 My name is Quadi. I'm excited here to introduce this next panel. And the topic of which you might think is a little bit of a mystery because not much on the website. Who here has any idea what this panel is about? Great. And yet you still came. So that's awesome. That is amazing. I can't tell if you just need a place to sit or what but we will proceed with some very interesting content primarily because this topic is very interesting, right? We're talking about hacking medical devices, hacking critical hospital infrastructure. As you can see all the great work that's being done in this village next door about keeping patients safe. And that's really the key thing we're going to talk about today. And when we say simulation, simulation comes in a lot of different flavors. There's a lot of different definitions. But if we think about it, we're really talking about what could happen to patients that are connected to these devices that are vulnerable. How can we study that ahead of time? Because we don't want to be discovering it after the fact, right? So we have to use the critical tool of simulation whether or not that be high fidelity simulation when we train doctors or whether or not it's going to be simulating attacks in different environments so we can better understand and learn them. So that's enough of my introduction for the topic today. I'm going to go ahead and start introducing some of our panelists. Dr. Saxon who is listed to be on this panel had a family emergency this morning and actually has flown out of the state. So I apologize to anyone who wanted to come for Dr. Saxon but she sends her regards. We're going to go ahead and start off. We have Dr. Julian Goldman at the end. They're each going to give their own introductions. We have Dr. Suzanne Schwartz. Yeah, Suzanne Schwartz. And we have Mr. David Guffrey. I'm excited. They'll now proceed with their own introductions. I'm so sorry. Listen, I went to public school and I can't spell anything. 
So please forgive me. Yes, yeah. It's the anesthetic. Please. Of course. Thank you.
Okay, so it's been given away. The secret is out. I'm an anesthesiologist. I work at Mass General Hospital and I'm also the medical director of biomedical engineering for the Partners Healthcare system. In 2004 I started a lab working on medical device interoperability and a few years ago added cybersecurity to our portfolio. And we have a lab which we have no patients of either kind. And so we have a simulation environment. We have a sandbox in which we can look at the different scenarios and what the clinical impact might be if either a device or part of a system is affected. Our work has been supported mostly through federal grants including work supported by the FDA. So when Dr. Schwartz is passed on, the mic is passed on to her. We've been collaborating closely on medical device cybersecurity and also with other agencies. In order to provide information and resources, education, knowledge, and work together as a community to address what we know is a serious threat and to avoid any negative effect to patients. And that could happen if a device is affected. It could happen if a device isn't available. It also could happen if incorrect information is disseminated to clinicians and it overwhelms them. So like any complex ecosystem, it's really difficult to address all the issues. But we're working with a lot of collaborators and trying to do that. And we're looking forward to the conversation today.
Thank you, Julian. So I'm Suzanne Schwartz and I'm at FDA Center for Devices and Radiological Health. I work as the director of a new office as a result of a reorganization, the Office of Strategic Partnerships and Technology Innovation at CDRH. And it is a pretty expansive portfolio that we have within this office. All extremely exciting leading edge work which makes every day an extraordinarily challenging but again intellectually, scientifically stimulating and exciting portfolio. 
Included within that portfolio is medical device cybersecurity. Interestingly enough, my background, I'm a clinician as well. I'm a physician. My training has nothing to do with cybersecurity. I'm a burn surgeon actually. And prior to coming to the FDA what will be nine years ago in October, I worked both within the clinical and academic sphere as well as some time spent in the private sector as well working within the medical device space for a start-up technology company. But when I came to the FDA as a medical officer, I was placed within CDRH and was involved really in the pre-market side of review and consultation on submissions of new technologies that have to do with my field, burn injuries and wound repair. Really exciting. As a result of long story short, as a result of the work that I was doing, I was introduced to the field of what's called emergency operations and medical countermeasures at FDA and was assigned to really represent efforts on behalf of the center for public health related emergencies. And when we were struck several years ago, this goes back to 2013, with the presentation of vulnerabilities of medical devices to the agency and really were not sure what we were supposed to do with that information. Especially when it comes in as a huge package of information through the researcher and through the Department of Homeland Security. The agency had made a decision at the leadership level that it's within this public health response role that we would undertake efforts for medical device cybersecurity. So what started out, the point here is what started out as purely reactive and response subsequently evolved and morphed into a much more proactive forward leaning stance. And it took really putting together a team across the center of experts that really represent the entire product life cycle. But beyond that, it was really about recognizing what we lacked. 
