump, and it acts very strange and we have tried our best to mitigate its vulnerabilities in the following way. And when it does this function and when it doesn't do this function. This is the health implication.
There's so much more context around the technological infrastructure in a hospital that is outside the regular domain of security. And so if you don't have institutional memory if you don't can't pass down that knowledge that healthcare context specific knowledge. If you don't exist and you just have rapid turnover, you're risking someone forgetting about the device or what you did about it and as a consequence you're just putting yourself out there more and becoming even more vulnerable. So, I, I want to talk about communication a little bit because I think that this is something that has been very challenging from a clinical standpoint right and so tell me if you have had the experience where you are caring for these patients. You are constantly receiving updated protocols with respect to how to safely use protective equipment or the certain situations in which, you know, an aerosol generating procedure might be taking place. So you need to have an N95 at that point, but if you're just going into, you know, assess the patient, you can get away with contact droplet precautions. And the first that we are learning in real time about the sort of natural course of this disease about best practices for how to to treat it that communication from a clinical standpoint is very important. And there's a there's a there's a transparency that I think with the best examples of this that's very beneficial to kind of tell people, this is the information that we're seeing this is how we're making these decisions this is why we're doing this in a certain way. And when you have situations where that's not the case. You know, whether it's canceling elective surgeries, whether it's how we allocate beds, whether it's our testing protocols and things like that. It's very demoralizing and kind of dispiriting sometimes for the clinicians across the country to be put in situations where they don't really understand how the decisions are made or how they're communicated. 
And I would just hire other filter over that with respect to certain, you know, trustworthiness of information from a partisan or ideological standpoint, what we need to get into, but clearly communication and how we talk to each other during these types of situations has been key on the clinical side. And I was wondering what your thoughts were with respect to how we talk about healthcare security and those issues. I remember when we first started seeing COVID patients at my hospitals. And I remember many doctors across the country were getting their information about how to treat them on Twitter. You know, should you give large amounts of IV fluid? Should you give patients ibuprofen if they have? Remember that there was this issue about whether or not NSAIDs like ibuprofen could make it worse. There was, I remember this adamantly, the first time I had to intubate a COVID patient. It was because there was this very early information saying, hey, you should intubate these patients early instead of try noninvasive airway. There was this maneuvers like high-flow oxygen or BiPAP. There was this fear around BiPAP that if you put this on, it's a mask essentially goes over their mask and provides positive pressure and helps patients breathe. The fear was that that would aerosolize the virus and that everyone in the room, even if you were covered head to toe in PPE, would get the virus if you put a patient on BiPAP. There's all this different communication streams, getting information on how to treat patients on Twitter, the academic literature, which is the foundation of how we treat patients, right? So in medicine, we do studies, we design things, and we collect data, we publish on the scientific method. In COVID, a lot of that we didn't have time for. We didn't have random placebo-controlled trials on ibuprofen yet. We didn't have this type of information. So these communication streams, they just weren't authoritarian. They weren't coming in a coherent way.
There was conflicting information. There was a lot of concern about where the data was coming from, you know, and as a consequence, I think it really just paralyzed a lot of frontline clinicians. We were, what do we do? I heard we should do this yesterday. Now I'm hearing we shouldn't do it today. That was really unfortunate. Its parallels in healthcare cybersecurity are many. We've already touched on a few, you know, information sharing being one of them. But I just want to bring up a very important part of this, which is if there is any silver lining out of what, you know, of the response to coronavirus. It's that the academic journals that a study could take years to collect data and publish, big journals like the New England Journal, Lancet, a few JAMA, etc. They said we need to rapidly review this literature and start getting it out there. So they reduce their standards for what would get published a little bit for the sake of we need to rapidly publish. At the heart of that is this need for information sharing and communication. It wasn't the best, but at least they tried. We don't have that in healthcare cybersecurity. We don't have hospitals knowingly giving us information, data, anonymized data on attacks. We don't share data and study it critically and publish that very often. Instead hospitals are saying, we got breached, we don't need to study this, we don't need to share the raw data, instead we need to forget that this happened, pay our We really need to change our philosophy in healthcare security to collect data, pool data, design studies where we can make some meaningful conclusions at the end of the day. That science, we need to share that with everyone, you need to go through peer review so that other people can review the data and make sure that what we're saying is consistent with what they've experienced.
