Emergency & Urgent Care Remains in Critical Condition

Good afternoon and welcome to Besides Las Vegas's I am the Cavalry Track. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Profit and RunZero. It is their support along with our other sponsors, donors, and volunteers that make this event possible. These talks are being streamed live and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If you have a question, there will be an audience microphone set up towards the back of the room. And so if you have questions, please use that microphone so that the YouTube live stream and everyone in the room can hear

you. >> Very good. Um, this panel is so important. There's actually three introductions. So, that helps you understand how important this is. So, I wanted to touch briefly on photography. Each of the members of the panel have agreed to have you take their picture as makes sense for you. Um, so you can take their picture, but you can't take other people's picture if you do not have their permission. So, right now it is my honor to introduce the co-chair of this track, Mr. Josh Corman, who has some profound words of welcome for our panel. Mr. Corman, seems so formal. Um, who was here for the opening yesterday? Okay, so some of you saw a video. We're

going to play a video because neither Dr. Christian Demf or nurse Dena have seen it. Do we not have to play it yet? Um, but I'm if you've been tracking the cavalry since we started 12 years ago, we care about everywhere bits and bites meet flesh and blood, but we have a particular soft spot for healthcare and it was really meeting someone in med school, uh, working with the FDA. Bose's origin story. The overwhelming lion share of the trust that we built with the federal government was with healthcare, medical devices, healthcare technology, delayed degraded care. So, this is always my favorite topic block of them. And we have some people, you know, like Bo, some people you might

have seen in previous years like Christian. And we went from the idea of could cyber disrupt patient care, loss of human life, and now we've got legions of peer-reviewed studies talking about the impact of delayed durated care. So, we're really happy to have not only did Christian help found Cyber Med Summit as an 501c3 to pull together clinical technicians and nurses and doctors and medical stakeholders to meet them on their turf, learn their love language, find out common cause and common purpose. But that has kind of become the blueprint for what we're now doing with Undisruptible for water engineers and power. And you know, we had to build those muscles and trust. So, this is my

favorite topic each year. I'm really happy to do so. And then last year we have a brand new teammate from the medical world, Dena. And I can't wait to have each of you meet her. And she's a sponge learning this stuff, but like what does it look like to a non-cyber, nonIT person when we fail or when we have disruptions? So please a warm welcome to these folks. We'll play a video and I'll get the hell out of the way. So everyone, all right, two-minute video. Picture a hospital. Picture your hospital. When was the last time you were there? Was it to welcome a baby into the world or to say goodbye to a loved one? No one wants

to need a hospital, but when we do, we depend on timely access to care when and where we need it. Irrespective of cause, delayed and degraded care for time-sensitive conditions can affect worsened outcomes and even loss of life. A 5-minute longer ambulance ride has a significant impact on 30-day mortality rates. Time is brain where even an hour or few could determine if you walk again, if you talk again, if you even survive. Now, picture your hospital. What if that hospital was not available to you? If your hospital was disrupted, where would you go instead? Is it across town, more than an hour away? What if they are also down? The chance is not as remote as you'd hope. Hospitals have

become a top target of ransomware, cyber attacks that technologies in the vital path of care delivery. Worse, your hospital doesn't even need to be the one attacked to endanger you or your family. [music] We've seen a 10-fold decrease in favorable outcomes for heart patients merely due to excess strains of a ransomware affected region. Now, back to your hospital, back to your family. You and your family deserve better. If we want timely access to patient care and more resilience in the face of accidents and adversaries, we're going to need to advocate for ourselves. Now, as we head into an era of hybrid conflict with threats to water and power, these disruptions stand to get a lot worse. But we'll talk about that in

another video.

As Josh mentioned, this has been a topic um a staple if you will of the conversation. And I bet many of you folks have been raise your hand if you've been to this event previously. All right, keep your hand up if you're bored of uh healthcare cyber. This person in the back. Uh I'm gonna take another little audience poll here. Raise your hand if you feel like we've made significant progress since the last time you were here uh in healthcare cyber. Uh raise your hand if you feel like we've really made big advancements in ransomware in hospitals or medical device cyber security. Raise your hand. And that kind of sucks. I don't think this uh what we're going

to talk about is intended to be a bummer. It often is because we're talking about some pretty serious things. And I loved that video and it talked about how no one wants to meet a hospital but we all most of us are going to and when we do uh we're going to hope that it is operating at its highest efficiency and then every doctor and nurse and technician in that place uh ate their wedies for breakfast that day because it's going to be us or our loved ones. And what a dystopian nightmare we all live in now that we have to have these conversations about whether or not the basic technology that enables all this care uh might not be available for

you because of something like a ransomware attack. So we hope to do here in the next couple hours is give three varying perspectives slices of this um and bring some alternate perspectives into the conversation to try to convince folks that haven't been familiar with this previously that this is a deal. this is an issue you should care about. Two, empower you to do something about it. And then three, start thinking about this from a little bit of a broader lens. Much of the amazing content that we've had in this uh track the last day and a half has been discussions about national security, international security um things with increasingly sophisticated adversaries and discussing this as more of a strategic or larger go

a larger kind of picture is I think something that's really prudent for us to talk about there at the end. So each of us are going to take uh a little bit of time to give our individual perspectives and then we're going to be able to open it up to some questions at the end and hopefully engage you all in a dialogue because I think one of the best things about Bides is you guys aren't passive receptors of this information. You're really supposed to be active participants and collaborators and if we had it figured out we were just here to present it to you. Um I mean we we have mansions and we would be like

on jets and stuff. No one's got it figured out. uh and you might be the person that has that revolutionary idea and you being here in this talk and listening to this and then collaborating and working on this problem might be um the thing that cracks it or moves it or saves a patient's life eventually. So, we hope to empower you with that uh kind of voice at the end. You know, we talk about some pretty heavy stuff. I don't think we need like official trigger warnings or anything like that. Um but I do think that this can be, you know, sensitive information. talking about uh scary scenarios and patients and if that if you are sensitive to that uh just

consider that I don't personally have any materials at the end I'll have a little bit of a powerpoint presentation I don't have any videos or or images that might be disturbing this year this year sorry about last year uh but so I think that's it for our trigger warnings and kind of the introduction um anything else you guys want to add before you kick it off Bo >> let's do it >> all right so um my name is Bo Woods Uh I started my career working in a hospital. Anybody here work in a hospital now? Worked in a hospital. Uh worked in a hospital on the IT infosex side. A few people. Cool. So there are going to be some people in

here who laugh when the rest of you don't or who cry when the rest of you don't. Um but in I think I was at the hospital for almost three years to the week. Um and I saw a lot of stuff a lot of stuff happening on that that network. Uh over at some of the other big conferences they like to say it's the world's most hostile network. Well they are right. It is extremely hostile over there. But not too far behind that is hospital biomedical networks because you have all flavor types of devices, all types of generations and you have a lot of malicious software that just bounces around the network there. You know, network worms that you

haven't seen on uh in places for a decade or more. They still exist. They still live in these isolated environments like a a a niche um isolated environment where you find like um crypto animals like things that that uh time forgot, right? Um you can still find probably like SQL slammer worms which was back in 2003 I think. you can still find some of those old things running around some of these networks uh just because of the nature of health care in hospitals. Like I said, you've got all these systems of different generations that are there. Uh and a lot of times, you know, in a hospital, I would be working on troubleshooting things that weren't even uh malicious

probably. And so when in the cover, we talk about accidents and adversaries. Uh malicious intent is not a prerequisite for harm. I remember one case where we had um all of the medical devices of one class. I think it was a an infusion pump would flash every 15 minutes like clockwork. And so it was it was really really scary because these are in every hospital room pretty much. And we traced it down to there was this network packet that one of our IT systems would send out polling every device in the hospital to see if it was up to get a telemetry readout to get just other basic IT information. It was it was like a proprietary version of

SNMP if you're familiar with that protocol. And these medical devices didn't like that. So they would they would bounce. Uh so we disabled that packet being sent every 15 minutes. Uh but you deal with a lot of things like that. Um who here thinks uh strong passwords, multiffactor authentication is generally a really good practice to have other things being equal. All right, pretty much everybody who thinks that if you can't do that, you should probably at least just have strong unique passwords. Everybody has their own credential to log into a system. Yeah, pretty much everybody. Who here thinks at a minimum you should have shared passwords that everyone knows? One person. [laughter] Who here thinks that uh that's probably

a bad idea? Um well, I'll tell you how I found out that that was a bad idea and it might be different than what you expected. So, um, for certain types of systems, uh, we had a setup where the computers themselves had no passwords on them. So, anybody could walk up and they have instant access to desktop. Uh, I saw that as a pretty big problem. And so, I went to my boss at the time and I was like, "Boss, we got this security thing over here. We should probably do a thing." Uh, and she said, "Okay, well, talk me through it." And so we talked through it for a little bit, said, "All right, I tell you what. Uh,

come back with me on Saturday night. We'll go into the ED and we'll just sit and and look at how these computers get used so we know that there's nothing in the way. You know, when you put passwords in front of things, you could put something in the way." So sure enough, I went looked and after about an hour or two of sitting there and watching, seeing, you know, every 15 minutes, you'd probably have six to seven people come and touch every single PC. And if they had to individually log out, log back in every time to that, how much time would be lost? And this is the emergency department. You've got people coming in with critical cases where, you

know, seconds can save lives. And certainly the cumulative effect of minutes of extra login time between these things with the system having to log out, come back up, oh, somebody forgot their password, they got to call the help desk, 15 minutes for a password reset. >> It's true. >> That's a pretty big deal. So after that, um, I no longer ask whether we should put passwords on things anymore like that and have, you know, strong multiffactor. Multiffactor didn't really exist 20 years ago, but like those are the types of things that you deal with in hospitals and in healthcare environments that are unique and different from other environments that you might deal with. Um I also remember

going in and uh we had a a push an initiative that all the systems across the hospital should have antivirus on it. Good idea, right? It's a uh at least a minimal protection against known bad software that will stop something when it pops up there. Uh but we had all these medical device vendors who would come in and but they're all special and they know how to make medical devices really really well and sure they're on the top of their game and security but security isn't really important because it's safety that you care about. She said all right well how does it react if you put antivirus software on there? They're like well it's not really

approved. We don't want to go through FDA clearance again for that. By the way, that's a red herring. The FDA never says you have to go through clearance if you put uh antivirus on it or or send patches. Um but a lot of medical device makers uh don't know that. They're getting a lot better though. Uh so anyways, we went and we worked with the vendor. We did a site demo. They came out. They said, "All right, you know, here's the workstation that will control this device that sits bedside with a patient, and this is going to be the remote piece of that. You can put antivirus on this remote piece of it, and let's see what happens." So, we

installed, you know, semantic or whatever our our antivirus duour was. Um, and instantly their clinical app crashed. No warning screen, nothing. It just fell to the ground like, "All right, what's happening? Let's try it again. let's, you know, let's reboot the computer, bring it back up, start it up, see what happens. Sure enough, the same thing happened. So, went back and looked through the logs. Um when we had enabled antivirus, we didn't realize it, but their software was using uh obfiscation techniques that malware uses to hide itself uh from the operating system um in order to I don't know protect their intellectual property from people being able to see it or whatever. I don't know

why they were doing this, but the antivirus would detect that and kill the software, just stop it from running and, you know, quarantine it, put it in this uh safe space. Uh and so we learned that, you know, you just can't put any virus on those types of systems unless you can control it and make sure it's not going to accidentally uh kill the clinical software that's running to help patients. So again, an eye-opening moment. Um and then when I said, you know, hey, we've got uh the opportunity here to do some other things where we could put, you know, maybe um allow listing software that only known good apps can run on the the system. Uh my boss said,