And that's a really important point for our discussion here because it's recognizing that there is a lot of expertise, knowledge, resources that the agency did not have and still does not have with respect to medical device cybersecurity. So what do you do in that set of circumstances? You reach out. You collaborate. You look for partners. You look to understand exactly what it is that we need to be working on together as a community in order to address some of these really complex challenges and this evolving space. And it's really as a result of that over the past several years that we've come a significant distance. We still, don't make any mistake, we have a long, long way to go as an agency and as a community. But it is an arduous journey. But it's through the types of collaborations and partnerships that we've had through your community, through the hacker community, with industry, with healthcare delivery organizations, with patients, with others that has brought us to where we are right now in articulating policy guidance, in defining collaborations and understanding what are ongoing challenges and we'll continue to do that as time goes on. Thank you.
Hi, I'm Dave Guffrey. I'm the biomedical cybersecurity specialist for Partners Healthcare. I lead the medical device cybersecurity program for operations and research across the healthcare enterprise. Background is kind of winding and varied. So I started out doing electrical stimulation feedback systems and signal processing nonlinear and linear systems. Transitioned into doing virtual reality as well as brain computer interfacing and other kinds of sensory motor integration. Came to Partners Healthcare a number of years ago, was on the medical device integration team leading architecture development, medical device integration across the enterprise with our health record system and overseeing cybersecurity as well as monitoring systems pieces for the medical device integration. 
And a few years ago, transitioned to this current role, leading the medical device cybersecurity program across the enterprise. So I work organizationally across all of our sites, all the different information systems groups as well as our clinical groups, biomedical groups and conduct research in the medical device interoperability cybersecurity program lab that is co-run with Julian Goldman over here, who is our medical director of biomedical engineering and in conjunction with our chief information security officer, we do a lot of work across the organization for both operations and research within the lab and we'll talk about some of those activities here today.
Give it up. What a panel, huh? I'll just keep it for a minute and pass it around. All right. I'm waking up. I think we're going to talk about a lot of serious problems today, right? We're going to be talking about some of the big difficulties that still remain in the space, issues of patient safety, et cetera. But before we do that, I think it's important for us all to take a little history lesson, if you will, and look back at how far we've actually come. So being involved in this space for several years now, I remember first coming to this and thinking, wow, everything is broken. It's a giant dumpster fire, right? How many people have heard that? Like healthcare cybersecurity, medical device is a giant dumpster fire. You know, I don't know how raging it is right now. I mean, there's probably some varying opinions. Could you roast some marshmallows? Probably. But I think it's important for us to take a little bit of a trip down memory lane. I'm going to ask each of these panelists to just reflect briefly on how far we've come. Please, if we can start. And just talk about how far the space has come. What have you seen in the last 10 years or so that gives you some hope about what we've accomplished before we just tear it all down with the negative stuff?
Sure. 
I think, you know, regarding how big the fire is, is it only sufficient for roasting marshmallows or what, I think put into perspective that when we talk about medical device cybersecurity, we have to kind of think about which part of the system we're talking about. Are we talking about a device itself and devices being affected? Are we talking about man-in-the-middle attacks of data that might flow within a health system? Are we talking about, for example, ransomware of health records? And probably the answer in where we are with that differs depending upon which part of the system that we're talking about. But I think, you know, just even before digging deeper into that and we'll all do that, I think everyone should have a small sense of comfort knowing that medical devices have always been imperfect and they've always had the potential for failing. I mean, that's what equipment does. And so the basic part of medical training, of clinical training, nursing training, biomedical engineering training is to deal with equipment that isn't performing correctly. Things break, they don't work. And so depending upon the criticality of a medical procedure, there are backup systems in place and always have been. And as an anesthesiologist, for example, we've always expected that the anesthesia machine and ventilator will fail during an anesthetic. We always expect that our other equipment will fail. We've always thought that way ever since these things were developed and when they used to fail a lot more frequently than they do today. So the reasons for failure are different. They used to simply be mechanical failures, pneumatic failures. And now that everything is microprocessor based, we have to be more concerned about cybersecurity. But at least so people don't cancel the surgery that's scheduled for tomorrow or next week, be aware that failures happen. 
