Hi, I'm Mitch Parker, Information Security Officer at IU Health in Indianapolis, Indiana. And today's topic is going to be advancing medical device security, how collaboration with screen providers, manufacturers and pen testers is advancing what's possible with security. And with us today, we have an incredibly distinguished panel of people we've been able to find who I'd like to have introduce themselves right now. We're going to start with Florence Hudson.

Very good. Thank you so much, Mitch, for having me join you. And hey, DEF CON crowd, geeks and all, and goons. So I'm Florence Hudson, and I'm founder and CEO of FDHINT, which is an international consulting firm for advanced technology, diversity and inclusion. I also work for the NSF Cybersecurity Center of Excellence in Indiana University. I lead the cybersecurity research transition to practice program. And I'm also executive director for the Northeast Big Data Innovation Hub at Columbia University, leading translational data science opportunities in the Northeast U.S. Oh, and I should say, I'm also working group chair for IEEE UL P2933 for those who aren't acronym queens and kings. It stands for Institute for Electronic Engineers and Underwriters Laboratories, working group on creating a standard around clinical Internet of Things data and device interoperability with TIPS, which stands for Trust, Identity, Privacy, Protection, Safety and Security. And Mitch is one of our co-vice chairs. So thank you very much for having me, Mitch.

Thank you. Florence, I'll take it over to Rob Suarez.

Hi. Hi, DEF CON. This is my name is Rob Suarez, and I'm the Chief Information Security Officer for BD, Becton Dickinson, and we're a global medical technology company offering some of the most advanced products across the continuum of care.
It's my job at BD to make sure that we are protecting those products that we're delivering a secure product and also the environment in which they reside in, which is typically a hospital, but increasingly a patient bedside at home as well. And so I'm very excited to talk to my fellow panelists today about medical device cyber security. There's a passion of mine, and I've had the honor actually of working alongside Mitch and Michael as well on several industry initiatives. And so again, looking forward to the discussion today.

Thank you. And last but not least, Mr. Michael McNeil.

Hi, DEF CON. This is Michael McNeil. I'm the Senior Vice President and Global Chief Information Security Officer at McKesson, and just recently got to the organization. But as Rob has just stated, have had a number of years collaborating with the team here. And my days go back into Philips as well as into Medtronic from a medical device perspective over the past 10 years. Really looking forward to this particular session. And again, have collaborated with these guys in a number of different industry and forums. And again, I think you'll find our conversations today to be pretty enlightening because it takes that ecosystem and for us to come together to really execute here.

Thank you so much, Michael. So I'm going to launch right into the first question here. First question is, what are the biggest concerns that each of you see related to medical device security these days?

So I'll start if I might. So what I mentioned when we were first opening up, I talked about TIPS, TIPS for the Internet of Things. This is a framework we've been creating with IEEE for four years now. As I mentioned, it stands for trust and identity, privacy, protection, safety, and security. I'm worried about all those things. I'm worried about the trust and identity of the devices, the device to device communication, the device to human, the doctor to the device to the human, the human to everything.
So I'm concerned about trust and identity, how we're going to maintain that and make sure we're vigilant about it. I'm concerned about privacy of data, whether you're in your home country or another country and what the different regulations are and how we're going to manage it. I'm concerned about protection and safety, how we're going to keep the human safe, how we're going to keep the device safe, the infrastructure, the financial side of the institution. If your device is hacked, everybody finds out, like some of the FDA and DHS and US-CERT recalls, and I'm concerned about the cyber security. So we have a lot to do as the leaders in this space for IT and for cyber security and for medical devices. So I look forward to continuing the collaboration we're doing through groups like this and also like the IEEE working group where we have over 250 humans from 22 countries and six continents who are worried about this too, including device manufacturers and providers and payers and regulators and everybody as we know Mitch. So I'm worried about all that stuff. What about the rest of you? Are you worried?

