Hey there, BioHacking Village. Thanks for this opportunity to speak today. My name's Quadi, and the name of my talk today is "There and Back Again: A Healthcare Cybersecurity Policy Tale." We're going to go ahead and get started. A little bit about myself before I begin. First and foremost, I'm a hacker. I grew up in the hacker space, I go to hacker conferences, I really identify with the hacker mindset, and I use a lot of the same skills and tools as hackers to do my day job, which is actually being an emergency medicine doctor. So most of the time when I'm at work I'm in the emergency department taking care of all sorts of sick patients that come to me, whether they're having heart attacks or strokes, severe infections like sepsis, or, for the last year and a half or so, COVID infections. Combining those two worlds is something that I've had the tremendous honor of being able to do. I am both a hacker and a doctor, and combining those together really guides my research. I do active research on medical device vulnerabilities and hospital infrastructure vulnerabilities, and the point of that really is: I care a lot about patient privacy and security, but I care more about their health and safety, and cyber attacks, including ransomware attacks, are impacting my patients' health, and I want to study that. I'm also unapologetically a geek, sorry not sorry. You're going to see a lot of geeky meme references in my presentation, and you're going to have to deal with that. My Twitter account is at CDM FMD; hit me up if you have questions. So, when contemplating what to speak about today, I had a lot of different things I could go over. I could talk about some new research that came out; I could talk about some new aspect of the problem that people might not understand from a clinical workflow standpoint. But really, the more and more I thought about it, the more I felt kind of hopeless.
And it's that the problem has not changed much since we started talking about this, right? Hospitals are still under attack. In fact, the ransomware attacks of the last several years are increasing in frequency, sophistication, and disruptive potential. That's not going away. There's been a lot of work done on medical devices by the FDA; I see maybe a shimmering glimmer of hope in the future for really improving the medical device cybersecurity posture. But with that being said, there are still a lot of operational issues, a lot of problems with legacy medical devices, and as a consequence what we have is pretty much the same damn conversation that we've been having for the last 10 years on this. What I wanted to do with this talk is to say: well, we've admired this problem so long, we've danced around some potential solutions, most of which we call calls to action, you know, "do something about it," but what are we talking about that would be required to actually make this problem even a little bit better, at a scale that would matter? So I hope today to talk a little bit about maybe moving in a little bit of a different direction, realizing that, although it's very important for hackers in the community to get involved, we can only do so much. And truly we need to be talking about really big solutions to try to move this needle. So, I think to reframe the problem: we're continually having these issues and not having much improvement, we're pissed off, and we're tired. And that's a dangerous combination, to have people not care about this problem as much as they should, and you can ask a lot of people in the space; I think they feel the same way. They work so hard to try to move the needle, and it doesn't really work. So, the other thing to say is, well, hold on a second, is this even a fixable problem? And I think that the answer is: you know, you can't fix cybersecurity vulnerabilities.
That's not the nature of the problem. There are going to be inevitable flaws in hardware and software that are going to allow for vulnerabilities, and for exploitation of those vulnerabilities to change the function of a system to where it wasn't intended. And this discussion that, you know, we need to finally push this boulder to the top of the mountain and then we'll fix this issue and we can move on is one that is just not based in reality. Instead, what we should be understanding is that we have a particularly vulnerable set of circumstances right now that we need to fix, and then we need to establish sound policy and a good foundation, not to fix this issue of healthcare cybersecurity and devices, but to instead be able to reduce the risk to an acceptable level, so that we can take care of patients, so patients get the care that they need, you know, in a hospital, in their clinic, wherever it may be, and the risk of a large cyber attack disrupting that and impacting their safety or their data is greatly reduced. So what is that going to actually require? It's not going to be a fix. We're not going to finally do some legislative action, or finally some hackers are going to stand up and it's going to be fixed. It's going to be something we're dealing with for a very long time. And if we actually take a little bit of an outward gaze at it, we could fix a vast majority of the problems we have now, of course there will be new ones, but then we have to really look at a global approach and understand how we tackle this issue not just in the United States but across the globe. It's also a very, very hard problem, so, a little bit of a continuation of that: often we're tired, but I think if anything it should encourage us to be renewed in our enthusiasm to try to make this problem at least a little bit better. The first thing I wanted to bring up, you know, quite frankly, is that we have very little data. This is a problem.