Now, we're not used to seeing large fleet failures of entire products across the whole hospital, for example, which of course is the big fear with cybersecurity. However, those things have happened also completely unrelated to cybersecurity. For example, if there's a defect in the plastic tubing that's used for infusions of medication and all that truckload of that defective tubing arrives, it's all distributed throughout the hospital. The next thing you know, all the pumps are affected. There have been software upgrades over the years that have caused problems with medical devices, critical devices. So even that is not entirely new. But in a sense, the vector and the nefarious nature is what's changed probably the most. And so I think the end result of this is we're talking about it now, we didn't ten years ago. We're thinking about it now. And what we have yet to do is start to ensure that everyone has a higher level of vigilance for cybersecurity related device failures. And we need new ways of being able to address those when they occur. So instead of going on for an hour, I'm just going to stop right there.
Julian, I'm going to pull on one thread that you mentioned because I think when I reflect on the past several years, I think a lot of it comes down to a significant change in culture, a significant change in mindset and how we think about cybersecurity. And what I mean by that as an example or illustrative of where we are now versus where we were several years ago is that in many of the conversations that we would have, FDA, whether it's with industry, whether it is with healthcare delivery organizations, whether it's with just general public, it was kind of that can never happen. That's just purely hypothetical, theoretical. I don't need to be worrying about that. And how that would translate with respect to how even industry would view an issue that we'd bring up. 
It was like, well, you know, but we don't design our devices to be thinking about the potential mal intent or nefarious intent. We're designing for intended use. So think about the shift in mindset that we've asked of industry in the design of new devices to be putting on the hat of the adversary to be thinking about it from the standpoint of threat modeling. It's like, no, we need to consider other potential mechanisms by which a device could be used other than what it was, perhaps, you know, in the most beneficent sense intended for. The same mindset shift was required of healthcare organizations and of providers, because all of us who work within this field, it's hard for us to wrap our brains around the idea that anybody would want to do anything bad. That why would you look to disrupt operations within a hospital, the most vulnerable of individuals there? Why would you do such a thing? Nobody would ever do such a thing. But the recognition over the years, first of all, that hospitals, you know, in some ways they represent that they are a soft attack surface. And they therefore have to be thought of as kind of a hostile environment in terms of attempts at attacks on the systems. And CISOs of hospitals will tell you that that happens, and that's been happening day in, day out, all the time that they're constantly trying to defend from attacks, attempts at intrusions. So when you think about the requirement of taking on a very different posture here, that means really moving to a different place with regard to what, first of all, FDA would expect of manufacturers in the design of devices, as well as in the ongoing vigilance and management and monitoring of these devices throughout their lifetime, and what the expectations are in not only in the monitoring, but then therefore in attending to vulnerabilities that do get identified through the lifetime of that device. 
And we cannot just ignore those or leave those, but they really do need to be looked at, assessed, validated, assessed and determined in terms of what the potential is for patient harm, for a safety concern coming out of that vulnerability were it to be exploited. So those are, you know, some prime examples of what, you know, at the very core, the very foundation is required in order to move the ecosystem. There needs to be an acceptance of changing that culture, changing that mindset. It is an ongoing process. I think that we've certainly seen a lot of understanding of this and buy-in from industry, as well as from the hospital healthcare side, particularly, again, from CISOs that are on that front line, where there's a lot of work that's yet to be done, and I think that this will be a good also segue as we talk about today's discussion in medical simulation, where there's a lot of work that has to be done, is with the clinician community, clinicians and patients as well, but clinicians who are, again, focused on treating patients and giving care and thinking about things in the most kind of beneficent manner. The notion that something can, something, someone can impact on a device's safe performance, and therefore considering the benefit risk calculus, understanding what that is, and how to have dialogue with patients, and how to also be on the lookout for that, that is a whole new world. And that's a world that, you know, Christian and I have, we've talked a lot about, and that is where we need to be thinking about as we go forward. Medical simulation offers a real, you know, extraordinarily, really excellent tool in terms of being able to do that, particularly because it's something that resonates with the clinician community, and we'll talk about that as we go forward.
I would say where in my tenure, my tenure hasn't been as long in the field as the other two well-respected people next to me. 
