I just dropped it in the private chat, and we're not streaming. We host DEF CON music and it takes a hot second to switch away from it. There we go, and you guys are live. Welcome to DEF CON Safe Mode. We're here at the DEF CON 28 Safe Mode "Do No Harm: A Healthcare Security Conversation" Q&A. If you haven't had an opportunity to check out our pre-recorded video, it's on the media server and it's also on YouTube. We go for about an hour talking about various topics that we'll probably touch on again tonight. Your opportunity here is to ask us questions in the Discord text channel and then see us live on Twitch. If you have any questions or anything, go ahead and feel free to put them in there, and we'll get to them in no particular order.

All right, I'm going to kick it off and let everyone introduce themselves briefly, and then we're going to go ahead and get to the first question. I'll start with myself: I'm Kowati.

Replicant here, hope everyone is safe and healthy.

Hi, my name is Ash Left. I'm an embedded software developer from Starfish Medical.

I have no idea what order we're going in, so I'm Jessica Wilkerson. I'm from the FDA and I'm a cyber policy advisor.

Hey, I'm Vidya. I am from Medcorp. We are a cybersecurity solution targeting medical devices. And VL, turn to you.

I'm a goon. I am a patient, a hacker and a researcher, and that's a lot of love of me. Back to you, Kowati.

Awesome. So I'm accepting some fantastic questions tonight. We're going to go ahead and kick off the first one, from a user called Razzie's, which has a multi-part question, but I think the heart of it is at the end here, and it's a question to everybody. Please don't be shy. Do we have the resources to adequately detect and respond to attacks against internet-connected medical devices? So right now, in the status quo, can we even detect these attacks as they're happening, specifically on the devices? Who wants to take it first?

So I'll take a first pass.
I think while there are several solutions that exist in the IoT space, their application to healthcare is what creates this problematic scenario where we're relatively inadequately equipped to sufficiently respond right now. We think about what's the worst thing that could happen when you put security on a thermostat, and we don't really think about, well, what's the worst that can happen when something happens to a medical device that's attached to a patient. So being cognizant that, while there is a potential to detect this from a technical perspective, there are ramifications for implementing that for real patient safety and actual patient care.

I totally have to agree there, and it becomes even more complicated when we talk about implantables. To do any detection on those devices is very hard and not very robust at the moment. But the problem as well, as Vidya said, is that the implementation of traditional cybersecurity tools in the healthcare space is problematic due to the fact that this is not your traditional cybersecurity space. Each hospital or healthcare institution faces its own challenges. So it's almost about having something that caters to your hospital and your healthcare institution.

Yeah, I just want to chime in here for a second and say I don't think many hospitals, especially rural critical access hospitals, under-resourced hospitals, have robust detection methods. You'd be surprised how many of them lack intrusion detection systems or good endpoint security; you'd be surprised how many of them get regularly penetration tested or go through that entire process. And just to plug again HHS and the FDA: the 2017 Health and Human Services Task Force report estimated that a good majority of hospitals in the United States lack a single full-time security professional on staff. So that's like a perfect storm to have a lot of attacks probably go undetected.
The other little part of that, I just want to reflect on what V said. I completely agree the home space is this complete black box. A lot of people who get medical devices, especially in the era of COVID, are given home monitoring equipment, or they get an implantable and it has an accompanying base station, and when they're discharged from the hospital they say, go plug this into your router at home. There's really not a lot of work done to secure their home environments, and we don't know much about that space. It could be fine or it could be a nightmare. I think what we lack is the ability to collect that information and then share it with people.

I think that's a perfect point to raise around ownership, right? Like, who is actually responsible for securing this? Is it really reasonable to ask someone to go home and secure their home network, not knowing their technical skillset, or whether that's really part of getting care, right? And then you think about hospitals: is their core competency really going to become cybersecurity? And to the point of not even having resources, we have to really think about where the ownership really needs to originate and what is most efficient and effective.
One thing that I would say on that, as I think the token government person on this panel, is I do have to plug all of the work that is happening on some of the national-level policy issues, because I promise we are aware that these things are issues and they are being worked on. There are a lot of industry bodies, government bodies, and then bodies where the two come together that have documentation and just general conversations about this on a recurring basis. So, as little respect as everybody can have for the myriad best practices guides and other things, you know, white papers that the government puts out that sometimes just sit on shelves and never get used, these are things that have been looked at. Things like the medical device sector's Joint Security Plan; for a healthcare delivery organization, something called the HICP, and if you paid me money right now I could not actually tell you what that acronym stands for, but it's like the healthcare version, hospital version, of the best practices guide. In the HICP in particular, I want to say, or maybe it's the JSP, one of the two, they actually have it separated out into what large organizations can do and then what small and medium-sized organizations can do, and they recommend different things for both. So this is an ongoing conversation that is happening at that national level, but we certainly don't claim to have all of those answers.