"All right, cool. Create this, you know, business justification for this." Like, "All right, cool." I went went away, put together a one-page document. Um, after a few iterations, uh, it was non-technical enough that we could take it to the the business leadership team. Um, and, uh, the price tag on it was like $250,000. I'm like, you know, this is I went and I negotiated with the vendor. We got it down to the cheapest thing it could possibly be. This is the least expensive product on the market. Said, "All right, well, what I don't see in here is what's the trade-off for $250,000, we can get two to four more nurses. We can get another physician in

here. which is gonna deliver better health care? It's like a So I had to, you know, crumple up that that piece of paper and throw it away because I knew the answer to that. So those are the types of challenges that people in healthcare it face every single day. For me, the most profound one that I experienced, and this is where Josh and I bonded uh day one of I Am the Cavalry, right after he had launched um he and I were both in this speaker room upstairs here uh talking about different things. Um and I told a story about literally my first day working security in a hospital was uh we had a a network worm that was

going around. It was Zotto if anybody remembers back I think it was 2007 2008 something like that was this malicious software written by uh I think it was a Libyan and a Turkish guy and they were trying to steal banking credentials right so like this is supposed to go out and like hit grandma's PC steal her banking password and then they're going to go drain the accounts um they were using IRC is command and control. So like it wasn't super sophisticated even for back in the time. Um but it was going around our hospital and knocking systems offline left and right. Um we managed to get it under control on a lot of the systems

that we had. Uh we sent out patches. I think we patched a couple hundred servers within a day uh to update it um to to avoid this type of thing. Uh, and we're like, "All right, we're good. We're good. We're back up and running." Um, the next day I came in and I had a couple of messages. So, I called up the the department. It was the natal intensive care unit. I said, "Hey, you know, you left me a message uh calling you back. What's going on?" They said, "Well, you know, we we know you're not uh working on medical devices. We've got the whole biomed department that does that, but they can't really help us with

this problem with one of our devices." Um, so we thought we'd call you. What happens is about once an hour, uh, this system randomly shuts down and then when it comes back up, there's a Windows screen on it. We didn't know it was running Windows. It's just one of our medical devices. It's the the fetal heart monitor, the thing that is making sure uh for those for those babies that we know what's going on with them. And uh you know if you if you don't know um those devices are a massive force multiplier in hospitals. They allow many more patients to be taken care of by many fewer nurses, physicians and others. So when those are down there is a um huge

resource drain on the people in that department. There is also a consistency of care issue because if you've got to then attend to more patients than you're used to, you've got to move a lot faster. When you move faster, when you're higher stress, you'll make more mist more mistakes. And computing technology, they just do that reliably repeatably, right? It's why we use computers. It's why we use these devices is because we have clinical studies that say they're safe and effective for use that they can outperform uh just nursing staff and physician staff alone when they work together with them. So they were like this is a this is a big problem for us. Said all right

well you know let me see what I can do. Um so I went up there checked it out. Sure enough you know they were computers running the same operating system. I don't remember it was like Windows 2000 or something. Um that had this same vulnerability and it was a medical device. So first thing I did is I called up a medical device manufacturer said hey you guys have you know this problem can you uh you know do something about it? They said well it's a medical device so we can't add patches to stop the malicious software from running on it like that. What are you crazy? You want to like fix a computer? you want to fix

a medical device that that's uh being attacked by adversaries. No, no, no. We'd have to go through a whole FDA cycle. And again, not true. But that was the line that they were sticking to that. All right. Well, you know, is it okay for me to add the patches? Said, "No, you'd be out of your warranty. Are you crazy? Why would you want to, you know, put well- tested, reliable software on something in order to keep out the known malicious software?" Like, that's crazy talk. Don't do that. So, I said, 'Well, all right, that's that's not really how I'm wired. I'm I'm wired like a hacker. Uh I'm I see a problem. I'm going to go fix the problem

and if there's something in the way, we'll look at the trade-offs. We'll worry about those. We'll make a business decision or, you know, some kind of a good risk decision based on that and then we'll take action. So that's exactly what I did is again I wrote this business justification having learned a lot of lessons from the first time I tried this brought it to my boss. We took it up to the the CEO of the hospital asked a couple of questions like wait so you're telling me that we have a problem right now that may have an impact to patient um patient safety. Yep. That's right. and what you're proposing might void our warranty, but our warranty is

already void anyways because the devices don't work. He's like, "Yep, that's right." He's like, "Well, this is a no-brainer." Signed off on it. We had all our permission. And so I used uh metas-ploit framework to hack these medical devices um to then install the patch, kill the malicious software, and reboot the box, get it back up and running. Called, checked in with the the NICU, the natal intensive care unit. They said, "Yep, those systems are all up. If we have any other issues, like we'll let you know about it." But, uh, the one of the reasons that Josh and I connected is I said, you know, I've been in infosc for 10 plus years at that

point. And that was probably the day that I had the most profound impact on people's lives is being able to help get those systems back online so that the people who take care of other people, some of the most vulnerable patients in the entire hospital could keep doing their jobs. And so uh that for me was a very formative moment in my in my infosc career and also something that has made me extremely passionate about medical device security about hospital security about security of these other lifeline systems that we depend on like water like power like aviation uh like other things. So um that's that's my set of storytelling and I'll uh hand the baton over to Dena who

will like pick up from there. Um, I just want to say I just want to say thank you [applause]

>> here. Should I come this way? >> Sure. >> Because I have to get my my braille uh computer. Yeah, my little notes. So anyway, let me um I just want to thank you so much for caring that I feel like um our IT people try but like to to be a force and continue the battle all the way up to the CEO because they don't care. And I feel like um I think I'm the thorn among amongst the roses right now cuz I feel like uh I'm a science major, but I'm like knocked out by how smart everyone is and how much I'm learning. So um let me log on here real quick. And uh sorry about

this. >> She does have a password on her computer, by the way. Much more secure than some places. >> Uh no, I don't share my password. Um, [laughter] at least I'm that far. Though Christian lectured le lectured me very kindly and said, "Dina, get a VPN." So, I will do that. So, I'm Dina Carile. I'm a critical care registered nurse. Um, I'm the president of a union. Uh, my story is we represent two different hospitals. And the first one is how I met Josh. Uh we were introduced by a uh reporter who was investigating uh 140 hospitals going down and one of them was who I represented. I represent two groups over at Ascension which is

now Henry Ford Rochester. Uh I have a large group of registered nurses and a group of radiology technologists uh at McLaren McComem which is about 13 hospitals in their system. They may have lost one uh that I have a group of the biggest group of nurses and a group of service group folks. The service group people are your phabotamists, the sitters who sit with you when you're not safe to be alone. um the people who register when you come in the hospital. So that's the kind of people we represent. It's all healthcare. Um my local stands for safe staffing pure and simple. That's that's like our hill to die on every day. In 2004, uh McLaren Mcome went on strike uh

indefinite strike. We were out for six weeks. It was very painful, but we took a less percent of money and we got a safe staffing matrix at that house. And I'm very, very proud of that. However, from 2004 to now, there's a lot lost in translation. Three years ago, I put some pretty big teeth in the last contract. I put a big penalty if they violated the safe staffing matrix. They violate it daily. Never in my wildest dreams did I think they would pay later instead of staffing upfront. So I guess I'm trying to paint a picture of where healthc care really is. Our sister hospital at Ascension/Henry Ford has no safe staffing matrix and we are fighting very

desperately for that. Um, in June and July this year, both houses went out within 30 days on strike. Again, fighting for safe staffing. Uh, one needs a matrix. The other I'm trying to um tighten down. Christian and I were discussing like how EDs are so severely understaffed. So severely. Um, so um, and it's never about money. It's about safe staffing and protecting our patients. Um, we survived CO. One hospital at McLaren where I work was hit very, very badly with CO patients. We had a refrigerator truck out back that was a morg. So, I want to tell you, I've never seen that much death in my life, and I pray I never do again. So imagine health care workers surprise

when a cyber attack took us to our knees again. You just don't see this coming. I mean I'm just now learning the things at such a basic level from all my new friends and like what a warm group of smart people you are. So thank you for helping me on this journey of learning what I need to do because it's taught me a lot. Uh the bigger hospital lost 200 RNs postcoid. Our ascension hospital lost about 100. Um and the service group lost about 100 folks also. Make no mistake there is not a nursing shortage. There is a shortage of nurses who want to work in these environments. It's not safe. So, I thank God for the

people who are fighting to make this safer for everyone. And you don't see it coming. We didn't see this coming that a cyber attack would us the way it did. So, you've all heard of an electronic medical record system, right? We have become very reliant upon it. I've been an RN since 1996. So back in those days we were chiseling away on paper are our charting. I'm aware of what to do. I know my dosages in a different way than these smart young people who are coming up. But let me say when this occurred the first one was I want to say let me see get my dates again. May 8th for Ascension and August 5th for McLaren within months

of each other. So we have new baby doctors and nurses who are coming in and have never written on paper before. We have hospital systems who have uh paper charting that's stuffed in like little areas where we don't even know where it is. Uh, the Ascension Hospital, now Henry Ford, had a little bit better of a system that did not go down very frequently. McLaren, it stinks. It goes down like for a few hours once a month. Every time I think they reboot the system or upgrade the system, right, it like the next morning it's like chaos. We can't log in. So, patient care is delayed. those EMARs not being available to us as clinicians, these people came in, you

