Welcome, DEF CON, to the Do No Harm panel. If you're joining us for the first time, this is a panel looking at the complexities of the hacker community and healthcare. We're joined by an amazing panel of people who will introduce themselves shortly. But before I begin, I want to introduce our other moderator, replicant.

Hey guys, replicant, or Jeff, here. Very happy and honored to be back with you today. For those of you who are joining asynchronously and watching this virtually, we hope you're doing well. We're sorry to not see you in person, but understand that that's the best choice at this time, and look forward to that point where we can all get together in person, happy and healthy. My name is Jeff, as mentioned. I'm an anesthesiologist by training, and I work with quality. I'm doing some security research on the side down here at UC San Diego. A man who needs no introduction, but do us a favor, for those who may not be aware of the glory that is Josh Corman: give us a quick intro and a little bit about what you do, and then all of our subjects and panelists can also say hi.

Sure. Well, I'm Josh Corman. I'm one of the founders of I Am The Cavalry, about eight years ago, August 1. But very important to disclose right now: because of some work I did on a congressional healthcare task force that ended in 2017, when the pandemic started Director Krebs at the time asked me to come serve the country for a year as part of the CARES Act. So I am the chief strategist for the pandemic response, the COVID task force at CISA, the Cybersecurity and Infrastructure Security Agency. So if you want to spot the Fed, guilty as charged, at least for a temporary emergency hire. So I'm here in my official capacity, but if we touch upon things that happened before the pandemic, I may be wearing a different hat.

Awesome. Gab, will you introduce yourself?

Yes, I can do that.
So I am a cloud security engineer currently working in healthcare, doing a lot in the insurance space and in the regulation space as well. I also do some medical device research, and my background is actually in genetic science and neuroscience, so I kind of have that crossover. I actually got into information security through medical devices, so this is a near and dear subject to me.

Awesome. Stephanie?

I'm Stephanie Domas. I'm currently the director of strategic security and communications at Intel, and so I'm right now really focused on the critical role that hardware and firmware plays in security. But more importantly to this conversation, I spent about seven years previous to that focused specifically on medical device cybersecurity, so I did a lot of consulting with medical device manufacturers and healthcare providers, really digging into the bits and bytes of how you design and build and maintain more secure medical devices.

Wonderful, and last but not least, Jessica.

Sure, I am Jessica Wilkerson. I'm a senior cyber policy, my God, advisor; we go back and forth between advisor and analyst, at the FDA, the Food and Drug Administration. So my job is medical device cybersecurity pretty much all day, every day, but from the government angle, so I guess I am the other Fed in the room. Forgive the awkward camera angle; I am technically on vacation right now, but you all are so important I decided I had to do this panel for you.

I'm going to go to the panel today with an understanding that there's a big elephant in the room, which is, if this talk is about hacking healthcare and all the complexity of this, there's been a pretty serious issue going on for over a year. The elephant in the room being, of course, COVID.
And we wanted to underscore that before we began, just to discuss a couple of things. One, there's some renewed urgency in the need to address the resiliency of healthcare. You know, we've seen a lot of these issues; we've been seeing them for a long time. Now, with the pandemic as a backdrop, it's more important than ever for us to really address this key issue, as well as to learn more about where we failed and what we can do better, and how we as hackers can really contribute towards this mission of improving the safety of healthcare, not just in the United States but all the way across the world.

So to open up the first question to the panel, we wanted to talk about hackers and the amazing research that they do into medical devices and critical hospital infrastructure. It seems like not a year goes by where we don't see some amazing research being done hacking infusion pumps or insulin pumps, attacks on HL7, and other types of healthcare-specific issues. They tend to come out into the media. My first question to the panel is: we haven't seen a lot of that this last year. Why?

I'll take a stab. I have been involved in and witness to some coordinated vulnerability disclosures over the last year. Perhaps they're just not as public or revealed at conferences, or perhaps they're happening in a more collegial, behind-the-scenes way with a little less sensationalism. The vulnerabilities are certainly there and the talent pool is certainly there, but maybe others also figured there was a lot on the plates of the medical industry at the moment and are exercising some discretion. But there are probably other reasons as well.

Wonderful. So thank you, Josh, for your answer to my question, which was that we seem to be seeing some research; it's just not very public yet. I wanted to reach out to the rest of the panel, Stephanie, Jessica, Gab: your thoughts on what's going to happen here in the next year or so with the medical device research we really haven't been seeing over the pandemic.
So I'll jump in, building on what Josh said there. There is activity happening, and so I think part of the reason you're not seeing as many sort of headlines around it is because of the maturity of those coordinated vulnerability disclosure processes, which is an excellent thing. Another piece of it is also around the maturity of sort of the media and knowledge in the space. So I think we're starting to reach a point where vulnerabilities being responsibly disclosed by manufacturers is business as usual. So instead of, every time one of these disclosures got posted by a medical device manufacturer, there being sensational headlines around it, that's becoming business as usual. There are still vulnerabilities getting posted; they're being released by medical device manufacturers, but they're not getting picked up in those sensational news cycles, which I think is a great testament to just the maturation in the industry: it's actually a good thing that these are being disclosed, and it's not worth sort of the scare tactics that we had seen maybe earlier on in the space.