Another thing that I think is important is we're moving into a thing where we want to do early detection and monitoring, but in most of the instances where there have been hospital breaches, we've been left on the back foot, right? We needed to become aware of the breach before we could actually act on the breach. So I don't think there is that early utility within healthcare at the moment. I can use an example of a healthcare attack in South Africa
itself. They only became aware of it once the systems were encrypted and once, you know, the damage had been done. So often we have to rely on the cyber criminals to make us aware of their presence in our networks. It would be awesome if we could detect it early and stop it. I mean, that is the golden standard, that is the dream, but I don't think we're there yet.

I think the real dream is being proactive about this, right, and getting the security on the device so it doesn't even get to the point of there being a vulnerability that has to be detected. If we can just reduce the number of things that need to be detected, there's a better probability of actually coming up with it.

But is that going to actually be something that we're going to get? Because these devices last for long, so inevitably there are going to be vulnerabilities, always. It's going to be there, because as time progresses research is done and libraries become vulnerable or hardware becomes vulnerable.

Also, it's about the threat landscape, right? We're talking about risk here, and just like everything in life, there's no such thing as risk-free. We can't just have a device that has security or doesn't; there's always pros and cons. We can't think of every possible thing, so it's always this combination, right, of building the devices and making them as secure as we can in a reasonable amount of time with the resources we have, and then once they're out into the healthcare ecosystem, or the consumer ecosystem in the case of medical devices that maybe have to be on a home network, there's so many pieces to that threat landscape. I'm not sure how we can fully secure it; there's no perfectly secure network, right?

I also want to throw one other wrinkle into this, which is that there's actually some systemic, systematic issues when it comes to healthcare, usually in hospitals, or what's traditionally been
the paradigm is that the network is owned by IT, and that's where all the security folks live. They're able to detect the attacks that they're used to and they can control some of it, but as soon as it comes to the medical device side of it, they kind of wash their hands or are told, don't go there, that's bioengineering, and they handle all the medical devices. So what you often have is a dearth of cybersecurity knowledge in the bioengineering space, by no fault of their own; they have a lot of other things, they're fantastic people. But what we have as a result of that is something we call the discovery dilemma, where if you don't have people thinking about these issues and you have malfunctioning medical devices, you are unlikely to find a problem. Even if there was some random malware that spread over your network, it affected some of your medical devices, and as a consequence they stopped working, unless you are thinking about that as a potential etiology of your problem, you're not going to go and look the one and two steps further to figure out if that was the issue. So we talked a little bit before this panel started about the discipline of forensics. I've asked many bioengineering organizations and groups in hospitals across the country how many of them do that type of forensic work on malfunctioning devices that are just really out of the ordinary, and none of them said that they did. That is something we have to change. It's because the structure of these healthcare systems is such that there's a bright line between who handles medical devices and who handles the network, and because those two groups don't commingle and have equitable cybersecurity knowledge, we might have this problem where this might be a very common thing, but we're just not detecting it.

So I don't know if you want to move on to the next question here, but one thing that I would point out on that, that I've certainly experienced, especially over the last couple
of months, is we have experienced, I would say, fewer and fewer medical device-specific vulnerabilities, where it's like the pacemaker has a vulnerability or the MRI has a vulnerability. What we're now seeing are higher-level protocol vulnerabilities. SweynTooth was a great example; there was the whole run of Bluetooth vulnerabilities; there was Ripple20; there was the Treck one, which I think was one part, or Treck TCP/IP was one part of Ripple20, or whatever it was. But anyway, these are things that are not medical device-specific, but we're starting to see them, and it goes to the detection point. And then I wanted to hit on something that V had said. The almost nice thing that's happening about the fact that we have general IT vulnerabilities that are now making their way into the medical device space, or becoming relevant to the medical device space, is that other sectors are detecting them for us. So even though there's maybe a little bit of a lag in detection and, I don't know, identification capability within the sector itself, because that expertise may exist in other sectors and because we're all relying on the same software, the software that's in a medical device is the same that's in a consumer product, we're ending up still being notified and still being able to notify others because it's happening in other sectors.