would be shocked at the amount of people who don't know what medication they take. You would be stunned. And you men are the worst. So, y'all better y'all better learn what you're taking cuz your women it's always like when I do a preop day, well, my wife knows all my medicine. That's you know, that could be a deadly mistake someday. So be on your best behavior. So we go forward. I've got young doctors who are used to clicking and I say this with great love, Christian. I that who are used to like we're all used to clicking boxes in the computer for our orders to to get things done to get patients different places. There's no

box clicking. These people had never written out prescriptions. you know, we do like uh the prescriptions go straight to the pharmacies. Now, this is a huge problem. So, now they're writing prescriptions. Um we were I was discussing this with my executive board. What was the worst thing that happened to you when when we were down? She said, "I had a doctor write Tylenol and like walk away like no dosage, no route, no nothing." You know, these things are important and can be life-threatening. So, you know, we were really helping our young people and our young nurses who had never charted on paper were were just as new. You know, they didn't know. So, then the hospital

has no preparedness, no communication. During COVID, we had a different chief nursing officer and a different vice president of HR. Every three hours, they pulled me out of my job. I was helping them make decisions on what we were going to do as staff in the hospital. This was a far different animal, different CNO, different VP of HR. They didn't care. They didn't want to include us. The nurses are I'm telling you, there's 50,000 nurses in Michigan who are not working, who have a license because they can't take the stress of doing this anymore. They can't do it. we can't not take the best care that's possible of our patients. So to go forward from that, um

the EMAR, it provides us with allergies, what medicine you're on, what surgeries you've had, your medical history, um lab work, diagnostic testing, um that system that was a great safety net for us since it's come on board like really decimated us when when we lost it. So, we didn't know what your lab work was. And let's talk about our phabbotomist who are trying to care for you and draw your blood. It was so timeconuming. We had patients going into surgery with no lab results. >> People who are on different medications, we need to know their lab values. If you're going in for a patient uh a surgery and we think that you might be losing a lot of blood, that's

invaluable. we need to know that before you um go into surgery. But I'll tell you what, we work for corporation. They didn't care. And as all my friends here have said continually, I loved Joshua's mant man mantra. No one's coming to save us. We all better rise up. And that's that's what my union is doing. So, um, let's see.

At one hospital, a preup nurse had to call every single floor to find the patient. We didn't even know where patients were. It was really, it was really dark. Um, and I believe that due to the lack of a computer system in place during this time, there were errors. I think there were people who had very legitimate bad outcomes. And I think it's going to be easy to just brush it under the rug because there's no clear record of it. And that is so disturbing. Um, medication administration. This is very frightening. There's a a machine that is in our med and it's either called a Pixus or Omnisell. Everybody may have a different type of

machine that they go into. My my fingerprint gets me in. We were overriding every medication and just taking it out. There was no second checks with pharmacy. There was no check second checks through from the pharmacy system that went into the omnicell or Pixus whatever anyone's using to get to stop a hard stop for any medication that could be wrong. Um we had to be the ones to catch any errors. Um we found discrepancy from doctor's orders. Um, we were used to pharmacy like being that second hard stop. Hospitals began asking the patients to bring in their actual prescription bottles, to bring in their own lab work printed, um, printed scripts for testing. Um, and as Bo

referenced, the the connection between our computers and all our devices. Um, we've talked about before how certain IV pumps can can like deliver a lethal dose of medication if we're not careful. So, I mean, kudos to our our IT friends who are there for us. Um, the McLaren site is a level two trauma center. We continued through all that, taking in patients from all over. They're kind of like um a little hub and everyone would deliver all their patients to us. So, we're already overburdened there. The underst staffing was horrific and we're still taking in critical patients from other facilities. I this just can't happen. And what is that? That's profits over patients without question. Um and and as we've

all said with those delays in care due to us searching for medication, verifying trying to find lab work, what what was the outcome? I think Christian was going to reference this later. What are the out or possibly do a study on it? I think you said, but like what are the outcomes for these folks who were sent elsewhere? And so I was I was jamming on Christian on some YouTube and he he did a study that really caught my eye that it it showed the um spike in surrounding hospitals. So if my hospital was down and we sent it to another hospital, that hospital can be overwhelmed. As as I love that little video, Josh, well done.

um that time is brain as in even with cardiac things, minutes make a difference in your outcome, whether you're going to speak again, be able to swallow, all of these things. And when you're diverting people and we're not ready and we're still not ready, um my key thing that is my biggest thing and closest to my heart is safe staffing. So every type of nursing has a a different uh person who or a association critical care associations for uh the ICU. It's like one one two hospitals violate these things daily and you don't know it when you're a patient and every one of you some at some point in time you're going to be a patient or you're

going to be a family member there with a patient and to see these things is heartbreaking. So this is staffing ratios save lives. They do so many good things. Um, and as I said, hospitals violate these ratios daily and they don't even flinch. They're not even afraid to pay the penalties. They don't blink an eye over that. Um, some nurses in the med surge areas can have up to 8 to 12 patients. It's not possible to care for that many people. Not on your best day, not on your best game. So, I think people need to realize what's actually going on within hospitals. Um, I want to add that staffing ratios reduce mortality rates, shorten hospital stays, improve patient

satisfaction, patients have fewer adverse uh situations, falls, things like that. Simple things that we need to take care of. uh faster detection of patient uh deterioration, reduce medication errors, um financial benefits, it's cost effective, um it decreases readmissions. Um how did my little local fight? We had a generous cyber journalist presence that brought our story forward. Um our demands were as follows. uh because we had little interaction with our administration at both hospitals, we asked for unit shift huddles um to be able to have some communication over safety issues, what they were doing, what we could improve upon and none of that was occurring. Secondly, we asked the hospitals to conduct regular training sessions. I

have begged for this for the past year plus. It's not happening. So, this new wave of baby nurses and baby doctors still aren't learning those things that that are imperative for our patient safety. Um, third, weekly progress reports to update staff on the status of efforts to resolve the cyber hack incident and restore access to the EMAR, address any safety concerns, staffing issues. Number four, patient ratios. We chose uh one to four for the bigger units and we kept the critical care units at what they were 1 one for ICU, one to two, that kind of thing. Step down is 1:3. Um we tried to fight for reduction of elective surgeries and transfers in. It

didn't happen. They they kept doing elective surgeries like it was no big deal. And it was patient safety was completely depleted. And like I said, the biggest example, people coming in with no lab work. Um I'm just touching on what can happen with underst staffing. We all desperately need legislation. My local spent the last year there was um some legislation that was going forward for safe staffing. I know you all have been trying to get something through with cyber security. These things are imperative because no one is accountable. Um these are people lives whose lives are at stake. Um I want you to consider what this can do to communities that have multiple hospitals. Um our friend Dr. Dr. Damoth

states that these cyber attacks can cause our neighboring hospitals to be seriously overburdened. And thank you for that research. That was awesome. Um, so today what I'm doing I I brought we're trying to get contract language and it's appendix C, our cyber security contract language to fight for this to be in there. So, if this occurs again, we h I have something to stand on top of. I mean, and we're one of the only um unions who had pandemic language. The women that I started out with in the in the union were thoughtful enough to throw in one line and it saved me. So, you people think, "Oh, it's not going to happen again." At Ascension, there's a large uh

plaza right next to it. And the vice president of that, who's under me, had gone in there either for food or for a doctor appointment. There's a lot of little uh offices in there. And she said it was week two of five weeks. She said people already thought it was over. Oh, it's over. Right. It's I feel like we're kind of a fast food society. We take in what the initial input from the media is and then it gets forgotten. And I think people aren't aware of that. Um, downtime paperwork's not has not even been redone. It was so outdated. Um, I was I was talking with Christian about it's it's got like drugs that aren't

even used anymore on it and wrong dosages. Um, I love that the Josh Corman's and Christian Damoths and Bose are fighting for legislature and bringing this all to light because it's a dirty secret the hospital holds on to. But I have a big suspicion that if faced with a big fine for not being prepared or doing the right thing uh are training the healthare workers doing their due diligence with making our computer system safe for the healthare workers and most of our patients. I believe they will roll the dice and wait and see if another disaster strikes. There is no accountability. Um we never give up. There's no one riding in on a white horse to save us. That's why as a union,

we band together. We're fighting for legislation to keep our patients state safe. Um, and it's a good fight. I'm all in it. And with my over a thousand healthcare workers, I'm going to fight until we figure this out. I want to thank you so much for listening. And thank you. I'm honored to be here. >> [applause]

>> Good job. That's a that's [clears throat] a lot of brave things to say and a story that um yeah, as difficult as it is to hear secondhand, imagine living it for five weeks. >> Showing up every day and working a 12-h hour shift and being faced with all of those struggles of taking care of those patients, knowing that even on your best day, it's still risky to take care of patients. And then to have all of that completely taken away from you and having to navigate all that danger and all that peril and all that risk uh now leveled up by 20 just because of how bad these attacks were. >> Um it is uh that's a heavy thing. Um

I don't know if it's going to get much lighter, folks. So if anyone needs to start drinking just kidding, I'm a doctor. You're not supposed to do that. Um, we're going to kind of continue a little bit with this, but I think in some ways shift gears to what we've had is what it's like to operate on the technology side um of a hospital system. constraints, the troubles with budgets, some of these uh medical device issues, uh that intersection, and then we've had a firsthand account of what it's like to take care of patients um during the heart of a ransomware attack and talk about that u from a individual patient level to a unit level to a hospital

level to a regional level. So, I'm going to spend the next little bit of is kind of doing a little bit of a recap um and then bringing two new things for you folks this year. And the focus for my remarks again are going to be a little bit more on the national uh sta scale scale or whatever. So I'm Quatti. Uh that's what everyone calls me during the summer cons. Um that's my handle. I've been coming to Defcon and and the summer cons for like over 25 years now. And so it's weird when people call me by my uh my my real name, but you call me whatever you want. I'm an associate professor of emergency medicine,

biomedical informatics, and computer science. I just made associate. Woo. >> Right. >> Yep. I'm tenured. I'm tenured now. They can't fire me. Just kidding. They can fire you. I found that out. [laughter] Um, please don't fire me, boss. Uh, and I co-direct the center for healthcare cyber security UCA San Diego. We're almost two years now on this mission of uh kind of a academic healthcare cyber security research center. I want to talk about some of that work. I just wanted to say thanks for you folks for what you brought and just the amazing bravery it takes to talk about something like this. And I bet some of you in the audience are like, "Wow, what did I get myself

into?" Um, I saw a lot of heads like nodding. I bet you folks are the ones that work in healthcare or have people like you you get this. But I think some of you folks are probably like, "Is it really that bad? Like, what did I get myself into? What a mess." [snorts] This map's going to come back later on, but I've been doing this with Bo and Josh and all these folks in this community. It's great to see so many familiar faces with, you know, for for a while now, like over 10 years. And it's allowed me a chance to, I think, take a step back and and try to from hearing these stories of what's

happened with Ascension or change or um all these like gigantic attacks. It really poses you about it really causes you to think about how big the scale of this problem is and how if we're really going to be addressing some of these issues, we're going to need fundamental change and the way we think about this problem, study it and the solutions that we implement for it. And that even if we're so fortunate to solve it at one hospital, which is this is an unsolvable problem like cyber security concerns in a hospital, we're never going to solve this problem. But even if we get really good at one hospital, there are over 6,000 in the United States alone.

