
Do No Harm - LIVE


Formal Metadata

Title
Do No Harm - LIVE
Number of Parts
84
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Mired in the hell of a global pandemic, hospital capacity stressed to its limit, doctors and nurses overworked and exhausted... surely the baddies would cut us a little slack and leave little 'ol healthcare alone for a bit, right? Well, raise your hand if you saw this one coming. Another year of rampaging ransomware, of pwned patient care- only this time backdropped by the raging dumpster fire that is COVID. Can we once and for all dispel with the Pollyannas telling us that nobody would knowingly seek to harm patients? And if we can't convince the powers that be- whether in the hospital C-suite or in DC- that we need to take this $%& seriously now, then what hope do we have for pushing patient safety to the forefront when things return to some semblance of normal? With a heavily curated panel including policy badasses, elite hackers, and seasoned clinicians - D0 N0 H4RM remains the preeminent forum where insight from experts collide with the ingenuity and imagination of the DEF CON grassroots to inspire activism and collaboration stretching far beyond closing ceremonies. Moderated by physician hackers quaddi and r3plicant, this perennially packed event always fills up fast - so make sure you join us. As always- the most important voice is yours.
Transcript: English (auto-generated)
It's a little too quiet out there. Can we please raise up the volume a little bit out there? This is DEF CON. Y'all acting like there's a pandemic out there or something. All right, we're gonna kick off this early evening party panel talk here
about the most happy topic on the planet, which is what the dumpster fire is going on with healthcare, right? But before we begin with that, I just wanted to say we all really appreciate you coming out here. I'm gonna introduce myself quickly, then Replicant at the end is gonna talk a little bit. We'll get to introducing the rest of our panel,
which is who you truly came here for. Please give it up in the middle here. And then we're gonna get to some topics. We'll talk a little bit about the format. Cool. All right, my name's Quaddi.
Welcome to the Do No Harm panel. We're gonna talk a little bit as an introduction about this because this is not the first time we've done this and perhaps of all the other times we've had this panel, this year may be the most important. And so what the hell are we talking about up here? And it's the fact that we're all gonna die.
And somewhere between now and when you die, you're gonna probably interact with a hospital. You're gonna talk with doctors and nurses. You're gonna have medicines and whatnot. And believe it or not, ends up that healthcare nowadays is pretty damn connected and it's all running vulnerable shit. And for the most part, it's been a raging dumpster fire for as long as I've been around, pretty much.
That is what this is about. If you're interested in learning about other stuff, there's another really awesome talk going on, but we'd encourage you here. And then also we'll have some opportunity to answer questions. Jeff, go ahead and take it. Sure. So for those who may not have come to one of these before, this is actually the fifth year that we've been doing this.
And I just want to give a quick shout out because this entire idea started as a conversation between inebriated people in the hotel room of one Mr. Beau Woods, who's sitting here in the middle with us. And those of us who are adjacent who are exploring this space, we're like, hey, it's all, we're all here at DEF CON. Let's actually sit down and see if we can figure some of this stuff out ourselves.
So that has morphed into something that we have been honored and privileged to be able to do at DEF CON now for the last couple of years. And what we really wanted to try to do with each and every iteration, but especially now, is give you guys the chance to have conversations with people who are superstars in the fields that we're talking about here. Ask your questions, figure out how you can get involved and really get face to face with some pretty incredible people.
So what we're going to do is we're going to have a little bit of a conversation between us, probably aim for about 45 to 60 minutes on that. And then we'd like to open it up for general questions from the audience. But then at some point, we're all just going to kind of split off and move to different parts of the room and would love to pick your brains, hear from you, and sort of talk about some of these issues in a little bit more personal space. Before we introduce our panel,
the last thing that I do want to say is that we had two folks that are affiliated with the federal government who were unable to make it here in person because of travel restrictions. Anybody really interested in hearing from two incredible people should check out our recorded talk, but it's basically Josh Corman from CISA and Jessica Wilkerson from the FDA. And so we wish they were here. I think we're going to hear from Josh a little bit later, but that's the one caveat.
Starting down with Quaddi, give a little bit more information about who you are, what you're up to, and then we'll go through our panel and introduce ourselves. Hey, I'm Quaddi. I am actually an ER doc, so if you meet me at work, you're having the worst day of your life. I hope not to meet you in the emergency department, but maybe somewhere else like at a bar.
And when I'm not working in the emergency department, I do cybersecurity research on medical devices, healthcare impacts of cyber attacks like ransomware. How does ransomware harm patients? And then again, I'm sorry, right before we get to Beau who's the next one, we wanted to also say a giant shout out to DEF CON.
Fifth year this has been here. We really appreciate this. You guys being out here, got a hell of a thing to put together. Thank you, DEF CON, from all of us at Do No Harm. All right, go ahead and introduce yourself, Beau. All right. Hi, my name is Beau Woods. I do a lot of different things. I actually started my career in healthcare.
I worked at a hospital for about three years in IT and in infosec. And one of the, I don't know, interesting characteristics that I found is like a lot of healthcare networks are a little bit like archeology. You find all kinds of things that you thought were dead
living in hospitals on the networks where they probably really shouldn't be. More recently, I've been a part of an initiative called I Am The Cavalry, which is a global grassroots initiative. A bunch of hackers got together and said,
our dependence on connected technology is growing faster than our ability to secure it in areas impacting human life, public safety. And no matter how high and deep we got into federal government and industry, we found that the cavalry wasn't coming. We realized we were the adults in the room and that scared the hell out of you, as it should scare anyone to have some dude with a random blue Mohawk
who is the adult in the room. But we have managed to turn that into some really good impact, including I worked at the FDA for a year on building a new pathway to market for software as a medical device.
So like the app on your watch that tells you if you're having atrial fibrillation. Also drafted up something called the Hippocratic Oath for Connected Medical Devices, which we may talk a little bit about in a bit. And that has led me to do a lot more with healthcare and industry, including starting the device lab at the Biohacking Village,
which if you haven't gone and checked that out yet this year, you really should. It's a ton of fun and they're doing some really good things over there. So I could probably talk all night, but I won't. All right. My name is Gabrielle. I started kind of like Beau in my career in science and healthcare.
Started out doing pharmaceutical and medical device regulation. Moved into cybersecurity kind of through all of that. And now I currently work as a cloud security engineer in healthcare and also do medical device research and genetic science consulting on the side.
Hi, everyone. I'm Stephanie. And I started out in the offensive security research space, focused predominantly on embedded systems. And then about seven years ago, I decided there was this really big need in the healthcare space for security savvy people to kind of come in and help elevate the maturity. And so I've spent the last seven years as a consultant in the security for medical device space.
So I've worked with medical device manufacturers on just about every stage of securing medical devices, also with hospitals and healthcare delivery organizations on how do they manage the risk of the medical devices that they have, and then even regulators to help them understand what should they be looking at from a cybersecurity perspective before they clear a device for sale,
both here in the United States and abroad. And my name is Replicant. I am an amateur computer hacker and a professional central nervous system hacker. So as an anesthesiologist, I toss your brain while people poke you with sharp objects. And I work with Quaddi on the academic side of things to take a look at medical device security,
infrastructure security, and how that's a patient safety outcomes-based issue. So let's just give a big round of applause for everybody other than me. What a great panel. And this is usually a little bit more of an intimate affair in a much smaller room. So it's really cool to see everybody out here.