You know, we can't make meaningful decisions and really get to the heart of an issue if we can't even measure how big the problem is. You know, there are many possibilities. One is that the data, if we had it, would show that cybersecurity risks to patient safety and care quality are overblown, and that all of this energy and time and technology and money that we put into trying to make this problem better could actually be better spent by giving it to cancer research, for example. That's one possibility. The other possibility is that there's much patient harm going on, right, to a degree that we don't even understand. There may be drastic impacts on patient safety and care quality, to where this is a really meaningful thing to focus on and to work to improve. The truth probably lies somewhere in between. But again, if we can't even collect the basic data, we can't even measure the magnitude of the problem, and it's unreasonable for us to expect to have a decent solution. What is that going to mean for us moving forward? Well, we're going to have to collect that data. There are a lot of problems with that. First of all, when I went to go write a paper, I went to go see if there was a centralized repository or a database of ransomware healthcare attacks. I went to see really how prevalent this was, and most of what I was getting were industry reports. There are companies that have a vested interest in selling products and services around ransomware protection and/or response and mitigation, whatever it may be, and they use their methodology to try to extract the magnitude of the issue. It's better than nothing, for sure, but what I would suggest we need is a more rigorous approach to collecting this data, a more academic and scientifically validated process for when we collect even something as basic as how many hospitals are getting hit with ransomware and what are the impact and magnitude of those attacks.
What I'm going to kind of throw a wrench into here is a discussion of whether or not there should be mandatory reporting. This is not an easy thing to suggest, nor is it so obvious a solution to our problems; instead it's just a first step into discussing, you know, something like: if you're infected with ransomware at a hospital, you have to report to a centralized agency, for example, when you were hit, when you fully recovered, what you were hit with, and perhaps if you paid the ransom and how much. Those basic demographic types of things aren't present, and I think what we should be focusing on is how we can encourage an environment where any of this isn't disincentivized. What do I mean by that? Because ransomware attacks often involve protected health information, many hospitals immediately after being hit by ransomware do not discuss the specifics of the ransomware. They're trying to recover, they're trying to negotiate potentially a ransom payment, they're trying to shore up their systems, and they are also afraid of a violation of HIPAA and a big fine. Those are all kind of a perfect storm for hospitals and other health organizations to not want to have to talk about this. So how do we destigmatize this, as well as allow an environment where reporting isn't seen as such a negative thing, and instead the value of the data is so important that it's self-evident that people should report? Then, if that doesn't work, we have to compel organizations in a give-and-take way to report, with, for instance, discussions of safe harbor or anonymization of data in a meaningful way with hospitals, to get assurances that they won't be identified when they report that particular information. But even something as basic as that would go a long way for us to record and then measure the impact of cyber attacks on healthcare.
The gist is that it's very clear that, in addition to having a lack of just very basic information, we do not have a research infrastructure in place to study this. What do I mean by this? Heart disease, cancer, diabetes: these are horrible, horrible pathophysiological conditions that result in lots of morbidity and mortality for human beings across this entire planet. So our organizations, government organizations that fund research into these types of diseases for the purpose of alleviating human suffering, invest. What does that mean? They invest in researchers to actually study these phenomena, these particular diseases. Well, my second call here, and perhaps not too much of a controversial one, is really that these types of agencies, the National Institutes of Health, the National Science Foundation, should prioritize funding into this, not just by giving dollars and cents, but also by encouraging researchers across the United States and globally to actually make this an area of study. If you go and look at the research, you go into PubMed and start looking into the patient care implications of cyber attacks, you're going to find a handful of papers, if that. That's amazing to me. We see this on the front page of magazines, newspapers, on the internet almost every single day: healthcare ransomware, healthcare cyber attacks, medical device vulnerabilities. But yet our infrastructure, our scientists at the heart of being able to study a problem like this, aren't focusing on it. And I think that's a missed opportunity. So my call is then to develop a funding stream for research and encourage researchers across the globe to actually study this. The paper that we published discussed how cyber attacks are like disasters for a hospital. Hospitals prepare for certain disasters as part of being a hospital. If they are a hospital in Tornado Alley, they have a plan for what happens if a large tornado is around, or a tornado actually hits the hospital.