So I'll go next on that one. Thank you, Florence. For me, it's actually very similar to what you'll find was reported out. I believe it was 2017 and what was the healthcare industry cyber security task force report. In fact, on that task force, I got to serve alongside Michael McNeil and several other individuals across the industry and produce a report that outlined observation and recommendations for improving cybersecurity across the industry in healthcare. And there was a specific section that was dedicated just for medical device cybersecurity. And I got to tell you, that was three years ago. A lot of those findings still apply to this day. And one that pops out to me immediately is that, you know, medical devices are in hospital settings for 15 to 20 years. But new cybersecurity threats emerge daily.
And, you know, every hospital and every patient environment is unique. So there's no one size fits all approach. And, you know, at BD, we're working closely with healthcare providers on understanding medical device cybersecurity as it exists out in a clinical setting out in the real world. And we're also working, we're really committed to transparency. And, you know, and for example, you know, providing coordinated vulnerability disclosures on medical device vulnerabilities. But, you know, unfortunately, it's just not enough. There's a, there's really a long time span to medical devices in these environments. And so, increasing transparency absolutely helps. But we also need to build stronger relationships and stronger collaborations across, you know, for instance, you really describe across the continuum of stakeholders that we have when it comes to just using a medical device and managing it when it's in use.

Yeah. And from my perspective to build on what Rob has just stated, you know, he's hit the nail on the head and we've been having these kind of conversations and discussions, you know, even before the 2017 and earlier when we, you know, go back a few years on this particular topic. The, you know, I think people have heard me, you know, talking in the past and it really doesn't, you know, it's kind of interesting. It doesn't change. It just, you know, kind of perpetuates itself. So as Rob just talked about, you know, legacy devices as we call them and in the, you know, in the ecosystem and how we manage that, you know, that to me ties right into what I've always said is, you know, sort of the three deadly sins that I've kind of communicated over time. You know, because you have these types of devices, you need to make sure that you can patch and update them in a timely manner. So one of the deadly sins, if I can patch and update a device, I'm not going to be able to maintain the security of that solution out in the marketplace.
When I look at the types of devices and a number of them when they were designed and developed and they're in these environments, if they got hard coded credentials, those are the keys to the kingdom. If I open the keys up and I let anybody come in front, backside doors, any way that you have, then you have access and you're going to be able to align. And then for us, when it comes to the type of information, you know, again, as I would say that Florence had talked about in terms of thinking of the type of data and the type of, you know, the information that needs to be held secure. If you don't do encryption and, you know, de-identify and make sure that that's not available to cause the kinds of harm, you know, to individuals to the solution itself, you know, you get to those deadly sins. So the sins are there and, you know, we're doing a much better job, I believe, in having an awareness around the design and how we need to build that into our solution set. But it's how do you manage, you know, that, you know, that legacy, you know, that sitting out there in the current environment, you know, and as we've also said, sort of in the past, you know, because of the nature of the marketplace, you know, it's like, you know, prying those systems out of their cold dead hands, you know, in some of these, these, you know, these hospitals and other types of entities, because they don't have obviously, you know, with Mitch, the wherewithal, you know, to just immediately turn around, you know, your capital and your inventory for some of these types of solutions.

Yeah. So I totally agree. It's the products we have today. It's the new products and how we create design in plans so that you design in a defense in depth level of security at the hardware, firmware, software and service level. I suggest we go all the way down to the IP of the design of the chip, you know, we need to go all the way down and all the way up.
And we also need, I know in the standards work we're doing, we're saying that we need to be able to look forward too. I'm, I'm an old rocket scientist or experienced, my girlfriends say not to use the term old, but I'm an experienced rocket scientist. I used to work on future missions around Jupiter. Did we know exactly what we were doing? No, but we had a planet, you know, and you look forward, you say, what's going to happen? So in the standards work that we're doing, we're agreeing that it has to be a standard that is extensible into the future. You know, so what we're also doing is envisioning, well, how can we use it, you know, artificial intelligence and machine learning better? What about when it's a hologram and the doctor's like, oh my gosh, she's right here. You look a little jaundiced. I'm like, how do you know that? You know, I'm in my pajamas. How did that just happen? Right? So when we're in XR, AR, VR, how's all this stuff going to play? And then if you want to get excited about protocols, think of what, you know, communications protocol, that's going to be all about. That's going to get into your EHR, or how they're going to read, you know, from your, from your devices. So we're also trying to think of what could happen. So being an aerospace engineer and designing, you know, not just spacecraft, but also planes and jets, you have your heads down display, right? Your altimeter. And then you have your heads up display. We need both.