However, what I have seen in this timeframe has been a rapid increase in connectivity. So medical devices now are not functioning as an island. We don't even have vendor systems individually functioning as an island. You have a system of systems that are connected together with, you have imaging, you have clinical monitoring, you have electronic health record systems, you have laboratory systems, we have even R and D systems. They're all tied together in some manner, all on our networks. And because of this rapid connectivity increase over the last number of years, as a result of several governmental initiatives, as well as other aspects that have gone into this, this threat surface is increasing with that and the awareness of cybersecurity and the need for cybersecurity is increasing in the medical community. We have individuals such as myself now popping up at other health institutions across the country where you're having medical device specific experts devoted to securing their systems within the healthcare organizations. We have procurement aspects that are going into your, you're considering cybersecurity now as part of your procurement process. You're assessing your medical infrastructure intake into the company prior to deployment and you're making recommendations and mitigations as a result of that. You're reassessing your existing inventory that may have been, your medical device systems may have been in operation for decades potentially and you're looking at it with a new lens to see where are your potential weaknesses, how can you fill them and where do we go for the future so that we can make better decisions.
Awesome. So of course we picked the best of the best, right? The people most aware of this representing institutions that are very savvy when it comes to medical device, critical hospital infrastructure security, right? So the best of the best, right? I'm going to ask a provocative question to the panelists here. 
Put on the hat of a middle tier, somewhat rural hospital that takes care of 100,000 patients a year. So it still takes care of a lot of patients but isn't connected to a big hospital network, doesn't have tremendous amounts of resources, etc. And take what you know about how hard it is to secure these systems, how vulnerable it perhaps could be and answer the question, do you think that if a patient was harmed by a device that was compromised by a piece of malware or some other thing that we would, that hospital would be sophisticated enough to detect it?
I think that's a very tough question to answer. Where I would start with it is it depends on, A, the monitoring infrastructure that they have, B, the relationships that they have with the medical device manufacturers themselves and C, the technical personnel that they have on staff. This is a mid-sized hospital, not a small rural community hospital. So you can suppose that they are going to have some technical resources, you are going to have some form of network monitoring, you are going to have clinicians that are going to be able to see changes in behavior of your medical infrastructure. And we have many manufacturers in the field that are on top of their game and they are act, they will actively work directly with the hospital to help remediate and mitigate their risk. So as long as those relationships exist, I would think that you can, it's going to minimize the potential impact. I can't, I can't directly answer it fully.
No, it's hypothetical. It's my favorite one because you can't answer them.
I would be pessimistic about the ability of such a hospital being able to recognize a cybersecurity related incident as being just that. And I think it has a lot to do with the fact that the hospital is not well resourced. 
It is in perhaps an environment or a location that is geographically well, well removed from some of the, you know, bigger academic or bigger, you know, clinical centers where there is a lot more likely exchange and dialogue happening across the C-suites and the operational folks within those organizations. And we've heard that, you know, we've, there's been an analysis, it's really done of that several years ago through the healthcare cybersecurity task force actually that kind of surveyed what does the nation look like with respect to its current state of preparedness and capability. And there's a very wide spectrum across the United States for hospitals and healthcare facilities, which leaves us certainly very concerned about those types of facilities and how we, as a collective, as a community can bet not just government, but really everyone, the private sector as well, think about the notion of partnerships and other efforts creatively that can help those types of institutions that may be, again, more remote, more siloed, less resourced to assist when these types of incidents do occur. Thank you.
Well, I think we should consider what kind of issue we're dealing with, what kind of attack it is. Is it something that's intentionally in stealth mode or is it something that's intentionally not? So if the Windows desktop screens pop up a ransomware notice with a very long, hard to remember Bitcoin, you know, information, I think for sure the hospital is going to know that it's been attacked. If, on the other hand, someone is performing a man-in-the-middle attack to modify lab values and other data with an intent to assassinate someone or cause harm or disrupt operations, I imagine it would be very difficult for anyone to detect. 