But the other thing, you know, V had a good point about, like, we need to lessen, essentially, the attack space, and certainly acknowledging the fact that V and Ash are both right, like, things are always going to be vulnerable. Another thing that we've noticed is that we have an increasing number of manufacturers who will tell us about vulnerabilities, and especially with the Bluetooth ones, we have certain manufacturers who are like, yeah, but the way we architected our system, our device doesn't trust the Bluetooth that's built into the device, so all of these Bluetooth vulnerabilities don't
impact us. And I think that that's sort of what V is getting at: we can build systems that are not impacted by certain types of vulnerabilities; we just have to actually put in the work to do that.

Sorry, but actually I had this conversation, right? Security, the way that you change security in manufacturing, Ash was right, we said it needs to be cheap and it needs to be easy and it needs to be accessible. It should be the easiest thing to do; it shouldn't be the hardest thing to do, it shouldn't be the most expensive thing to do. And when I refer to expensive, I don't necessarily mean in terms of cost. It could be time, it could be design, it could be research, it could be CPU, it could be battery life, right? But the thing is, at this point I don't think that end of the pipeline is very easily accessible for the smaller companies. I'm not talking about your big companies, but your smaller ones that are doing some innovative work.

All right, we have a new question from Judo, and I think that this is going to be one we can all kind of chime in on. I think it boils down to: what are the steps that industry, and I'm going to add regulators in the space, are taking to formalize stricter risk and controls around device development that we use in patients? They assume that a larger device manufacturer formalized basic security features, just like the payment brands have done, and set standards for the rest of the industry. So I think there's a lot that's already been done. I just want to quickly reflect on that to say, you know, the conversations that we were having 10 years in the space, we were asking for this, and I feel like so much has changed between now and then, where we do have a lot more standards, and I think that the industry has been moving forward in a lot of ways. Now, we can still talk about some of the criticisms, but what I really think is a lot of people that have been paying close attention will say, yes,
we saw the promise, problem, legacy devices. But, you know, I said it in the video, we don't have this year, to my knowledge, and there's still some time left, a story of a device manufacturer threatening to sue a security researcher, for example, or something like that, like WannaCry happening in 2017. So can everyone reflect on kind of what the industry has been doing? We can take it back a few years and give examples of some of the landmark documents and guidance that have come from the industry as well as the regulation space.

Well, I can kick us off as the regulator. So, I was not at FDA, let me preface this by saying, when some of these documents came out, but in 2014, I want to say, there was one of the first drafts of a cybersecurity guidance, particularly cybersecurity guidance, that came out at FDA. A few years later there was the post-market cybersecurity guidance, and then in 2018 the most recent one, there was the new post-market draft. This was the one that talked about coordinated disclosure; it talked about a cybersecurity bill of materials; it talked about a lot of the advancements that had been made in the sector over the past couple of years from the time that the guidance had been most recently updated. And actually, let me just really quickly, for those of you who don't know: guidance is essentially how FDA tells industry the best way to meet the regulations, because if you try and read FDA's regulations, they're pretty bare bones. It's really much like, you must do risk assessments, but then that's the end of the sentence and it doesn't have any other detail. So the guidance allows FDA to elaborate a little bit more on what precisely that means in a given context. And so, you know, credit to Suzanne Schwartz and Dr.
Seth Carmody, who worked on a lot of this when he was still with the agency. They actually fought the good fight and got cybersecurity-specific guidance out from the FDA to industry, and, obviously I'm biased here, but that was just a huge step forward, I think, in many ways, not only for us but for the industry.

Yeah, I think, to that point, there's the conversation that's come from all of that initiative, right? You have this relationship that I think didn't exist before. Even if we go back four or five years, there wasn't such a collaboration or willingness to have manufacturers work with security researchers, work with security vendors, right? It was more of, okay, who can get what off of eBay, what can we prove doesn't work, and then try to get the best headline that we can get out of it. And I think if you listen to the recorded version of this, there's a lot of hope that we all have for where this conversation is going, and that there are going to be solutions coming out of this, I think on all sides, that are actually sustainable and efficient.

So I can add a positive story. Three years ago I had my first f1, came as a patient, had some concerns about my own device. It was, as I would say, beautifully broken and wonderfully flawed, and I met Suzanne Schwartz at that one. But except for that, before coming to DEF CON I actually reached out to my manufacturer and had a discussion with them, and I was met with legal. You know, it was like running into a wall; it was a cold, unloving situation. Three years later I'm working with that said manufacturer on things that I brought to them three years ago. It took us since December to find the footing where, you know, the discussion is not incriminating. It's not me pointing a thing, it's not them pointing a thing; it's finding a unison in what they bring to the table, what I bring to the table, and working together. But except for that, I mean, we had
conversations. I've been on the patient, I don't know what the word is that you guys, that Jessica, that gave patients the opportunity to give their experiences, right? So generally, in the three years that I've been involved in this, we've made leaps and bounds. Is that necessarily enough yet? No. I don't think we should lose momentum. I think we should kick ass and keep going. I think we should push the envelope. I think we should have the hard conversations, and I don't think we should stop now.