Right? So it is a daunting challenge, a never- ending battle, but I think about this picture and it'll make sense a little bit later about really how much we need you folks to step up. And so I hope at the end to again instill that charge in you to kind of join us. I'm gonna do a re quick recap of last year just because I think it has some in some stuff that's been mentioned and alluded to. We'll go real quick through this and just so I know how many people I'm going to board that who was here last year for my talk. Okay. Well, not that I'm sorry, but hopefully this will be I'm just going to go through the

takeaways real quick and build upon what the other folks have said. Takeaway one was that we are critically dependent on connected technology. Right? So how much did we hear uh about how much the nurses were needing the electronic health record and the pharmacy and these Pixus omnicels like you cannot deliver even the basic standard of medical care in the United States without a huge amount of technology whether that's be connected medical devices servers all the way up to like operational technology email um communication software uh VoIP phone lines in a hospital all of these technologies are critical for the timely care of patients So, it's amazing. It works just normally, but let alone while we're

under attack. But lesson one, we cannot deliver safe, high-quality care in any hospital without technology. Um, and to exemplify that, you know, I talked last year about a study that just says like they followed some doctors around, I'm sure it would be even more so for nurses, and just counted how many clicks they used to execute their job every day. And it was tens of thousands, right? Like I'm sorry, it was thousands of clicks. It's probably even more now. On just a regular shift in the hospital, a doctor or nurse is making thousands of clicks on a screen to deliver their job, to actually accomplish their job. Takeaway two, healthcare attacks are rising. This is some great work uh from

Dr. Nepr um out of University of Minnesota. You know, an update to this study is coming up. I've heard it just talked about year after year the threats are not decreasing. The frequency is increasing and the severity of them. It's not ransomware lasting a day or two anymore like we all know. It's these are such devastating attacks and the recovery is so complicated. They're talking about weeks to months. You mentioned you were saying one five. I don't think some people recognized in the audience that she was talking about weeks of downtime. That's huge. Oops.

We've been having a lot of lately some contemporary largecale failures um with thirdparty stuff. So not even ransomware specifically getting hacked but you know whatever critical third-party vendors that health infrastructure has will get attacked and change healthcare is a really good example of that where a single ransomware attack on a third party vendor decimated thousands or it's not impacted thousands of clinical operations like small clinics to hospital systems and by impacted what did I mean it means that financially devastated many of these there have been uh clinics private practices etc that closed because a vendor they used to process insurance reimbursements got ransomed. That's how fine a line so many of these organizations are really treading. Like

they are on the razor thin margin. Most of the time they're lucky if they break a 1% margin of profit year after year. Now I'm not saying hospitals should make a profit. What I'm saying is that if you're always on that financial edge of a razor, um these types of attacks that you're not even responsible for that impact a vendor could cause you to go out of business. And then what happens to the community around it if that hospital that goes out is the only hospital within 150 miles. Like that's huge. It has cascading rippling effects that lasts way longer than just the downtime of a single ransomware attack. Takeaway three, you know, cyber attacks

impact these technologies and cause patient harms. You know, I feel like we're getting my I was talking about Bo and Josh, like we're getting old. Remember like a long time ago when we were like we don't have studies that show patient harm. We we get this constant feedback from like you're scaring people. There's no data that says that this happens. But we have I think that's changed. I think that it is hard to make the claim nowadays that cyber attacks like ransomware attacks do not impact patients. And I think one of the papers I was talked about a little bit ago. If you're interested in this, it's an open access paper. You can go review it. But we just measured what

happened around a hospital system that got ransomed at hospitals that didn't get ransomed. So think about it like an ecosystem. If you're in a city and there's five hospitals, if three of those get ransomed because of the same hospital system, those other two hospitals, uh, they don't just continue on their merry way. They take a lot of the rippling, um, ecosystem effects. They get overwhelmed. So, everyone suffers in a community u when ransomware happens. And we looked at what happened to emergency patients. Their care was impacted. They waited longer. They took longer to get admitted to the hospital. They left sooner than they were supposed to against medical advice at higher rates. Like a lot of patients in the emergency

department at a hospital that wasn't even ransomed were impacted. Ambulances were significantly impacted. The whole uh system of prehosp care. This is a a graph that just shows the middle there is what happened during the ransomware attack. And it just shows the cumulative number of hours that hospitals are on diversion. and diversion. There's tons of papers to show that diversion is not good. If it takes longer for you to get to a hospital for care, if it takes longer for an ambulance to arrive at your fac at your home when you're having an emergency and then transport you to a hospital where you can get definitive care, that delay can kill people. And so ransomware attacks in communities

impact even the ambulance systems. And then that video I thought was great. They talked about time and medical conditions like hearts, heart attacks, strokes and things. And when you look at these types of really vulnerable patient populations where like minutes matter, hours matter, um these patients can be disproportionately affected. And then this is a study we followed up with that that just said like listen, if you have cardiac arrest, if your heart stops and they got to do CPR on you and they shock you, all that stuff you see on TV and you're getting cared for in a hospital in a town where ransomware is happening, you have a t-fold decrease in your survivability with favorable

neurologic outcome. Just because there's a ransomware attack in your town, that means that you, your loved one, your parents, whatever it's going to be, have a tenfold decrease in whether or not they're going to survive and be able to feed themselves after a heart attack, after cardiac arrest, just because ransomware is in their town. this body of evidence that these types of things have impact well beyond the very obvious rippling effects, diversion, complications in care, medication errors. We're building more of a a literature base to show that. Takeaway four, hospitals are closing or consolidating. Okay, so I think Ascension's a good example. They had 140 hospitals go out with their ransomware attack. This is only going to get worse because

healthc care is in such bad state financially in this country and it's so desperately uh funded. That means we have financially welloff hospitals and we have poor hospitals. When the poor hospitals no longer can pay their bills and they want to close, they get absorbed by a larger health care system. So we're just getting fewer and fewer independently owned and operated hospitals. Now we're getting mega hospital systems where like ascension 140 hospitals are on a single IT stack which means if they have a ransomware attack that effect cascades to all of the systems that are on a unified platform and that's just accelerating. Hospitals are closing they're getting acquired. We're consolidating health care and at the end of the day we're

going to be we're increasing our risk for catastrophic failures across the country and rural healthcare is uh particularly at risk. There's a list that got published a couple months ago that talks that there are like imminently 300 hospitals rural and critical access hospitals in this country. They're at the brink of closure right now. Like that list is going to grow. All right. All right, takeaway five. We're critically dependent on other critical infrastructure. I alluded to this. You know, it's been great and also terrifying to hear how much a an understanding I've had just learning about how critically dependent healthcare is on water, electricity, these types of interdependencies on critical re critical infrastructure that are shared among critical infrastructure

is terrifying. And then now we're going to go on to some of the newer stuff. So the last takeaway from last year was like these problems are hard to fix quickly and I made this analogy last year and I think it still kind of holds wherein a lot of what we talk about is about prevention and we want to prevent ransomware attacks, right? But like we don't just uh try to prevent heart attacks and cardiac arrest, right? These are the things that I'm supposed to tell you as your doctor. I'm not your doctor. As uh as a doctor, you're not supposed to do, right? Don't smoke, don't get old, I guess. Don't drink, don't eat a

lot of unhealthy food like I eat, right? Like stress, diabetes will be these are things that can put you at higher risk for heart disease, right? We're supposed to not do these. If you are if you try to adhere to these uh recommendations, then your chance of something goes down less. We do that in cyber like MFA, uh no shared passwords, network segmentation. We can go over like all of the specific recommendations on how you're going to try to make your hospital system more resilient. You're going to do the good stuff to try to prevent the attacks. And we spend in my opinion a lot of effort on the prevention. And that's ideal. We never

want to have a ransomware attack hit a hospital. But how much are we really preparing for the inevitable when it does happen? If you if would you think it like if hospitals never actually had treatment for people who had heart attacks, we just spent all of our time in prevention, that's probably not a winning strategy. What's the right ratio? Do we spend 80% with prevention, 20% with response? Like what do we do? And there's like these risk factors. I talked about all the like the things that are against us, but what is the kind of CPR, if you will. What's the treatment for when a health care system gets ransomed other than just recover as quick as you can? Try to do

your best. Try to go on downtime paperwork. And the young doctors that don't know how, they know Tik Tok, but they don't know how to do prescription writing. And I have to confess like I think I've handwritten prescriptions like 10 times total in my career. I'm sorry. >> No, it's >> No, no, not all. But what is the acute response to these types of things? And that's what I left on with last year. You know, I alluded to this thing what we're doing called the healthcare ransomware resins and response program. And I got a couple things to show you guys today. And so we're very thankful we're funded out of the advanced research project agency for health. It's

kind of like DARPA but for healthcare. and they took a chance on our pitch, which was exactly this, like how are we going to respond to ransomware attacks in hospitals that can make patients safer? So, this is like a two-year research sprint, and we're almost done, and I got some stuff to show you. Um, thanks a lot to RPH. You know, the NIH would never fund this. The National Science Foundation would never fund this. I'm an academic, so I got to get my grant funding from the feds, and this type of stuff like would never have been funded. So, we're thankful for RP. They don't pay me to say this, but I just am very thankful for these folks.