If a medical device is bricked, if the medical device obviously isn't functioning correctly, what people will do is grab another medical device, call their bio-med department, clinical engineering department, call the manufacturer and say, hey, you know, this thing's a piece of junk, please fix it. Manufacturer might examine it and hopefully would identify that it was a malware-related issue. If it happens to many devices as soon as they're connected to the network, I think the light bulb will come on pretty quickly that something isn't right. And probably most hospitals would, you know, one of the things they would do, of course, call the manufacturer and hopefully the manufacturer would know. And a lot of small medical device manufacturers aren't resourced. You know, probably to sort this out easily. There are a lot of mom and pop operations. Others that are larger are well resourced, but they'll often call up the FDA and they'll call Dr. Schwartz and say, we got a problem. Could you help us out? What do you know? What does the intel look like? So I really think it could cover the whole spectrum and to some extent depends upon how stealthily they're intending to be.
I'm not looking forward to that day. There's a lot of talk about how we need to do a lot of technical work and process improvement from when a security researcher finds a vulnerability in a device to when they interact with the medical device manufacturer interact with the regulators to perhaps when they put in mitigating controls, perhaps patches. I mean, we spent a huge amount of the last 10 years talking about that process. We're going to transition a little bit into talking about this unknown part. Just to put a little bit background out there. Imagine an implantable medical device needs a patch. This patch doesn't go over the air, like your phone, right? It's not a very easy thing to deploy. In fact, it almost always has to be deployed by a doctor in a doctor's office. Why, you ask? 
If it should fail, then the device won't work and you'll need a doctor or nurse nearby to make sure you survive without the function of the device. Does that make sense? Well, you can, many people out there who are probably new to this space in the medical device patching world can already understand how hard it must be to patch these things. If every time a device has to get patched, you have to go see your doctor, it's a big deal, right? Now, the question to the panelists is, how equipped do you think doctors and nurses, nurse practitioners, the clinical staff is today at A, understanding this and B, being willing to deploy something like a patch, knowing nothing about cybersecurity or patient care implications. So the question again, how well do you think doctors are prepared now? And then we'll get to in the future how we can maybe change that.
That's a good question, an interesting one. These things are happening already. We're receiving notifications that devices might be affected and we contact specialty groups. For example, if a device, you mentioned specifically an implantable device, but it could be something that's connected and not physically implanted like an insulin pump, right, which is similar in some regard, although it's not life sustaining, the pump itself isn't because someone could use an injection instead. When we contact our different physician groups and others, there's really no pushback. They think they're used to being advised by other experts when it comes to technology, and they ask what is the risk, you know, they rush to find out if the devices they have are affected or if their patients are affected, and then they ask for guidance on what to do. Now, I don't think we've hit times yet where it looks like something has a very high risk if not addressed and a very high risk to the patient if addressed for the reasons you mentioned. You know, you don't want to, you don't want to destabilize something. 
If you have a device that's working and let's say is a very low risk that it will be affected as long as, let's say, it is not connected to something, if that's the case, then the, you know, the best course could be transparency, advise everyone, and then make sure that you monitor the situation. And, you know, based on the experience to date, I'm finding very receptive groups of clinicians. I'm an anesthesiologist, as I said, but I work in my role in biomedical engineering, work with all the other groups, you know, across the hospital. And there's really been no pushback, but sometimes what the guidance is not necessarily very clear when we're in a stage of uncertainty, which is usually that first stage.
So I have a slightly different perspective, having to deal with the responsibility from the FDA of putting forward recommendations through communication to providers, to clinicians, and dealing with what one could consider a much more high stakes or a high consequence type of situation where, as an example that Christian provided, it would be necessary for the physician to bring a patient back in and have a discussion with the patient over what it is that's about to happen and why, you know, the physician feels that it is a prudent step to take. And we have seen a lot of reluctance, a lot of hesitancy within certain clinical groups, within certain clinician communities. The one that is most prominent, I think it's because also it's the first one that we've really had to deal with has been within the cardiac space, specifically with electrophysiologists. And I think that it's a demonstration of really where we are in, you know, the nascent scene and what will be growing pains here as far as better arming clinicians with what we can anticipate in the future with respect to these types of devices, definitely needing to be updated over their lifetime. 