At the risk of perhaps boring some people who are very familiar with this concept, I want us to take the liberty of asking some of our panelists to sort of give a very general 30,000-foot view sketch of some of the topics we're talking about, just in case you wandered in here because there's nothing else to do and you are hearing about this type of security for the first time.
So Stephanie, we're going to ask you to give a little bit of an overview about what's been going on with medical devices and then Beau to talk a little bit about the infrastructure and policy issues. Yeah, so I'll actually take just 10 seconds to explain to everyone just what actually is a medical device. So it's a term that gets thrown around a lot but it actually has a legal meaning and so I'm not going to get too boring but just understand that anything in the healthcare space
that helps treat or diagnose a medical condition is considered a medical device. So something like a tongue depressor, that big popsicle stick that they put in your mouth, that is actually a medical device. And so it ranges from the non-digital all the way through the digital that you're probably thinking of with things like pacemakers and insulin pumps.
And so understanding all of those are regulated as medical devices but the potential for patient harm that that device can cause against a patient is what dictates basically what severity of a medical device it is or what class it is. So not all medical devices are treated equally. A class 3 medical device like a pacemaker is held to a much higher bar from a regulatory perspective.
And so understand when we talk about cybersecurity for medical devices, that bar, it's all risk management based game, right? There's no compliance, there's no certification in medical device cybersecurity. It's all risk management based. It is you putting together the story as a manufacturer of here's what I did for cybersecurity,
here's how I perceived the risk in my medical device and then taking that to a regulator and saying, here, I think I've controlled enough of the risks in this device that you should let me sell it here in this country. And so this journey really started back in 2014. So the first regulatory guidance around cybersecurity for medical devices came out from the FDA in 2014.
And it was around what we call pre-market cybersecurity. So all the things you needed to do for cybersecurity as a medical device manufacturer to get your device ready to sell. The post-market cybersecurity guidance came out a few years after that and then that overviewed everything you needed to do after that medical device was approved for sale here in the United States
and what you needed to do about that. The FDA has gone back and they're working on a revision for that pre-market guidance, but it's currently out in draft form. So if you want to see sort of where is the FDA going with the requirements that they're now putting in medical devices, you can read the current draft version of the pre-market guidance that's out.
And the FDA has been a really, they've been awesome in this space. They have absolutely been partnering with the security research community, the medical device manufacturers, and they're trying to really grow cybersecurity in medical devices without stifling innovation. It's a really, really tough balancing act to make sure that we continue to raise that bar in cybersecurity, but you can't stop innovation in medical devices.
And so that delicate balance, and sorry, I won't pontificate forever. No, that was awesome. And then of course, we've just had a smattering over the last like 15 years of vulnerable medical devices that caught some attention, right? So we had the pacemakers, AICDs, devices implanted inside your body
that can shock your heart when your heart rhythm starts getting strange, right? Those have been vulnerable and demonstrated to be potentially deadly if attacked. Infusion pumps that control the rate of medication going into patients, those have also been shown to be vulnerable, like in 2015. And insulin pumps, I mean, there's a whole host of devices. And it seems like the common thread was a researcher wanted to learn more about it.
They bought a device off of eBay or got it somewhere else. And in a short time, they found something really potentially concerning about patient safety. Awesome. So we're going to go now. It's not just about medical devices. We're going to talk today also about like hospital infrastructure.
One of the concepts we're going to talk about is, you know, how can a vulnerability if exploited impact a person's life, right? Their ability to be diagnosed with a particular disease or get the treatment that they need. And all that stuff that supports that care is all that infrastructure. And so Beau's going to talk a little bit about just an introduction to healthcare
infrastructure and its vulnerabilities as well. I'm curious. I know every time we do this, after we step down from the podium and go out into the crowd, always there's like five or six people who come up to me like, man, I work in a hospital. That was so cool. You're talking about the things that I live and breathe every day.
So just by show of hands, if you want to raise your hand, who works in or has worked in a hospital dealing with tech stuff? Okay, that's a good number. How many have had loved ones in the hospital or have been in a context in a setting where you were impacted by ransomware
or some other type of security incident at a hospital? Raise your hand. Okay, a few people. One of my first days working security at a hospital,
we had a network worm that went around and it hit a bunch of servers. Didn't think too much of it. We were able to pop in with remote desktop or whatever, push some policies out to get rid of it. It wasn't too big of a deal for too long. It probably took us half a day to clean up, which is not terrible.
The next day I went in and I got a call from a physician in the neonatal intensive care unit. And the neonatal intensive care unit, if you don't know, it's where some of the most vulnerable patients in a hospital are. It's premature babies and patients who struggle just to take their first breath.
And they're a little bit behind the curve to start with. And the physician who called me up was like, hey, our fetal heart monitors are going up and down. And every time they go offline and come back on, they have this Windows screen.
And it's happening about every 15 minutes or so. I wonder, I know you're not the medical device person, but can you help us out with this? I said, hey, sure, I'll give it a shot. So I knew that we had the network worm the day before, Windows screen. So I started going through a quick diagnostic. And it turns out that these fetal heart monitors,
which are systems that basically track the premature baby's biorhythm so that the nurses can sit and watch it, so that it can feed into the medical care that the doctors give. They were infected with this banking Trojan that was meant to steal grandma's bank password.
But instead it was causing in these devices a reboot every 15 minutes. And so it'd lose patient state. And what happens in that case is you have to have a lot more patient care delivered manually by doctors and nurses who are really competent, but it takes a toll. So you need extra doctors and nurses coming in.
The consistency will dip if it's not automated because humans are more fallible than computer programs. And so basically these vulnerable patients were at a loss. So I called up the manufacturer.
The manufacturer said, oh, you know, sorry, that sounds like a malicious software issue. We don't cover that. I said, okay, well, give me the password. I can get into it. I know how to get rid of this. It's not a problem. They're like, oh, we can't give you the password. It's a medical device. You can change something. Like, wait a minute. So there's a virus. There's unwanted known malicious code on this.
And I want to put known productive code, the patch that the manufacturer issued and the software manufacturer for the operating system. And you won't let me do that because that's a change, but malicious software is not a big enough change for you to have a problem with it. They're like, well, that's whatever.
They used a line, which is a lie, that it's a medical device and therefore we can't change it without getting reauthorized by the FDA. Totally not true. And we can talk about that more probably in some of the after chat. So I reasoned that if this device got hit by a piece
of malware, a network worm, the vulnerability exists. I can exploit that vulnerability too. So I drafted a justification, went up to hospital leadership, got all the necessary approvals. They thought it through and started just using Metasploit
to pop the boxes, drop the patch, kill the malware, and get the doctors back to saving lives. Yay, Metasploit. Hacking for good, right? I mean, we want to use our hacking skills for something good, and this was a really productive use. I was able to put the doctors back in charge
of patient care rather than being dominated by malicious actors who ended up being in, I think, Morocco and Turkey at the time. So that was like my first introduction to security and my first introduction to healthcare security, and it's gotten a lot better since then, fortunately.
But that's the type of consequences that you have in healthcare that you don't have in a lot of other industries, right? So I worked a lot in banking and retail and other places. A bank system gets hacked and probably not too many people are going to die from that. Hospital systems go down and the consequences are much different. They're materially different, not just in degree,
but in kind. In addition to that, you have medical record systems, which we probably have all been to a hospital or at least a doctor's office and had our patient records go into this computing system,
which allows doctors to track us. It allows us to do a lot more positive things with population health so that we can find causes of diseases, so that we can track people through their medical records and be able to treat them if they go from Dr. A in Sacramento to Dr. B in New York City.