All right. So, I'm going to just stop and say like listen, the goal of this is to say, how do we rapidly identify ransomware attacks in critical health infrastructure? How do we let the doctors and nurses have how do we build resources for them to deal with this when right now they have no playbooks? Raise your hand if you uh work uh cyber for an organization and you have a ransomware playbook already already figured out ahead of time. Raise your hand. Like you're supposed to, right? Like you're supposed to have a guide book for your technical response. We're going to do forensics. We're going to look at IoC's. We're going to do this, this, this, this. You

have a technical playbook, but the nurses on the cardiology wing on telemetry don't have a guide book for how they take care of patients during a cyber attack. They just don't. So, we aim to do that. I'm not going to show you that work today, but that's the second part of this work. And then the third is this thing we call uh like a crash cart system. Like how do we a hospital's been ransomed. What do I need to bring to a hospital to get them off of paper? And how can we rapidly deploy that within hours of a ransomware attack so that doctors and nurses can take care of patients uh to the standard of care

that the patients deserve and the clinicians are capable of doing. So, it's not just me. We have a gigantic team of folks. We have a bunch of really smart computer scientists, uh, graduate students, and I got to say like I these folks work every single day on this project. So, I'm going to show you some of that work, but please, like, if you ever see these folks, buy them a beverage or something like that. They've been working tirelessly on this for what has been a really crazy sprint for the last two years. So, there are three technical areas. Um, they have little piffy code names. We're going to have to change some of these names. Um, but right now, these are just

kind of our research project code names. We're not going to talk about the tome today. The first thing I'm going to talk about is the thing we call ransomware. So, and it was this question that was really frustrating to me as a researcher. It got born out of the the problems we had Bo and Josh about like, hey, where's the data that shows what hospitals have been ransomed? Like, what's the data about how long they were down for? What's the data about what the patient adverse effects were? It didn't exist because when a hospital system gets ransomed, they don't want to talk about it. Their PR teams say, "Shut up. If you talk to the media, we'll fire

you. Um, and I'm not, you know, listen, that's it's complicated. Why do they do that? It's because they are already under attack. They're they have these risks that they don't understand fully. They don't know how long it's going to be about. They have a lot of unanswered questions and their default position is to like not talk about it. They don't want to invite subsequent lawsuits. They don't want to have any more brand reputational damage, etc., etc., et those are reasons why they say don't talk about it. So I can't as a researcher go up to him and be like hey will you give me all of your data about this and be like no thank you like sir

this is a Wendy's get out of here. Um so I was really frustrated by this. So I want I had this question this idea like can we figure out if ran if hospitals have been ransomed without them ever having to tell us without having to find out about it on the news. So we did that. We built a system we call ransomware. It's like an academic project where we have a prototype system that scans over 6,000 hospitals um hourly. We've spent the last year and a half reverse engineering the uh public surface of every hospital system in hospital in this country and have a really good understanding of like what services they're all running and all of

this stuff. And we have been scanning it for over a year and we've amassed a gigantic data set over 6,000 hospitals. We know and we've been kind of looks like this, right? Little dashboard, little red dots saying, "Oh, stuff's down, little yellow dots. Some stuff's down, green dots, everything's cool, right?" And so we've been collecting this data and we've been successful in identifying three instances of ransomware attacks we detected on our system before it was ever publicly available. So anyone here from Shytown Chicago? I like your pizza. I know people from New York hate it, but I love it. Uh we detected Lur Children's Hospital when they got ransomed uh last year. this this year, earlier this year before

they publicly announced it, our system saw a bunch of their stuff drop off. And we've had this benefit of scanning at a nearly hour. We initially were scanning every six hours, every three hours, but now our frequency is every hour. But we have like longitudinal data about all these services and when it's up and down and we've been measuring it. Now I'm going to show you guys a study we just published. I have some important caveats I have to say ahead of time. Uh number one is uh science is messy. It's also sometimes controversial. Uh so I'm going to show you this paper and you can read it yourself. I have to put out some uh disclaimers ahead of

time which is I'm going to show you association data. Does anyone can quickly explain to me what an association is in research? Like something is associated with something else. Raise your hand if you want to quickly shake a stab at it. Yes. >> Who pays for it? >> Ah that's a different type of association but uh that's a funny I like that. uh all we know is that two things kind of temporally or spatially or something happened at about the same time. Okay, so I'm going to show you. So I it does not show causal data. I cannot tell you with certainty X caused Y. I can say X and Y happened at the same time and I

can show you the data and you can ask yourself what you think happened. All right. Number two, uh this is one of what happens. What I want to do is lots of studies about this type of stuff. So, it doesn't answer every question you're going to have. So, we had this system running for about a year. We were seeing evidence of ransomware attacks. It was pretty cool because we could also see how long they were down for. We could see what services they brought up first. Oh, their email servers came up first or hey, their their service now came up first. That makes sense. They bring up service now first because they can do all the tickets for what needs to happen

on the response. Like, we saw these hospitals recovering as well and it gave us a lot of tremendous insight. with the system running and then something happened uh a little bit over a year ago. Does anyone remember what happened before Defcon about a year ago in the news? >> I'm sorry. >> Yeah, crowd strike happened. So, I know I'm going to tell you if you want this QR code, you're going to have to trust me. This goes to this study. We published this last year and um I'm talking about association data. I'm going to show you some stuff. I really encourage you to read this paper uh and I also en encourage you to read the

limitation section of this paper about what this paper does and does not and then if you have any methodology questions you can ask me but I ask you to read the paper first because it talks about a lot about what how we did this and what our data was. All right. So the question I had is what did we see go down around Crowd Strike? I can't tell you that Crowd Strike caused this. I can say I know what h what we had seen prior to Crowd Strike, what happened during Crowd Strike and what happened after Crowd Strike and I can tell you what I saw go down. So the question is what patient care

outcomes or technology outages were associated with CrowdStrike? Um there was also a Azure outage that day I've been told. Um so maybe it was that as part of it. But we actually did 2200 hospitals in this data set. And we looked at again before, during, and after a crowd strike outage. This was not an attack. This was not a ransomware attack. This is not a cyber incident. They had an outage. Um, and we identified 759 hospitals that had outages occurring associated at the same time as Crowd Strike. So we saw 759 hospitals have some outages right during Crowd Strike. And then we went and looked at every single one of those and what services were available before,

during, and after and tried to characterize every single one of those services and say, were they ones that take care of patients? were the ones that took help the enterprise or were they we were not able to identify. I think this graph speaks for itself. Some people want to say that uh how did you know that they didn't do a firewall configuration or that they didn't do like an update or that something else. So this graph shows daily the number of there's a technology an API standard called fire fast healthcare interoperability resource. This is a healthcare specific kind of API standard that lets your hospital share your records with a bunch of apps and other providers. So this fire

endpoints is what we call it. We have been monitoring fire endpoints for over a year. On average, we see five, eight go down on a daily basis of the hundreds that we measure, thousands that we measure a day. At that orange line, uh that's when crowd strike outage happened and you can see an associated huge spike in these fire end points that went down. These are healthcare delivery organizations, uh not individual hospitals. And then we l looked at all of our IP data, not just our fire endpoint data. We went and looked at again all of our IP scanning data. And we saw all these are the hospitals that had downtimes associated uh at the same time

temporally as CrowdStrike. And we have the duration. We know when they were up and when they were down. And again, we're not scanning every minute. So I don't have minute granularity, but we have like hour granularity for most of this stuff. And then we went and looked at every single service of that outage and we c categorized them into four buckets. One was patient facing stuff. We saw prior to crowd strike um having we saw things like EMS ambulance um dispatch software. Um there's software that allows a ambulance to communicate patient information to a hospital. That was one of the services that we saw go down. We saw a whole bunch of patient portals go

down so you couldn't access your patient records. We um saw a whole bunch of other kind of clinically focused stuff and that was about 22% of all the stuff we went they saw go down associated with crowdstrike was patient facing. Then we had about 15.5% 15.4% of it be operationally relevant. These are things like email servers going down or uh service now portals going down. these types of things that matter to the healthcare delivery but aren't necessarily directly focused at taking care of patients. We saw a bunch of research stuff go down. We saw about 5% of what went down had to do with like recruiting patients for studies or educating patients on clinical studies

for new drugs and trials and things like that. And then about 57% of the time we couldn't tell what this particular thing was. Um so we just put it in this unknown uh or not relevant bucket. And I think this kind of shows the the a couple things. one that a single um issue could maybe cascade that's associated with this like really large health care disruption that we saw. But how many of those are there out there? If you would have asked me, I'm going to be honest. If you had asked me if I would have thought Crowd Strike would have had an outage like that a year and a half ago, I would never have

thought it would have happened. I would never have thought that would have occurred at the scale it did. Um but it did. My question and what happened was significant. It wasn't just healthcare. You guys saw airline industry all these other things happened. How many how many different systems it impacted? My question is how many analogous dependent third party vendors that are critical for the delivery of health care are there out there that we don't even know. We have no idea. Like if there's an 0365 outage, how many hospital and trauma centers are going to completely collapse, right? If there's an Azure outage or if there's an Amazon EC like how much stuff is hosted critical

healthcare stuff that's hosted in the cloud >> change >> change is a great example I talked about that before if you think someone knows those lynch pins those digital lynch pins in healthcare infrastructure in this country you are wrong I I have not seen a single person that can coherently explain to you the scope of the risk no one knows how many of these are out there no one's mapped it so it's a kind of scary thing. The other thing I would say that this speaks to a little bit is um again just how critically dependent healthcare is on these types of thirdparty uh vendors. So that's the first thing I want to show you guys and if you're interested can

read the paper and the limitation section. I'm looking at you. All right. Next rapidly. Uh we're going to talk about the next project which is this like hey what's the CPR for a hospital that's been ransomed and the question is like what would you need to bring to a hospital that's been ransomed uh to like get them off of paper? Like what would you have to give the nursing staff and the doctors and the technicians and the registration folks and the phabotamists? What could you put in the back of an 18-wheeler, drive to their facility and deploy within two hours to say, "Hey, you're not going to be down for five weeks or you might be

down for five weeks with your own systems, but we brought this other thing." And you can work on at least this somewhat better system until you can recover. I have questions like that's a that's a scientific and a usability question, right? Like what do you actually need to bring and how would you engineer it? That's what we sought to do with what we call crash cart um disaster recovery crash cart and we spent the last year and a half building a prototype of it and it fits in the back of a 9 foot van and it's scoped to try to restore the technology of a 20 bed emergency department. We're not anywhere near being able to do it

for a whole hospital but we're like prototyping this for like hey the emergency department needs to function. we need to deliver patient care. If anyone has a heart attack or a stroke or got gets stabbed, what do we need to bring to basically to do it? And that's what we scoped it at. And so the other interesting engineering challenge for this is like you have to build this into an entire um you have you have significant engineering challenges because you are going to set up this replacement system right next to a hostile network that has active malware. So we can't touch any of their switches. We can't use any of their existing infrastructure. We can't use

any of their existing spectrum because they're going to be bringing up their own Wi-Fi, right? We So, we have to operate on a different spectrum. We can't use their back haul internet. They won't let us touch their fiber because they're worried about data xfill, right? They're worried about command and control. So, they'll cut their back haul as part of their ransomware response. So, you have to bring your own internet. You have to bring your own spectrum. You have to bring your own endpoint devices, your own electronic health record, your own laboratory devices. You have to be able to quickly integrate with their own CT scanners and their ultrasounds and all that stuff. And you have to bring