If they're in an earthquake zone, they have the same. These types of hazards to the hospital and their ability to take care of patients and do business should take into consideration cyber attacks, and many of them do. It's become so prevalent now that many forward-thinking hospitals are preparing for cyber attacks like disasters. This is a relatively new concept. And why am I bringing this up? I've talked about this in other forums before. Of course it makes sense: cyber attacks can be so debilitating to a healthcare organization that of course they can look like disasters. But the point of it is, now we're learning something new. Cyber disasters impacting a particular hospital, hit with ransomware for example, is one thing: what happens to the care of patients at that facility, where they don't have an electronic health record, or they don't have medical devices such as CT scanners, whatever it may actually be. There's the impact on patient care at that specific hospital or hospitals that are hit. But now we know something new. It's truly this concept of the healthcare ecosystem. Unfortunately, 2020 was such a horrible thing, and 2021 is shaping up to not be much better, but we learned something here, which I think is important to point out. It's very obvious when you think about it. Hospitals and other healthcare organizations, and I'll talk in a minute about a slide on what this healthcare ecosystem is like, form symbiotic relationships, and so what happens to one affects the other. This makes sense. Let's talk about that in the context of a ransomware attack. If you have a metropolitan area taking care of five million people, there's going to be a finite number of hospitals and other healthcare facilities in that region, right? Well, not every hospital is equipped to take care of every type of patient. We have trauma centers, we have stroke centers, we have cardiac arrest and heart attack centers that focus on particularly sick patients and specialize in their care.
And furthermore, there's a finite number of hospitals to take care of all the patients, but we don't have redundancies, meaning we don't have backup hospitals if things go down. What we learned with a recent ransomware attack was that five hospitals in a geographic location went down, and then all the adjacent hospitals to that system that went down had to pick up the slack. They saw huge influxes of patients to the emergency department. They saw huge increases in the number of ambulances that had to come to their facilities. They saw increased numbers of strokes and heart attacks. What does that mean? It means that even if you aren't hit by ransomware, because of the healthcare ecosystem, you can still be impacted. The only takeaway from that is that care can suffer across a geographic area when one healthcare system of many goes down. We could realize that we're only as protected as our least defended communities, meaning one hospital might invest a lot in cybersecurity and one may not, but it matters that they all do, because what happens to one will affect the other. Likewise, it's not just hospitals. You know, we had this miracle, you know, I'm not religious, I don't mean a spiritual or religious miracle, but I mean we had this amazing thing happen where COVID happened, and we were very quickly able to develop a vaccine for it. That's amazing. It required a lot of science, research infrastructure, drug development, and logistics to actually make that happen in the short amount of time that it did.
And that was to respond to a crisis, and what I think it shows is, of course it makes sense, that there are so many pieces of this healthcare ecosystem, all of which are running vulnerable connected infrastructure, and if something happens to one part of the ecosystem it's going to affect the other. If the researchers doing COVID research and developing that vaccine were hit with ransomware, even a delay of weeks to months in that regard would have resulted in millions more dead. And likewise with things like PPE production, etc. It's a very complex and intricate web. And what we should realize is that we really have a bigger problem than just biting off medical device cybersecurity or just talking about hospital infrastructure and ransomware resiliency. Truly, to make a resilient and thinkable healthcare system, we have to raise the bar for everybody. This is the concept of the cyber haves and have-nots. I've worked in all of these types of hospitals. I've worked in hospitals that are very poor, that have no resources, they don't have two nickels to rub together. They have the latest connected medical devices. They have old, antiquated electronic health records. They have very vulnerable infrastructure. And I've worked at other facilities that had marble floors and were very well resourced and could take it on and have the expertise to do a decent job of cybersecurity. These hospitals can be across the street from each other sometimes, or, in the case of rural hospitals or critical access hospitals, sometimes there's only one hospital near you and the next one can be 500 miles away. What we really have are cyber haves and have-nots in healthcare. And what we need to realize is that we need to raise the bar for everybody, because one affects the other, and it's just the right thing to do. So how do we do that? How do we accomplish something like that, given that that's a pretty tall order?