Okay, good, I was actually unmuted; I thought I was going to have an issue. But I would argue, from the FDA side, I mean this is my job, I do vulnerability response for medical devices, and so let me assure you there is no shortage of medical device vulnerabilities, because if there were I would have a much easier job than I do. Like Stephanie and like Josh are saying, the industry has really come a long way in terms of maturity, and not just the industry, not just the researchers. The FDA has also matured with what we've seen and what we've gone through and what we've experienced, and so our response, I think, also influences the way that a lot of these sometimes get reported. And I am actually very happy to report them in a lot of ways: we'll get a vulnerability, we have the internal expertise within FDA to do our own analysis of patient safety risks.
And then, you know, we just sort of give it to the teams, we give it to the reviewers to say, you know, go forth and work with the medical device manufacturer and get it fixed, and then they do it, and it's just like Stephanie said, it's just business as usual.

And from the engineering perspective, I think, additionally, they're just being pulled in so many directions right now. I think there's different things happening across the entire industry, and not just in the healthcare space. So I know that my team and the work that I do, we have just so many different projects involving different types of technology and different things across the industry. It's been a little bit harder to try and focus on the medical devices specifically.

Let me just pull back things a little bit in general and say that at the last Do No Harm, which was all virtual on Discord, I think we were still kind of a little bit in the acute shock period of everything that was going on with respect to the pandemic. Now, 18 months into this, we have really seen, Christian clinically, how much of an impact it has had on how we currently practice medicine and how we're likely to do so in the future. I'm curious, just to kind of set the stage for some of the questions we're running into later: what are some of the sort of lessons or changes in perspective that you have all had as a result of being able to kind of sit with this for a little bit longer and decompress? Obviously, you know, we're close to being out of it, but now that we're a little bit removed from that acute crisis period, where have you sort of changed, and how do you look at the space as a whole and the major pain points and problems that you're thinking about, and what sort of surprised you about that entire process?

I want to go last on this one.

So you do want to go last? Yeah. All right.

Well, so I mean I think, you know, it's interesting for FDA, coming at this from the healthcare federal government angle.
We all went on remote work I think in like March, but of course healthcare, you cannot work remote in healthcare. I think, jumping in, Christian, you probably know that better than anybody: the patients still have to go to the hospital, people still have to see doctors, they still have to carry on. And healthcare is so incredibly highly digitized that, you know, we already knew that we have this reliance on digital technologies, and Josh, I don't know, your "over-dependence," you have this phrase that you use which you can repeat when you speak. You know, we knew we were dependent, right? That wasn't the secret. I think the extent to which we were dependent, and the ease with which critical functionality can be disrupted, on accident, on purpose, for whatever reason, just really underscored the criticality of figuring out cybersecurity in healthcare to a more significant degree than we have right now. We have come incredibly far from when, Josh, you set up the Cavalry, Stephanie, when you were in MedSec, and all of that. But, you know, we still have an incredible way to go, and I think the pandemic was a little bit humbling in that sense of revealing, you know, that we had a lot of this work still ahead of us.

For me, just speaking about kind of the trends I saw in the industry, you know, for the first half of it I would say we were exponentially increasing our cyber risk in the healthcare space by just moving devices around, pop-up clinics, you know, standing up beds. I mean, so the cybersecurity risk was growing exponentially, yet from a consultant perspective I can tell you that there were no spare cycles for tackling that risk at the time. There was a lot of technical debt taken on very early in the pandemic around cybersecurity, because everyone's top priority was just get it working, right? We just have to make it work. And so the last six months or so I would say is when I've started to see that technical debt.
Being cashed in. You're starting to see people get their heads above water in the healthcare space and try to now redeem that technical debt and get rid of it. So it's been interesting seeing that cycle of now people are finally coming back up for air and trying to kind of tackle the spaghetti monster that was made for very good reasons. Just an interesting observation: we're not out of the woods yet, the technical debt is still there, but we are starting to chisel away at it.

So I'll try to be brief on some of these things. So we're back to that: we had a congressional task force for healthcare industry cybersecurity as part of the CISA 2015 law. We started in 2016 and finished Mother's Day weekend 2017, when WannaCry affected 40% of the UK's healthcare delivery. So we knew a bunch of seams and cracks in the US's ability to provide medical care; we knew many of them, we flagged several, some got started, like the SBOM work and other good reforms. But the pandemic just took all those seams and cracks and really just overstressed and strained and sprained and broke many more. So we were hoping that ransom crews would realize they too live in the world and they too would be a victim to degraded and delayed patient care, but instead, as we feared, there was an elevated volume and variety of deliberate disruption to healthcare delivery, nursing homes and supply chains early in the pandemic. Building on some of the great things said prior, people did have to stand up spaghetti monsters, I love that phrase, out of necessity to do their jobs or to respond to the various stages of the pandemic. So they had their old attack surface and now a new one, often using unsupported technologies that couldn't be patched in an emergency even if they wanted to. Worse, because a lot of the elective surgeries that are the top revenue generators for a lot of these institutions couldn't happen, people were laying off and furloughing IT staff and IT security staff last summer.
And while they did somehow claw back some of that tech debt, we know from that same task force that our estimate at the time was 85% of the hospitals in the US don't have a single cybersecurity person on staff. We've been giving cyber hygiene advice and "do implement zero trust" platitudes, or "implement multifactor authentication," when they don't have any money. So the degree to which a lot of these healthcare institutions were what I now call target rich and cyber poor, living below Wendy Nather's security poverty line, really has gotten worse during the pandemic as well. So I don't want to be all doom and gloom, but the effects are pretty severe.