Yeah, I would agree. I think that the landscape is shifting really quickly. When I started working on medical devices, which was over five years ago already, the technology has changed so much, even in the last 15 years. If you think about smartphones, 20 years ago I don't think most of us would have predicted the ubiquitousness of it and the impact that it would have on our daily lives. And so, historically, medical devices were electromechanical, and as medical device manufacturers we have a system about approaching things from a risk and from a safety perspective, like, how do we make sure that people are safe. A lot of medical devices didn't have software in them, and then we started putting software in, and then we started connecting that software to the internet, and then all of a sudden the risk just blew open, because now we have IoT devices, we have clinical IoT devices, we have medical IoT devices, we have implantable IoT devices. So everything has been changing so fast, and I think getting regulatory and getting standards in place takes time. And especially from a software perspective, how many standards exist? We have so many standards in software that are competing standards. If everyone would just follow my standard it would all be fine, but then there's 20 other people who also have a standard that they want everyone to follow. So it's tough; it's like the wild wild west for
software, right? And so I've seen a lot of these different groups coming together. Obviously FDA is a part of it, but most of our customers want to serve American markets, so we actually talk about FDA a lot, every single day. But there is the rest of the world that isn't governed by the FDA, and so there's a lot of different bodies working together, and yeah, I see it as hopeful. I know IEEE is working on international standards for clinical IoT and medical devices and interoperability, and I think people are working on it, but I don't think we're there yet, certainly.

I actually have to jump on that, because I think if I don't, one of my bosses is going to find me at home. To the point about international regulation, there is a body called the International Medical Device Regulators Forum. And speaking of you can never get government to do anything in any reasonable amount of time, that's just sort of a default law of the universe, but that group, which is like a nested group of regulators, so you would have thought that this would have taken significantly longer than it did, they actually just came out with a cybersecurity guidance document. So that's another thing that's been really valuable for us, and I would actually encourage everybody to go look at it. It's got a really fun definition of legacy that you all might have thoughts on. So anyway, IMDRF guidance.

The only thing to add is that we're never going to be done, right? So as much as we've progressed, and absolutely take a moment to recognize the accomplishments here, there's certainly a path that we need to continue pursuing in order to even maintain a baseline of security across the board.

I think what I want to see, and this would make me, as a patient, super happy, is if in the manufacturing we had security standards for secure manufacturing, because it's one thing having a cybersecurity
framework, right, or a guidance in terms of that, but it's a different thing having a standard for how we are going to securely manufacture these devices, because often there are none. Hardware is the constraint, because when we talk medical devices we are designing firmware to run on hardware. So I think we need to completely start at the beginning, when they conceptualize the requirements, and we need to build security in there, right? It shouldn't be this after-the-fact kind of, let's put it on at the end and hope for the rest. That's normally done because we didn't consider it in the beginning and it hasn't been the best practice, but there are companies doing that and that is changing. But it's also been an industry that's been around for a very, very long time, and that's got some bad behavior and bad things that it's been doing, but it's also got good things, right? I mean, how many lives have medical devices saved? We're always focusing on the negative. I would have died at 19; I'm now much older, I'm not going to tell you my age.

So V, are you saying push left? Is that the summary of what you're saying?

Yes. I think you and I said, let's push all the way left, right? Let's not do this at the end. I've worked with the developers and the engineers, right? Everyone thinks, like, security is the answer. You want to change this shit, get them to start doing it with security in mind, and you're not going to deal with future problems. I literally have found that security and forensics form part of hardware engineering and form part of software development and firmware design. There's this synergy when we start working as a team and as a collective instead of silos, and I know there are people that are going to argue the silos are good because everyone needs to focus on the independent
thing, but when we bring different minds together, that's when we start seeing things come together in a different way. I think that's going to be the answer: working together instead of against each other, and that multidisciplinary approach, because we're not all experts. I mean, I shouldn't be doing any hardware design; it will break, you know, that's from my spirituality. But I can tell you from a security and a logging perspective, or forensics perspective, what could work. So I think we need to get that multidisciplinary approach.