And taking that from the standpoint of, oh my God, this is, you know, this is going to create a lot of anxiety and concern and fear for the patient as well as for the physician to something that becomes more of the norm that a physician, you know, can expect that over the lifetime of a device, the device just like a phone or any other technology, will need to receive updates in order to address the vulnerabilities that get identified later on that are not, you know, known or have not been discovered earlier on, that becomes, again, this comes back to the shift in mindset and culture, like that this becomes, yeah, part of what the practitioner can expect and therefore how do we ease that level of comfort for the practitioner so that they also know how to have a discussion around that with a patient. So I think that there's a lot of opportunity for us to talk about approaches that we can take to better educate clinicians, to better inform, to arm them for these situations that we would expect are going to become more normal and that we're not dealing with a kind of crisis every time a vulnerability is discovered within a device that is going to necessitate the physician to take a specific kind of action. And I'll take it just a step back as well. I don't think that at this stage for different clinician groups there's sufficient enough even understanding of cybersecurity to recognize with whom, with which patients they may feel the action or recommendation is appropriate and where they may feel, nope, it's not necessary for this particular patient and how to have that kind of benefit risk related decision, benefit risk excuse me discussion in order to come to an informed decision. One has to have ample background and understanding of what the risk is and what the consequences are in order to be able to render that kind of a decision together with a patient, but we're not even at that stage yet. 
So simply handing over a set of recommendations or next steps to a physician without having more contextual understanding I think is right now a gap area that needs to be addressed.
I'm in full agreement with the other two panelists. I think that there is definite room for improvement regarding the educational process and communication process. So over time there is going to need to be a shift that medical devices will need to be patched just part of normal course. Eventually we're going to find vulnerabilities in almost everything. That's just how it's going to happen. Everybody in this room knows that. So those kind of conversations need to be starting to happen with the clinical staff. Now that kind of piece can go into well how do you develop an educational structure within your organization as well as how do we develop a national educational structure? And those two pieces all three of us on the panel are actively working on and there's a number of people in the room that are working on how do you put out information in a digestible manner without increasing the anxiety while improving the context and awareness of your device and its potential impacts and situations.
Awesome. So we're going to go a little bit faster through some of the next topics. Who here in the room would like to fly in a plane with a pilot who has never actually flown a real plane and let them take off and land? Please raise your hand. What's your sense of excitement? Yeah, how much to take it? We could discuss that. Let's see how much you would pay. Are we willing? Maybe $50 is not enough. Anyways, we're going to talk about simulation next. So we're going to have two different types of simulation. One is simulating attacks on medical devices. Probably best exemplified by their work at the Partners lab, right? So how do we simulate these types of attacks? How do we put clinical risk in the criticality of these types of things and see how they translate to impacting patients? 
That's one type of simulation we're going to talk about. There's also this other simulation which falls into the pilot part of it. So aviation figured this out decades ago that they didn't want pilots flying in planes the first time while learning to fly planes. So they put them in these high fidelity simulators, right? Like basically video games to teach them how to take off, land, push all the buttons the right way, et cetera. We stole that in medicine and we teach doctors how to take care of really sick patients using simulation. So who here wants a doctor who looks like they're 25 taking care of them when they have their first heart attack? Anyone? Never having taken care of a heart attack before? You probably don't, right? So we teach those doctors how to take care of those sick patients using mannequins and dummies in fake emergency departments so that when they give the wrong drug or give too much of a drug or too little, we can correct them before they do it on a real patient. That sounds great, right? We did this for medical devices, right? So we took some real research out of this security researcher space and we wrote clinical simulations based on if this pacemaker vulnerability is real and it impacted the patients, this is how it would look. The patient would come in complaining that their pacemaker kept shocking them and perhaps they'd even go into a deadly heart rhythm as a result. Or maybe if the infusion pump they were hooked up to was compromised, it would give too much or too little medication and we let these doctors go through these cases not knowing what was going to happen. It's kind of like Dr. Dungeons and Dragons, right? They unroll this scenario. I bring all that up to say Dr. Schwartz, you saw some of these simulations in a couple of these conferences in the past. And what were some of the insights you saw? Did you see anything? Was it magical? Was it boring? 
What were some of the real importance to this that you saw that we could leverage to address the very issues this panel is talking about, which are generally clinicians and clinical staff don't know much about this and need to be better informed?