So there's a lot of benefits, but yet these electronic health systems in some cases were prematurely connected. We incentivized putting these health records in a computerized system, but we didn't necessarily incentivize to the same degree, securing those systems. In hindsight, a lot of us in this room
look back at it as a mistake, and yet there's also scientifically rigorous data that shows that that has helped population health improve. In my more recent life in doing cyber policy, and I feel like I can say cyber in this crowd, because I live inside the beltway,
I live in DC and I work in talking to policymakers, so I promise I will drink later for saying that. But in thinking about some of these issues, man, I lost my thread,
talking about the cybers and drinking. Too much drinking already, though. Too much drinking already, possibly. Well, I am compliant with the three, two, one rule. I got four hours of sleep each of the last five or six nights, so I am ready to go, although I missed my second meal yesterday, and I need to get a second meal today, otherwise I'm going to be all out of compliance.
But in my role as cyber policy person, I've talked to a lot of people in high positions of power, and one of those was a former president of a European nation, and after having some of these conversations where before the conversation was all about data confidentiality,
we started talking about health records, and so the very shorthand version that he came up with was, I don't care as much if somebody can read my blood type, I care if they can change it in the system. That would cause a much bigger impact, and while we've spent over the past five years
about a trillion dollars globally on people, products, and services, most of that has been focused on data confidentiality, and the capabilities that you use for data confidentiality are very different than the ones that you would use to protect the integrity and availability of human life. So I think hospitals and other places
where you deliver healthcare are really interesting places where we may not have the hands-on experience to deal with those types of infrastructure in the same way that they need to be handled, so less of a data-focused aspect and more of an impact of physical conditions,
and so the infrastructure in hospitals is very different than what we may think of, and so when we apply some of our general rules, we might have to think differently a little bit to make sure that we don't inadvertently cause harm to human life. Christian, you've got a great line.
I may butcher it, but it's something like, as we seek to treat existing pathologies, we should be careful not to inadvertently create new ones. That sounds much smarter than I actually am. Yeah, he read that on a fortune cookie. Yeah, so I'll take that one. All right, Jeff. So yeah, so I want to ask the panel a question,
and I want to start with Gab first, but basically we have these types of conversations every year, and one of the most interesting things is what is the change in our thinking from year to year, and obviously we are 18 months now into a global pandemic, which is a sentence I never thought I'd say in med school, but Gab, you have a very unique and interesting role as part of our response, so what have you learned in the past 12 to 18 months
that has really sort of changed your preconceived notions about what we need to be thinking about when we talk about the security in healthcare? I think we've seen a really big stress on our health system, and we've seen a lot of hospitals at or beyond their capacity, and it's made people realize that yes,
we need to figure out what's going on, what we can do to kind of keep this from happening again, and I think we've also seen situations where that max capacity that the hospitals did reach was exploited in some ways. If a hospital is at max capacity, and suddenly they are hit by a ransomware or malware taken down,
that's a huge problem. That's so many patients that have issues, and I know there's been quite a few breaches in the last year. It seems like healthcare breaches have been in the news a lot more than maybe previous years because of the fact that COVID has everything
in the spotlight, but I mean there have been times that the cardiac cath lab went down. They couldn't use any of the materials, machines that they needed to in those labs or use the ICU as intended, and it's just become a lot more of a visible issue I think.
Yeah, and so I'll add on to that. One of the things in working with hospitals at the beginning of the pandemic or before it happened, there was this really growing maturity in how are we handling medical device cyber security. There were these really amazing internet plans
about we're going to do micro segmentation. It's going to be amazing. We're going to put all these medical devices, and as soon as the pandemic started, just crumple that, throw it in the garbage. We're pulling old medical devices out of closets. We're pulling them out of old academic institutes. We're setting up clinics in parking lots, and for good reasons, right?
But I mean all those network rules, all the segmentation, just gone, right? So you ended up with this really big spaghetti monster of networking of medical devices now inside of hospitals because they just had to get stuff to work quickly, and on the regulatory side, there was actually relaxing of regulatory requirements for medical device manufacturers
to put out updates to medical devices that enabled remote patient care. So a medical device that previously a clinician had to walk into the room and do something to, if a manufacturer was able to put out a software update that removed the need for the clinician to walk into that room and instead maybe task it from a nurse's station, there was actually relaxing of the regulatory rigor needed
for the manufacturer to put out that update because they wanted those things to come out quickly. So I support that they did that, but understanding that that also happened as a result. So some of the software updates that were coming out at the time to enable remote care to some of these medical devices did not go through the normal rigor process.
And in some cases they did, right? Some manufacturers still did their normal business as usual, but some would have taken that route that was relaxed rigor on what was actually needed from a testing and verification perspective of those patches. So you're just now starting to in the healthcare space, I feel like you're just now starting to see these IT clinicians come out and up and able to breathe
and actually say, okay, I need to clean out the spaghetti monster that I made. And so you're now starting to see that bandwidth come back where they're looking back at, okay, how do I resegment these networks? How do I get these legacy medical devices in a secure network versus just the like, let's just put it all together and make it work.
So I think we're starting to see now that wave of let's kind of clean up that technical debt that we acquired early on in the pandemic. And so we're starting to clean that up. I just wanna get anyone in the audience to raise your hand. If you saw a doctor or a nurse practitioner or some other provider on your phone or on your laptop during this pandemic, raise your hand.
All right, keep your hand up if you thought that was rad. All right, keep your hand up if you think that that person was behind, like them connecting to the network and viewing your medical record or using the telehealth platform that they did could hold itself up to like the lowest of skid. Oh, there's like no one up there.
Exactly, to continue what Stephanie said was that like I'm an ER doc, when the pandemic hit, I put my hacker brain to the side and I thought like we're gonna be, I remember my boss saying, pack a bag that has to be,
you have to live with two weeks of stuff. You may not see your family. You might have to live at the hospital. We don't know how bad this pandemic's gonna get. And so my hacker brain was like, all this work that we had done to try to secure these devices and all the fear that I had about this had to go on the side and COVID took the front. And we were, that exactly was the paradigm we had, which was how can I treat patients at home
when they have, the only thing I have is a phone for them to call me with. And so it was an explosion of access, almost no regard for commensurate security. And I don't think that, I think that was the right call, right? We were worried about bodies in the streets at that point.
I mean, luckily we, at least here in the United States, did not see that very often. But I think what it showed to us also was that it is so fragile. It is amazing what actually supports healthcare and how fragile a technology that we are so dependent on is in use all the way around the world.
And if it took this awful pandemic for the people paying attention to realize that, you know, it's a virus now, but our dependence and the potential for consequence to human life could very easily be replicated with a pretty large attack, a pretty large ransomware attack, for example.
Beau, I want to ask you as somebody more on the policy side, I definitely echo what quaddi was saying. Like when we were in the thick of it and we were intubating patients in the ICU and running low on ventilators, you know, we were looking for a machine that could deliver positive pressure to a patient with diseased lungs. And that's the bare minimum. There were so many inventive solutions,
partly from the makers and the hackerspace who were able to jerry-rig things. Has your thinking at all changed with respect to the threat model? Because we had all of this exposure to medical devices and the security wasn't really as much of an issue as we are now seeing with more infrastructure-based attacks. I mean, for the last five years, we've been worried about a discrete individualized medical device
and now we're starting to appreciate the problem differently. Can you talk about your thoughts on that? Yeah, that's a complex question. I'll give a slightly off-topic answer because something that Christian said really triggered me to think about the positive outcomes
that we could see, and especially in public policy, so the positive outcomes. So for those people who raised your hands because you could see a doctor on your phone or on your laptop, that only happened because of a policy change where telehealth, telemedicine is now reimbursable by insurance. I think that's absolutely amazing.