All right, I'm going to go ahead and get our next question kicked off, by Ken in the DEF CON Discord. It says there's been a lot of progress in the last five years, I think we've all talked about the optimism that we've had, guarded optimism, but there are still problems with smaller device manufacturers, there's problems with smaller hospitals. How do we motivate them? How do we get them to do the right thing? And I think, Ash, on the recorded talk you had talked about how a big part of medical device development is these smaller boutique consultant shops like your own.

Yeah, I wish I had a... I think that's a fantastic question. I have that question every day. How do we motivate them? How do we get there, right? Because we've got constraints on lots of sides, and at the end of the day, most of the people who are working on this, we are really passionate about the end patients, especially some of the smaller shops. Everyone that I work with actually cares about the patients, and a lot of our clients are doctors who have an idea for some medical device that they think will save lives, and they only have so much budget. So yeah, how do we motivate them? I think everyone is motivated, or at least for some of the smaller ones, we are motivated. How to actually get there, how to implement, how to communicate to clients and even to other engineers
about what the risks are with software. Because sometimes, again, we're so used to thinking about things as, you know, electromechanical devices. We think about safety as, like, the lock on the door. People who aren't in software all the time, people who don't come from a security background, they don't think about all the creative ways; they just kind of think, well, this is secure, we put a lock on it. It's like, I put my phone into a little box and then I put a lock on it, how could it not be secure? Well, because I can connect to your phone through wifi and then exploit it somehow, right? So it's not actually immediately obvious to a lot of people. So then when you're trying to set up a project and talking about budget and how much time we allocate, and what sort of security things do we care about, everything is pulled in all these directions. I don't have an answer for how to balance all of those perfectly. I think we're trying to do that every single day, but I think it's a really great question and I think we should keep asking it. Yeah, that's what I have to say.

I think the phones are a great analogy. Sorry, just two seconds here. I think the fact that you bring up this notion of, okay, people understand security on a phone, and they say, hey, I am comfortable that my iPhone is going to do this, and I know V and I had this conversation, but how do we translate that into the expectation that a medical device will be secured in and of itself, independent of how it's going to connect to whatever the clinical care is? And I think part of it is we have to be fair to all these clinical innovations that are really trying to bring something to the patient experience and change it for the better, and not try to force them to become cybersecurity experts. There has to be a way for us to enable them to get there without having to become pros at cybersecurity.

I will say, though, and I have to say it,
sorry everyone, I think I disappeared for a moment; my computer decided it didn't want to be part of this panel anymore. So there is pre-market guidance, and the current version is not nearly as detailed as some of the things that we're working on now, but to get on the market, medical devices have to go through the FDA in most cases. I'm not going into the class system; none of us need that. But if they're going to have software and other things like that, chances are they have to get pre-market approval to even go on the market, and so to a certain extent they have to demonstrate through FDA, whatever the device is, however small the manufacturer is, that they have provided reasonable assurance of safety and effectiveness, and we check for cybersecurity concerns. I think I made some clever comment about Matt being my elementary school best friend, but Matt is the lead for a lot of the cybersecurity reviewers at FDA, and like I said in the recording, we're getting better at that every day. But this is something where FDA is rightfully, by statute, by law, the gatekeeper of what can and can't be put on the market, and so, for better or worse, you can argue whether or not it's good or bad that we're doing what we're doing, the smaller manufacturers still have to go through us. So there is still going to be that part of it.

I also just want to say, we had talked multiple times about how you have to make security the easy thing to do, and for some of these rural access hospitals, smaller organizations are just not going to be able to do the job right. And so I think a collaboration, we said this a couple of times, there shouldn't be a competitive advantage in cybersecurity when it comes to hospitals, right? So you shouldn't see a billboard as you drive down the street that says, when you have your heart attack, come to hospital A because
we didn't get hacked last year like hospital B did, right? It shouldn't be like that. And I think luckily there's been a lot of momentum towards collaboration and information sharing through a lot of these organizations and bodies we've already talked about. What was an alien concept to hospitals five years ago is probably not that crazy now, which is, hey, if we get hit with ransomware, we're going to go through our protocol of incident response, then guess what, I'm going to call the CISO at competitor hospital B and let them know this happened to us, and did you see anything, collaborate. What normally was a very we're-not-going-to-share, we're-not-going-to-talk, we're-not-going-to-collaborate space has clearly gone out the window for some of the more forward-thinking organizations. Now let's take that information, for example all the great work that larger organizations have done, like Mayo, at looking at particularly secure devices compared to others, and share that information with other rural hospitals so they don't have to go and reproduce all that work from scratch. And they're doing that. Being able to share in that space is so key, so it's not reinvent the wheel at every single hospital. Let's not try to build gigantic teams that do vulnerability testing, penetration testing on every medical device and reproduce that work time and time again. Instead, it's a community. We've got to recognize that it doesn't follow the same competition that you normally would have, where you're not sharing. This is a different world; this is about patient safety now. We all have to be on the same page.