I am in full agreement with you and can tell you the biggest challenge I saw with all these years of working for healthcare and hospitals. I've been in the provider space for about a dozen years as a CISO and biggest challenge I've always found has actually been paying for it all because a lot of, a lot of hospitals out there, especially with COVID have significant financial challenges these days. And right now, I mean, every hospital has a problem paying before January or February of this year.
You still would have had about, I'd say about half the hospitals in the United States, whereby I asked them to update good junketer clinical engineering equipment, they would have likely looked at me and said, when I can fix my roof, when I can fix my floor, and when I can patch the hole in the boiler, and what do you want? Do you want a roof over your head or do you want secure medical devices? And I've actually once had a clinical chair from the department sit me down and say, I'd like to update my devices, but I need to get different ones in here because I'm not able to do women's health proper. And it's to me that put a lot of items in perspective and I've always worked with my customers to make sure that we can get them on at least a good path to where they need to be using minimal cost solutions because to be very blunt, 15 to 20 years also because that's all they have money for. And that's sadly the situation used in the United States. And after things happen, after we have some leveling off with COVID, we're going to be in a much different place more like 2009 when it comes to the economy. But to get these good items in place, you need to have standards and that leads me to the second question, which is what standards efforts are in play for medical device security that you're currently working. So again, over to you Florence, because of all the IEEE work.

Absolutely. And I have to apologize. I have a robocaller who won't give up. So you're going to hear my phone in the background. So anyone else been through this? Hands up. So the standards efforts, we have a number of standards efforts in play. And we're trying to hold hands and work together. So at IEEE, we have this IEEE UL P2933, which is the project for clinical IoT data and device interoperability with TIPS as we discussed. There are also efforts on blockchain for healthcare and how that plays in.
There are efforts going on with ISO and IEC and open mobile health and communications interoperability. So we actually just had a really cool session last week where Mitch and I presented along with a number of our colleagues from around the world regarding addressing clinical IoT interoperability and security challenges globally. And so one of our colleagues representing Underwriters Laboratories, after we each spoke about P2933, you know, this kind of IoT thing and then open mobile health and a few other things, he got up and said, okay, here's one page with like all this stuff on it. You know, we have a pyramid here, we have a triangle and we have all these other pieces. We have to figure out how we're going to work together. So if any of you out there are interested in getting involved in this, we're actually hoping to have a longitudinal plan here. We had Julian Goldman from Harvard and Mass General, who was on the panel, and Ida Sim from UCSF. We have Mitch, Nick, Ken Fuchs, Drager, Anura Fernando from Underwriters Laboratories. And I always forget at least one. Oh, and Ken, I think that's most of it. And so we're all going to be getting together again in the fall and we're interested in anybody else who wants to join us. So Mitch, I don't know if we're giving out our email addresses or how you want to do that, but you know, we can.

We'll find a way to make the P2933 web page completely accessible and get information over there. Get it out to people.

So in the meantime, you can send me an email along with my robo caller at Florence at fdhint.com and I think I'm going to give them my email address so you're not so disruptive the next time.

Hey, I just, Florence, I'm really excited to hear that IEEE is getting involved in this space. And, you know, it's exciting to hear that there's not enough that we can do actually to really formalize the process of medical device cybersecurity across the life cycle of these technologies.
I would like to also recognize, you know, a lot of the work that the FDA has done in producing cybersecurity guidance documents over the last, oh my gosh, you know, many years. And so, you know, whether it's pre-market requirements for submissions and cybersecurity or it's post-market surveillance, right, and knowing how to do coordinated vulnerability disclosures, those guidance documents are very helpful. Also, very relevant today, you know, is cybersecurity for off the shelf software components. Again, you know, FDA has some good guidance documents on a good guidance document on that. Recently, and, you know, they've taken a very collaborative approach to cybersecurity and engaging very different stakeholders and a great example of that is, you know, FDA has engaged NTIA on creating a software bill of materials, standard and a set of deliverables around that as well. And it's all around how manufacturers can be more ready to identify vulnerabilities in third-party components and then extending that capability out to hospitals, you know, who have this technology in an operational environment. And, you know, the last thing, last two things here I'll mention is International Medical Device Regulators Forum. You know, it's not just the U.S. and FDA that's going through this problem. This is a global issue in medical device cybersecurity. And the International Medical Device Regulators Forum, IMDRF, has come together to produce a cybersecurity guidance document that really sets to harmonize, provide harmonized guidance to regulators globally. So, you know, different countries and regions can set up their own guidance documents and map that to their own regulatory bodies.
And the last one here I'll mention, I have to mention it because, boy, it was a lot of work, but the healthcare sector coordinating council and, you know, Michael also and Mitch, you know, were contributors to this effort as well, produced what's called the joint security plan, the Medtech joint security plan, otherwise referred to as the JSP. And, you know, in this document, you know, anyone can find, it's not just, it's not standard. It's actually a plan, a way to put in motion a security program from design, development, all the way out to, you know, complaint handling for medical devices and what to do when these devices are out in the field and risk management, again, throughout the continuum of care. So, if you want to know how to do a risk assessment on medical devices, if you want to know, you know, when to do a penetration test, what types of design requirements are helpful for a medical device and cybersecurity, how to structure your organization. You know, those things you can find in the JSP today and working with MDIC, we're also developing an effort to actually benchmark against those different capabilities. So that way, if you're a small medical device manufacturer or a large one, you want to know where to go next and how to build out your program and what's good enough. And so this benchmarking initiative with MDIC will help us create that set of metrics and again, the benchmark itself so that we can share it openly across our industry stakeholders and collectively improve our programs, be able to speak to our executive leadership, too, as well to have to pay and make and commit to this investment in medtech cybersecurity.