Like, why have we not had the ability for home healthcare? Why have we had to go into a doctor's office? Yeah, thank you. Why have we had to go into a doctor's office, take time out of our day or whatever? Why can't we just get on these phones? The technology in the vaccines
that most of us have now taken, everybody in this room has been vaccinated. Not everybody has been vaccinated with the same technology, but like mRNA vaccines are absolutely astounding in what the capabilities are. And it kind of took a pandemic for us to unleash some of these things that we've been hypothesizing about for a while
and trying to do. I remember I had a conversation with a physiotherapist who, you know, physiotherapy is like very hands-on. You have to touch people, move their arms down and manipulate their body so that their body can recover in a way that helps them get by.
And they were doing remote physiotherapy sessions and the person's partner was actually the one who was doing the physical touch. Like, think about what that means in terms of a patient. Instead of having a stranger touch you or be there with you, it's your loved one, whether it's a family member or a friend or whatever.
I would like to, well, I want to focus on the happy side of it and the fortunate side of it for a minute because a lot of times we just look at the downsides. But I think there's a lot of amazing capabilities that can come out of it. And Jeff, to your question, how does my threat model change? I'm seeing and trying to see,
it takes conscious effort because we're wired differently than a lot of other people. I want to see the benefits, the silver linings and look at what can come out of this that we could then use to create the next generation of patient care and the next generation of more convenient,
more effective medicine and health that we can deliver to people around the world. Okay, we're going to ride that amazing, uplifting sentiment to the top of the roller coaster and we're going to go right back down, okay? And I think that is, we'll start off by saying, you know, the vaccine was amazing
and we have an expert on this panel to discuss that. But I mean, Gab, how close were we to like one ransomware attack to having six months delay in the vaccine? Like that is terrifying shit. Think about how many people would die. And I'm kind of curious because you have some insight.
Yeah, definitely. It was bad. There were a lot of attempted attacks to either glean some vaccine information from what we had or just to kind of see what we were up to. And that would have upended everything. I mean, we were working really hard to kind of get everything out
as fast as we could. The trials, some of them are running concurrently, phase two, three, four. A lot of the sites performing the trials, I mean, I can tell you that the review of those was really scary and kind of quick. It was run through really quick.
And yeah, just anything that would have toppled that house of cards that was barely being held together would have been horrifying and it would have pretty much stopped everything completely in its tracks and taken down whatever work we had already had.
And it doesn't sound, I guess, that bad since we're past that point, but there's no reason it couldn't happen again. So at the risk of asking you to toot your own horn, Beau, I mean, you and Josh, who's not here with us tonight, but you were hired at CISA specifically for the purpose of protecting this type of research infrastructure
and vaccine delivery. What did the feds do right in this situation for once? He's gonna have to pass on that, sorry. Hard pass. But we just want to reiterate, you know, what Gab is talking about, so much of the research infrastructure, the collection of data,
the clinical trials, the technology to develop the vaccine, to then manufacture the vaccine. If you really take a 40,000 foot view of that, you can know as a hacker how many very vulnerable links in that chain there were, and if only one broke, if one data center containing the critical stage,
or sorry, phase two clinical data was in, was inoperable, inaccessible, that they'd have to redo all of that, and it could put us months behind. And it's not just the citizens of the United States that have suffered, but that vaccine coming to market even days or weeks later
would have resulted in thousands of deaths. It's amazing that we didn't think about this stuff ahead of time, or maybe we did, and I just wanted to give a shout out to the hacker community and say this, you know, I grew up a hacker, I really think we are the ones that are screaming, this stuff is on fire, it's not just smoke,
it's on fire and we need to fix it, and we've been saying this for a long time, and I think, I hope after this, they're gonna take us a little bit more seriously, and really being able to fix this to some more appreciable amount, so next time something like this happens, it's not nearly as bad. So that's really like, give yourself a pat on the back, okay?
All right, I'm gonna play a clip of Josh Corman, given about a four minute, so he was supposed to be on this panel, he couldn't be on this panel, I'm gonna go over this podium,
I'm gonna play a four minute clip, I want you guys to pay attention, and just to give you a tiny bit of a primer, this is a discussion about patient's lives, so I often get asked, show me the body count, right? I'm so, like, you talk to me in the, until you're blue in the face quality, about how bad this is in healthcare, but show me someone who's died,
and you know, this is kind of the primer, you know, can someone be injured by this? So by the way, Beau, my question was a test, and you passed it. NCFs, these are the things that affect national security, national economic security, and national health and public safety. The one that's been in the red zone,
in the purple zone, for the most of the pandemic, is called provide medical care, and this is what two of you do, professionally, every day. We looked at severe strains throughout the pandemic, initially noticing a new problem, because the pandemic, which was cascading failures, so it used to be that, if you had a ransom, or an outage,
or some power problem, you would merely divert ambulances to the next nearby facility, and that's kind of predicated on the next nearby facility being able to receive anybody. So when everyone's at a saturated level, or in the red zone themselves, a failure in any single hospital tended to have cascading stressors, or fail-overs in nearby facilities.
So Christian, I heard in your amazing testimony, to House Energy and Commerce, similar sentiments, so we started studying that as well. Then we started looking at something very poorly covered in the media, but the CDC tracks something really important every year, every month, called excess deaths, and this is the difference
between expected deaths, and actual deaths, by condition, by month, by state, and at the national level, and when the U.S. hit that February milestone of 500,000 lost Americans to COVID, we also hit a different milestone of 150,000 lost Americans to non-COVID conditions that are otherwise treatable, very treatable. The number one age demographic of that
was 25 to 44-year-olds, so young folks that could have been saved, but for excessive loads on our healthcare delivery across the country. So these are things like, time-sensitive things, like heart attacks, strokes, cancer, where time matters, minutes matter, hours matter, days or weeks.
So Christian and others on this panel in the past, we often cite the New England Journal of Medicine article, it says 4.4 minutes during a marathon, could be the difference between life and death, and increased mortality rates for heart attacks. We know with strokes, the difference between life and death could be one, three, or four hours. So what did four weeks of interruption
in the state of Vermont do with the UVM Medical Center and 118 facilities in upstate New York, Vermont, and New Hampshire? So again, where minutes matter, and we know that delayed integrated patient care affects outcomes, including mortality rates, you know, we were deeply concerned about this, and almost done some of these truth bombs,
but when we looked with data scientists for the first time, this fusion center, we started to say, is there a relationship between capacity levels and mortality rates and for excess deaths? And we're starting to share this with the public data, but without getting into the inflection points, we did see a strong and positive correlation between something like ICU bed count
and excess mortality, excess deaths two, four, and six weeks later. So we got a kind of a leading indicator that we could tell if a hospital or region, a state was going to incur excess deaths if they were starting to reach too high of a capacity level, and then asked the really tough question, and I think do no harm cares about, which is can cyber disruption
precipitate or accelerate or cause that harm to worsen? And of course, we know fire is hot and water is wet. So of course, any degraded and delayed patient care from any source can do this. But we did start asking uncomfortable questions and looking at the states hardest hit by that concerted effort to disrupt health care
during the month of October and November. And adjusting for all other variables in a state like Vermont, it was very clear that electronically disrupted hospitals achieved that excess death red zone much faster than their peer group. So again, if minutes
and hours are the difference between life and death, and you're in a geography that can't get to the next nearby facility, we should stop asking can cyber attacks lead to loss of life? We've answered the question. There's enough statistical evidence now to show this. Wow, that...
makes you feel happy inside, doesn't it? This is what we're talking about is it's really important to protect patient health information. It's really, really important to realize that in medical conditions where minutes matter,
the hospital infrastructure if under attack, and you could get worse care. I wanted to play that clip at the request of Josh, this panel, just to discuss briefly kind of your reflections of that, because for the longest time we've gotten so much criticism and some of you out there in the crowd may have this. Show me the body count. You know, is this a turning point?