At the end of the day we can answer some fundamental questions, things that people on this video call have heard time and time again, for example, the question, should you pay the ransom, if your hospital's ransomed? You'll hear 15 different opinions about whether or not you should pay the ransom, if your hospital's under ransomware attack. But what we don't have is a reliable data set from all the prior hospitals who've been ransomed, looking at things like outcome, how much they paid, so that we can take that data, make meaningful conclusions and through the scientific method provide recommendations at the end of the day that are evidence-based in all that evidence-based medicine. We want to make, pick the right treatments and do the right thing because there's evidence. In healthcare cybersecurity we don't have the evidence base because we don't share it. We really need to change that. COVID, we were able to not perfectly, but we saw some glimmering hopes of hopefully in some respects, particularly with the journals, of that getting better. I totally agree. I want to just go back and clarify too that, you know, when talking about the sort of mixed messages that we had early on, that in of itself is not a problem, right. It's okay if we don't know initially in a situation like this whether the best clinical intervention is invasive mechanical ventilation or non-invasive or positive pressure ventilation, right. It's okay in the initial period of this, more still collecting those data points, to be able to say we don't know, there are a couple of different possibilities here and we're going to try one or the other.
I mean, that's the scientific method, that's the process by which we generate a hypothesis and then test it. So having different options or different messages initially is not an issue, it's then needing to, as you said, gather that data. And I think, even before all this, we have been of the perspective that if it does turn out that, you know, we are able to look back in five to 10 years, that health care security was not necessarily the issue of magnitude we thought it was, I think you and I as scientists are both going to be fine with that, and I was able to say, you know, it's where we're much more at peace with the concept of advocating for these issues and for not turning out to be a big patient safety issue than if we were to sort of ignore them and allow it to be that. As kind of a tangent to that, I just wanted to ask you briefly, because from a standpoint of communication in this space, in the healthcare security space, we often get opposing viewpoints, which is totally fine. But, but, but something I've been thinking about is, we have come into conversations with people who have said, you know, healthcare is something that we don't think attackers are particularly motivated to sort of target or focus on. Because, you know, it's a hospital and why would you go after a hospital, or why would you go after a medical device, we just don't think that's going to be a powerful motivating factor for people. We've obviously seen some examples over the last couple of months where there have been attacks at institutions that were actively treating COVID patients or actively engaged in COVID research. In some of those cases, the particular, you know, there was a very precise targeting based on that fact and that situation. What do you think about the argument now that healthcare is sort of this different sacrosanct space that won't necessarily be the focus of other types of attacks because of its kind of unique nature in that sense?
Yeah, I think that's demonstrably false. He brought up a couple good examples of adversaries who willfully have targeted healthcare infrastructure, primarily COVID research, for their own gain. And I think those out there that are still saying, you know, hackers aren't going to target healthcare because no one would ever be that evil, really just need to wake up to the fact that two things are true. One, adversaries are doing that, we are, attacks are increasing, they're not decreasing. Two, and then two, many adversaries might not even know that they're attacking healthcare. Right. So there's no, there's no like set of IP addresses that are only allocated to hospitals, right, so if you're out there scanning, trying to propagate malware, you could hit a hospital and not even know it, right, and by the time you figure that out the damage might already be done. So I think we really need to go away from this paradigm of, let's prepare based on what we think attackers' motivations are clearly to a understanding their motivations but also assuming that we might not fully understand their motivations or they might not, their motivations may be ill aimed, or that they might even be intending to harm us. That's the way we stay safe. You know, it's not bury our head in the sand, no one's evil enough to hack healthcare. It's instead assume it's being attacked every day because it is, and treat it like any other valuable resource that a hacker, you know, a malicious adversary might be going after, like a bank, for example. And these types of, and then also the research infrastructure is really important. You know, people don't necessarily equate the scientific method and institutions of higher learning as part of the healthcare infrastructure but they truly are. Many universities in this world are connected directly to hospitals, like their networks are actually connected, right, so.
In addition, the work that is done on the university side or the biotech side directly influences clinical practice, and if you take out, for instance, a COVID vaccine data cohort, right, so we are testing the vaccine for the COVID rollout. If you attack the infrastructure that collects the data about those results you could put the vaccine back weeks to months. And as a consequence patients will die. That is a scary proposition and we understand that it's not very clear where the boundaries of healthcare stop. And so we really need a wider appreciation of what exactly is healthcare infrastructure and what domains are affecting the care of patients. They're much broader than most people realize.