Yeah, but I'm going to say something that's going to be very unpopular, right? If you take a medical device, the functional requirement is not security; the functional requirement is keeping someone alive, or healthcare, right? We need to understand that, because we are superimposing security onto these devices, so that's not their main functionality. Yes, as they advance
they are connected and they need to be secured, but I don't think we should solely focus on having such secure devices that might just never see the market; they might never save that one patient's life that they can change. I think we should never lose sight of what the purpose of these devices is when we attempt the security implementations on them.

Awesome. All right, we're going to go to the next question here. This is from Synapses, a question about where the industry is going, insofar as what are the new... and perhaps we can even talk about the pre-market guidance in this regard. What types of requirements are we going to be putting into some of these new devices as they go for approval, to push that forward, always respecting of course that these devices are security... sorry, that was not a slip, I promise. They are medical devices meant to help patients; they have to be secure. Are we going to be deploying things like stack protection, ASLR, DEP and other things, like modern language changes that have better security baked in from the start? Are we seeing trends in this space towards utilizing more secure tools in the development of these medical devices, so that they are less prone to some of the scary vulnerabilities we've seen in legacy devices?

So I think you called me out there a little bit with the cybersecurity guidance. So, yes. I think I had made the comment earlier that the actual regulation parts, FDA's regulations, are pretty high level. I really would be amused if any of you were that motivated to go look at literally the Code of Federal Regulations to go look at our regulations; they're very dry. And then you have guidance, and then you have what companies are actually doing to meet the guidance or to meet the regulations, and I think from the FDA standpoint it would help no one if we picked the one way of doing security to rule them all
and then told all the manufacturers that they had to do that one thing. So instead, essentially what we have been communicating to them, and we continue to work with manufacturers, and continue to work on our own internal processes, is essentially saying: you need to have a secure architecture. We're not going to tell you what the architecture looks like, but it needs to be secure, and you need to be able to produce the documentation to us that proves and validates that it's secure. You need to have security controls; same thing, you need to not only have them, you need to prove that they work. And then at that point it's sort of like, now the ball is in your court, manufacturers: you tell us what your security controls are, you tell us what your secure architecture is. Because I think going down into the ASLR level and things like that, to Ash's and Vidya's and some of the other points that have been raised, each individual medical device is very unique. The things that you're going to do to secure a drug infusion pump are not going to be the things that you're going to do to secure an MRI, and so we do need to have that flexibility built into the regulations, built into the guidance, so that we can allow the manufacturers to figure out what is the best, most efficient way to secure the device, to the point that we don't impose such rigid constraints on it that certain devices just can never meet them; maybe they can do something else. So that's what I would say.

Didn't mean to call you out; I just think it's such a great segue. All right, who's up on that question? So I mean, you had mentioned, Ash, how much things are changing. Do you see trends towards more kind of baking in these controls from the start, and do you see exciting trends emerging?

I mean, I think I agree with what Jessica
said. I'm not sure. I come from a software and engineering development background and I'm learning more and more about security, so traditional security controls, I don't have a huge history with that. But I think every device is really different, and from a security perspective, or from a safety perspective, we make sure that the device is secure so that it provides safety, so that patient outcomes are successful, are positive, right? Every device is different. I think that more people are learning, more people are like me, there are more engineers who care about the security part, and obviously with FDA and guidances and with regulatory we have to meet standards. That's absolutely correct; how we choose to meet those standards is up to each manufacturer. So we have an internal process of how we approach that. At the end of the day, it's literally different every time we make a device. So we're different too, because we are a consulting firm, so we make a lot of different devices; we have none of our own in-house products that we are continually building. So every device is unique, and it has a unique solution, a unique architecture, and as technology is changing, as Wi-Fi is in everything now more and more, yeah, we're using different approaches. Yes, we have to have a bigger focus on security because of that, but I think we're just following the trends with technology itself.

Yeah, the only thing I'd add there is I think there are a variety of ways to approach it, and we have to absolutely keep patient care at the center of it to make sure we don't introduce new problems by trying to solve the security problem. But I think there's a fundamental expectation now that there's security built into this, and it's not something that can be built on afterwards. We're seeing the narrative more and
more that it has to be part of the initial requirements discussion; it has to be part of how the device is going to connect, how it's going to be patched. If we don't think about it from the onset of these fundamental architecture decisions, I think we'll continue to have this problem of trying to solve the quick regulation question that came back and try to get it through so it can get to the hospitals.