Yeah, I have had now the opportunity, really the privilege, to attend and to observe two such types of summits that went through these types of simulations. And for each of the scenarios, observing the clinicians kind of go through step by step their interventions, they're kind of watching them think through and act at the same time, and then do a debrief afterwards and listen to their aha moments, was just extraordinarily insightful and impactful, because each of them had said, you know, again, going into such a simulation not knowing what the scenario was going to be, that the consideration of an exploit of an attack never would have entered their mind. And it brings the understanding that this can occur into a frame of reference that resonates for the clinician, you know, in terms of what it is that they need to be thinking about in dealing with an emergency or scenario that's unfolding right before their eyes. And I think it was in some ways an awakening and an enlightenment for each of the clinicians that were involved in those scenarios, and for me very much validating that, in order to bring better awareness to cybersecurity for clinicians, placing a clinician in an immersive type of learning environment in the way that we do teach and train medical students and house staff and so forth is one, is a very, very effective method of doing so, because the intent is not, again, to turn clinicians into cybersecurity subject matter experts but rather to give them the tools to be recognizing and to therefore be doing what they do best as a situation is presented to them. And it was again a very, very enlightening and informative exercise.
So if may I add, so what is called high fidelity simulation is what this is usually called in the medical education world, and a number of specialties now use these environments. I go through simulation training every few years as well and, you know, boy, it makes you sweat. And you know, so what's special about simulation? Well, you can simulate things that someone may never see clinically and you can control and contrive whatever you want so that it becomes not only that educational opportunity but it also becomes seared in your memory. And then when there is an event, there's a problem, people usually fall back on, you know, their most memorable events of, oh yes, there was a simulation on this and maybe this issue is related to cybersecurity, you know, would be the outcome of that. Also a big part of simulation is the team training aspect. It's learning what to do when devices fail, things fall apart, and it's learning how to recognize that something is actually much worse than it first appeared to be, because we've all had bad things happen. Could it be a fire in the kitchen or it could be a car accident, and at some point things look okay and then they suddenly become terrible, and we train clinicians to recognize that tipping point, which is, you know, hard to do. You have to kind of step out of the experience and know how to bring in other help. So there's a lot of value at multiple levels for simulation and I think it's been really great to, you know, go down that pathway because of the potential for all sorts of good things to come out of it.

And you're of course welcome, Dave, to comment on that. Or if you'd like to talk more about your simulating of hacking these devices, because the last topic I'd like to hit after you talk about that is really how do we involve this community in here, because there are hackers out there, right? We care about being involved in this. That's why they're out here.
They are patients themselves or their parents or their kids are patients and they want to help, but they don't fall under the traditional categories, right? They're not in academia. They don't care about writing papers. They want to hack. And there are a lot of barriers to hackers out there getting involved in this space. So please talk about your work in the lab and then also let's start talking about how we can broaden inclusion into this space, which is really hard. You know, hackers can't get a hold of devices easily. They don't know who to talk to. There's a lot of problems and pushback and even threats from certain organizations being involved in that. So if we can move on to that for the last topic.

All right, well, I'll say one comment on the previous topic: one area in these various simulations that has been very enlightening is learning who needs to be at the table. So when you're doing emergency preparedness and response activities and you're working through emergency situations, it's important to figure out what your communication paths are. Who needs to be in what particular role? How do you all work together? You need to have people from the federal regulation level. You need to have people from your various groups within your hospital organization. You need to have medical device manufacturer groups. You have to have researchers at the table. And you have, so, all of these various pieces have come out in some of our simulation activities working through these kind of emergency disaster situations within our laboratory. As far as other kinds of more hacking oriented research and activities that we've done in the lab. So we use the medical device cybersecurity lab for a number of different pieces, both on the operation side and the research side. Operationally we do penetration testing of our systems prior to deployment, prior to procurement.
You work through your various systems and figure out how you can work then with your organization and with your medical device manufacturers to fill any potential gaps or figure out how can you have mitigated controls. As far as we also have work under a project with the Department of Homeland Security, and this is an aspect where all of you in the room, I highly encourage you to join us in this effort. So this is under the DHS IMPACT program, and if you Google IMPACT it'll pop up, and we have a project for a generation of medical device network traffic. And the reason for this is because, as you have all experienced in this research community, you can't get a hold of easily of medical devices. You may not be clinical experts and know the clinical workflows, and there may be other legal barriers to be able to do research on these medical devices, and because of that there's a lack in our field of networking systems and understanding of the medical network traffic in order to develop tools that we have tools in our regular IT networks. We have visibility. We have detection systems. We have artificial intelligence. All these different pieces on our IT networks, we don't necessarily have access to that on our medical networks due to a number of different hurdles. We are doing under this grant generating medical network traffic under normal state scenarios, failure mode scenarios, attack scenarios. We're bringing this to the research community so that you can then get access to this traffic and be able to start developing tools to help improve the ecosystem as a whole.