Some of the analysis: you know, we had, I don't know the final count of CARES Act hires, we hired data scientists, infectious disease specialists, physicians like Dr. Ruben Pasternak that I know you two work with. And through this fusion center we started looking at what are the impacts of the pandemic and the ransoms on the nation's ability to provide medical care. We track 55 things called national critical functions, NCFs. These are the things that affect national security, national economic security, and national health and public safety. The one that's been in the red zone and the purple zone for most of the pandemic is called "provide medical care." And this is what two of you do professionally every day. We looked at severe strains throughout the pandemic, initially noticing a new problem because of the pandemic, which was cascading failures. It used to be that if you had a ransom or an outage or some power problem, you would merely divert ambulances to the next nearby facility, and that's kind of predicated on the next nearby facility being able to receive anybody. So when everyone's at a saturated level, or in the red zone themselves, a failure in any single hospital tended to have cascading stressors or failovers in nearby facilities. So, Christian, I heard in your amazing testimony to House Energy and Commerce similar sentiments.
So we started studying that as well. Then we started looking at something very poorly covered in the media, but the CDC tracks something really important every year, every month, called excess deaths. And this is the difference between expected deaths and actual deaths, by condition, by month, by state, at the national level. And when the US hit that February milestone of 500,000 lost Americans to COVID, we also hit a different milestone of 150,000 lost Americans to non-COVID conditions that are otherwise treatable, very treatable. The number one age demographic in that was 25 to 44 year olds. So young folks that could have been saved but for excessive loads on our healthcare delivery across the country. So these are time-sensitive things like heart attacks, strokes, cancer, where time matters: minutes matter, hours matter, days or weeks. So Christian and others on this panel in the past, we often cite the New England Journal of Medicine article that says 4.4 minutes, so a marathon can be the difference between life and death and increased mortality rates for heart attacks. We know with strokes the difference in life and death could be one, three or four hours. So what did four weeks of interruption in the state of Vermont do, with the UVM Medical Center and 118 facilities in upstate New York, Vermont and New Hampshire? So again, where minutes matter, we know that delayed and degraded patient care affects outcomes, including mortality rates. You know, we were deeply concerned about this and had almost done some of these truth bombs, but when we looked with data scientists for the first time in this fusion center we started to ask, is there a relationship between capacity levels and mortality rates and excess deaths? And we're starting to share this with the public data, but without getting into the inflection points, we did see a strong and positive correlation between something like ICU bed count and excess mortality, excess deaths, two, four and six weeks later.
So we got kind of a leading indicator that we could tell if a hospital or region or a state was going to incur excess deaths if they were starting to reach too high of a capacity level. And then asked the really tough question, and I think Do No Harm cares about this, which is: can cyber disruption precipitate or accelerate or cause that harm to worsen? And of course we know a fire is hot and water is wet, so of course any degraded and delayed patient care from any source can do this. But we did start asking uncomfortable questions and looked at the states hardest hit by that concerted effort to disrupt healthcare during the months of October and November. And adjusting for all other variables, in a state like Vermont it was very clear that electronically disrupted hospitals achieved that excess death red zone much faster than their peer group. So again, if minutes and hours are the difference in life and death, and you're in a geography that can't get to the next nearby facility. So stop asking, can cyber attacks lead to loss of life. We've answered the question. There's enough statistical evidence now to show this. And some of these will be easier and smaller inflection points post-pandemic, when we can go back to fuller capacity and slack in the system, but some of the system dynamics revealed show that if you don't have next best alternative proximal care within a certain radius, then that cyber disruption will cause adverse events to patient care. So it's easy to see your testimony, Christian, say very similar things, but, you know, it's a somber set of recognitions. But we can at least move past debating if there's an impact from a lack of cyber resilience and now start talking about what the hell do we do about it.
I want to make sure that we link arms with CDC and HHS and FDA and others as we go back to Congress and leaders post-pandemic, because we have a lot of work to do, and many of these can't institute multimillion-dollar cybersecurity measures. So what is to be done? I think part of the answer is going to come from the creativity of the hacker community here.

Yeah, so we're going to circle back to a number of points there, but I wanted to ask that, you know, in the spirit of this theme of what have you seen or what have you learned over this period: you're a cloud security expert. Have you seen different organizations, whether healthcare or non-healthcare, attempt to address the technical debt by moving a lot of operations to the cloud? So what do you sort of foresee as the implications of that with respect to the attack surface, and in how we're thinking about these problems like ransomware and other focused attacks?

Yeah, so there was a huge turnover, I think, kind of near the beginning of the pandemic, where a lot of companies, the ones that weren't already there, moved to the cloud, and it's only gotten, I guess, bigger; the movement's only gotten bigger. It's kind of accelerated that move for a lot of companies that were planning it. It does increase the attack surface, because people don't understand the cloud environment completely sometimes.
I think there's a lot of education to be had, you know, in the relationship between the cloud provider and what their responsibility is versus what your responsibility is as the person who is putting data in the cloud. And that's where we see a lot of the breakdowns: not understanding that it's the customer's responsibility to secure the data, and not the cloud service provider's; they're just securing the platform the data is on. So things like that I think are going to continue to be a problem. I know we're seeing a lot more big breaches as far as cloud environments go, lots of just even open buckets on the internet, low-hanging-fruit stuff like that. So yeah, I think it's going to continue to get worse before it gets better.