Yeah, I want to talk really quickly about some of the definitive solutions that we're searching for with respect to COVID, and I think you mentioned that, you know, there are vaccines that are in the works, and I think hopefully people will be able to look back after all this is over with it and say, man, we really went through that process faster than any other time in human history. So that to talk about a vaccine. You know, I think they're already in stage three trials, it's in the candidate six months after this virus was first discovered, is pretty incredible just from a science standpoint. But right now you and I, clinically, when we're taking care of these patients, we don't have direct therapeutics that are really targeted at how this particular virus works and the way that it infects and spreads. We have adjuncts, we have things that we think are helpful, and a lot of the care just kind of comes down to supportive practices with respect to managing organ system effects and things like that so that hopefully patients recover on their own. So we're still looking for therapeutics that work directly in inhibiting the virus mechanism of action of application. We're still looking for vaccines, obviously, to be rolled out.
I feel like there is, there is an association there with how we think about some of the tools we have in security writ large and how those are implemented in healthcare, and how we really haven't yet come to a place where we have healthcare specific security tools or practices. This is obviously much more relevant to medical devices and things like that, but what do you think, where do you think we are with respect to getting products and tools and practices that are tailored specifically for healthcare?
Yeah, I think we're on our way. We take this slide image because when we first started getting into this and talking about this, shoot, Jeff, what it was like 10 years ago, 15 years ago. I just look back on my timeline and we started med school 10 years ago. Congratulations, you old dude. When we first started getting into this, the only solutions that people would say to protect a hospital were basically just rebranded security tools from other industries, right, so they basically just took. Let's take the tenets and principles around PCI compliance and let's make your hospital PCI compliant for healthcare medical devices. And what we really saw was that just doesn't work. To draw an analogy from the medicine realm, we're not treating COVID by giving flu shots, right, we're not. There are no antibiotics that work for COVID, right, so just because they work in other diseases doesn't mean they're going to work in this particular instance. And what we've been saying for a long time is that if you just borrow the tools from other industries without understanding how healthcare works and you deploy them in such a way, they're probably not going to be very effective, right. We have a big problem with legacy devices in healthcare, for example. That wouldn't be tolerated, legacy medical devices that run out of date operating systems that are essentially unpatchable, that have really nasty vulnerabilities and that will be around on your network for 10 years, for example.
You know, that wouldn't be tolerated in banking infrastructure of, at a large bank and a large well resourced bank, right, they wouldn't let a machine on their network that had those vulnerabilities. But yet we expect that if we take the same exact approach to banking security and apply it towards healthcare cyber security that we're going to get the same results. And what you quickly realize is that that's just not possible, you have to really change your way and understand the context around clinical care, for example. You also have to understand how your clinical, sorry, how your cyber security tools impact clinical care, right, so they're just as much as there's been examples of vulnerable imaging devices like CT scanners and MRI machines that can be infected with malware and cause availability issues. There's also been discussions about examples of patching these devices, so well intentioned patching that results in essentially bricked devices, and if you don't have a CT scanner at a stroke center, for example, or if you had two and you take one out because it's been bricked by a failed patch, the next stroke patient or the next trauma patient that comes in to the hospital could have to wait longer for their scan. And that could mean the difference about whether they get a medicine in a critical time window, it could be the difference about whether or not they talk or they walk, it could be the difference between whether or not they go to surgery and get a bullet taken out of a particular location sooner. So these have real implications. If you just think you can apply your same philosophy, your same tools in exactly the same way in health care, you're going to be sorely mistaken, and you have to do so in a mindful way to avoid patient care implications and patient harm.
Could not agree more, my friend. Listen, we could probably talk about this for another three hours, I think we have just barely scratched the surface here.
But I think we're almost at the 45 minute mark and what I want to do is leave some time for questions on the live session to make sure that we don't overstay our welcome. This has been really fun. I am so happy we got to do this. I want to thank again everybody at the biohacking village for giving us the opportunity, it's an honor. We wish we could see you guys and give you big aseptic hugs but unfortunately that's not the world that we're living in. We just hope everybody is staying safe and healthy, and hopefully this time next year we'll get together and have a beer and be able to have this behind us.
I miss you man, you should hang out some time, virtually of course, and looking forward to the Q&A, and thanks everybody, appreciate it.