Yeah, that deserves a clap. Yeah, get the data. That's awesome. Build the tools.

I just want to clarify, when Dave said we don't, we don't have, we don't have those tools on medical networks. The "we" in this case he meant was the health care sector. Not we in our hospitals. Not Partners. Yeah. So, right.
So the very nature of how medical devices are connected in hospitals is they're typically on separate and proprietary networks for a host of things that relate to the fact that they were not necessarily designed to plug in to your backbone. They don't go into the technical details. But the bottom line is that they're typically isolated and separate. And that's why this is a data set that's been hard to get access to. Another reason is that medical devices are expensive and one needs a license to buy them, unless you buy them on eBay, in which case you just need money. So, and then as Dave said, setting them up requires a certain level of clinical engineering knowledge. Part of the reason we set up the lab the way we did, that's allowing us to share the data through the DHS IMPACT program, part of the way we set it up was to answer a question of what does a laboratory sandbox need to be prepared for a cybersecurity event, a significant one, hopefully not cyber Armageddon or whatever it's called. But you know, these things could happen and we as a nation and as a community have to be prepared.
So part of that work over the last year and a half or so has been a project sponsored by the FDA in partnership with MITRE to build a medical device cybersecurity sandbox, to understand what do we need, what kind of tools, how do we simulate different hospital environments and different network architectures, different implementations and configurations of equipment. Manufacturers may dictate that for a device to work correctly, or a hospital may have to dictate a configuration requirement based upon their available technology or clinical workflow, physical layout. They may have antiquated equipment, networking equipment, they may have state-of-the-art equipment. And so we've been studying that for some time and built out the cybersecurity sandbox as part of this cybersecurity preparedness initiative. And you can see how there's really good synergy between these initiatives, whether it's DHS science and technology, S&T, program wanting to share more core data with the cybersecurity community, whether it's the FDA in Suzanne's office thinking about how do we prepare as a healthcare sector so that the community could rapidly engage, hopefully ahead of time, not in response but proactively, to these events.

Do you have anything, Suzanne?

I would just simply add that I think that both types of scenarios that we were talking about, whether it is the clinical simulation for providers or whether we're talking about, again, the test bed or sandbox, they both demonstrate the power of simulation for preparedness. And we always talk about the importance of, you know, preparing, exercising, exercising, exercising, exercise to failure, not to futility. It's the idea of, before something bad happens, let's play this out and understand exactly what our weaknesses are, what are the things that we need to shore up, and then reiterate on that and continue to learn through that process. Simulation is a really powerful tool to do that.

Phenomenal.
Alright, so we're approaching the end here. I just wanted to again thank our team panelists and leave perhaps a challenge to the audience and everyone here. We've talked a lot about simulation as a powerful tool. Let's practice, let's tabletop these things, both to educate the doctors and nurses to in-care patients, to talk about involving hackers into this space. But really I feel like simulation is a tool that can be applied across this community, right? And that's really something I'd love to see go in a different direction. We'll continue to do clinical simulations, we'll continue to do the technical simulations, but what we really need is involving more of the community outside the walls of a hospital, you know, tapping into the tremendous resources of all the hackers here and allowing them to experience what this would actually be like, because what we want to do is leverage the expertise out in the room, all those hackers, to do meaningful work to help secure patients. And we talked about all the difficulties of how to do that and all the intricacies and how much you have to know to do that. Let's reduce those barriers, if you will, to allow more hackers into the community. And I guess I want to say thank you as well to everyone that's involved in the We Heart Hackers Initiative, the Biohacking Village next door. Please sit down and take a stab at the CTF, check out the vulnerable devices, and also join the community. This is something that's really important. Medical devices take care of our brothers, our sisters, our moms, our friends. There are a lot of nuances in this community. We should be banding together to solve a lot of these challenges and avoid the pitfalls that have happened in other industries that result in either outcomes we don't like, delays to fixing this issue. And then also it's just a cool space to be in. Who here is having fun here at DEF CON? You came to the simulation panel, didn't even know what it was, we had some fun. Can we give it up for our panelists, please?