all that infrastructure in a mobile set. And that's what we did and we call it crash cart. And so some of the stuff I'm going to highlight here is like we use Starlink as our internet back haul and we co-agregate a bunch of 5G. So we have a system where we can basically bond every uh commercial uh cellular provider in an area and then bond that also with the Starlink back call to get we've achieved some pretty significant um bandwidth throughputs to try to support the system. But is that going to be the same bandwidth that we're going to have in rural Idaho, rural Nebraska, downtown Manhattan? I mean these are constraints that we have to make the system

available anywhere in the world. We spin up our own private 4G, 5G um network. We don't use Wi-Fi. I told you we can't compete on their spectrum. So, we actually do we run our own private little cellular towers, our own little cellular access points. And we run all of our endpoints and all that stuff on cellular. It's not an air gap. I'm not stupid enough to say that. What I'm trying to say is like they're going to be infected on their endpoints. They're going to have we can't touch their APs and all their stuff, but we spin up our own things around everything over cellular, private cellular. We bring our own laboratory devices. is we bring our

own endpoints that are hardened. We have or we bring our own monitoring system so that we can monitor patients if they deteriorate. We can't use their existing stuff. And so I'm happy to announce that we deployed this not during an active ransomware attack, but about two weeks ago we went out to a small hospital in the Imperial Desert was 110 degrees with our U-Haul van. Um and we deployed this in our first we had done this in the lab we had done this in our sim center but this is the first time we deployed it in a real hospital system. Um so we brought it we set it up it took us uh 29 minutes no sorry 30 39

minutes from the time we opened the back of the truck to when we had a functioning electronic health record a our private private 5G network in all of our endpoints booted all that stuff. It took us 39 minutes. [applause] We print our own labels, our armbands, this stuff. And like what is this? Like this is proof of concept for a different way to approach the problem. If we can spend a ton of money trying to prevent stuff from happening, we don't have a plan clinically for when it does happen. And the question I have is like if we had this and we scaled it and it was a national resource, like if we had that

type of stuff available, would hospitals pay ransoms? Would ransomware operators go and attack them because they know, hey, there's a backup system we can rapidly deploy within hours of response that, you know, can we bend the arc of ransomware economics with something like this? Hey, this healthcare is a complicated example. You got to do labs and imaging and all that stuff, but can you apply this to other uh verticals that get ransomed as well? like the idea that can we take the sting or burn out a ransomware enough with something like this that we can hopefully try to prevent them uh attacks in the longer term is kind of the goal. And so I'm like really happy to talk to you guys

about this. I mean I know there's going to be a lot of questions maybe or like flaws in our logic and we welcome them all. But it's been like a whirlwind two years that we've had building ransomware, building crash cart, testing this stuff. And what we need are folks to like help us make it better because I think our patients deserve it. And like you're going to be a patient one day. I think you deserve it. That's it. [applause] Thank you. [applause] >> All right. Well, great. So, >> so I'll do uh Dave's job while he's getting the mic turned on. Uh we have a microphone over here. We have 38 minutes for questions. Um we've got two and a

half smart people uh who are ready to field them. Um got one question ready to go. Um Dina, if you have it handy, um one of the things I had socialized to people is you had a demand letter of five things that you felt would equip the nursing staff to maintain the quality of care and the communication. Uh could you maybe enumerate those five while people are lining up? >> I did throw it in my presentation, but yes, the microphone. >> Yes. >> Um >> and by the way, I loved them. we hadn't even spoken or met yet and I think arguably this room could maybe add to and refine these for intent but um

already on their own they're pretty impressive. >> Well, we threw them in a cyber attack uh appendix for the the contract. Um we we altered it. I kind of like our our our article even we improved upon it. If there is a declaration of an authentic, and I'm telling you, they don't want to say cyber attack. We had to cross it out, authentic electronic operational failure, bargaining unit RNs will not be required to take any more than 50% of the patient load assignment as designated by the CBA staffing matrix. So, I felt like that was an improvement on the 1 to4 at the time, like we just did that for the bigger units. Uh the im

immediate recruitment of service group ancillary staff through a letter of understanding is crucial to alleviating the burdens placed on our RNs ensuring that patient safety is not compromised. Um it's essential that one calls for additional staffing need to be communicated in a timely manner within eight hours of the start of the ship for a successful response. We added daily meeting times as we did in the the petition. We um put in uh daily unit shift huddles, weekly huddles with the union and uh HR addressing all the issues going on in the house. Um alternate measures of communication. One thing I didn't say that was mildly enjoyable, the VP of HR had to come to me because my text blast and email

blast, they could not communicate with the registered nurses in the service group. So they came to me and said, "Will you please send our emails?" And there was some mild enjoyment of that. Just saying. So anyway, that was what I I felt like I we improved on it in our contract language. >> I might be misremembering this, but a followup. Did you ask for simulations and trainings like fire? >> Yes. Yes, we did. And >> question, >> uh, we asked also for training for these cyber attacks because no one's ready. I I sent Joshua a picture the the other day. In the corner in in my unit was this big stack of like just thrown

together papers that we're supposed to figure out if there's some downtime issues. So, it's just incredible. But they it's profits over patience. So, thank you. >> Uh so, hi Dr. Thank you so much for uh your uh display of Crash Cart. I've been excitedly waiting for Crash Cart because I got $40,000 waiting with your name on it basically for Crash Cart for my community. Um do you know when you'll be releasing any of the information or the the data from that because I really want like the equipment list or the training list that you've been developing? >> Yeah, we just uh finished writing a paper and submitted to a journal. So hopefully it gets accepted and then

it'll be available for the whole world. Um, our two-year sprint with RPH for the research funding is supposed to end in September. And so we have a couple extra like large scale deployments we have to do, some more proof of concept uh, kind of integrations with some of the clinical tech, but we're kicking the tires at the end of the prototype now. And now it's going to be about scaling, right? So, it's like I think there are a lot of unanswered questions like the hospital systems probably not going to be able to buy their own crash cart and keep it in their like build their own crash cart and keep it in their basement for when

they need it. So, like we have these questions about like well should it be deployed as a critical national resource. Um like we do this thing called the strategic national stockpile for drugs and vaccines and stuff that are like strategically positioned around the country. Do we need something similar for healthcare IT? Right? like do we have this around so that we're within six hours of any large area of people in hospitals that we could drive a truck there? Like there's these questions about how do we roll this out? And then there's questions about scale. Our prototype fits in the like it's almost like 60% of a of a back of a 9- foot truck. But if we were to do that

for a whole hospital, it's going to be much bigger. It's each individual parts of the hospital are going to have unique considerations. like the ICU is going to need different stuff than like your family practice office across the street. So scaling this to be able to say could we roll into a hospital and replace an entire 200 bed uh hospitals total stack. There's a lot of more work that has to do with the scaling of this. Um that doesn't answer your question. What I'm trying to get at is right now I think what we need to do is have people deploy this and do a test deployment in their area and then say have you

considered this or what about this or hey we need to work on what do we because right now during ransomware response we throw the baby out the bathwater. So you get you get hit. Your technical playbook says cut off your back haul, turn off all of your systems and then do forensics. IOC like there is a a technical rationale for what why we do all this stuff. But what it does is it basically takes a system where we maybe could use 30% of it or 40% of it. You know, there are not many cases that are documented of CT scanners being primarily infected with ransomware. I'm a I'm aware of one. That means maybe it's the case that we can use your MRI

machine and your CT scanners. We don't have to not use them during a ransomware attack uh or other clinical. I'm just giving you an example. But this work of like what can we use safely in infrastructure that's been hit. What do we need? What assurances do we need before we can reliably use it? How do we do that quickly? These are all these questions and things that are still research questions that we need to do before this is ready for prime time. Um, but in the meantime, we're going to get it out there and we're gonna have people kick the tires on it and make it better because this was our first uh swing at

it. And we had to do it on a crazy timeline. Like we had two years from start to finish and I've been pretty proud of what we've been doing, but we have a lot more to do. >> Good job. >> Thank and just in a minor response. Um, so it's it's I'm thinking the hospital preparedness, our healthc care coalition, and then maybe our public health emergency preparedness grant um recipients might be able to fund these local implementations. And to your point like the that NDMS, right? It's like can we deploy these mobile hospitals? Can we deploy these through the Arizona National Guard or other things like that. So yeah, thanks. >> Yeah, great ideas. [snorts]

>> One question, one uh analogy. I'll start with the analogy or story uh before. So there was a a very small little hospital in Yeah, I figured it was a little small for me. Uh yeah uh in uh Los Angeles Hollywood I'm sure many of us have heard for it. It supports you know very cool things and lots of important people. Um they had I was the incident commander for an event that occurred and it started with um basically somebody looking at X-rays uh going to sites that they should not. Um those devices were not really on the network. Those devices were vendor owned. those devices were supposed to have a vendor managed uh antivirus. Uh

they did not. Um and so that went [snorts] reasonably well. There was no actual impact to any other surrounding systems. Uh very localized. We did find it because ransomware artifact started appearing on other domain uh systems like the domain controller which started the panic attack on a Saturday morning. Um the sad thing is is we actually had that same problem. uh the computer right next to it about six months later with the same you know medical technician kind of doing the same thing going to sites that they should not have. So obviously there's a whole aspect around vendor managed systems and everything else like that. And so you mentioned like I've never heard of CT machines and

all some of these others of you know doing that like I I actually have. It's it's exciting. Um and this was just for clarity and everything else like that over 10 years ago. So if that's helpful in terms of explaining that my my question is completely different. We talk a lot about the medical stuff and ER and everything else like that, but how does behavioral health have any impact on some of those things? Because we know especially coming out of COVID, uh there's been this big push for behavioral health having just such a an impact on our communities and everything else. You know, has there been anything around behavioral health being part of that emergency preparedness kind of

conversation? I we have we have a really large ER in the hospital I work in and we have a huge area for behavioral health. A very kind governor many years ago got rid of all our mental health services like virtually most of them. So it's very hard to to move these these folks to the place they need to get to. We hold them for a horribly long time. The one good thing about their issues is they're not on a monitor, but their meds are of the utmost importance. So, it's it's kind of the same as everyone else, you know, medication wise, because when you start messing up medication for someone who needs that for their mental

health, it it's even more it well, it's just as important as everything else. So, I don't think anyone looks at anything differently. I mean, I think they package them in with all the other important things, but mental health, it's a crisis. It's terrible. >> Thank you. >> Hello. Uh, new to the field. This is my first con talking about these sort of things. So, thank you for the amazing work you do. Um, the question I have is with the crash cart, is there augmentations or overlaps into more national disaster situations such as there's no power here or you know something of that sort? What does that timeline or effectiveness look like from your perspective? >> Yeah, great question. There's no reason