That sounds really cool. Do they have guidance for manufacturers as well as providers?

So, a healthcare sector coordinating council also has a, yes, guidance for healthcare providers, too. It's called HICP, H-I-C-P. And then you have the joint security plan, which is focused on medical devices and healthcare IT solutions.
And so, yes, they have guidance for both sets of stakeholders.

Right. And yeah, so as Rob stated, the IMDRF also, the way it was documented, it addresses, here's what's the pertinent areas for the manufacturer, the health delivery organization, the different stakeholders, even patients, as it pertain to the different topics that was put into that type of guidance. And again, that one was was global. A couple of others that I would just want to make sure that we have included when you talk about health delivery organizations, MITA has always championed and updated their, you know, MDS2 documentation, which is utilized for the procurement process with health delivery organizations. And that MDS2 is something that has been maintained as a part of the release schedule and with the inclusion of the SBOM as a component and a deliverable of that, it gives organizations like Mitch's the ability of being able to understand the ingredients of the product and the solutions that they are acquiring and how they need to develop and execute that. And then as Rob said, the AAMI organization has taken on the ability of taking a look at some of those, you know, pre-market and post-market type of guidance documentation, and then they created their technical, you know, references in their TIR 57 and 97, which allows you to provide some of the how-to on those different stakeholders in the industry, how they need to execute against those particular technical references and standards. So I think that kind of, we gave you the alphabet soup and then some.

Yeah. Absolutely. Those excuses now.

Yeah, I can tell you that 2019 MDS2 form, thank you very much for that, Michael. That's been incredible in our organization. We've actually started using that a lot. The first vendor that actually gave us one was Philips. So very happy that-

I'll put the old pats on the back for that.

We're starting to get those in from our vendors and they've been helping us out with a lot of new purposes.
So this is my next question here, is what are the most difficult medical device security issues to solve? Want to throw a real ringer in there? Okay, go ahead, Rob.

Yeah. Yeah, I'll take a first stab at that. So I think one of the most difficult issues to solve, just to change it up here aside from, and it does relate to, you know, the issue of legacy medical devices is also that hospital environments may have hundreds of thousands of connected medical devices at one time and from thousands of different vendors. And so while I may not directly feel that pain, I feel for our customers at BD that our healthcare providers and have to manage this tremendous complexity. And what compounds this situation is that not every medical device manufacturer is doing things like patching of their medical devices or routine updates to their medical devices. And also that's why transparency is so important because these new threats emerge daily. And boy, I'm sure there's a lot of homework that healthcare providers have to do when a new security vulnerability pops up. And you don't find a timely and effective or meaningful communication from a medical device manufacturer to facilitate a response. So yeah, I think those are really, really important issues that we need to address.