And Jessica, I'm interested to hear a little bit about how you and FDA at large have sort of changed your thinking a little bit, because we have sort of moved from this conception of the importance of individual vulnerabilities in contained devices, which is still, you know, obviously very important, but now everything lives in an ecosystem, understanding some of the effects of just the degraded infrastructure and how that can adversely affect patient care. I mean, FDA is obviously focused on patient safety. Medical devices are your purview, but how do you start thinking about things like ransomware within that context, combining it into a situation where you may have medical devices that are supported by cloud infrastructure, and sort of how that branches to include the entire ecosystem and not just an individual device or an individual patient?

Yeah, so I was going to follow up on this originally, I had already unmuted and everything, on Gab's point on, you know, sort of the rush to the cloud and what that means and the different responsibilities that the different parties have, and to sort of synthesize the follow-up I had to that and then the questions you asked for FDA.
There are medical devices, right, you can pick up something and it is a medical device. There are also medical devices that are systems, and you may have the device that will actually deliver the care, but the calculations as to how much of a dose to give a patient, or how long for the medical device to run, or whatever else it is, that's taking place somewhere else. That's taking place on a different computer, that's taking place in the cloud, that's taking place wherever. So for us, for the FDA, that whole thing is the medical device. The medical device is the thing. The medical device is also the entire system that is necessary to deliver the care. And we saw this happen earlier this year; this was one of the first times, at least, that we've had it confirmed and really hit the news, where the connection and the cloud service availability of a medical device manufacturer led to the unavailability of care for patients for an extended period of time. And the devices themselves were fine; there was nothing wrong with the devices, the devices weren't ransomwared, there was no malware on the devices, they worked perfectly well. The calculations to figure out how much of the treatment the patient needed happened in the cloud. So because the cloud was unavailable, the devices didn't work. So for us, you know, one, this was a little bit of a not-new thing; we had always conceptualized that this could be a problem that we're going to have to deal with. But it really took a little bit of a perspective switch to go from "oh, we have to look at whether or not the device itself is being hacked," whatever you want to, you know, whatever "hacked" means, whether there's malware or ransomware or whatever else is on the device, to "maybe the system is just unavailable," because the system is multiple parts spread over multiple locations and one of those locations is not available.
And so, for us, and now for a lot of the medical device manufacturers that we work with, this is something that we're asking them about. We're simply saying, what is your plan? So mostly "do you have one?" is the implied question there, and sometimes the answer to that is not always yes. What is your plan for if the cloud, or the remote service, or the connectivity goes away? Can you still deliver care? And so that's been an interesting perspective and paradigm shift, or maturity or evolution, if you want to call it that.

So the other kind of thinking, from the healthcare provider space: the interesting impact I saw from this increased adoption of the cloud was, sort of pre-pandemic, it was really common that when you went to a hospital and you had a medical device that had a cloud component, one of the early questions that would happen is, is there an on-prem version of this? Hospitals were really uncomfortable with systems, medical devices, that had the ability, or under normal use, to send patient information outside of their hospital. Hospitals really wanted that on-prem solution, and manufacturers had a lot of pressure: they wanted to innovate with the cloud, but there was that demand for an on-prem solution. And so I saw a real opening up of that risk tolerance from the hospital space where now, you know, as we get halfway through this pandemic, that doesn't start to be the start of the conversation. The hospitals are now just assuming that there's an off-prem component to these systems, and they're doing their cyber due diligence, right, they're asking the right questions about those components, but that acceptance of a system that is not just on-prem has increased dramatically. And so that's been a very interesting change with that adoption: there was kind of a forced acceptance for hospitals to update their risk tolerance for systems that weren't just on-prem.
Those are all great insights, and I will say, just being adjacent to this space, I would confirm all of that, and also that the conversation is evolving not just to "let's not have an on-prem solution, we're okay with the cloud solution or remote solution," but that that could potentially be an answer for some of their internal cybersecurity concerns. Meaning, as Jeff, as Josh mentioned, you know, the task force reported that nearly 85% of hospitals, in estimation, lacked a full-time security professional. And so this is not a problem that is being solved very quickly. And so they're left with this question; it's almost like a selling point from some manufacturers to say, well, we have a cloud solution in which we can secure this data better than you could potentially do at your own institution. Therefore, it's almost being seen as like a security upsell. And I will say that this is also very commonly cited as a reason to go to cloud hosting for the electronic health record. You know, as we talk about the ecosystem and so much technology required to take care of patients, one of the most important elements of that is medical devices, but another really important part of that is the electronic health record. I jokingly call it the operating system of healthcare: you can't do anything in the hospital without the electronic health record. You can't admit a patient, you can't order drugs or treatments or test results, you can't even review the notes without the electronic health record. As we see now a push to really host all of that content in cloud services, usually by electronic health record vendors, it is part of their selling process to say this is more secure.
In fact, they cite it as a reason for why you should invest in it, because if your hospital's ransomed, then you can still access your electronic health records through some web portal. And no one's ever talking about that consolidation of services into one focal point that, if attacked and ransomed, for example, would lead to the failure of the electronic health record not for one hospital or five hospitals but for hundreds, or potentially thousands, of institutions across the country at once. And that's not anything anyone's talking about, so thank you all for bringing that to light.