you can't take crash car and deploy it in like a gym at a at a high school other than our engineering constraints. We did not assume we'd have to bring our own power. We gamed it out. we could do it with a pretty uh readily available commercial generator um that could run multifuel stuff. So to answer your question about I I don't know if this is if I'm answering your question right but um crash car has multiple potential applications other than ransomware and we feel like that is one of the most challenging engineering cases for which if it would work under that circumstance and we've solved some of those problems then we I think we've solved a lot of

problems for some of these other things. out there are undoubted I'm not a disaster medicine expert. Um I'm not an expert in earthquakes or floods or tornadoes or anything like that. I'm not going to pre pretend to be. But my my feeling is that we're going to get a lot more applications from this and that I think lends itself a little bit more to this model like strategically positioning the stuff around. We do have some analogies for this in like military systems. They rapidly deploy uh field hospitals and these types of things already. So this is not an entirely new situation, but one of the things that we wanted to focus on is how do we leverage

the existing people at an organization. So if you're like a FEMA team and you're responding to a hurricane, you bring your own doctors and nurses and you deploy your technology in a in a field hospital, but you are training your folks for that system and they know how to use it. It's an entirely different game when you have to use doctors and nurses and phabbotomists and registration folks on site. So one of the things that we've built the system around is to be modular in the types of things like electronic health record views. The idea would be we have uh there are several flavors of electronic health records like epic and serner and all scripts and these other things. They

constitute a majority of electronic health records. If you give a Cerner nurse Epic and they've never used Epic before, you might as well kill the patients then. You might as well just kill them right then. >> It's true. >> Uh you give a cardiothoracic surgeon who thinks they're God uh Cerner and they're an epic doctor, they'll kill you and they will not be prosecuted. Um what I'm trying to get at is you these usability issues are really real. So how do you preposition cloud infrastructure to be able to be modular in your deployment? Your Cerner shop will give you Linel Cerner. So, at least your doctors and nurses know how to use that. You might

not have all your fancy bells and whistles and all the customization you had before, but at least you'll have the basics of usability. You'll know how to use it at an elementary level. You have to design a system that can on the fly deploy these different things. Um, is another consideration to this. I don't know if this is all answer your question but >> Yeah. >> Yeah. All right. Sorry.

A question on the crash cart for the 4G uh cell back end you have are you using just consumer grade 4G or is it on the is the 4G on the firstn net first responder networks or yeah just consumer >> great question. And so on the I if I mis mis uh spoke, forgive me. Our internet back haul is using Starlink bonded with we have we have like a cradle point router that will bond Verizon, T-Mobile and AT&T FirstNet um all into one signal. So there's the cellular backhall side of that and then we deploy private 5G on the CBRS spectrum in the hospital. So for folks that know don't speak cellular, we basically spin up our own

private uh cellular network in a hospital. So you look at your phone, you look at the top, it says T-Mobile or AT&T or whatever. When you when we give a we have a phones that we issue to folks in Crash Cart. On the top it says Crash Cart. It's our own private network. That's a separate cellular network that we deploy in the hospital. Why did we choose that? We couldn't use the spectrum that they were on. two, I only have to deploy one AP. So, it has much better penetrance. Um, in a hospital, I went to deploy one P instead one of AP instead of like five or six Wi-Fi APs. So, there were other reasons.

We more quickly deploy that. Does that answer your question? >> Yeah. Thanks. >> Yeah, First Net's been rad like not the fastest, but definitely deployed in a lot of areas in the hospital in uh the nation. >> Hi. uh as a as an EMT and a cyber security uh engineer myself, I think the the concept of uh of the crash cart's really really cool. And one of the things I wanted to ask about um it sounds like crash cart is going to be deployed during an incident. So what does kind of like the incident management process look like when you're working with the hospital? >> Yeah, great question. Hey, I heard you've been ransomed. Can I drive an

18-wheeler up to it and deploy a bunch of crazy stuff in your hospital like within four hours? Is that cool? Uh to be to be determined. Uh my mental model for this is uh anyone seen Field of Dreams? Come on. Like I'm getting old now, huh? Like I I have to say that and qualify it. Like none of my med students I teach or my residents I teach have seen that damn movie. So I'm now getting old. Like so many times I I I had this idea for Crash Cart and I'd tell people and they'd say it's too hard. So they wouldn't even like engage in the premise. So I almost had to build it and they

will come. Like I had to show that it was feasible before people would ever really wrestle with well how would we do that? And so I think if we can show technical feasibility, if we can show the benefit, if we can teach a hospital like hey you might lose a hund00 million on this ransomware attack. I mean there have been documented cases of hospital systems losing over $100 million because of a ransomware attack. There's been documented cases of hospitals being completely shut down from ransomware attacks, from losing all their funding essentially. >> So if we can get far enough with Crash Guard to be like, hey, this might be the difference between you shut down or

whether or not between you lose $100 million or $50 million, then it might make those types of conversations a little bit easier. But there's still a lot of work that has to happen. We we've built it and now we have to see if they come and play baseball. You guys are like haven't seen this movie or like what the hell is this guy talking about? But anyways, build it and they will come as the kind of faith if you will that we're having in this. But to answer your question, it'll probably depend a lot on the hospital system, the governor of the state, how it's actually deployed. Is this a commercial product? Is this a

national resource? Is Congress going to fund this? Will imple will impact a lot of what you're talking about. >> Great. >> Hope that answer your question. >> It does. Thank you for all you guys do. >> Yeah. >> Hello. Um okay so first of all love crash cart I have two questions uh related to it one the first one I'm not super familiar with like hospital network systems architecture in general so I'm I'm assuming that there is like some difference between like those environments from hospital to hospital right so if you have like a prepackaged um like crash card kit right I'm curious about some of the considerations that you've taken in terms of like

adaptability right from one hospital to the other. And I know you spoke a little bit about like the mobility uh sorry the flexibility you have with like modularity, right? But I'm curious more about like adaptability like hey I have this kit but um maybe a specific vendor needs a specific tool or that kind of thing. So how you kind of took that into account. Um and then in terms of the kit, you know, I'm assuming like you don't have a ransomware attack like every week. Hopefully not. Um but um you know in terms of like maintenance is one of the things that came to mind, right? Because you're gonna have like a s like the kit like kind of packaged up

probably sitting in the back just like ready to go. So like how much maintenance do you need to like keep that like going you know so that you can rely on it once you actually have to deploy it. Yeah, answer the first question first and just say like yeah like uh clearly however this gets implemented they need folks like you thinking about the logistics like and the actual scalability of that stuff. Um yeah there's undoubtedly there's going to be a lot of operational logistics part of this that are going to become even more important as it scales. So maintenance um we we assume our system is going to be more secure than the standard hospital system, but that might not be

the case. And I'll tell you how embarrassing would it be if like we didn't patch the endpoints and like we get into the clinical environment and then like we get ransom too. That would really suck. Um that have to >> have to just say I'm sorry at that point. But to your point like you need a whole program around that. Um and that's going to require like the organization of either like a dedicated unit uh company something is going to have to make sure that considerations like that are addressed especially when talking about another thing which is like >> the scalability problems I told you ascension's got 140 hospitals that got ransomed >> you can't build

200 crash carts >> right >> and have them ready to go so like these catastrophic failures >> right >> crash cart might not be able to to scale that quickly especially when we a single point of failure cascading so many other hospitals. So to your first question, um, a lot of what we've done and hopefully this comes out in the paper when it gets published is like we had to figure out the question if if we could use a cellular backall for hospitals. One of the questions you have is well dang 6,000 hospitals, how are you, if that's your critical back haul for your internet, what's the cellular connectivity for most hospitals in this country? So we did a little mini study

where we went to open source like we used wiggle. Anyone use wiggle? Yeah. So we used wiggle um data to be like here's every hospital in the country geollo what cell towers are around them and what services are around like what providers so we could say reliably could we take crash cart to the middle of Nebraska at this hospital and have an internet back haul. Um so we had to do experiments like that. Um, we built a set of tools like, hey, you have to get what if the ICU is on the fourth floor and how do you get from your internet back haul on the ground to like a system up on the fourth floor? So,

we've been experimenting a lot with like pointto-point Wi-Fi. We've been talking about building stuff to shoot through windows like cellular connectivity, all this other stuff that I think to your point is not every hospital is the same. They're not built the same. They're not located in the same way. So, what you really need to do is build a set of tools and techniques and a tool box to be able to take it to a hospital, anyone, and say, "All right, I have these things to help me accomplish this goal, and you're not just have one piece of technology that if it doesn't work, the whole thing doesn't work." >> Hope that answers your question. A lot

of open questions. >> Thank you. >> I'm sorry about all the crash card questions, guys. Please hop in. >> I love it. Okay. >> Hi. Um, so I am actually a dental hygienist and I worked at an office that was a recipient of a ransomware attack and that's kind of how I am now here because I just was like, how did this happen? Um, and so I it's kind of my my new passion moving from the clinical aspect into the um the security aspect. But my question isn't super techheavy. Um but I am curious about if you I keep seeing all these unions for nurses, doctors having to fight um with companies in order to get proper

staffing ratios, equipment that they need, basic things for patient safety. Do you see any path forward with any organizations or um uh individual either senators or congressmen that we can apply pressure to that would enact statewide legislation that would help with the those issues. >> It may be three and a half years before that happens again. Last year, not not to be political, I love everyone. However, last year we were very very close to getting some nurse to patient ratios passed in legislation like at the capital. We're super excited. They're also talking about banning mandating nurses because I'll tell you what, I'm almost 63 and you push me to 16 hours, I'd be a goner. So, we were that close. However,

my union banned there's no mandation. So, there's that. But we were trying and then it died a horrible death in January, you know. So, we fight. We're not going to lay down and stop fighting, but that's exactly how you make the change because right now I have contract language that says they can't violate the staffing matrix. And if you do, we're going to you're going to pay a lot of money. They don't care. Someone else higher up needs to make them accountable. There's no accountability anywhere. So, I hear you, sister. >> Thank you. But contact contact your representatives, contact everyone and tell them how much that means to you because all together we can we we are in our solidarity

fighting together.