You know, one of the things I would add on where Rob is at, and again, I do agree that the level of connectivity and the complexity of the type of solutions is definitely, you know, a critical one. But let me be a little bit more provocative and throw something else out there. I think when you look at potentially, and again, you know, and this gets back to again, I think where Florence was at when we talk about taking it down to the chip level when I think when I look at the greed that exists in society around, you know, the revenue that either wants to be made or maintained, you know, on devices and then what that would be from your brand and impression.
I think one of the best things that happened was the fact when, you know, the health sector coordinating council and H-ISAC and others have come together and petition organizations like Microsoft, especially during this time of COVID to extend, you know, the patching and the updates for Windows 7 and to make that, you know, date in the hospital sector, you know, not, you know, you know, to extend it. So the more that we can do activities as a community like that to either extend the life or to be much more economical around how these, you know, products and solutions are being used. And again, my provocativeness, get away from the potential greed that, you know, might exist out there. I think that'll help us, you know, to try to address, you know, some of the issues that might exist, you know, in the ecosystem as one thought.

Safe. Florence, you got something?

Yeah, greed and jealousy are motivators, you know, that we can use in business to get people to do things. And so there's always, it's the human condition, I think. So if we could figure out how to leverage that, I think that would be good. So in the standards work that we do, you know, it's IEEE, it's at the individual level, it doesn't cost anything to join the working group. And what I tell people is, you know, this will be like a take home test if you get involved now, because you can help define it, you know, and then you could be the first ones to have it. And you could be at the leading edge when, you know, I was at Yale New Haven a couple years ago talking about this TIPS framework, and very bright as they are, the chief information and chief medical officers looked at me and said, so do you have a TIPS maturity model that you could hand us today that we could use tomorrow to look at all these hundreds of thousands of devices in our hospital and our patients? Like, whoa, I wish the answer to that was yes, but it's going to take a village, right?
Ah, the biohacking village, look where we are, how handy is this? So maybe that's something, you know, we can end up working on together, and people can get involved in creating this TIPS maturity model, validating it, certifying it, you know, maybe that's, you know, what we can do is get other people jealous, like, ooh, ooh, you know, I want to go to the head of the class. That would be great.

I agree with you, and I think, and again, there's other challenges as well. I'm going to be just as provocative as Michael right here and bring out another big one, which is the electronic medical record systems of record themselves. So we have to make sure that the systems of record that we eventually store all this information in, we have to make sure we keep them as updated and up to date and able to support these devices just as much as the devices themselves. There was actually an interesting paper I read from the late Michael Sinnoh and some other people that had put together this model for electronic medical record system implementation at a health system in New Jersey they were at. And what it came down to is that 25% of the cost was the EMR, 75% was the cost of the ancillary devices themselves. So I think we could stand to make sure that we have a good budgeting model that we make sure that we understand what devices work, what version of an EMR and be able to cost it all out. And we can solve that challenge with simply doing a lot of good financial work and making sure also that the system of record aka the EMR also stays updated, easier said than done. So talking about challenges for the future leads to question number four, which is how do you solve the challenges today with an anticipatory eye on what the next threats may focus on that right here? I'll start off again with Florence.

So heads down display, heads up display. What is it you're trying to deal with today? And we have, we'll start with that.
And we have to have the guts to look at what we haven't done yet. And we're all talking about standard this, you know, we haven't done this SNOMED and LOINC and this and that and FHIR and HL7. Oh my God, this episode is so incredible because people are brilliant who created it, right? But it's not done. And it will probably never be done, right? Because there's a lot of hacking that, you know, continues to evolve as we know. The bad dudes and dudettes and robots are just as smart as the good ones, unfortunately. So what we have to do is not be afraid to look at what haven't we done yet. So as an example, so we're talking about trust and identity and security and devices. So what if we had, you know, what if we figured out a federated identity management system for devices with, you know, digital identifiers, decentralized identifiers, UDIs, and we try to do that globally? People go, Oh, we haven't done that yet. I'm like, exactly. That's exactly the point. So is that exactly what we need? Maybe not. But go wide and then decide, you know, how we start today and where we need to go. So we have the guts, we have to have the guts to say we haven't figured it all out yet, figure out what we can do today, and then build a step function, you know, a plan going forward. And, you know, you should, we should do some brainstorming, like I was about holograms and VR and AR and XR and UR and my R and all this other kind of stuff that's going to happen. And stuff that we don't even have terms for yet. They're going to be part of this. So I'd say that, you know, we have to start by being brave enough to understand what we already have from AAMI and ISO and IEC and IEEE and all this other cool stuff and all the providers and all the manufacturers. Then look at what we haven't done yet. Have the guts to do that, figure it out and then create a step function toward the future. So that's my recommendation.