Christian, can I just really quickly? There's another thing that really gets me about this, and I think that we saw this with some of the ransomware talks on hospitals today, like, to the point of, "oh, just put your electronic health record in the cloud, then if you get ransomware you can still access it." What, on what computer, on what device? Am I going to pull up my personal phone and be like, hold on, I need to pull up your personal medical record? Are you okay? It's fine, it's fine. I'm like, yeah, all the endpoints are owned, they're all ransomed.

And it's funny, because one of the common backup strategies employed by hospitals is actually to have what they call a cold storage workstation. And a lot of hospitals that are well resourced, and these are not a lot of hospitals, a lot of hospitals still don't even have this, they plan for a downtime of their electronic health record, like a fiber line gets cut or they lose access to the data center or whatever it's going to be. There are computers that are supposed to be in most areas that are a day late in their medical records, meaning that they are hosted somewhat locally, they still have connectivity, but they are thought to be, you'll have at least yesterday's electronic health record data. And that's what people are citing as a potential mitigation to lack of availability of medical records. And I just think to myself, those are the same endpoints that get owned
and ransomed. Your backup solution doesn't anticipate that. So what I'm trying to get at here is that a lot of hospitals, healthcare delivery organizations, prepare for technical downtime in the context of the power goes out, a fiber line gets cut, a patch goes awry, and they're down for three to eight hours, 24 hours at the most, and guess what, you can use all these other systems. They do not plan for technical failure of a catastrophic nature such as ransomware, where there are no endpoints you can trust, or they all might be ransomed, and your current technical backups simply will not work. So, great insight, everyone, and I really appreciate all that. Anything else before we move on to the next question on this?

So one of the things we had talked about, you know, there's a lot that happened during the pandemic, and one of the things that, I'm an ER doc, so one of the things that really brought tears to my eyes thinking about, is how quickly we got vaccines out, right? That was an amazing feat. The science, the development of the vaccine, the research, the data collection, the statistics, and then the subsequent production of it is a miracle, an honest amazing thing that happened. We had heard of attacks on the vaccine development pipeline. You know, to my knowledge, none of that impacted the time at which we got the vaccine, but we can imagine the future. You know, how many other vulnerable parts of healthcare we have: we have hospitals, the medical devices, but we have a whole medical research world, we have the vaccine development world. Can everyone kind of reflect a little bit about how the pipeline in which we bring the drugs out, new vaccines, itself is very vulnerable to these types of things, and we should be talking more about it? And what do we do about it? Because clearly there was already a failure during one of our community's, you know, arguably most important points.

Maybe I'll start the answer.
Others can fill it in. Without getting into, you know, sensitive names: many of you heard at least about Operation Warp Speed, where we gave money to accelerate the development and distribution of vaccines, for the first time in our species, on coronaviruses. We weren't even sure it would work, so we had backup plans for therapeutics and diagnostics. But there were various stages of that relay race with different accidents and adversaries with different manifestations of harm, and it was pretty precarious, and it's not as obvious as just do world-class cybersecurity. So the stages we looked at: the first stage was really R&D and clinical trials. Then it was scaled production and fill and finish. Then it was cold chain, cold storage, distribution, all the way through administration. In the first stage it was a lot of espionage, you know, like can we find out who's working on what and steal the recipes or intellectual property. In the second stage you started to see more financially motivated criminals that wanted to profit off disruption or ransoms or DDoS or other forms of extortion. And in the last stage, Murphy was really the top adversary: just logistical confusion and working it between the federal level and state level. But yeah, we in record time created effective vaccines and made enough of them for most people to get it. The weak link in the whole chain, without changing topics, is that while we beat biology faster than bureaucracy, it was really tough to figure out who owns, you know, combating misinformation and information operations that sowed a lot of vaccine hesitancy across a number of categories and a number of demographics. So while we were racing to develop cures to achieve herd immunity and protect the American interest and the global interest,
the weak link in the chain seemed to be fighting misperceptions or misinformation sufficiently to get enough adoption. So we're not yet done with the pandemic work, but I think each of those revealed that once you got past the really big R&D, the real challenge is that target-rich, cyber-poor, because some of these very rare manufacturers had three IT people, zero security people, and no security budget. You could sneeze on them, and it would probably lead to the death of a lot of people. It was a really harrowing job identifying, engaging, informing, trying to protect them, while there were a lot of people throwing Molotov cocktails around. So, a lot of successful attacks, but hopefully no successful delay to what you've now seen produced. But it shatters your assumptions that people are doing good cybersecurity. A lot of these players are brand new and haven't yet matured to the point where they can be resilient against even a script kiddie.

So I agree that misinformation is basically one of the worst weak points, but I did spend the majority of the pandemic kind of on the other side of the vaccine table. I was involved in one of the vaccine manufacturers' studies in a genetic consultant capacity, so my main concern as the study kind of progressed was the amount of information that was going to so many places, and we didn't know what those places' security looked like. So, I mean, the study I worked on had thousands of research sites that we were trying to recruit people out of, and each one of those research sites has their own security, and we've got, like, the entire, you know, information about the vaccine going to these sites, hundreds of pages of information about the structure and the function and things like that, and it made me really nervous, because you don't know what their security looks like. You don't know if they're, you know, printing it out and, like, tossing it in the street or, you know, leaving USB drives with that stuff on it everywhere.
And I think the information control is another one of our weak links that we might need to start to address in the future.