Well, perhaps the second thing I want to talk about today is to say, I've really seen recently that we need to engage at a national policy level. We could continue to try to solve this at the micro level, and that will be a big, important thing: we're going to need hospitals to step up individually, of course we're going to need medical device manufacturers to continue to do that, clinics, etc. We need the private sector to help accomplish that. But I'm thinking more and more, I'm convinced, that we're going to need some real national legislation on this, and what would that look like? And how would we be able to do this in a way that's actually effective and not counterproductive? I've thought about that, and some other people have been talking about using this mechanism to do such a thing. I wanted to bring it to everyone's attention here and to discuss what something like this might look like. What many people are talking about, and what it reminds me of, is something called the 2009 HITECH Act. As part of a large investment in America there was a big spending bill, and part of this was this HITECH Act. Part of it was designed to improve electronic health record adoption among healthcare. It did many other things, but at the heart of it that was one of the biggest things it tried to do. So what do you mean, in 2009 we had a bill that said hospitals should be off of paper records and on electronic health records? The answer is yes: many hospitals and healthcare systems were still on paper, even in 2009. And so many people are shocked to find that, like, well, every hospital I engage with now is on an electronic health record. Well, it probably was because of this 2009 HITECH Act. There were people and there were hospitals before that on electronic health records, sometimes for over a decade, but it took this legislation to really catalyze the change.
There were reportedly three stages to the legislation, and basically stage one was data capture and sharing, stage two was advanced clinical processes, and stage three was to try to leverage all that technology to improve healthcare. The thought was that electronic health records are much better than paper. They're more efficient. We can save money by sharing records. There were lots of reasons why the United States would care about making sure our hospitals were on electronic health records. It did a good job in doing that. Now, there were a lot of failures, and we're going to talk a little bit about that in a minute, but one of the things that it succeeded in was at least offering carrots. You know this concept of carrots or sticks: you want to incentivize people versus penalize them as a way to catalyze change. What they did was they would increase the amount of money that the federal government would give them for certain Medicare funding for patients. So, for example, you have Medicare, you go see a hospital, and if they met stage one, they self-certified that they met this level of electronic health record use that satisfied stage one, well then when they send a bill to the federal government for your healthcare, the government would give them a little bit extra because they met these particular standards. That was the carrot. If you go to an electronic health record and you meet these types of standards under stage one or stage two or stage three as time went on, they're going to give you a little bit more money. Well, that was thought to be a way to incentivize the hospitals to do that: they get these incentive payments and they could use that to pay back the investment they made in the electronic health record.
And what we realized is that we can't keep giving money out to everybody for this type of stuff in perpetuity, so it transitioned from a carrot to a stick, where, as the years moved on, you get less and less money, and in fact at one point it flipped and said we will give you less money for taking care of Medicare patients unless you're on an electronic health record. And that was successful in a lot of ways in making hospitals and healthcare organizations go towards electronic health records. Failures: some people cite the involvement of vendors in this by polluting the recommendations; some cited failures in clearly defining interoperability requirements. Long story short, despite its failures, it was successful in catalyzing change. The question is, can we use this model as a way to improve healthcare cybersecurity in some type of legislative action? So the thought is, is this something that could pass? You know, could you get the House and the Senate to agree on a bill, and could you get the President to sign something that would meaningfully improve the cybersecurity of healthcare? And could you do so by using this type of staged, meaningful-use type model? None of this, to my knowledge, is very public, or exactly what would eventually end up in a bill; I think it is still being figured out. But the thought would be something like staged approaches. You know, we can't take a rural critical access hospital that has basically no cybersecurity protections and expect them to have high-level protections in a year without substantial internal money, as well as expertise, which we've talked about time and time again: we just really don't have a lot of healthcare cybersecurity expertise, so you can't do that overnight. But the thought would be that you could do it in stages, and perhaps you list a bunch of controls. You can say, hey, multi-factor authentication is useful in protecting against some of these types of attacks or reducing your risk.
