Kevin Fu directs the Archimedes Research Center for Medical Device Security and the Security and Privacy Research Group at the University of Michigan, where he's also an associate professor. He writes a blog on medical device security and safety. Thank you, Kevin. It's all yours.
All right. Thank you for the introduction. So interesting to follow that panel. Actually on mobile devices, I had recently discovered that my mobile device had been collecting all of my walking and stair activity and I hadn't even remembered that I enabled that. So I was really impressed. I had a fitness tracker and I hadn't actually bought one.
So what I'd like to talk about today, and it's going to be a very short 10 or 15 minutes, is a little bit about this discussion of medical device hacking, but maybe not in the sense that you're used to seeing if you get most of your information from the non-research literature, shall we say. With my required disclosures clause, you can go see where my potential biases are. There you go. That's where I get most of my research support.
But let me tell you a little bit of the context here. So several years ago, I was part of a big team and co-led a team that analyzed the security of a wirelessly controlled pacemaker defibrillator and that has been bubbling up for probably about eight years now. The most recent thing that's resulted is FDA issuing some new guidance on the cybersecurity and the design of modern medical devices. But I want to talk with you a little bit about what I see as the real problems when it comes to hacking and medical devices and it might not be what you think.
I'll just begin with a little disclaimer. It's very easy to find problems. In fact, that's what I do. That's what my students do. My own opinion is that patients are much safer with medical devices than without even when there are security problems because they're more predisposed to risk.
But that said, of course, you would like to see improved security when it's possible. So let me just briefly talk about one example that my laboratory is most widely known for. And that is several years ago, we showed how to wirelessly induce the conditions for a fatal heart rhythm. Let me see if I have it on me. I do happen to have a defibrillator. It was donated by a patient. So actually, you're welcome to pass this around. And I have the electrodes that are woven through a sacrificed blood vessel to do both sensing in the heart and also sending shocks. This one, I believe, is designed to send small shocks. I can pass this around. It's been de-dangered. Just don't lick it. But it will not give you a shock.
But you'll see a lot of reporting about hacking into implantable medical devices. It is an important element. But what I like to tell is a slightly different story that I think is more important to patient safety and better outcomes. And in particular, it's about malware. We're not talking about targeted attacks. We're not talking about nation-states at this point. We're talking about malicious computer software that accidentally breaks into medical devices, not even realizing it's a medical device and then causing that device to either malfunction or be unable to deliver patient care. So these are really, really basic problems.
But let me warm you up to the little demonstration I'm going to show. So several years ago, I go around and I talk with quite a few CISOs from hospitals, so Chief Information Security Officers. And I was really fascinated by a chart one of the CISOs gave me. He wrote that in his hospital. He broke down the different operating systems in his hospital. And I like to add up numbers and call the speaker on the carpet when they get their numbers wrong. I said, hey, your numbers are wrong. You added up Windows XP incorrectly. You have 0 version 1, 15 version 2, and 3 version 3. That doesn't add up to 600. Something's wrong with your data.
And he said, no, Kevin, you don't understand. We have 600 version 0 Windows XP boxes in our hospital. That is susceptible to every piece of malware ever written for Windows XP. So it doesn't take a PhD to understand at this point that, well, that kind of exposure means hospitals are going to be more susceptible to conventional malware. And that's why today, some of the malware that we haven't seen for 10 years, you'll still find inside hospitals just because they're using such old software. And the reason for that old software is very complicated. It has a lot to do with manufacturing culture, as well as regulatory issues. And there's no one solution. But the fact is, there's quite a bit of old software out there. And hospitals want to see that software working for a very long time.
So let me tell you, as a result of that, what are some of the typical problems one will find in the clinical environment? Everything from the small family practice up to the large hospital. So actually, one story I picked up from the VA, the Veterans Administration, the field security office was telling me about a vendor who was coming in to upgrade software on medical devices. Seems kind of benign. It's good to update the software, hooray, kudos for them. The problem is the contractor also used a USB drive and unbeknownst to the contractor spread malware to the hospital medical devices as they were doing the upgrade. So again, this is not rocket science. This is, yeah, we're not practicing sort of good hand washing technique when it comes to our data. We're accidentally spreading malware through very simple processes. And guess what? You could have the best firewalls in the world in your hospital, and it doesn't matter if your vendor plugs the malware into the device.
I'll give you a quick example of, in my laboratory, I have a pharmaceutical compounder. This is a special device that creates custom liquid drugs for IV delivery.
And we got a report from the Food and Drug Administration that this device had become infected with a computer virus. And it turns out that not only had this device been infected, but during repair, the malware accidentally was spread to the other devices under repair by those performing the service. There have also been cases of product assembly lines where malware has accidentally gotten in during the assembly process. Fortunately, all the cases I'm aware of were caught before it was shipped.