Yes, I mean, it's interesting. I think those points are really well made, you know, the wild variation in capability between everyone on the supply chain, but I almost go the opposite direction: my concern is that everyone is the same, in that everybody is using the same hardware and everybody is using the same operating systems and everybody is using the same software. And because what we're seeing, or what we've experienced, is when we get vulnerabilities that pop up in Windows or in, you know, whatever it is, shared operating systems, shared applications, you know, you've got SolarWinds, you've got Kaseya, you've got the others, we were all seeing, you know, how interconnected everybody is in relying on the same software and hardware. Everybody within the supply chain is immediately hit, you know: the medical device manufacturers, the pharma companies, the HDOs, the federal government, we're all suddenly experiencing the same problem at the same time. And that obviously creates, you know, a huge problem of, are we all prepared to respond to it, you know, and if we're not prepared to respond to it, what do we do? And you know, I don't think it's a secret that there's a wild variation even in the federal government in terms of, one, the agencies themselves being able to secure themselves, and some of the sectors being more or less involved in the cybersecurity of their sectors. So obviously, here I am: FDA has been very forward-leaning in medical device cybersecurity for a long time.
And some other sectors are really just starting to begin their cybersecurity journey of working with their sectors and trying to recognize that everything is digital. All manufacturing lines are digital, nobody's hand-making much of anything anymore these days, you've got robots making everything, so you know, if something goes down on the manufacturing line, the product is affected, the manufacturing line is affected, the supply chain downstream is affected. And so, you know, the intricate and really delicate nature of all of our supply chain from a cybersecurity perspective, I think, is really fascinating and also very frightening.

Oh my goodness, that perfectly segues into our next question, which I'll start with Stephanie, and then we'd love to get everyone's opinion on this, because it seems to be, to me, a very uncontroversial topic, but has become increasingly controversial, and I don't understand why: the concept of software bill of materials. You know, this thought that to combat these types of supply chain concerns we need increasing transparency about what constitutes the software and hardware that we use, insofar as being able to identify, when a vulnerability is found, what devices and what software will be vulnerable to that. So there's been, you know, this concept of software bill of materials, a nutrition label, if you will, for what components are within a particular device or software. It clearly seems to be a compelling argument in medical devices, for exactly what you've mentioned. Can everyone here quickly just reflect upon, you know, what about software bill of materials? How will that address these concerns, if it will, and how do we operationalize that? Because that seems to be a big focal point of some of the criticism. Perhaps start with Stephanie.

And so it's an interesting one to bring up because it's, like you said, a very polarizing topic when you talk to people.
And I'm in the camp that the software bill of materials is actually a really good thing. But playing the devil's advocate, when I do hear people kind of take a harder stand against the software bill of materials, you know, they're always citing things like, is that not just, you know, giving up a blueprint basically to my device to the bad guys? I love the mindset that no, the bad guys can figure that stuff out anyway, but that is one of the common criticisms I hear about it. It's been interesting watching the last couple months. I think a big sort of force multiplier in the space is the most recent executive order, I think it was May 15, that really just accelerated this idea of software bill of materials, and so I've seen a big shift from the thinking of, should we do it, should we not do it, and more to, okay, how do we do it? On the surface it sounds like a really simple thing, but actually when you get down into how do you make one, how do you do it consistently, how does everyone speak the same language, but then more importantly, how do I actually use it, to your point, how do you operationalize and get value from it. There are so many TBDs in that life cycle that it becomes a really interesting conversation, but I think that most recent executive order has actually, I think, taken some of those naysayers and said, okay, well, you can still be a naysayer, but this is happening. That's been good. The other piece I see as a kind of resistance to the idea of it, and again the executive order kind of dwarfs all of this, is this idea that it's almost fixating on the wrong piece of the puzzle. In a lot of regards, the reason you want a finished-product software bill of materials is so that if you are a user or a consumer of that device and there's a new vulnerability in some commodity operating system, to Jessica's point, you don't have to wait to hear from the manufacturer; you can kind of do your own due diligence and threat management to say, oh wait, I have 10 things that are affected by that. The other criticism I've heard is that the bigger underlying issue is that there's a struggle right now to basically rely on the manufacturer to give you timely communications, and that if the manufacturer was actually giving you timely communication, you shouldn't be the one having to do that level of threat management; you shouldn't need the software bill of materials because you should be able to rely on getting timely and accurate information from the manufacturer. So I sort of agree with those criticisms, and then maybe the answer is more of how do we make that timeline more succinct, but I think the software bill of materials is a good place to start as kind of a common stakeholder. And let's try to solve this together, and yes, it would be great to get to the point where you don't have to manage software bills of materials because manufacturers are actively telling you the risk, but we're not there yet.