Are we seeing more and more data? Can we now more reliably conclude that patient harm is real when a hospital gets ransomed? And what the hell do we do about it? I'm not just that. I'm gonna lay that out there. I mean, I think if you can
listen to what Josh said and still think that there isn't a correlation immediately and that there isn't a body count, then you're not listening. What can we do about it? That's really hard. If you work at a hospital
or you have worked at a hospital, then you already know that in some cases the choice between, you know, buying another blinky box or hiring a CISO. The trade-off for that is maybe you then can't buy an MRI machine or you can't hire
another physician or nurse or other type of clinician. Those are really hard trade-offs to make. So when we sometimes, you know, sit back and for those of you who haven't worked in healthcare and think, well, you know, just patch stuff or just get somebody
who knows what they're doing. If you're a clinical access or a critical access facility that there's, you know, no other hospital for 100 miles, let's say, you got eight beds, you got five or six doctors, a handful of nurses. Which nurse is going to be
your IT person? Probably none of them. But they're in the position where you can't really hire somebody in that local area because if you have IT talent, a lot of times you go to the bigger city because there's a salary there that you can't match locally. And a lot of these places are really struggling.
If you look at the 20, I think it came out in 2017, the HHS Healthcare Cybersecurity Task Force Report, they looked at a lot of really important, profound truths and surfaced those and put them into a nice, you know, page one graphic that are,
here are the problems in healthcare. But they went beyond that and they said, here are some of the things we can do about it. Everything from public policy steps to some things individuals could do, to things hospitals could do, you know, carrots and sticks, incentives and punishments. But I think there's some good blueprints in there, including, you know, for instance, can we have
managed service providers that cater to the needs of these hospital workflows so that, you know, if you have an anti-spam filter and you get a bunch of emails from labs that might trip a threshold,
you don't block the emails that are coming in from labs where it's critical treatment information coming in, right? How can we create some of the incentives that would allow for those managed service providers to do that so that you can scale up security protections or scale them down to the size that fits
some of these small organizations that are really cash strapped? How can you do several other things? So I'd encourage you to go take a look at that. These government reports are a little bit dry, but go check it out. And has anybody ever like called your hospital to like volunteer? Hey, do you guys need some help?
I have a certain skill set and expertise. I'd like to see if I can help you. That might also be a step you could take or temporarily trade in a high price job for one that's maybe a little bit lower salary but in one of these healthcare areas
where you can make a huge difference to somebody. I'm getting a thumbs up there. I take it that at least one or two people in the audience have done something like that. So it is doable. Yeah, and so one of the things I also wanted to kind of shed light on the scale of the problem. So giving people an idea of in just what we think of
as a pretty medium normal size hospital, you may have around 6,000 unique makes and models of medical devices, digital medical devices on that hospital's network. So when you start to talk about the maintaining of cybersecurity of those medical devices, that is 6,000 unique makes and models that update patches in different ways that you have to keep track of
if they're patched. I can tell you from working with hospitals, the number that have a grasp on what medical devices are even on their network is just so tiny. That is such a huge struggle in the space right now is hospitals, they don't know what medical devices they have. They don't know what's on their network from a medical device perspective.
The ones that are more mature that I've worked with that have gone through that exercise, what they've found was the medical devices actually represented about 15 to 20 percent of the endpoints on that hospital's network. That's a really big percentage of endpoints that you think of all those other hospitals that don't have those maps, that don't know what those 15 to 20 percent of those endpoints are
on their hospital networks. That's pretty scary. The scale of the problem is huge. We don't know what's on the networks. There's such a unique amount of just makes and models that even if you do have a grasp on it, keeping those things up to date with the patches is just a full-time job for dozens of people. To Beau's point, they don't have full-time
dozens of people just to run around and patch medical device cybersecurity. The other piece of it is just the legacy issue. Medical devices are actually designed really well. For a medical device to perform its clinical function for 15, 20 years is not uncommon. We all know there's literally no digital components we could have put in that
that 15 or 20 years later is still secure. You can't keep patching it. At some point, it can't run the latest and greatest of anything. You have a lot of these hospitals really struggling with this problem if they have these legacy medical devices that still perform their clinical function but they represent a really high cybersecurity risk to their network. How do they decide
to let go of something that's still working? Medical devices are not cheap. When you think of, again, a medium-sized hospital, one of the ones I worked with had about 1200 infusion pumps. That's not even that big of a hospital. 1200 infusion pumps. You go to replace that, that is millions of dollars to replace devices that are actually performing
their clinical function just fine. So where do you find the budget to do that when those devices are working? What is that bar of cybersecurity risk where you have to make that decision to end of life that medical device? A lot of hospitals are really struggling with that right now. I just want to take that problem, combine it with the problem
that Josh mentioned on the video where we may have actual degradations of patient care here and turn the thinking a little bit from going, from admiring the problem to understanding how this might be an opportunity to actually do something about it. And I think one of the things that is very exciting for me, bad jokes on my part aside, are having people who are knowledgeable about these issues from the hacker community
in a position to where they can actually influence indirect policy at a number of really awesome agencies that are doing some incredible work. And Christian's not going to say this, so I will, he's doing an operational role. He's a medical director of security at a hospital. So there are hospitals who don't look at this as something that they don't want to address, but actively invite and engage people
to help them solve it. I mean, there may be a situation in the future and we can talk about the potential policy aspects here where, you know, there's a recovery and a stimulus and maybe this is something that we should address and put resources towards to help these hospitals that don't have them. I mean, I commonly think about this as a problem analogous to clinical medical disease, right?
It's much easier to prevent a problem or to manage it chronically before it becomes an acute issue spiraling out of control. And so I think figuring out ways for us to turn towards those types of solutions is really interesting in this particular moment. All right, we're going to play a little game. All right, raise your hand if you think that if a hospital loses your medical records,
they should be fined a lot of money. That's okay. All right, keep... All right, keep your hands up if you think that that's going to make healthcare cheaper for you. All right, keep your hand up if you think healthcare is cheap. Tell me if you think
it's going to get cheaper in the next 20 years. We have a... Oh, I hope so. I really hope so. And maybe so. You should... I need to talk to you because you have the solution and I don't know what to do. So we get these hospitals,
we've talked about how hard the problem is, how they don't have the people to help them, how they're up to their necks in vulnerable legacy medical devices and infrastructure that's very fragile. They get owned and they have a big breach and they have to pay millions of dollars in fines and then it's going to
probably increase healthcare costs across. And you know, Beau talked about the trade-offs that hospitals have to make if they pay a big fine. How much money are they going to have left over to fix the frickin' vulns that got owned to start, right? It's a really hard problem but we have to hold people accountable
and organizations accountable for this and we're in a real hard spot. You know, there are cyber... I'm sorry. I'll drink a whole case of Red Bull later. I'm frickin' sorry about this. All right. But there are cyber haves and have-nots in healthcare. There are hospitals that have marble floors and palm trees in the waiting room. Right? Those exist. And they're doing a lot better. And then there are rural hospitals
and critical access hospitals that bleed millions of dollars every year and are the only ones taking care of patients for 500 miles. And if that hospital didn't exist, people would die. They're the ones with shared credentials. It's still running Windows 7. They're the ones that can't afford new infusion pumps. And we want to fine them a lot.