But let me just tell you about one example of one that wasn't caught. So I like to go around the internet downloading software and just running it and see what happens. So, well, if you laugh, but I'm sure you're doing this all the time, right? You click on things. So I went to go download an update to a ventilator. This is a device to assist with breathing. And when I clicked on the link to get the update, this is what a hospital biomedical engineer would do. This little dialog box popped up on my screen. It says, warning, visiting this site may harm your computer. The website you're visiting appears to contain malware. Again, this is not some nation state. This is not some insidious organized crime. This is just malware that's sitting on the internet that's somehow getting into our web browsers. Turns out for this particular case, the malware included, according to Google, this is Google keeps a whole bunch of analytics on this. There are 38 Trojan horses and three scripting exploits as sort of a bonus package for this ventilator firmware update.
So this is sort of the low-hanging fruit. So you'll hear stories about hacking implantable medical devices, and a lot of that, most of that's true. But there's a whole lot of other things that are a little more simple and more prevalent. Let's see. I already told you the story about the compounder being infected with a virus.
The more interesting thing is that sometimes you'll hear that, well, the operating system is not regularly updated or patched, period. And so that sort of leads to more susceptibility. You've got exposure plus susceptibility, you're going to get exploits.
So what I want to show you a video of, let me give you a preview for what's actually going on. It's a little bit hard to see what's going to happen here. So the title is, what is it, hacking medical devices. We're going to hack the hackers right now. So I decided it was not fair that the hackers have so much to their advantage. It's really easy to break down an open door. So one of my students, one of my former students decided, you know, what if we took a power outlet and modified it, such that whatever you plug into the power outlet, we can tell if it's infected with malware based upon your power consumption patterns. And it was a kind of crazy idea, but that's what we do in research. And the weird thing was, it worked.
So we called the system WattsUpDoc. And it sits between the power, it's like a surge protector. It sits between the power outlet and whatever you're trying to protect. Typically we look at medical devices, but you can think like, you know, internet of things. And the basic idea is that, hey, this way you don't have to modify any of the software inside the device, and yet you can still get some better threat indicators about, hey, what's going on? Do you have any threats going up against your device?
So the video I'm going to show, I'll start that right now, the video I'm going to show is a picture of radiological imaging. This is running a piece of software called MIM. It's a commercial radiological imaging software package on a notebook computer. And on the left hand side, you can see a little blinking LED. That is our prototype that's basically a power outlet. Plugs into the wall and it's providing power to the computer.
So the idea is that the clinician is doing their radiological imaging in the hospital, perhaps looking at the images. And the question is, how can we look for evidence and surveil for malware, even if we're not going to want to tamper with or change anything on the protected computer? On the left hand side here is sort of an advanced debugging interface, but that's sort of the analytics of what's going on. It's analyzing the power outlet at this point. So the actual, what's printed on the screen is not too important, but you can see, we're looking at an x-ray over there. And as we're moving around and looking at the x-ray, you'll see that the analytics, you're not getting any false positives at this point. It's not doing any alarm fatigue yet.
But what we're about to do is infect this radiological imaging system with malware. And we're gonna do that using what's been reported to the FDA and that is typically a vendor sticking a USB drive in or a clinician who's copying electronic medical records because don't forget, you keep things offline to keep them secure and you use a USB drive sometimes to transfer things. So what we've got here is a cleverly disguised USB drive. It's got a picture of an insect on top of it. And we're about to plug it in innocuously, just like any clinician does every day.
So we've plugged it in and you know what's gonna happen here. We're running Windows and it's very easy for a non-technical person, could be a physician, a nurse. Senior physicians are particularly susceptible, I've noticed. And it typically will trick you into running something. It installs it and it disappears. So you may have quickly seen a dialogue box appear, but the disk image disappeared. And what's actually been installed is a piece of malware called Backoff. Backoff is the malware that broke into a whole bunch of systems like a Dairy Queen into their cash registers.
And this piece of malware is pretty insidious because once it gets in, it covers its tracks, and to the untrained eye, you don't notice it causing any problems. But when malware gets into a medical device, it can slow it down. And when you slow down a medical device, the software isn't guaranteed to behave safely anymore. It might not deliver the results you expect. And sometimes it can also cause the device just to become unusable. A typical way you notice that you have malware nowadays is someone will say it seems to be running slow. So again, this is not hacking a pacemaker, but this is much more benign but more prevalent.
Now what you can see going on here is that there's a little red bar on the right hand side that says, hmm, seems like something really odd's going on. Again, it's only looking at the power outlet. There's no network traffic, there's no wireless. It's just looking at the power consumption of the notebook computer and is able to raise an alarm. Now you can see it's already sent a text message saying, hey, you appear to have some malware on your device. You better go look more carefully. So that's a quick demonstration of just what's going on as the hackers are hacking the hackers to try to better protect these devices.
And it's less about, there's sort of two issues today. I would say it's less about the insidious hacker. It's more about conventional malware that's just causing problems. Now in the future, and of course the title of this event is Future Tense, but if the title were something like Future Perfect Tense, hopefully we will have better security protections in place in the future so that when the eventual deliberate threats come, we don't know when, but if you look at any industry, eventually they come, we'll be better prepared. So I think I'll leave it at that and I'll return the microphone. Thank you.