The other thing is, and so I'm going to reveal my absolute adoration for SBOMs on here very quickly, but for a lot of the users that I work with on a daily basis, with the healthcare delivery organizations themselves, the actual hospitals, the chief information security officers, the chief information officers at these places, the manufacturers have actually tried to be like, no, no, no, no, no, don't worry, we'll just do it for you, rely on us, it's going to be fine, and they're like, no, you will give us this information. Well, and so let me back up. So I love software bill of materials. I think it's fantastic.
I'm actually glad I got to speak before Josh, because I think otherwise he would have stolen my line, which is that you can't protect what you don't know you have. And that's the whole thing about what software bill of materials is about: if I don't know what I'm running, because software is not, you know, nobody is, you know, going up to this, you know, big chunk of marble software and, like, chiseling out a new program. That's not how you make software these days; you build software out of other little pieces of software. And if you don't know what the other little pieces of software are, then when there's a problem with it you have no idea what's going on. You're like, well, the device is freaking out, don't know why, could be one of the 50 components that this thing is made out of. So software bill of materials helps you address that problem. Is it a perfect solution? No. Is it a start? Yes. And the interesting thing for us, so like the FDA is going to require it, it's in guidance. The guidance is voluntary, I can see you suddenly laughing, because this is, like, we won't go here, but guidance is voluntary, but it's guidance, and it's in guidance. The medical device manufacturers have to have it; it's 'cybersecurity bill of materials' now, but it's the same thing as software bill of materials. Um, but for us, in the executive, you know, we're going to require it, the executive order said thou shalt do it for certain situations, but for us that's not even what it's about anymore. It's getting into contract language. We're met with healthcare delivery organizations essentially going to medical device manufacturers and saying, we're putting that you must give a software bill of materials in our contract. Therefore, if you don't, one, we're not going to buy your product, and two, if you don't do it, it's a pretty good contract. So, like, forget what the government says, your customers are now like, yeah, you've got to work it over.
So for me, you know, it's been kind of fun and a little bit funny to watch a lot of the debate that's going on with software bill of materials, to Stephanie's point about, like, oh, should we do this or should we not do this. I'm like, well, I don't think that's the question anymore, because either your contract says you must or a bunch of federal agencies say you must; you're going to have to do this. So my recommendation, to the extent that anybody is asking me: seize your own destiny, become very good at software bill of materials very fast, because you're going to have to do it one way or the other.

I mean, we could easily have an entire panel on SBOM, so I won't repeat most of those, but you know, some of these common, there are a bunch of common, sometimes, often good-faith concerns about it. Many of them have fantastic answers at ntia.gov/SBOM; there's an FAQ, there's a myth-busting type set of resources. And some of them are, you know, genuine concerns, like won't this be a roadmap to the attacker, and we have a phenomenal answer about why it's more often a roadmap to the defender. And, you know, people keep saying that hospitals could never use this and it's going to be work they can't afford, and they're on camera and on record begging for it, so I think, for people who hate FUD, we should stop purveying it. So in my opinion there are usually great answers to them, and they're usually documented. And then, to the executive order, maybe to pivot to the end of this part: now what do we care about as a hacker community, what are our values? Because I love that the executive order started with a value statement. My favorite sentence is, in the end: the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.
It doesn't say that the ingredients list on food stops health problems, or junk food; it didn't stop anything, but it's part of a regime of transparency and trustworthiness. And for those who say software bill of materials isn't proven yet until we have 10 years of study: this is a practice stolen from Deming in the 40s for automotive, then it went into every kind of manufacturing, now it's in chemicals and food. BOMs are proven. It's about time we embrace them, so software BOM isn't going to be identical. The growing pains are really going to come from the fact that we have a lot of technical debt, and people are afraid to reveal their technical debt, but as we start identifying and paying down some of that technical debt, we're going to wonder why we never had these before.

These are all fantastic things. I'll also just say, you know, one of the biggest concerns we have now, common talking points around healthcare cybersecurity, is this concern for legacy devices, and how, looking back, we don't know what vulnerabilities exist, we don't even have a good understanding or visibility. And that, well, guess what, today's cutting-edge medical devices are legacy devices in five years, right? And so getting ahead, or five or ten years out. So Josh, look up towards there: at some point the current-generation medical devices will become legacy devices, and knowing what's under their hood will help us in the future. We have to start that now. I wish we had started it, you know, 20 years ago, and a lot of the concerns around legacy medical devices, and what's vulnerable, what isn't, and what we can worry about, that lead to some of the most harrowing stories about cybersecurity vulnerabilities in medical devices, would have been alleviated to some degree by software bill of materials if we had done it sooner. So, you know, a really important thing for us to get started on sooner rather than later, because the return on investment only gets better as these devices age. So, great.
Anything else on software bill of materials before Jeff takes us to our next question?

Yeah, and I think we're actually running up against the hour here, so this will probably be the final question. I think just by the nature of how complex this entire topic is, we can kind of easily trend towards some of the more inside-baseball aspects of this, so I think it's really important that we've hit on things like SBOM, but I do kind of want to bring it back as we close to this idea, Christian, that you and I, and the others who started this, kind of brought to the table, which was we want somewhere that the average DEF CON attendee can come and learn about healthcare security, how they can get involved. And so I kind of want to say, we do a lot of things like admiring the problem. Things like SBOMs are definitely steps in the right direction towards solutions, but for the average person with no real background in this, I kind of want to understand how the panel thinks that they may be able to help out, because we actually do need everybody and anybody who's willing to contribute to some of these issues. And so I want to break this into kind of two groups of people to ask the question. First I want to start with Gab, who has, you know, one of the most interesting career arcs with respect to all of the spaces she's in, where her journey has taken her and ended up at this point: what her advice would be to somebody who's maybe in security, maybe likes hacking, how they can kind of combine interests and the desire to help with healthcare. And then sort of move through Stephanie, but then end up with Josh and Jessica, you know, not everybody is going to be able to testify before Congress on some of these issues, not everybody is going to be at some of these high-level discussions, but how can the average hacker get involved in the policy mechanisms, how can they contribute to some of these initiatives, and what your advice would be. So, long question there, but let's start with Gab. Say, like,
somebody shows up at, you know, Do No Harm in person in Vegas and says, hey, this is awesome, how can I get involved? You know, what's your advice for me?