So I'm not saying let's pity these hospitals but we got to figure out well how do we fix this problem? And I want to just have a hand up. Would you as a taxpayer be willing to pay to have healthcare more secure? Raise your hand. Would you be willing to spend taxpayer? Oh my. Don't take a picture because it's against the rules. But this is the sentiment, right?
It's a shared thing. The pandemic has reminded us that we all share this ecosystem of healthcare. It's really fragile and it's unacceptable that it maintains in this state. And what we really need to do is raise the entire ecosystem's security resilience. I'm going to just quickly say
I worked in the ER on a Monday. And if you work in the ER you know that Monday is the worst day to work. They're always the busiest. I was on a Monday and the waiting room was blowing up. Wait times were skyrocketing. Patients were staying in the hospital for two or three days in the emergency department sometimes two or three days waiting for beds upstairs. What happened?
It wasn't even us that got hit with ransomware. It was a hospital system in the same town as us. Right? It's an ecosystem of care and that if we don't build up the resilience of the entire ecosystem guess what's going to happen to the ambulance transport time if you have a stroke or a heart attack and you have to go and bypass those five other hospitals
that are on diversion because they got hit with ransomware. Guess what? Your time is going to be longer and that's not going to do well for your heart or for your brain. Maybe the difference between whether or not you walk or talk or eat or live or need to have a pacemaker implanted in your body. Sorry for the rant.
I wanted to, oh anyway, reflections of that before I move on to a less depressing topic? No. Raise your hand if you're familiar with software bill of materials. Anyone? All right, rad. I'm going to quit talking because there's this thought about software bill of materials
as a potential mechanism to reduce vulnerabilities or at least identify vulnerabilities and patch them sooner. I'm going to open it up to the panel here. Briefly talk about SBOM and then as well as whether or not it's going to fix all these problems, right? Is this the magic secret sauce? Yeah, so I'll start this. So for those who,
you know, said you're familiar with the SBOM, one of the things everyone in the room might not realize is that I actually credit sort of the healthcare and medical device space with being one of the first industries to actually really rally around this concept. So the NTIA working group that was really building the foundation of what is now becoming a NIST standard based on the NTIA working group work,
that was actually very heavily run by the healthcare industry and so the healthcare industries had several years of working on SBOMs. If you look at that draft pre-market guidance that I mentioned that the FDA put out about two years ago, you'll actually see that that was one of the requirements inside it. They called it a CBOM at the time. They're updating it to be called an SBOM to align with industry terminology.
But this whole concept in SBOM is really polarizing. It's very interesting to talk to people who are just immediately against this thinking like, oh my God, we're just giving a roadmap to all the attackers and I'm one of the people on the side of the fence that actually says this is actually a really good thing, right? The attackers are going to figure out the roadmap. They're going to figure out what's in your device anyway. Instead, let's enable the good guys
to actually have that list of ingredients that's inside of our devices and so for anyone following on the policy side, earlier in May there was an executive order that came out here in the United States around sort of this supply chain transparency and one of the things hidden inside of that was around SBOM and so that's why you start to see that initial NTIA working group
around the SBOM is actually now getting translated into a NIST standard, and so much more of a spotlight has been brought onto this topic of an SBOM since that May executive order. But the healthcare space has actually been really working on this for a number of years, and some of the initial, like, formats around CycloneDX. I'm trying to think
of the other two. I'm totally blanking on the other two formats, but a lot of the work around getting SBOM to actually be operationalized is getting around consistent formatting and consistent nomenclature, and so the healthcare space has been working on that for several years, trying to actually figure out, you know, how do we, one, generate SBOMs in a consistent manner, and then how do you get use out of them, right?
So we've had a lot of hospitals who are actually trying to use SBOMs and their struggle on both sides of it, and so I would encourage anyone who's interested: the NTIA working group actually put out a report around how we tried to use SBOMs in the medical device space, how hospitals tried to leverage them, and a lot of the struggles, basically, that are still in the works
of trying to tackle, like, how do we make this really impactful in the healthcare space. And to Bo's point earlier, anyone in this audience who is interested in that topic, absolutely get involved. Those working groups are open; you can reach out and join any of them. We absolutely need as many security people as we can working on these topics. Any of the guidance around cybersecurity
for medical devices, I would encourage anyone in this audience to join them. We need those guidances. I will say I have sat on a number of those working groups around any kind of regulation, guidance document, technical frameworks that come out for the medical device security space, and they're so influential in the space, but I can tell you a lot of the working groups really lack
subject matter expertise. There's a lot of people who write standards as their day job, and I love them, gotta have people who love writing standards, but what we're lacking in a lot of those working groups is the security expertise. And it's not sexy work. You will sit on phone calls where you listen to people argue about where commas should be
for literal hours, not joking, and it is incredibly painful. But at the end of the day, when those regulations come out, they need cybersecurity expertise to make sure that those are actually impactful. So same thing with those working groups at NTIA: we need more security people. So anyone in this audience, if you want to make an impact, one of the biggest ways you can do it, if you're not willing to sort of
change jobs and change your salary, join those working groups. Be a subject matter expert on any med device security working group. If you're not sure which ones to join, absolutely reach out to me; I can send you a list of stuff. But please be on those working groups and lend your security voice. For those who aren't
familiar with SBOMs, software bill of materials, the idea is, gross oversimplification, but it's like an ingredients list on your food, right? What's in the thing that you're using. And Dr. Marie Moe, who is herself a pacemaker patient, sometimes says that she can know
the ingredients that go into the candy bar she's eating, but she can't know the ingredients that go into the pacemaker that keeps her alive. And in another very oversimplified example, if you look at two extremes, and, you know, software bill of materials
is not either of these extremes, but two extremes: one where manufacturers have no idea what goes into the products that they make and sell you, and one where they have full visibility into what goes into the products that they make and sell you. Which one would you rather be at? Anybody? Anybody want manufacturers to have no idea? Raise your hand. Christian does.
He's in that camp. That's cool. But in some of the last few years, when hospitals have started asking medical device makers to provide a software bill of materials, it causes medical device makers to have to figure out what's actually in their software, what's in their hardware.
And they said when they looked into it, it scared the hell out of them, and they issued updates, not because there was a new vulnerability announced, but because they found out that there were very old vulnerabilities that were causing undue risk. So the act of asking to reveal what's in your software, what's in your hardware,
can have a catalytic reaction, even if, to your point, even if the hospitals themselves don't know how to use it. The act of asking can create that. And in financial services organizations they've been doing this for a while. One of the people who participated in some of the NTIA conversations
said that they were at a large bank, and they asked for a software bill of materials, and if the manufacturer of that software couldn't tell them what's in their software, then they asked them for a 20% discount, because they knew that they were going to have to layer on extra security on top of whatever they bought, because they
couldn't account for what was actually there. So there's many, many uses for a software bill of materials, whether you keep that internal to the organization that's developing the software or whether that's something that's requested and passed on through the supply chain. Just to add on to that a little bit, I mean, as someone who sat on a pharmacological
review board as well as a recombinant DNA review board, we analyze every single ingredient that goes into every single pharmaceutical that is out there. It's tested over and over again. We know exactly where it came from, you know, what modifications it has, things like that. Why wouldn't we want to know what configurable pieces go into medical devices?