Yeah, I love the comments from Florence and the direction.
I've built a few homes because of having to relocate. And I always look at what your current environment is as an organization, as a team. And to her point, I want to make sure that foundation is in place. And one of the biggest hurdles is to be able to consistently execute in a number of these organizations, you know, that foundational piece that she described, you know, in terms of making sure that we're doing consistently the activities and efforts that we should have in place right now. And so when you have, you know, multinational organizations, different business units, different variations of releases and schedules of products and devices, different mixes of, you know, solutions, whether or not they're, you know, capital related or implantables. And I mean, there's a myriad of things that exist out there. But you have to be pretty consistent with how am I developing that solution? How am I maintaining that? How am I updating that? How are we interacting and getting the right information at a consistent level, like those MDS-2s updated, you know, on that entire product portfolio? That's the basics in terms of the blocking and tackling, you know, that usually isn't the most sexy thing that you think of, and sometime is really overlooked. And so we really need to get that foundational, you know, areas in place across all of the elements of, you know, as we say in the ecosystem, you know, for devices and solutions. And even as Mitch just pointed out from his earlier statements around, you know, the electronic health and medical records, you know, Rob and I know that our counterparts in some of those entities, when we were on the cybersecurity task force, it was like pulling teeth to get them to want to even come to the table, you know, and having the discussions. 
And even when you have certain solutions where we are there was astonished to say, man, you had the ability to maintain the certain level of the release and not go back multiple, you know, inversions, but you did that to increase the, you know, to want to be supposedly, you know, in compliance and supporting your customers. But you were doing a total detriment to the industry by not aligning and forcing that you couldn't have stuff out there. But they were in a much easier position to maintain their devices at the most current levels and updates. And we were sitting there like, man, are you kidding? You know, because we don't have that luxury when it came to, you know, some of devices, especially for organizations that, you know, had implantables, you know, and pumps and other things of those natures.

So don't hold back, Michael. It's DEF CON.