>> Um [clears throat] I think the crash card idea is really interesting idea. One question I have is on um like the data piece of it. So you're talking about like EHR systems getting those working but but the value there is in the data that's in the system so Epic or something like that. So h how would that work in theory like to populate the crash cart system with the data? Would would you be would hospitals really need to start thinking about can we localize our data? Can we have backups of our data so that in a crisis we can populate this new system? And my sense is as with most other organizations, it's very siloed now based on vendors

and and um and their application and their cloud infrastructure. So hospitals probably don't have or own that data. And so how do you solve that problem? Yeah, that's a really great question. So, I think I'll handle it in two parts. There's value of the electronic health record outside the data. So, if you folks aren't familiar with this, we keep talking about electronic health record. We talk about things like Epic and Cerner and these things. I cannot express to you significantly enough how critical that piece of software is for healthcare. You can't do anything without the electronic health record. It is a phenomenal repository of data. But you also can't order medications without it. You also can't order

imaging. You you can't nowadays we're using it to communicate with staff. We send messages in the electronic health record to nurses and other doctors to do tasks. It is such a monolithic critical piece of technology that if we just deployed crash cart with a vanilla there are no patients data in there. you're going to register every patient again and there that you could do that and then you get the value of an electronic health record without the value of the data. So that's one. So even if we didn't get the integration or the backup integrated into the system, there's still potentially value there. Two, hospitals are increasingly hosting their electronic health records in the cloud. So Cerner got bought by Oracle.

Epic is increasing their uh percentage of of their customers that are hosting in their data centers. Now, we could talk about how terrifying that is for me. I'm not going to get into that part right now. But there is a situation where we could hook up Crash Cart to their existing cloud infrastructure. Now, there are security bugaboos with that, don't get me wrong. And you've been compromised. You might share AD. Are you going to flush all those credentials? How you going to handle all that? That is definitely still some considerations. But the model I have is like if we can hook you up to your existing cloud infrastructure with Crash Cart and we can handle these concerns

about AD, maybe go to manual physical authentication alternatives, etc., then cool. Or if we can't and you just have to get it vanilla from the start, reregister all your patients in a new brand new system and then we'll integrate it afterwards after you get your system up. We might be able to do that. Um, so there are different ways that we can approach it. The devil's in the details and so how Epic does things and how Cern does things completely different. But I do think the last part also a little bit if we have a system and we give them clear instructions on how they could back up their master patient index and then how we could

integrate it quickly. We could actually have hospitals preparing a little bit to integrate in a crash cart ahead of time which will also have added benefits of they actually will have like a secure backup of their patient health record that independent of crash card they should have anyways >> right because you know what chain showed us right is epic could be the target in addition to the hospital right or whatever I mean you're assuming those are available but they may not be they may have been involved in the same incident that took out your your local map >> you're you're trying to gave me nightmares. >> I don't handle microphones often. So anyway, um so first of all, I have uh

a kind of experiential uh an antecdote. So I um ex my local hospital experienced um a ransomware or cyber event, I'm not sure. Um, and I had a like potential aggressive cancer scare during that event. And so my experience was they wanted to get me into a special like facility to actually look into it. But then like that message didn't get passed along. And so like two weeks later my doctor's going, "Did you go?" And I'm like, "I never got." Like so it was just kind of this like you know potential perilous moment of just like what's happening. So but I appreciated your experience as a nurse because I understood when I'm in there in the office and they're all operating

on paper is like their world is like chaos and so I was just kind of like you have no idea what I do for a living. I understand you know so but I didn't fully. So I appreciated your perspective. So from the crash cart perspective is like how do you know what equipment you have to have or you know what specialist you have to have and I don't necessarily expect you to answer that. It's just kind of like from that perspective of that experience that I had. I was wondering like are you going to have that particular specialist to look for my potentially aggressive cancer like in that moment? Probably not. I don't know. But anyway, my other

question was about HIPPA and it's kind of I started my thought process when you were talking, but my I feel like HIPPA kind of hurts us in the cyber security protection of um healthcare organizations. A lot of my clients are healthcare organizations that have experienced ransomware events and so contingency planning is obviously like what is that? It seems to be kind of the experience. Um, but I don't think that, you know, HIPPA requires it, contingency planning. They expect you to have that in place, but there's no like it's a compliance checkbox. There's no like, do you have all of the staffing needs that you have? And like, I'm over here wondering, do I need to be asking those

questions? Like, do I need to be asking them, are you preparing in your contingency planning for staffing? So, now, thanks for that. [laughter] My my clients will either be happy or very unhappy with that experience. But, you know, is HIPPA helping is kind of my question because I think that they want to pay the fine as opposed to staff um or something along those lines. But for those smaller organizations, which are a lot of my clients, you know, you talked about them going out of business or closing as a result of these events, is it because of the HIPPA breach fine impact that they're closing? like could we be preserving those rural organizations that we need their

critical infrastructure, right? Could we pre be preserving them by avoiding those fines and actually providing them some cyber security assistance? So that's kind of a question if you guys have thought about that or anything. So >> there I think there was one about crash card, one about HIPPA. Do you want to take the crash card? I'll take the HIPA. >> Sure. Can you remind me real quick? The crash card question was like how do you so if I understand correctly >> specialist >> specialists and >> your referral didn't get sent. It sounds like it sounds like you want they wanted to send you to another >> a specialist >> specialist and that referral never got

sent. >> Yes. >> I'm sorry that happened to you first of all and I'm sorry about that terrifying fine just but I'm sorry too because that that's exactly what's out there. >> Right. Right. Exactly. So I think that referrals are one example of dozens of considerations that we have to take uh into account when we think about ransomware impacts. Many people would never have thought about what happened to you being a consequence of ransomware, >> right? >> That you had this cancer scare and the person that was going to tell you whether or not you were going to live or die or need chemo or something like that never called you because an electronic message from the electronic health

record never got sent to that provider. How raise your hand if you've ever even considered that scenario as a consequence of ransomware. Raise your hand. There's a couple. Not many people do. And how many of those similar things other than referrals sending prescriptions to the pharmacy blah blah there are many many examples like that. >> To answer your question about something like crash cards. Um, we do not have all the answers, but systematically going through and having people like you kick the tires on it means we add it to this list of like, well, how is Crash Guard going to handle referrals, >> right? >> And how is it going to handle this case in this case and this case in this case?

And that's what the things that we need to get prioritize and then build into it because if we can't win hearts and minds about its effectiveness or if people say I can't do all this stuff, um, we're not going to use it, then I think we miss an opportunity. So to your answer, the way we handle referrals right now is that a referral gets printed on paper. It gets signed and then you go and have a referral that you can take to the person. You don't have to wait for them to call you. >> But there are many things we're missing on that same line. >> Sure. Um on the HIPPA question, we've got a

very very limited amount of time, so I'll try and be as brief as possible and we can commence a uh on that. Um HIPPA is a law passed in 1996 uh to protect the the portability of patient information. Um primarily the two parts that come into play with security are the security rule and the the privacy rule. Privacy is do you have agreements with other people saying that they can't do bad stuff with your data lawfully? And then the security rule is how do you ensure that no one can break into your systems and steal stuff unlawfully. Both of those over are over confidentiality rather than integrity or availability. Uh and they also don't have anything to say about the safety

and effectiveness of the systems. So you could totally have a situation in which the data you need is offline. Um it is tampered with when it comes back online. Uh the systems that you use to implement things with that data go arai and hurt someone and everything's fine with HIPPA. That's a massive policy failure that uh some of the I am the Calvary stuff has spent many many years trying to unravel. uh and improve and I think we've actually made a lot of improvement in the medical device space um helping to empower the FDA over the past decade to have better pre-market and postmarket guidance to medical device makers. Um however that does not always translate

back to the hospitals who still think about security as primarily a privacy thing rather than a safety and effectiveness of patients and uh treatment thing. Thanks. >> Can I just add one tiny thing to that? I don't think anyone knows if hospitals are closing because of the HIPPA fines. Um my anecdotal again bad evidence is that that's actually the smallest part of the of the issue is that it's a class lawsuit and more and more also is that they lose a lot of money. >> Yeah. So cash flow goes and they see less patients because they go on diversion. the patients they do see the way that hospitals bill or is by documentation when they go to paper the

documentation is so for pardon my French it's so bad that so true >> they don't get the amount of money that they normally would for the same care for the patient and so they lose money from revenue for the patients they do care of they take care of less patients and then they're fined on top of it and then there's a class action lawsuit five years later that they pay a big thing from so what I'm trying to say at is I actually don't know if we said you're not going to get hippopedin that that change the equation. And I don't think you're going to be able to give them like class action lawsuit indeification

because they got ransomed. I don't think you're going to be able to stop the revenue. Like I don't think CMS is going to pay them the same amount for the hospital for the patient care before the ransomware attacker after so they still make the same amount of money. Like what I'm trying to get at is uh we don't know. I don't think it's HIPPA is a significant portion of that. I could be wrong. But what we should do is a study, right? We should take all the p all the hospitals got ransomed and ask them like how much they lost and why they lost it so we can say what the best policy targets are if we want to stop hospitals

from closing. We better get good data to make that decision. That data does not exist to my knowledge. >> All right. Great. So I I work in IT and my your comments about staff safety resonated very strongly with me. I've recently been learning about the national incident management system and the healthcare incident management system. Uh and it's been very interesting. One of the side notes that's not related to healthcare or it is the uh wildfire or the national wildfire coordinating group and its set of standing orders. They have 18 standing orders for all firefighters that fight in wildlands. A couple of them are the fire is not scouted or sized up in you are firefighting in

country that has not been seen in daylight. Their safety zones and escape routes are not known. Now, while that's very useful for firefighters and not useful for healthcare or IT, these are 18 orders that are if you are in this situation, you need to stop. You need to take a step back and assess what it is that you're doing. Could it and healthcare benefit from a set of standing orders that says if you are in this situation, it is better to do nothing and not become part of the emergency than it is to do something and become part of the problem. So, what would those standing orders look like, do you think? >> Nobody's coming, brother.

>> So, I'm just going to tell you, we I I am affiliated with many other nurses. >> We're all fighting for the same thing. We're all trying to do the same thing. and and until we get some legislation in there, like I like I said, I've had staffing matrix in my contract since 2004, I put big teeth in it and they're still violating it. They don't care. They need to be accountable either to the state on a state level or federal level because until then they're going to go profits over patients and that's exactly what's I love the idea. I commend it and that's what we're out there fighting for. So, I'm with you 100%.

>> Thank you. >> Okay. Please join me in thanking our wonderful panelists for this fabulous. >> Wonderful. Thank you guys. You guys are awesome. I love you guys. Love you guys. >> Thank you so much. Uh we are back here at 5:00 p.m. So, uh 58 58 minutes. Mr. Jos asked me what are we going to talk about? We're going to talk about two very important things. One is food and food safety and food safety relevant issues. We all like to eat, don't you? I I like to eat. You can look at me and say, "Dave, I can tell you like to eat." So, we're going to talk about food and then we're going to talk about endof

life devices with the stipulation that an endof life device should not end your life. Probably you're interested in that. So, come on back at 5:00 p.m. and we're going to talk about both these things. Thank you.