Alright, so if you've ever been to do no harm before, you kind of know that we do this for a little bit. We're going to take a couple audience questions for the full panel and then what we're going to do is we're going to break up and each one of the panelists is going to go into a corner or so, you can congregate around them. We'll get to that in just a moment.
I have one last question for the panel before we take open Q&A and that's going to be, I'll first say, who here is invigorated, or sorry, who here is depressed after watching this talk? Raise your hand, it's okay. You guys are already depressed, so you couldn't get
any more depressed. Okay, well if you need antidepressants, Jeffrey at the end can write you a prescription for some. They take a while to kick in so we encourage you to start now. How many of you are not depressed but maybe like invigorated to like try to go and try to help this problem or try to contribute to make things better? Oh, that's amazing. That's
my last question for the panel. Each of us could take an opportunity to say, as the hackers in the audience, what can they do individually besides what we've already talked about, you know, take a pay cut and go work for a hospital. Anything else that you in the audience could do to make this better, you know, sit on standards, et cetera. But
anything else to take away before we open up the Q&A? I'll say talk to your own doctors and nurses and people you interact with as a patient and make sure that they're up to speed on some of these issues. They don't have to be experts but make sure that they are aware of the fact that this is becoming something they should pay attention to. Yeah, so I already mentioned the working groups, so absolutely the
working groups, but beyond that if you work as a vendor that is in the software security solution space, right, so maybe you guys make some widget that is supposed to help with cyber security. Um, think about how that widget may help the healthcare space. There's a lot of general purpose sort of security widgets out there that just
don't work in the healthcare space. Um, either the medical devices are too resource limited, they have interesting operating systems, they cause too much of a delay on the system for things that have real time signal processing. There's a lot of general purpose security widgets out there that literally just do not work in the medical device security space. Um, so they're also very limited in some of the solutions that they can just
generally adopt. So if you worked at one of these tool vendors, maybe bring up the fact that like, hey, what do we do about the medical device space? Is there something we could pivot our software product to do? Um, and then of course obviously just go work for a medical device manufacturer or a healthcare organization. I don't know a single one that does not have open job reqs right now for security people. I mean it's kind of a
conglomeration of the previous ones but ask a lot of questions, um, you know question everything, do your research, visit the villages that are, you know, messing around with your medical devices and your infrastructure and just, um, be that kind of force that's continued to be an advocate for this kind of thing. Yeah, um, there's a lot of good
things that have already been said. I'll say something that's slightly, uh, different which is, uh, states actually hold a lot of power over healthcare. Um, states in a lot of times there's a big focus on federal, um, legislature, on federal public policy but
states also do a lot of public policy and a lot of times they don't get the help and support from, uh, the, the organizations that tend to frequent DC. So wherever you live you have a state government unless you live outside of the United States in which
case you have another type of local government. And oftentimes, you know, you can just call up whoever your local representative is and say, hey, I have a certain skill set. I'd like to offer it to you. Do you have anything that's going on? Or, you know, ask them for a briefing. You'll get 15 minutes and you can go talk about healthcare
security and some of the consequences and some of the other things. And just having those conversations sometimes will lead to, um, them taking some action. Maybe it's writing a letter. Something as simple as writing a letter even from a state legislature can make a big difference in nudging hospital administrators or medical device makers or doctor boards or others into a, a situation where they actually consider security
as a part of whatever they're working on, whatever they're doing. Awesome. I just got one thing to say. I think one of the most important things that happened in this space in the last, you know, 10, 11 years was that hackers out there went out and got
medical devices and started poking at them. And started finding what was wrong with them. And brought that to our attention. Whether or not it be Kevin Fu's group talking about pacemaker AICDs or Barnaby Jack before he died, um, talking about that. Or Jay Radcliffe's infusion pump or Dr. Marie Moe, you know, reverse engineering some crypto
on her own pacemaker. These are the types of things that hackers do really well. And we need more of that. We need more of you out there doing some device research. It's, believe it or not, pretty easy to get a medical device depending on the medical device. You'd be kind of shocked somehow how easy it is. Poke, prod, bring your research to a place
like DEF CON. Teach others around you. Because that action, those hackers that went and did that research and brought it to everyone's attention, they really freaking moved mountains, I'll tell you. Right? The FDA did great things in response to the research. Had their backs as security researchers. And as long as you do it in a safe and responsible way, using things like coordinated vulnerability disclosure, being responsible about that,
knowing that these vulnerabilities can really impact human life, doing that type of research and hacking on things like we do can really make a big difference. And so I would encourage you out there to do it and to do it right and to be responsible with it. But that can help us really change a lot of minds. Oh, yeah. So to add one
thing to that, I mentioned I used to work at the FDA. I worked there for a year on a one-year program. They really want to hear from you. In 2012, 2013, 2010, when some of the initial hackers were doing their research on medical devices, security wasn't as
prominent on their radar. Today they're all bought in. I mean, come on, they hired me to come in and help them. They actively recruit. They're not here this year, of course, but in the past several years, they've been out at the biohacking village going to talk
to hackers, going to talk to medical device makers, making sure that medical device makers know that they expect a certain level. And in fact, one of the things that we pioneered was a website called We Heart Hackers, wehearthackers.org, where the FDA, the director of the FDA came out and said, we want more medical device makers to put
their devices in the hands of hackers so that they can find the bugs before they become harmful. And so if you're researching medical devices, if you have done your diligence to report to a medical device maker, the next step should not be public
disclosure. It should be coordination, if not with the medical device maker, with the FDA. They want to hear from you. And they can pull levers that you can't. They have an amazing suite of capabilities that they can use to figure out what the right thing is,
not for the medical device maker, not for your ability to drop 0-day at Black Hat, but for patients. And that's what this is really about. It's about patients. It's about healthcare. It's about those vulnerable people who really need us. So I just wanted to add that. Awesome. All right. Well, we're going to take some questions for the full panel.
I'm going to ask you the following. If you could come up a little bit closer to the stage. Please do not spew COVID on anybody. Ask a question. I'll repeat it. There might be some questions that are off limits, but I don't really think that's probably going to be a problem here. And then if you want to save your question to an individual panel member, after we take a few questions, we're going to break up.
And then again, I'm going to remind everybody, respect people's COVID precautions. Don't get too close. Wear your mask, especially with our panelists as they're around and the people around you, because we're a community of hackers. We're a family. Last thing we want to do is hurt each other. Okay. Any questions? Okay.
Yeah. So the question was, how do you get software and I'm assuming hardware vendors who come sell a product and leave and never give support or how do you address that issue? Because it's a really huge one. Does that make sense? Did I encapsulate that well?
I think it was about acquisition. Medical device makers that get sold to other medical device makers too, right? So how to deal with shitty vendors.
Yeah. So I guess I'll rephrase it not from shitty, but vendors who are not very
clear about communicating end of support. So one of the things that several manufacturers are trying to do is make it very clear, kind of like Windows, right? When Microsoft releases Windows, they tell you the second that comes out when you're going to stop getting support for that operating system so you can make a decision on what you're going to do with that operating system because you know when support is going to end.