No, definitely. I don't think we can get to a granular level where we can start dictating architecture, because again those things depend on the type of device and the requirements that you need the device to fulfill. But I am looking forward to better guidances, and yes, I was that boring person that went and read that, because I wanted to understand our pre-market and post-market book. But after some discussions with Jessica and Suzanne, I'm excited to see the new ones coming out and the more robust nature of them, because we are moving towards a place where we are going to be enforcing better manufacturing.

So let's transition to our next question, into a little bit outside the medical device space and really more into the hospital. Ken brings up another question about who's keeping the hospitals in line, meaning the Joint Commission, and there are a couple of other bodies, are the ones that accredit hospitals. So when you go buy a hospital and they can be a hospital, some type of regulatory body has to make sure that they meet certain standards; the Joint Commission is probably the most famous one of those. And so a lot of what we talk about on the hospital side actually would never be FDA jurisdiction; those are medical devices and their approval. This is probably the Joint Commission's space, or other organizations that accredit hospitals. So the question that Ken poses is: has the Joint Commission jumped in here, and how do we make sure that hospitals do what they're supposed to do? We've talked at length about how we can do
better with medical devices, but I think we need to start moving also into the space where hospitals need to be held accountable in some cases, and in accordance with what they're able to do, but we need to move that needle as well, because we've all heard stories of devices with certain security controls from the manufacturers that get turned off, or aren't deployed appropriately, or are deployed on horribly secured networks at hospitals. And so part of the responsibility has to be shared by multiple people, right? How do we get hospitals to do the right thing, knowing that, especially in times like COVID, it's not going to be the place they're going to be putting their resources, right? They're worried about their ventilators in the ICU; they're not necessarily worried about this problem right now. Is there a way that we can move forward and make sure hospitals do the right thing?

To be flippant, I feel like there's such a burden here that we're trying to historically pass on to hospitals that maybe was unfair, right? Like, yes, if hospitals are told in a user guide that they need to have certain controls in place and they didn't, sure, there's a flaw there in the plan, but at the same time, is it a fair expectation for a device vendor to say, okay, we want you to have these 32 different controls in place, times the hospital having a bunch of different vendors? I think there's a balance there. So I think yes, you have to enable hospitals to be more successful in having some of the basic security in place, but I think it's also somewhat unfair to place the onus on them so much.

Yeah, I mean, I think I could just share something. We talk all the time about shared responsibility, and I actually, thank you so much for pointing out that FDA does not actually regulate hospitals, because I think sometimes people forget that we actually have a very small slice of the pie, and we like to
think we're very effective; whether or not we are is, I suppose, up for debate from others. But that's not something we have any control over. But there are multiple federal agencies and state-level agencies, and actually that's part of the problem: the sheer number of regulators who are active in this space, who may or may not have harmonized regulatory requirements that hospitals are expected to meet. That's challenging enough as it is. But something that Vidya said I wanted to hit on, because one of these public-private partnership bodies that I'm a part of, we were recently talking, and one of the core CISOs was like, I have a spreadsheet of 400 different websites that I have to continually check to figure out what updates I need to make to all of the different devices that I have. And it's not something where they're always getting active notification from the vendors, like "you should go check one of these 400 websites," and there's just, it seems, an almost infinite variety of procedures that each individual manufacturer can try and impose on a given hospital, and that just can add up so fast. So in that sense, there are certainly things that we can do better. I don't know necessarily that punishment is always the way to go with that. I don't know how many of you know about the Office for Civil Rights wall of shame, but literally if you have a breach of more than 500 people, or at least this was the way it was a couple of years ago, you go up on a portion of HHS's website with your name and how many records were breached and how you got breached, etc. And it's not exactly the most helpful way to do it, because you also get fined in that case, and that's resources that you have now lost that you then cannot put towards your security, because you just had to pay it to somebody else. And so, you
know, I think these are conversations that happen at the federal government level all the time: how do we regulate holistically, how do we regulate in such a way that we are helping the industry move forward rather than continuing to perpetuate some of the problems that we see?

I want to touch on that, because this is something that is really near and dear to my heart: hospitals. And the one thing that I've realized is we've created this shameful thing of finger-pointing when a hospital gets breached, right? When we make it this negative connotation, they don't want to come out and say, hey, we've been breached, we need help. We've made it impossible for them to turn to the security industry and ask for help, because we shame them when they have been breached, right? When they are having to deal with medical care, and then sophisticated attacks from cyber criminals, and on top of that implementing different patches and different software updates with different systems, and how they're going to connect all these things up, I think we are expecting them to take ownership and accountability for things that aren't theirs to do, and then still we punish them for not being able to do it. It's a very negative connotation to "we need help."