Multi-factor authentication would be on a list of certain controls that could be part of satisfying stage one. And then stage two, maybe a little bit more stringent: you move towards a better architecture, for example, or you would adopt additional controls to continue to harden your infrastructure. And then stage three, of course, hopefully meeting a really meaningful defensive posture for hospitals, as well as having built the appropriate infrastructure in each individual healthcare organization so they can continue defending, updating, patching, learning about the latest vulnerabilities, and defending their enterprise, essentially. So my thoughts, you know, about self-attestation: you know, auditing hospitals and healthcare organizations that say yes, we meet these certain benchmarks, and then if you get audited and you actually didn't, then perhaps you could suffer some tremendous fine. So should we use incentives, should we use incentives like CMS monies, right? So, should we say you get more money from the government for every patient you take care of with Medicare if you're particularly secured, so stage one? But what I want to bring out is that perhaps we use this type of legislation to also provide some type of safe harbor or protections for certain data breach implications, and I know it's very controversial, but just hear me out for one second, as a potential mechanism to incentivize hospitals to do this. One of the ways: the hospital was to meet certain criteria of cyber safety or cybersecurity protections, and then they still get breached, right? They have a state actor, or a zero-day hits them, and they have loss of patient records. The thought being, because they met certain benchmarks that were clearly defined by the law, should they still be liable for HIPAA fines under OCR, for example?
One would say that that would be incentivizing for hospitals to do this if they could say, we met a certain standard, we had this particular type of attack, and we shouldn't be fined the same amount as if we had not invested in cybersecurity at all. And then perhaps to further incentivize hospitals to not pay fines but use that type of money to reinvest back into cybersecurity would potentially be another carrot to offer hospitals to do this, because it's clear that such an endeavor as this would be tremendously expensive. I think it's clear that many people who would say the government should fund something like this would probably also say that we should have the same carrot eventually turn into a stick, and that certain hospitals that don't meet standards eventually should have some disincentive for continuing to do that. So would you tie this bill into other types of additional efforts outside of this meaningful-use framework? Yeah, you could. Jeff Corman and others have discussed this concept of a cash-for-clunkers for old medical devices, given the big legacy medical device issue. So, to get those out of circulation, the thought would be that you could subsidize the cost of buying new, more secure medical devices when you turn in your old ones. That could also be a part of such a legislative action or a legislative bill. And then I think it's clear, and you've probably heard me talk about this previously, it's clear that we need to educate nurses, doctors, technicians, and other people in this space about healthcare cybersecurity, not only to advocate for safety, but also for data protection. You know, they're users of this technology, and they're often responsible for these breaches through phishing attacks, etc. There are a lot of things in here that I think will be encouraging a further dialogue and conversation. You know, there'll be many people on the spectrum.
One: the private sector can solve this uniquely. Two: hospitals are overregulated; why would you encourage something like this? Three: this isn't improving; we need something else to spur action. I hope that this talk was received in a way to spur dialogue and then encourage you to engage with your representatives. That is probably the biggest thing I could recommend at the end of this: it's clear that we need to do something big and bold, in my mind, and doing that in a mindful and thoughtful way as to how it will impact actual healthcare delivery is important. All of you out there listening today have tremendous expertise and knowledge in this space that needs to be harnessed to craft a meaningful bill. I hope that if you have strong opinions on any part of this and more, that you make those known to your representatives in Congress and elsewhere. And then I hope that we as a community of hackers have meaningful policy conversations, because we possess unique technical insights that often representatives don't. So when they're drafting language and using particular explanations of what particular controls can be, they can make mistakes, and we as hackers are experts at gaming systems. We don't want that to be the case in something like this; we want something meaningful. And with that, I'm going to go ahead and say, send me any questions you have on Twitter. And if you have any thoughts about something you'd like in policy, please send them my way; perhaps we could establish some type of forum and dialogue where we can collect all that. Hit me up on Twitter. And again, thank you very much.