Yeah, so I was thinking back, because it was only a couple years ago that I actually made the career switch, and just trying to think, like, what would I tell my former self to do? And a lot of it was just, I guess, be a little bit more proactive as to the research and trying to understand the entire, the big picture. It's not just the software of the device or the hardware of the device; it also plays into how it's used, that threat landscape, even the policy side of things, just knowing, you know, what parameters it has to adhere to, what specifications it's supposed to meet, things like that. I think those were really helpful in kind of understanding that entire big picture of medical device research, and just getting your hands on as much information as possible.

And so, I'd follow that with, you know, if you're in the security space, and you're looking at the medical device space and thinking to yourself, like, I would just love to make an impact here, right? So there's, I think, one of the biggest ways for security people in the space to make an impact. I mean, you know, one, you know, help medical device manufacturers, you know, work for them, they all have open job reqs. But if you're trying to just say, you know, how can I come in and make an impact in this space, I think one of the really underserved areas I always see is standards and regulatory working groups, and I'll be the first to say it's not sexy. It's boring, a lot. It's super boring. I've sat through hours listening to arguments about where commas should be placed.
But at the end of the day, those standards and those regulations that are coming out are guiding the future of the industry, and they absolutely need subject matter experts in security to sit through those arguments about where commas should be, so that at the end of the day the technology recommendations, the technology requirements inside of those guidance documents, are actually ones that align with the unique needs of the medical device space and actually meet industry and security best practices. So it is not sexy, I will tell you, it is boring, but if you were sitting there thinking, I have a lot of security knowledge and I want to make a big impact in the healthcare space, I would absolutely join working groups, absolutely join standards and regulatory groups that are trying to push the industry forward. That is a huge area where you can have an impact.

Josh, how about you?

I would say great answers. I think the quote she was trying to prompt me with earlier is that I often say to policymakers, through our overdependence on undependable things, we've created the conditions such that the actions of any accident or adversary can have a profound impact on public safety, national security, something along those lines. So it's really about the relationship between how dependent we are and how dependable those things are. So pivoting off that great recommendation: a ton of these medical device makers are hiring. These hackers aren't reporting to them, they're working for them, large and growing teams. There are 10,000 medical device makers creating the next wave of medical breakthroughs, and only about 100 of them are large; the rest of them are tiny. So they really do need help and advice and scalable ways to do threat modeling or build less brittle devices.
The hospitals need a ton of help too, and they just don't have the resources, so I'm getting to the point where I'm getting really disgusted with the notion of, they should just do zero trust, or they should just do MFA, and they should just do best practices. They just can't do just those things. So at least one of the ways I'd like to embrace the talent pool here at DEF CON is, I pushed really hard for a few new things: end-of-life software in support and service of national critical functions is dangerous. This is especially dangerous when it's exposed to the internet, the use of hard-coded default maintenance passwords exposed on the internet. This audience will be happy to hear this, but we have a document coming out to get your stuff off search. So, if you're exposed on something like Shodan or Censys.io or the other tools to find connected devices, you know, we want to start becoming more practical and pragmatic, so that without huge budgets, right now, we can at least remove some of the most egregious surface. In our brand-new director's directives these are some of the things we do, but we have to meet people where they are.

I don't know if that helps. But, you know, I don't think I've said this yet: before I worked at FDA I worked for the Congress, I worked for the Energy and Commerce Committee. And I was the tech-English dictionary, I was like the walking tech-English dictionary, when people were like, we don't know what these words mean, we don't know what this concept is, can you explain this? And that was my job. And Congress needs that a lot. So for those of you who are like, maybe it would be interesting to get involved in the federal government: one, FDA always needs people. If you like the idea of pulling apart medical devices and getting to determine whether or not they're secure and stuff, come be a reviewer, come apply to be a reviewer at FDA, and get to determine whether or not a medical device gets to go into the market because it has good or bad cybersecurity.
You can also go to Congress. There's something called TechCongress, techcongress.io. They bring in somewhere, I think, between like 10 and 20 fellows every year and place them in congressional offices; you become that office's technical expert. And people have gone on to, like, do great things from the TechCongress fellowship, and, you know, a lot of them have stayed in Congress, they've done, you know, just a lot of amazing work, and so on. If you think policy is something that you want to do, pick your agency, pick your branch of government, and go. We need all the help that we can get, so, you know, throw in, we're ready.

Well, thank you again to all of our panelists for joining. I wish we had three or four hours to talk about stuff, at which point I'm sure all of you would hate me if we kept you here for that long. This is just one of many conversations we've had; if you're interested in more of this, all of our prior Do No Harm panels that have been recorded are available on the DEF CON YouTube channel. And then, for those of you who are going to be in person at DEF CON, vaccinated and masked, we'll be having a live, in-person Do No Harm this DEF CON as well. And with that, we want to say thank you to all of our panelists. Jeff and I clap for you guys, come on, you got this. Thank you so much. We love you all, and you all are brilliant, we learn from all of you every time we speak with you. Stay safe, stay distanced, stay masked, and get vaccinated if you can. And with that, Do No Harm's another one in the bag. Thank you, everybody, take care. We can't end this without giving mad props to the Biohacking Village, and it's a little bit anachronistic because I think it'll be over by the time that you're listening to this video, but anybody else who wants any other resources or inspiration or just an incredible experience, add that to your future DEF CON plans, because they're incredible.
Thanks, everybody, really appreciate it. Stay safe.