So when I think about what we can do right now, I think about the current environment that we're in. And it, you know, touches on a little bit of what you've heard from others on this panel, actually, you know, we're in an environment where I think most of our organizations, if you work in healthcare, we're distracted, really distracted. If you're even just the general public, you're distracted, okay? COVID has taken a lot of the focus away from other things, like cybersecurity. If we're not careful in tying the story behind how cybersecurity is the underpinning to providing a resilient and thriving healthcare system, it's just essential. We can't have resilient and effective healthcare without securing it. They go hand in hand. And I say that because the other issue we're facing here is that, you know, most healthcare delivery organizations don't even have a single person dedicated to cybersecurity. And this is one of the findings of the healthcare industry cybersecurity taskforce report that went to Congress in 2017. So there's not enough people working in this space.
We need to bring in more stakeholders from different backgrounds into the healthcare industry and into the cybersecurity industry to really, and even if it's not their title, but to build a community of practice around everyone's shared responsibility around cybersecurity. And the last thing I'll say from the stuff that we can control, us, the cybersecurity professionals, I think especially, you know, Michael and Mitch and myself, we need to, as healthcare and medical technology companies, as healthcare providers, we need to look at our investment in security and ask ourselves this: are we protecting what society values most? And if you ask anyone, what is important to protect in healthcare to protect, they will tell you most likely even, you know, even if it's my mom, all right, she will tell you, it's probably going to be patient safety, patient health, right? And probably also patient privacy, you know, and so, you know, there's, so look at our investment today and figure out if there's changes that we need to take in our approach. And maybe touching on Florence's, you know, idea there to make it even more tangible around creating some sort of model for identity management in healthcare, you don't have to go too far. I mean, there's, for many years, the cybersecurity industry has been talking about what's called zero trust principles. And so, the idea behind zero trust principles is, you know, instead of trusting devices inside the network, you know, in this approach, it means trusting no one by default and operating as though the network had already been compromised. And so, this means incorporating different types of criteria for authenticating and authorizing users. And the fundamental technologies exist today. It's just changing your strategy as a cybersecurity professional to focus on the idea that you've already been compromised.
And how do we strengthen authentication through multi-factor authentication, through conditional access for devices and users connecting to the network? And so, those types of technologies exist today. There is hope in, again, what's available to cybersecurity professionals today. But I would also go back and say, we need to expand our community of practice.
So, if we get all geeky-weeky, which we could do with each other, FHIR this, and HL7 that, and we're so cool, and to see that, and, you know, TrustZone and hardware root of trust, they'd be like, whoa. I was sitting next, I got upgraded for free one day on a plane when I was flying planes. And I was sitting next to a guy who runs a hospital, a doctor. And I was telling him what we're doing. He said, well, you know what, I'm glad you're working on that, because my job is to keep that patient on the table alive. That's what I focus on all day. So, in our, in our working group, our IEEE P2933 and UL Working Group, actually, it's all about, we always talk about it, protecting the humans, keeping the humans alive. That's why we're doing this. That's exactly why, you know, my background, my mother died the day I was born. It was a medical error, you know, whole stuff here. So, I carry this with me. How do you keep the humans alive? And that's what we're focused on. And if you actually read our project authorization request at IEEE, it says to improve health outcomes. We're not doing this for us geeky-weekies. We're doing it to improve health outcomes and to keep the humans alive. And eventually what I would love to see, and we actually had a meeting in my last firm and with Microsoft a few years ago, we were talking about creating like a cybersecurity learning hub for humans, you know, normal people. And we said, oh, cradle to grave. And we said, ah, that's kind of rude. Let's say pre-K to AARP. And we're going to teach them what TIPS is. You know, so when I was a little girl, remember I'm a geek.
I was a rocket scientist. So I used to look for the little UL tag on my electric cords. Any of you guys, I did. I always looked for them because that meant safety, right? And so what we want to do is teach them why they should ask for this. So someday, I don't know if it's two, three or five years from now, some little five-year-old is going to be at the doctor and they're going to try to give her an insulin pump and she's going to say, does that have TIPS? And she doesn't need to know what it stands for. We do. We're the geeks. We need to understand that it's trust and identity and federated identity management. And when the doctor, you know, goes into the little device next to grandma's bed that goes into her implanted pacemaker, you check the credentials of that doctor every single time. You make sure they're still, you know, related to whatever their provider is. You make sure they still are credentialed. You make sure it's really the doctor and you have to figure out how to do it. So that's our vision is that we really want this to protect the humans and make the humans aware of it. Just like I looked for that little UL tag, which not everybody did, I know, but, you know, how do we teach them? And then make sure that the manufacturers are delivering that because then you have demand. You have push and pull from the citizens, from the patients, right? And then the providers and the payers should care about this. It reduces their liability. You know, I used to work on smart buildings years ago when we were first creating the smart building strategy when I was a VP at IBM. And I remember, you know, we were talking to these building management system companies and one of them said, Oh, you know what? Security is like number 11 on my list of top 10 things to worry about and their device was hacked nine months later and the whole leadership team was out. And now it's part of their brand promise. Oh, imagine that, right? So we need to make that a requirement.
You know, we need people to be incented to do that and to have the citizens and patients asking for it.
Absolutely, Florence. And also one other thing that my organization's had a big challenge with has also been privacy because one of the areas we've got to worry about is not only do we have, we're collecting all this data on people and we have numerous data points on all of the people we're collecting from these devices and we need to make sure that we're protecting that. So important question I have here is what about privacy? How are we incorporating this into our products? How are we incorporating it into our data governance plans? So lead off here, I believe this can be our final question for the three of you. So start off with Michael.