I agree. I don't think punishment is necessarily the right way, but I think that they're not being punished; the only hammer that they really pay attention to is HIPAA, because it's tied to a fine and an embarrassment on a wall. There isn't really, for example, if rural hospital A gets owned and there isn't a HIPAA breach, no one knows about that, and there is likely going to be little remediation effort, probably because they've been owned for years and they don't even know. What I'm trying to say is that I don't think we should shame hospitals, but the status quo is likely untenable for the long term, because
there is an increasing attack surface, there are fewer resources being put into this, and on top of it, it's going to have to be looked at in some way, because we can't have the most secure medical devices on the planet with phenomenal protections and then put them on networks that no one cares about, or that no one's doing a good job at securing because there isn't that pressure. So how do you incentivize the hospitals? Do you say, for example, we're going to give you 0.25 percent more on your Medicaid reimbursement if you meet these cybersecurity requirements, right? Are you going to say we're going to cut your reimbursement from insurance claims if you don't meet these requirements? Is the Joint Commission going to say, hey, we're not going to accredit your hospital unless you meet these requirements? These are the types of questions we should be talking about, whether it's a carrot or a stick; this is how we're going to have to figure it out. But what I do know is you can look at many different healthcare organizations across the globe and know that we can't keep going in that realm, because the patient information is just too valuable, and the risks of compromises to these networks are just too great for patient safety. And so we have to have that conversation sometime. Again, I don't want to shame anybody, but we have to do better on all fronts of this, because if you just secure one side, our patients are still vulnerable on the other side. It's really got to circle the wagons; everyone's got to get on board.

I think, to your point, right, I think cybersecurity in healthcare was defined as HIPAA for the longest period of time, and nobody ever connected it to patient safety. So I think that's why there is a disincentive, but in the absence of an incentive for a hospital to really build security beyond just what OCR is going to fine them for, it's a change of how they perceive security, right?
Cybersecurity is always the stick that's beating you, that's saying you need to do X, Y and Z. It's never the thing: well, if you don't do this, this is what's going to happen and it's going to impact your patients. I think we need to change the narrative, and the way that we approach this is by getting the hospitals to believe that this is the best for their patients. This is not just something that needs to be done because HIPAA says so, or any other organization says so. I don't know the Joint Commission, and I'm going to be honest with you, I don't follow that, because I'm not from the US. But I do feel that if you change the way security is perceived within a hospital, and you make it more about patient safety, you will see people change the way that they approach the problem.

You're absolutely right, and I think there's a balance there, right? We don't want people declining clinical care because they now understand the potential risk. But I absolutely think you're right, because here it should always be about the patient safety that we're trying to ensure collectively.

I mean, COVID's kind of broken the perimeter, right? They are sending home monitors. Which angle do you defend from? Where is our perimeter at the moment? I think we're going to have to rebuild healthcare after COVID, globally, and that's an opportunity to do things differently, right? We now have a way to move forward positively without having to reinvent the wheel, because the wheel's kind of broken down now. So I see the positive in that as well, and I'm excited for it personally.

All right, everybody, we're gonna have to wrap up here soon, but I want to give everyone the opportunity to just say where they're gonna go party after this Q&A. So I'm gonna start off with Jeff: where are you gonna party? His internet is having a seizure, he told me, so I'm not sure if he'll be able to rip on. He's gonna go party with me, I bet, somewhere. Yeah, somewhere with that, or somewhere
didn't go to Starbucks and steal some internet. Ash, where are you gonna go party after this Q&A?

I'm gonna open the new record player that I got, that arrived in the mail today, and set it up from here.

V, where are you gonna go party after this?

It is six a.m., so I'm gonna go party at Club Duvet. It is a very, very, very warm, toasty club, and that's where I'm gonna be spending the rest of my morning.

Nice. Vidya, where are you gonna go party?

Gonna hit up the beach, all day, every day. All day, every day.

And Jessica, take us home.

I was gonna say I was going to Club Bed with DJ Pillow, because that's exactly... Well, on that note. Well, on that note, we want to say thank you to DEF CON, the CFP board, for giving us another shot at this, and to everyone out there watching us on Twitch: thank you for attending our Do No Harm panel again. Stay connected with this; this is really important work. Let's keep our patients safe, and everyone take care.