Manufacturers are still very early in that maturity of announcing how long are you going to support this medical device that I'm selling to you. So you do have instances of manufacturers continuing to sell medical devices and you literally have no idea when they're going to end support or end of life that from a security update perspective. So there are some manufacturers who are working on this concept of this end of
support, end of cybersecurity support that when you buy that device, you know. But I would say right now that's still in its infancy of its maturity cycle. So the big ones are aware that that is an issue. They have not solved it yet. You mentioned it earlier, the FDA's post market guidance. The FDA actually set up something new with medical
devices so that security issues can trigger recalls. At the same time, they gave a carrot to manufacturers. They said if you meet certain thresholds, you don't have to do a
recall. A recall in healthcare is a big deal. So if you know about security vulnerability, in a product, you can report that to the medical device maker. Again, if they don't do anything about it, you can talk to the FDA. As long as those devices are out there, that manufacturer has a responsibility to monitor safety, potential safety issues. And
that's what cybersecurity issues are, according to the FDA. So there's a hook there that you can use to get at least awareness and attention. And when one of the researchers, Billy Rios, looked into the security of some infusion pumps, even though the
manufacturer no longer sold the pumps, they were required to issue an update or try and pull them off the market. And so that's what they ended up doing. And that manufacturer actually changed a lot of what they did. And they became, I think it was
them that they became the first manufacturer that went through the U.L. certification for security. They've been at the DEF CON biohacking village device lab every year that we've had it. So the act of causing them to have to pay attention to security changed a lot of the
way that they did business. So I would say use those mechanisms that already exist to go through those types of channels that they pay attention to already. Thank you for that excellent question. If I could kind of distill the question down at the
heart of it is, do we have data to be able to measure or do we have data to compare certain interventions, right? Potentially between countries, for example, have different types of healthcare systems. Do we have very basic measurements of whether or not things
work and whether outcomes are better if they're a more secure health environment, for example? Okay. I'm going to take a stab at this because this is a little bit of a passion of mine. It is amazing to me how little data we have, right? When you drive a car or
when you go and do something of importance, when they make a product, they collect a lot of data. And they make decisions off that data because it matters. In healthcare cybersecurity, again, I swear I'll drink a whole case of Red Bull for you guys. I'll give myself heart palpitations. We have no data. I would love to be able to do a study that
compares, you know, take country A that has a nationalized health system and is quite secure, for example, comparatively to a lot of hospitals that are in the United States. And let's take a measurement of their heart attack victims and say who has better outcomes or who's more resilient to ransomware or what type of interventions in a hospital
or security control mitigations in a hospital actually result in less ransomware attacks. We don't have any of that data. We don't have the sophistication to even begin to ask those questions. We have to build the whole infrastructure. We have to get people to believe this is an actual issue. We have to put in place the sensors and
epidemiology to collect that data, then analyze that data. We've got to train researchers to do this. And what I'm trying to say is unfortunately it's a dismal thing to even think about. All we have right now are anecdotes. We don't even have evidence. We have stories. And Jeff mentioned or not Jeff, Josh mentioned on the video that we are now
starting to collect that data in some cases and publish it. I do think in a silver line to this, right now we don't have the data. I think 2021, 2022 is going to be a banner year for this. I think we're going to finally get some published peer reviewed data out there that says that ransomware attacks hurt people, not just their protected
health information but their actual lives. And that I hope is a catalyst for positive change moving forward. I hope it encourages a lot of other people to want to study this more rigorously because that's what we're going to need if we're really going to move the needle on this. Sorry, anyone else? I'll build a little bit on that. While we don't
have data, we do have some empirical evidence. One of the things that several of us do is we run an event called the cyber med summit. One of the really cool parts of it and one of the things that I think has been eye opening for a lot of people is these clinical
simulations. So just like pilots go into a flight simulator, so the first time they land in 30 knot cross winds and fog is not the first time they've ever experienced that. They experience it in a controlled setting. Doctors do the same thing. And what these two geniuses on the end did is they created clinical simulations that replicate what would
happen if there's a security issue with a medical device, whether it's, you know, ransomware of a lab system, whether it's a pacemaker that's been hacked, whether it's an insulin pump that's been hacked. And based on the evidence that you can gather from how
doctors actually go through in this simulated environment, in this controlled environment, we actually know a lot about what would happen and not just what would happen with the patient but what happens next. Do the doctors say I think that device got hacked or do
they just send it down to biomed to see if it can be updated or reset? Do they blame the clinicians who are in the room with them for, you know, setting the wrong drip rate on the IV, or do they say I want this investigated and we need to do root cause
analysis on what caused this. And I think what we found is that the awareness among physicians is not necessarily there. The awareness among health centers is not necessarily there. Even when it is there, you may not have the data on the device.
You may not have logs. So you may not be able to tell what happened. Even if you have the data, the biomed people might not be able to read it, because it might be in a format they don't understand or in a way that they can't get it off. If they want to send it to the manufacturer, the first thing the manufacturer does is say wipe all the data, we don't
want any patient data on it. So, you know, it's hard to get the evidence but I think that 2021 is going to be a year where we see a drive towards acquiring, reviewing, analyzing, publishing data, statistical information and the types of things that we need to change
doctors' minds because they are scientifically driven. And if it's not in a peer-reviewed journal, it's for them just anecdotes. That's great because they build off education, they build off the data, they build off the data, they build off the data. So it's a great way to do something that is statistically relevant but it also slows down our
ability to change healthcare. Yeah. I'll chime in on this one. So one, I will
talk about this a little bit. One of the most powerful things I've seen is the hospitals
actually literally using cyber security in a purchase decision and literally saying no when it doesn't meet their cyber security bar. So the FDA and the regulatory bodies, they're
raising the bar but at the end of the day if a manufacturer can't sell to you as a hospital, that keeps them up at night. But I also will say a lot of manufacturers are doing better. But the biggest lever you can pull as a hospital is at purchase time, make sure cyber security is part of that purchase decision and if it doesn't meet your cyber
security bar, you have to be willing to not buy that device. And it's hard. It sounds easy in principle. It's not. At the end of the day if the device provides a clinical
function that's better than all of the competitors and security is worse, at the end of the day, patients come first and you have to still buy that device. But there's a lot of competitive devices out there. So if there's another device that serves the same clinical function with similar efficacy, buy the one with better security. I'm going to take it you guys and gals don't really like vendors. Is that a common thing?
But see, this is how you have to help vendors. Go work with them. So I've consulted with them for years. They actually want to do the right thing. They do not have the resources to do the right thing. All right. We're going to go ahead and say I'm sorry,
please hang out here. We're going to get you the right questions, the right people. But I think it's important for us to break up. It wouldn't be a Do No Harm if you couldn't come face to face with a panelist that's going to ask hard questions. All right. Again, to reiterate, find whatever speaker on the panel you want in a corner, ask them a question, mask and distance, and move around. If you see
someone that's particularly swamped, maybe go to the other and then come back. It's going to be a little bit of a give and take. All right. Thank you again, DEF CON, for this. Please give yourself a round of applause. All right. Come talk to us. And I was just going to apologize. I actually have to run. But find me. If you have
questions, I love talking about this topic. Find me on LinkedIn. Stephanie Domas. You can find my name in the program. If you have questions for me, I would love to answer them. But reach out to me online. Sorry.