Sure. I think that the, you know, privacy takes on, you know, from a legal perspective, you want to understand, you know, the requirements by the different geographies, by the different jurisdictions, by, you know, what the hospitals and the, you know, the different entities have in terms of managing that type of information. But to me, Mitch, it's nothing more than another component of your requirements. So if you design privacy as you would security by design in your development process, you take into account what are those sets of requirements and you have to harmonize for, you know, some of us, you know, like, you know, Rob and I and others out there that deal in multi, you know, geographies, you know, multi types of regulatory and compliance environments and you have to develop what your baseline is. And then once you develop that baseline and you include those sets of requirements, I would look at the steward of, you know, the CISOs, you know, and it's three of us on the call to be able to make sure that we're executing against that.
We go to our legal teams and the privacy organization, really for that foundation to make sure that we're interpreting those requirements and we're executing those requirements, you know, effectively with the tools and the solutions that we then deploy out in the marketplace. And so I have always had, you know, kind of a mix of the privacy and the data protection elements kind of be able to be co-mingled within, you know, the team operationally. If you do it right, you want the CISO's side of the house to be managing that and you want your legal and your compliance arms to be able to help you develop and, you know, and document what those requirements need to be, you know, from a privacy perspective, in my opinion.
So I gotta tell you, I don't think I could describe it any better than Michael or I should say Professor McNeil. It's so well said, really. I can't do better than that. I mean, you know, to address privacy requirements alongside security requirements, I absolutely agree. As security professionals, like, you know, bring your privacy friend along with you and absolutely right that, you know, there's things that, you know, we think of in security that sometimes are counterintuitive to privacy. And then also, you know, vice versa, actually. And so I do like, again, what Michael said around, you know, bringing your legal professionals, especially, you know, when you're addressing privacy requirements, the complexity is, as he mentioned, this is different across every single country. And you do have to, you know, establish as a company, a common foundation based off of values, based off of values and principles, you know, as a company, what do we stand for? What is it that we want to do when it comes to this civil rights issue, you know, of privacy? And sometimes that means we want to do everything that we can.
And we are going to establish, you know, the strictest, you know, governance of privacy across all of our technologies and product platforms, you know, that is, again, a decision that companies need to make. And I gotta tell you, I don't think there's many customers that would complain, you know, about, about a company creating a position and a very robust and comprehensive position on privacy across their different technologies for customers. So.
Agreed. So I'll make a couple of comments. I'm sorry. I didn't agree with you. So what do you think?
Oh, you know me, I always think something. So there are a couple of things. One is on the privacy side. It's one of our subgroups. It's part of TIPS, you know, trust, identity, privacy, right in the middle of protection, safety and security. And we have a woman from the European Union who's leading that subgroup, which is great, because she actually found the privacy rules by country in Europe. Not surprising, right? So what we're doing is making sure that we're going deep on those, identifying the patterns, and then figuring out what are the little things we have to worry about here if we're creating a standard that's international. So if I'm wearing an implanted device, I'm in the U.S., I'm in the U.K., I'm in Russia, I'm in China, I'm in South Africa. Am I going to be safe? You know, is my data going to be private? What does that mean? What are the implications? So we're already baking that in to the plan. The other thing is that I was at an event at my alma mater at Princeton and Sonia Sotomayor was there. She's a Supreme Court Justice in the U.S. for those of you who don't know her. She's brilliant. And so I asked her, what do you think about privacy and security and the Internet of Things, all these devices all over the place? I said, I'm working on security. She said, that's good, because I'm working on privacy, because I don't think the citizens realize the human rights that they're giving up. Very interesting.
So she's on it. And she's already written a couple of things on it, if you want to look at what she's done. And then the other thing I just want to mention very quickly, we were talking about, you know, what's our goal here? I spoke at an event at an academic medical center conference a few years ago, and then about a year or so ago, a gentleman reached out to me and said, oh, I wrote a book and I found your presentation, and I refer to you in my book. I was like, oh, I'm so honored. What's the name of your book? The Doctor Will Kill You Now. And he talked about the security and privacy issues, and this guy who like, you know, lives in his mother's basement and then moves to another state. It's not bad living in your mother's basement. I have that going on too, but moves to another state, fakes a PA license, gets into a doctor's office, gets into the system, actually turns off the power in the hospital so someone on a vent dies. Then he gets into somebody's personal medical record, changes his blood type, they're given a transfusion and they die, and then his next target is a children's hospital. So if anybody is looking at, so why should I worry about the security and privacy stuff? That's a good book. It's only 15 bucks. And the guy who wrote it is an MD, and he used to lead the IEEE chapter in Rochester, New York years ago. So he, you know, he's on both sides. He's an electrical engineer, computer scientist, more doubly, and then, and then he's also a doctor. So we all have to work on this. This is serious. It's just going to get worse. A lot more things are connected. There are attack surfaces all over the place. We need a defense in depth strategy, and it's for privacy and security and protection and safety.
I'm impressed by the depth of knowledge everyone brings here. And I speak from the provider perspective here. I'm very happy to be working with you all, especially from the standards perspective as well. I think we have a good foundation.
We just all need to continue to keep working together. And you have my commitment. And for all of you in the medical device industry, know you have my organization's commitment as well. So thank you so much for all taking the time today. This is incredibly appreciated. And I hope all of you out there appreciate this today as well. So thank you all so much for taking the time. And this is the group here signing off.