
...we always hear about, and in an ideal world we want [unintelligible]. If you are a hospital and through some reason you've got a ransomware infection on your internal network that could put lives at risk, then you have to, yes. It's a very different situation, right? Nobody wants to do it, but someone at the [unintelligible] has to quantify [it].

So, about me: I currently work in compliance, previously in managed care, for security [unintelligible]. Let's do that. About this topic, some disclaimers. [I've been] in industry, so I spent a lot of time thinking about what this talk is, and as I was making the slides I identified this problem [unintelligible] research. So I want to take this opportunity in this talk to talk about some of the threats that maybe didn't exist ten years ago. But I've signed so many NDAs that I don't even talk about [them]. I work in so many different environments touching EHRs and [unintelligible] providers; I've worked at a series of clinical research labs. There's a lot of stuff there, and there will be at times things that I [unintelligible]. Also, I'm not trying to [unintelligible]. So, the path less traveled: this might not, probably is not, applicable today, but it might [be].

So I like to start off with, you know, you hear "an adversary": how do you get information? And out there, there are a couple of really good ways that you can [unintelligible]. So, the Accreditation Council for Graduate Medical Education: if you have a residency or fellowship program you are ACGME-certified, or you're accredited by [unintelligible]. So luckily for us they have the website where you can get all the information you could possibly want, right? So here's a website where you can filter by institution, by [unintelligible], by anything. And so, Washington State. I come from the Seattle area. I don't want to pick on the University of Washington, I just want to filter through Washington, and I'm just going to pick the very first result. This is completely random; I have nothing against the University of Washington, they're just showing something. So I search for Washington State, and the very first program you see here is Allergy and Immunology, University of Washington, Seattle. Again, when you go to the page you can get a lot of information. So usually you'll have director information and coordinator information. This is all public knowledge, so I didn't censor any of the data, because you can go out, without a subscription, without a paywall, and find this information. The point is, you know, if you want to get the director's email address you can just get it; if you want to get the phone number, fax number, you can just get [it], and usually there will be a coordinator there as well. In this case you [unintelligible].

So later on today [unintelligible], you can see there's a link to the actual [program page], and again it's the first one on the list, I just had to pick something, and this is just to demonstrate. You know what? The program staff: I work in allergy and immunology, I know specifically the program, because the presentation information is public. And so when you go on here, most universities are going to list their fellows, or leadership, administrative staff, so you can gather phone numbers, you can get their email addresses. So if you want to be very targeted, [unintelligible]. You're going after [unintelligible]. It's the Centers for Medicare and Medicaid Services, but probably what you don't think about is [unintelligible]. So, MIPS [unintelligible]: essentially, you know, there's a lot of things, one of the things we [unintelligible], and how you can even create your own quality measures. And so my last [unintelligible], we may not run all the quality metrics, right? So if everyone's doing something else, if you want to be targeted about that, you can just open the spreadsheet that they have on their website; anybody can access [it]. You can find out email addresses, you can find phone numbers, but more importantly you can find out what they're collecting, what services they're offering. So you can be very [targeted]. [unintelligible]. Now you can say, okay, well, is this provider [unintelligible]? Yes, totally: there's a public tool you can access today where you can put in their NPI number and see if they are part of MIPS. Chances are [unintelligible].

So the previous slide, that tool would ask for an NPI number. Well, how do you get someone's NPI number? Well, there's a tool for that: you can find a person's NPI number just by searching; [it's] available today.

Probably most important in this talk is using research papers to enumerate the target environment. And so how many of you have gone to, like, Nature or Cell and read through a peer-reviewed scientific research paper to get detailed information about the software [and] equipment that [they use]? Perfect. So I just picked one on PLOS ONE; this is a brief research article from Greece. And so if you're just going about your day and you see this, you're like, "cool, why does this matter?" Well, there are a couple of things. First, you know, every single person matters. From the previous slide, [unintelligible] is probably gone [unintelligible], so you can get their contact information, and most of these are going to be postdocs or PhD students, and so they're responsive, but you also find what institutions they're part of, so you can start to get that picture. So you read this, you're going through the article, whatever: "this is cool, glial cells in [unintelligible], why does this matter?" Well, when you read through this you're like, okay, [unintelligible], whatever, that doesn't mean anything. But then you start reading through it a little bit more and you start to uncover a really interesting story about what kind of devices [they use]. And so they made mention that RNA was evaluated with a Bioanalyzer, [unintelligible], so the chip is going to be [unintelligible], or the Agilent 2100 Bioanalyzer. Okay, so now you have one piece of equipment; you know which model [unintelligible]; you don't check their [unintelligible]; and then you can find out the software they're using. Okay, that's interesting, there's probably not much more. Then you kind of dig deeper and you find, oh, they're also [unintelligible], you see that denoted by [unintelligible], okay, that's cool, there's probably not much more information. Oh wait, they're also using the Bio-Rad [unintelligible] 4800 real-time PCR; oh, they're using the Bio-Rad CFX. And so we'll build it to more detail.

So where do you find these publications? You've got somebody's name, you know what institution they're part of; everyone's getting published. If you want to get into med school nowadays you're probably going to have to be published in some way or another. That's obviously not true in all cases. Graduate students, MD/PhD students, don't even talk about it. And then we publish our research. There are obviously many publications, but where do you find them? Well, you know, you have Science and Nature, which are, like, the big ones; that's where all the most impactful stuff goes, [unintelligible] the Harvards and the University of Washingtons and the Stanfords. Interestingly, the University of Buffalo has a really good [unintelligible], like my [unintelligible]. You can also search PubMed, Google Scholar. Some of these are free, some of those are quite [pricey]; Nature you have to [pay for]. Now, I'm not saying either use the service, but if you're, you know, [on an] engagement and you're an adversary and you can't find this thing that was published yesterday, I can't say that I've [used] [unintelligible] website.

[unintelligible]. So this is really cool. This is the social media era, reaching doctors, and especially med students who grew up on Facebook and Instagram. This one's really interesting, and so I blocked out the faces; I don't want to, you know, call specific people out, but this is a pretty popular one. And so what's wrong with this picture? Well, what's wrong with this picture is: I know who the doctor is, I know what ward this is, I know what department this is, but I also now know what [unintelligible], and [unintelligible], I know the operating system they're using, and I know, you know, what applications they're using. We can probably [get], from this, application or software versions. Now I also know that I can find these people's email addresses, and I know that if they were on rotation they're probably in this ward, they're probably going to talk about it on the blog, and they've probably opened up emails here, because maybe I've seen them opening up emails here. And so now I can start to put together a picture of, okay, if I'm targeting someone in a very specific way. You know, this is like ten minutes [for] me; this isn't anything special, I just [looked], but they're everywhere.

That's an interesting one. This is another interesting one. So, you know, again, for this I can [tell] what operating system you're using, I can probably gather that you're using certain applications; I see Internet Explorer is still very, very popular; I can see that [it has] access to the internet; I also know what [unit] this is part of, and I can start to figure out, if somebody is on rotation here, they're probably going to be using this computer for research, and if I send them an email and they open it, all of these applications they're going through [are] there. So if it's an e-book, you know, science is advancing, but what do you see wrong with this picture? This is just one example of the many times I've seen this. What's wrong, up in the top right? So I spent hours and hours obsessing over finding this one shot. This is me, you know, dragging the [scrubber] on YouTube videos to see the frames, to kind of, like, yeah, you know, find places in the video. They're just [unintelligible] videos. This isn't [unintelligible]. So I specifically picked this one because everything is identified, but it shows that, you know, I have the username, the address [of the] TCP server, and later on in the video you can actually see what [unintelligible] they're using. And so now I just enumerated your entire environment, and it's probably not very hard to find something, because, you know, everybody sort of [unintelligible]. And then here I can tell, you know, what [tools] you're using, I can see what security solution you're using. This is probably the least [interesting] example, but, you know, here I can see that [unintelligible], so, you know, maybe I'm [unintelligible], or there's another way, and I now know what your type of enterprise [software] is.
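The following is an added editorial example, not part of the talk or the speaker's slides: a small Python extractor for the "read the methods section to enumerate the lab's equipment" technique described above. The sample methods text is constructed for the example (it is not quoted from any real paper), and the two regular expressions encode an assumption about how papers cite instruments and software ("<Model> (<Vendor>, <City>, ...)" and "<Product> software version X.Y" / "<Product> vX.Y"), which is a common convention but not a guarantee.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample methods section (not taken from any real paper); the
# vendor/model names are the kind a methods section typically cites.
SAMPLE_METHODS = """
Total RNA integrity was assessed on an Agilent 2100 Bioanalyzer (Agilent
Technologies, Santa Clara, CA) using the RNA 6000 Nano kit. Quantitative PCR
was run on a CFX96 Touch Real-Time PCR Detection System (Bio-Rad, Hercules,
CA) and analysed with CFX Manager software version 3.1. Libraries were
sequenced on an Ion PGM System (Thermo Fisher Scientific, Waltham, MA) and
processed with Torrent Suite v5.0.
"""

# Assumed citation convention: "<Model words> (<Vendor>, <City>, ...)".
# The model is the run of capitalised/numeric tokens right before the
# parenthesis; the vendor is the text before the first comma inside it.
INSTRUMENT_RE = re.compile(
    r"((?:[A-Z0-9][\w\-]*\s+)+)\(([A-Z][^,()]+),\s*[^()]+\)"
)

# Assumed convention for software: "X software version 3.1" or "X v5.0".
SOFTWARE_RE = re.compile(
    r"((?:[A-Z][\w\-]*\s+){1,4})(?:software\s+)?(?:[Vv]ersion|v)\s*\.?\s*(\d+(?:\.\d+)+)"
)


@dataclass
class Finding:
    kind: str                 # "instrument" or "software"
    name: str                 # model or product name
    vendor: Optional[str]     # None when the text does not name one
    version: Optional[str]    # software version when stated
    evidence: str             # the matched text, kept for the report


def enumerate_equipment(text: str) -> list[Finding]:
    """Extract instrument and software mentions from a methods section."""
    flat = re.sub(r"\s+", " ", text).strip()   # undo PDF/HTML line wrapping
    findings: list[Finding] = []
    for m in INSTRUMENT_RE.finditer(flat):
        findings.append(Finding("instrument", m.group(1).strip(),
                                m.group(2).strip(), None, m.group(0)))
    for m in SOFTWARE_RE.finditer(flat):
        findings.append(Finding("software", m.group(1).strip(),
                                None, m.group(2), m.group(0)))
    return findings


def inventory_by_vendor(findings: list[Finding]) -> dict[str, list[str]]:
    """Group instrument models by vendor: the view you want when deciding
    which vendor manuals and advisories to pull next."""
    inv: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "instrument":
            inv.setdefault(f.vendor, []).append(f.name)
    return inv


if __name__ == "__main__":
    found = enumerate_equipment(SAMPLE_METHODS)
    for f in found:
        print(f"{f.kind:10} {f.name:45} vendor={f.vendor} version={f.version}")
    print(inventory_by_vendor(found))
```

The same two functions run unchanged over the text of a real methods section; the point of keeping `evidence` is that every inventory line can be traced back to the sentence it came from when the list is handed to an asset owner.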
So what are the targets of interest? We're talking about healthcare and the life sciences. What's really interesting, and so when I was doing research, so I did some research at the Fred Hutchinson Cancer Research Center, and at the same time, so I'm looking at all this stuff from the security perspective. I grew up breaking everything, I'm just saying, "how can I exploit this?" And it turns out there's actually a lot you can do in there, a lot of targets. The first is patient outcomes and quality initiatives, and my last one, [unintelligible] patient reported outcome measures. And there are a lot of problems with the system, from the vendors to the places that [you] can go to upload these massive databases of patient data. But probably most concerning is, like, if you've had a hip replacement you're probably in one of these, and that's kind of problematic for a few reasons. So, like, there's AJRR. So who here has ever submitted [to] that? Everyone's doing that; if you think your hospital isn't doing it, they're probably doing [it]. [unintelligible] technical decisions; this is your hospital sneaking away.

So what are the common third-party vendors? Well, there are many of them. You can target many of them. I can't talk specifically about most of these because I've worked with them in some substantial way. You have feedback centers, you have patient reported outcome vendors, you have EHR information [unintelligible]. It's a probably specific vendor, but [unintelligible]. This is all that you see there; it's a random [unintelligible], okay, that's fine. We'll get to why this is all kind of [unintelligible]. I'll try to talk [unintelligible]. I really wanted to talk about this, but I've worked really hands-on with EHR integration, EHR vendors; I just can't talk about it. There's some really good [research] out there on attacking HL7 interfaces [unintelligible]. And so imagine if you're no longer [unintelligible]; that's obviously [unintelligible]. And so this is going to be the focus of this. We think about [unintelligible], but if you're part of a non-profit research center, an institution, there is so much more to this, and healthcare is becoming so much more than just these cardiac implants or these [unintelligible]. So consider all the moving parts; there's so much going on. There's DNA sequencing; think about personalized medicine. PCR machines for amplifying DNA, microarray instruments, flow cytometers for research. There's medical devices; you have, like, heat and cold baths for your samples. So it's not just, you know, your typical medical devices; there's a lot. But the story is much more [extensive]. A big problem with a lot of this is everybody's trying to get an edge. Everything, you know, there's just vulnerability after vulnerability, [unintelligible], but also things that you see, that's a problem. And there's also the software toolkit. And so most of these are Windows-based software. There is no ASLR. Just take any file that you want, I'm not saying anything, but if you were to go and fuzz these with AFL you might find something, and [unintelligible]. But, you know, these files are random in nature, right? There is no antivirus on the planet that's willing to detect something that's going to get you SYSTEM.

So let's get to the meat and potatoes of all of this. I'm talking about all this equipment; you're like, "I'll get your truth or whatever," but what are the actual attacks that we can do? And so this is going to be half talking about the attacks and talking about the science, because the context here matters, how the stuff is used.

So going back to, you know, the problem: on the [registry] there's just nothing. It's one of the largest orthopedic data registries on the planet. There's no TLS. I reported it; I worked with them; I reported it; it's still not there. So what's the problem? Yeah, it's a registered login, right? There's, again, no TLS. [unintelligible] is an actual third-party vendor that hosts the database. Yes, there's still [TLS there] and their security is probably pretty good, but everybody goes through it from here. How hard would it be to find some [bug] in an outdated WordPress site, with no TLS and no sub-resource [integrity], everything? I don't know, I've never tried it, but if you were to try it... And here's another example, MARCQI of Michigan. This is the big quality database, and same thing. Their [unintelligible], no TLS, WordPress site, [login] interface here. How hard would it be to find something wrong with this website, change the link to the database, steal the credentials and get in? And this speaks to a larger problem with all the outcomes [registries]: all of these are supported by these big insurance companies. And so in the example of MARCQI, right, it's part of the Blue Cross Blue Shield of Michigan [program], and so here you can see MARCQI on the list, and again this has all the [unintelligible]. [It's] actually [hard] for you to report these issues and get a serious response, which is part of the larger problem, where, like, they already know about [it] and it's just falling on deaf ears. Yeah, I'd like to talk more about the actual patient outcomes. And then here's [unintelligible] partnerships [unintelligible] where you learn about all that information and you go to register for all these programs, and again, no TLS. So this is putting together this presentation. So researchers from [unintelligible]. It's practically unacceptable. There's not much you can do. Somebody can get inside their network, which [unintelligible] probably isn't very difficult. Then, you know, like, can you trust your images, right? And this speaks to... this is a proof of concept, not just for this MRI but every other device that you see.
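The following is an added editorial example, not code from the talk or from any registry or vendor named in it: a Python audit of the failure mode the speaker describes for the registry login pages, a credential form on a plaintext page, sub-resources pulled over HTTP, and a link to the real database that anyone who can tamper with the plaintext page could rewrite. The page markup, the response headers and the host names (`registry.example`, `cdn.example`, `data.vendor.example`) are all constructed for the example and assumed, not captured from a real site; the check uses only the standard library so it runs offline on a saved page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed markup standing in for a registry's member-login page served over
# plain HTTP. The host names are placeholders (.example), not real sites.
PAGE_URL = "http://registry.example/login/"
PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="//cdn.example/jquery.js"></script>
</head><body>
<form id="login" method="post" action="/wp-login.php">
  <input type="text" name="log"><input type="password" name="pwd">
</form>
<form method="get" action="https://registry.example/search">
  <input type="text" name="q">
</form>
<a href="https://data.vendor.example/portal">Go to the outcomes database</a>
</body></html>
"""
PAGE_HEADERS = {"Content-Type": "text/html"}   # constructed; no HSTS header


class LoginPageParser(HTMLParser):
    """Collect forms (and whether they carry a password field), sub-resources and links."""

    def __init__(self):
        super().__init__()
        self.forms = []        # {"action", "method", "has_password"}
        self.resources = []    # script/link/img/iframe URLs as written
        self.links = []        # <a href> targets as written
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag in ("script", "link", "img", "iframe"):
            src = a.get("src") or a.get("href")
            if src:
                self.resources.append(src)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_login_page(url, html, headers):
    """Return (finding, subject) pairs for the transport weaknesses of a login page."""
    parser = LoginPageParser()
    parser.feed(html)
    page = urlsplit(url)
    findings = []
    if page.scheme != "https":
        findings.append(("PAGE_NOT_HTTPS", url))
    elif not any(k.lower() == "strict-transport-security" for k in headers):
        findings.append(("NO_HSTS", url))
    for form in parser.forms:
        if not form["has_password"]:
            continue  # only credential-bearing forms matter here
        action = urljoin(url, form["action"])
        if urlsplit(action).scheme != "https":
            findings.append(("CREDENTIAL_FORM_OVER_HTTP", action))
        if form["method"] != "post":
            findings.append(("CREDENTIAL_FORM_NOT_POST", action))
    for res in parser.resources:
        full = urljoin(url, res)   # resolves "//cdn/..." to the page's own scheme
        if urlsplit(full).scheme != "https":
            findings.append(("SUBRESOURCE_OVER_HTTP", full))
    if page.scheme != "https":
        # On a plaintext page an on-path attacker (or whoever owns the CMS) can
        # rewrite the link to the real database and harvest credentials there.
        for href in parser.links:
            target = urljoin(url, href)
            if urlsplit(target).netloc != page.netloc:
                findings.append(("OFFSITE_LINK_ON_TAMPERABLE_PAGE", target))
    return findings


if __name__ == "__main__":
    for code, subject in audit_login_page(PAGE_URL, PAGE_HTML, PAGE_HEADERS):
        print(f"{code:34} {subject}")
```

Re-running the same audit with the page URL switched to `https://` and an HSTS header present leaves only the absolute `http://` stylesheet flagged, which is the mixed-content case that survives a simple "turn on TLS" fix; the protocol-relative script resolves to HTTPS on its own.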
[Music] absolutely so here they just say 18 hundred and forty-nine plus $140 and so here's just at the a website showing that you know this stuff is happening so medical devices all the time and so if we know about the medical devices the MRI machines a little more concerning than things in the past what's really the problem well this is this 1848 this is the full standard or how do you design through your network medical devices you know why are these the fusion cost but it's more or less the same thing everyone's going to have an architecture like this or a couple of people and this is essentially what it looks like and you know luckily VLANs
are used but you know it's a traditional you know the heart is in the perimeter across that's a big problem when you're in Europe in and we'll talk about more why you know these new lands and these security appliances between as we already solved that problem if you're in the network like this if you're if you're motivated that's honest but first I want to talk about this this is the all-important ppm Personal Genome [Music] back in 2003 that's what 15 20 years to sequence the first human genome it's about five billion dollars and now we have a machine not necessarily the best but now you have machines that can do it for $2,000 so the advancement technology
has gone far but these devices are really important because they were used in verifying everything that happens right so when you create something let's say a gene that would be the way you verify this witness this is the architecture of that machine you have I don't began for ion PGM for a server which is just on a new login it's pretty much an outdated abuja box
I wouldn't know this but and then you're connecting to the G no machines the the actual sequencers and the as well why don't you just speak encrypt their firmware packages with their private Internet attitude and so the way these of these so this appointment is in any healthcare substantial healthcare environment you're probably going to have some sequencing probably so here I just want to highlight at the point that these devices are not making dirty money right so here you have a in corporate 3 and 22 or a sensation remote support and this is all done through really really outdated Moodle box and it's unlike so it's genome sequence it's just a host that's okay right I
just want to highlight the point back you know what smoochy because the user manuals of public find all this hopefully and you see that Internet access
and this goes back to what we were talking about with the promo right so yes is encrypted that's nice it's gonna stop me for a little bit but as you're going through this process this guy it only works if you don't put the same key every single device and if you're part of that community that's looking at this up it doesn't really know so and then you start talking about okay well how do I get remote connection well some devices not not necessarily that I own PGN may have hard-coded credentials that can take you directly into hospitals new land where all their research division and all of their other research equipment is and nobody knows
about it because how many of you here if you work in a health setting work with your principal investigators to inventory all devices that are purchased with an ro1 white book like you hear that your life lesson far away right and that's kind of a problem this is part of the same network infrastructure that's going to rip MRI machines in their cap scans and the tools you're using to you know measure Bibles maybe it's all going to the same place we saw a big problem is that poverty hitting them so a lot of this is going on to the cloud for one reason or another there's also from mobile app earlier in this conference if you went to that talk
about the glucose meter there was also an app and through some certificate pending magic and a little bit of basic defensive security you were able to gain access to that and so this right here is the thermocycler this is what you use to sort of unwind the DNA of the development part of every and this year is just a basic standard circuits also cloud-connected this is what you use to sequence your DNA it's also platform you can control it through the platform at the back all this boots in place you can sell posts nobody does that everybody uses success offering but what's the problem with this mission I don't know I don't know this is a tough
one to say I can't really but
it's on a single you situations no load balancer no security of clients no laughs and I think is considered single so this is a henna partnership well this one is no it's not this actually this is a master Commodore that looks at proteins this important beginning and it's the same thing that's wrong with everything is essentially who moves you to and I have the suspicion cannot confirm this that none of them use something which would be great
antivirus intentful protection is probably one of my favorite things to talk about because it's so prevalent now I'll just preface this by saying I'm not as intense about this as some of the researchers out there artists but I do remember writing my first little bit of code to completely take down an infrastructure do not have serviced by just sending a file to Austin so this is Lisa Jeff Kennett oh she's a security researcher and she made a really good read about anti viruses so she says one thing I like about attacking antivirus software is that in architectural ink we're just every conceivable conceivable attack vector format Marketing System Kali acrobats browser extensions kernel modules with dioctyl and in this
industry dynamic base life pretty much doesn't exist because this is well documented in the handbook I strongly recommend that read so it is what it is and it was no the updates simply issues Ciara rate zero JavaScript interpreter and later vol sideloading third-party software let web interfaces do some fancy open source database and so if you've ever deployed one of these things you know about dozens of open their
little bar for entry and so that's that's high praise the vector this factor in else you so kind of taking a setback usually one to do is write a buzzer defined what random violent I generally to make this in crash is there a way I can escalating quickly do this here one percent of the total attack surface people are starting
she says she did her first an arts project probably around the same time which is in our panelist she repeats it a few once you know few years just to refresh for reverse engineering skills and so the security for anti-viruses there's a lot go in there it's getting better Microsoft is doing some cool stuff with Windows Defender you know this artist how the metals out there still do not sandbox me and those kind of so what might be
right there everywhere I hope we'll talk about why that is and so has anybody really looked at this have antivirus is being exploited in any meaningful way and the answer is yes and so tax or money is very outspoken about viruses about disaster they can this is one of the first highlighted so many different problems the chaos and motivated attacker could cost to peace systems namely something that has over some salt there's a realistic local rat this is a project zero researcher turns out this papers all the time so this product should only ever be considered for low value non-critical systems and ever deployed on networks on bargains or completely compromised adversaries would inconvenient and so the problem is in
health care this is everywhere will I can see a diagram how this is just you know some people are kind of looking at it it's a hardened target only nation-states are doing like like people are doing this as hot gives researchers they're getting system access by this is a significant problem and if you're in a health care network that has an Argus installed on every single end point and every end user is protected by a virus you know you can obviously use this to your advantage so here are the considerations or the recommendations that the newspaper about subs I think this was back in 2012 also the since changed but I just wanted and it started
long ago this isn't something new that people are just it says they exclude Silva's products and considerations of high colony members and so if you have
but that's what I'm contacting your MRI machine or attachments protecting you from MRI machine no sequencers then like that's a problem that's a pretty big problem security researcher recommendation like this this is a strong recommendation indicates everyone that and so if I'm going if I'm ever doing an assessment into a healthcare network one of the things I yeah if your patient reported a center you know we have something on capture what's capsulate important because you need high percentage of patients who get the survey to fill it out seeking a financial reversal now what have you most centers do this well they do what's the problem probably even antivirus activated that's a problem right so I've seen this a the
sort of attack introduction before we might leave our missile people where people will ship files to you know middle server hoping that it's all just one big piece intuitive sense which oftentimes it is never deploy so this products advices that count updated easily health care this is a huge problem that how much time to update is it's very very long and even the license it says it took them several months to fix it which they did so by changing and so this is not unusual and I understand it takes a long time for these updates go and so you know by the time that update is released maybe healthcare organization is already then they have to delay it even more you
can get it here plus for you to make any sort of significant action this is a piece of paper and I'm using taxes work as an example because it's high-profile there's a lot of legitimacy there and there's a proof of concept but there were many other examples there's one teenager who had a blog who's going after big defenders engine so you have like a big defender specifically you have an integer overflow that was important by the zero day initiative that was really bad there was a blog talking about engine exploits a big defender back in 2017 Plus this this person provided a sub R bypasses and so he has a great mitigation that was also
a problem this is the so essentially what he does is he blows a web page and everything goes explodes right so this is the problem and you can see the proof of concept code you can run this for yourself this is all the real stuff so he says in this paper that music can be completely compromised complete compromises allow reading my mind [Music] right and so what you're talking about writing an attack like and why you know they have a lot going on if they are making a lot of noise in the system you need a lot of permission and privileges to do that and so how did you get to that point right you can obviously fish
but you know when you get that you know more close to the pork instead of me probably with no more organs it's a great way to do that that's how I would do it there DZero indication of compromise as disk i/o is a normal part of the operating operation of the system there is ZERO user interaction required so these aren't some dystopian risks that you know may or may not be happening like this is research and it's being published for years now and we know this and so this also from is 1800 weeks this is essentially the best advice that you get or protecting these they did this is it have network and then and so you might be thinking you
know people we mentioned he said if defenders so pose you know semantics is on one but thanks to some guy getting down this on LinkedIn to share this post just as I was making this this presentation well what it looks like someone who just figured it out they have an ex way for semantics that they're going to push proof of concept code out and it took what is it 140 days and that's it like this is a real problem you know if you're getting here this isn't just this isn't greater stuff that you have to look really hard to get this isn't something that happened to make you know working that's what this is huge running a buzzer knowing
some basic excellent development in know we have a SLR isn't a problem because your targets running Windows XP and these protection software's don't use SLR anyway most of the time I mean this is real stuff that's happening right now and so why is that is such a big part of this pot we're gonna we're gonna type all this in to talk about more of the specifics of the attacks you can do existing how many of you recognize this
protection from malicious software procedures for guarding against attacking and reporting malicious software your compliance team is going to tell you this is an anti-virus we need an artist some sort of endpoint protection it is what it is show seven and hit but is federal regulation
so you can say okay well they're a bunch of other protection mechanisms out there you can deploy Cisco ASA's and you can do all this security compliance it is there's a lot out there that you can use well here to see these from 2018 how many of you remember is a whole Cisco debacle with being able to yeah so there are a few of you here right and so you could say well we have all these things and you know SSL VPN and that's protecting access so like when I take my new pup ahem sometimes maybe I did one for some unnamed predatory you see maybe whose pesticide week is extensively government they also use it extensively
in health care for some applications it's becoming more than a comment and sit around this well people are getting rear-ended all the time this is just one example at this time right this isn't some one people are looking at these systems are realizing the actual code that's running this stuff it's really cool Gorman's in mind and don't have security acronym and don't have any mandate to make it secure right and so C and C++ known for its spectacular memory sickness and almost all these products and so you know why do we want to rely so much on the C and C++ sometimes we can't do that and so that that's kind of the problem and this was a great talk
Def Con 23 by my spot urban and more about medical devices and this this slide really stood out to me I think it's something that needs to be talked about more in industry malicious intent is not right so if you can cause a lot of damage up down an entire Hospital and we saw that with 105 you guys remember the you know what they did was like everyone but everything shut down right and what if you don't have a system in place to go to then overseas that's make many more and more with base right so you don't need somebody who's intentionally trying to shut down a health systems cause of all of this and
so I wanted to tie all this and so these are siblings who were cured what disease is named after a boy who was had this disease called skin they wanted before there was any remedy or cure they literally put him in a bottle has anyone seen that documentary yeah so one person has so when I was that Fred hutch this is what I work on X kit so skin is severe combined immunodeficiency and the only way to treat it is the gene though there's not a cure you're born without any use and so how did we get to this point that their baby well there's process involved so okay we just talked about all the medical
devices and the sequencers why does this all matter how can it be attack let's think about how this is all done the first step of the process is we need to identify that the person has the disease and so you've run it through all this equipment that generates results that event cross no way to verify the integrity of the data is that right there's no way for you to really know is what
do we need to vote me a blinkers that means you have to shoot high intensity variation into their body and destroy their immune system and get rid of their from their right but previously you would take some bone marrow and then you would use gene therapy to change their senses so that you can correct a genetic mutation that causes right so to do that we're using sequencing they're using PCR s we're using all of this equipment you know you're relying under machine collaboration to give you the right intensity of radiation but what if it doesn't like what what if it doesn't that's a problem what if your sequencer produces results that don't make sense or that aren't being honest to you
what if your MRI you know doesn't show it to you that's the problem right and so doing the gene edit these cells you would put it back into the body and then some percentage of those cells will have the correct version of the gene and because they're stronger than they have more like whether it's a bride that's going to
we fix that genetic mutation there's a process together and so this is also from the French so I was at the the team laps on this using that work as an example this one of the the post-ops there and essentially modified stem cells to generate a compound that base HIV P and the same process goes into that right the same process goes into you modifying the cells and verifying that they're there and then you put it back into the body and how many of you heard of this gene editing in a boss this is real so this is a Dr. Jennifer dare
and it's essentially the pool a medical device that essentially automates the process of machine modification this stuff is so cool and next level but the point is in 2003 five million dollars to sync them to sequence a single genome now we have as you mentioned entering a gene therapy in a box right this is background in 2016 and it's probably far more advanced now and so one in front of it isn't that people are going around ruining these sequencers but healthcare today is not the healthcare of tomorrow and we're using now gene editing to combat cancer we're making yourselves more resistant to chemotherapy all of these devices and tools for abuse for them but oftentimes it involves stem
cells that's controversial and there's nation-state involvement in this it's going to become a problem eventually and I just want people to be aware of it that you should be looking at the schools in the context in which other use you should be looking 10 years from now you should be thinking about if somebody really wanted to reach out how hard would it be accidental are you talking about CRISPR-Cas9 you can use any so you can use TALENs you can use CRISPR-Cas9 which is what I worked on you can use zinc fingers it doesn't really matter right so so the key there is really just you need to get the use of eye rested to carry that
stuff and then electroporate it into cells and so as long as you can get that electroporation and that sort of wedding the virus and enter the cells to modify other than this but you can use just about anything which is like so kind of one might want people are going to do so it costs two hundred three hundred thousand dollars to me so I only have a few more minutes I want to end on a positive note my first recommendation is how to plan and practice it so this was University of Arizona where that's wrong I'm not having a CT scanner think about that somebody might introduce malware is your system that targets cars and shut everything down
denial of service you don't mean that's what else to do that if you literally just want a fuzzer and run off cause until you find something that crashes let's practice that and so I bought that they're publicizing that and my second recommendation is if you're having trouble getting people to understand what the problem is or to make you know systemic change within the organization speak their language so in writing often you know the status was they're trying to achieve an objective and you do it easiest way possible if you're having a very internal writing and you're having trouble getting people to listen if you tell that exactly be effective patient reported outcomes platform was phones were that you have
proven concept that you can shut down an entire political warrant or modify the genome sequence a researcher is working on like think of a institution found out you know their devices were compromised a year prior and now they have no way to tell whether or not the work they could be doing for the past year is legit or not but you don't know that's all this like computer 214 just processing of stuff and you can produce keys in it and it puts data on your USB you know quickly a data onto the machine like who knows what's going on there like that can ruin your brand so so be creative about that process there were
recommendations is devices are devices that were otherwise needed for to them understand how their use and threaten all of them based off of current research you're not thinking about how antivirus will be and artisans can be used as an attack either people are already doing this and so the people I have spoken to in the in response field nobody will give me specifics because they signed NDA's that will just blow your head off but I've got multiple confirmations that this is happening in large academic research centers so antivirus is our target and so not just a metaphor you'd find a partner in your organization that does research the main source of funding in these institutions
whether it's a big Hospital or academic center or R01 grants so look that up find out for every lab who's who's managing this because a lab manager is volume isn't for men can create on your network and nobody knows it is big recommendation is we need SSO samandar we're gonna make a fortune doing this but not just started not so deserver trust if you're just doing Nessa so that's great but we need one part four zero across the whole thing not to this couple of parts of it why he entire thing needs to be reworked eventually the next decade or two for never trust the six recommendation here men are recent antivirus is everywhere and and there's a lot of additional risk
and don't really need when if maybe you have a good alternative is it's it's complicated it's a pure bender find solutions that incorporate security and compliance compliance easier seventh recommendation is ask yourself basic questions like how do you want me to know that our rights giving us good results if you don't have a good answer for that be honest about that if you do that for your managed don't use the reasoning of involve nobody's going to target this so it's it's no big deal just be honest about it and a recommendation and I talked about this earlier health care today is different and what its gonna be like ten years from now this integration of life
sciences and health care medical devices that we the plants that's one piece of the puzzle nobody's looking at the security of these devices they're connecting to your core network you can do it so that's it
actually not true not true at all 510(k) certification changed years ago to where they actually have to be doing kind of a best-effort is what it amounts to to where the FDA says you do not for security purposes you do not have to go back through the recertification process
I've helped enact change at large to letter healthcare companies that using that exact methodology and going through US-CERT and having them get involved so one thing I would add is that there's still the certain medical device manufacturers would not be very focused on helping them do not be adversarial because that's when a backfire and if you don't get good results reported to the FDA so that's what happened with the same shoes with their cardiac implants is they weren't able to verify the vulnerability there's nothing there researchers went FDA FDA investigated they confirmed the vulnerabilities and then states issued affirmative and so like there's an avenue but it's still it's it's a lot less I'm sure than others that brings up
one of the medical doctors that I've worked with that talks a lot about the vulnerabilities but yes
but he said that with medical devices and the vulnerable as they are particularly the St. Jude's heart pacemaker there is a certain number of reinfection that occur and people get hurt so that's a known element they know that they're going to die they're going to be infected but there is not a number of people that have unknown security risk that make you late versus this known you're actually going to get an infection who's know a certain number actually going to get infections to upgrade this security yeah so we've been healthcare in the life sciences in particular this is a problem that has to be fixed over the forces 20 years there is no short-term base you
can't tell somebody well we're going to disregard all clinical recommendations for the sake of this unknown security risk for somebody may or may not die when you know somebody well so this is this is a risk management question I think more politically there's nothing practically speaking that we can do in the short term suicide because these things are already in patients and they're going to stay in patients for a long time and so that point you have to ask yourself a question of what is the best thing I can do right there is no perfect solution but probably the best thing that you can do is just try to bring awareness to these issues how
manufacturers you know design products in the future with these considerations in minds advance the technology and get to a better State I think it's again they taught their the title of this talk is the offensive path less traveled for a reason these things aren't happening at scale in the way that maybe and that's a good thing so we still have a really good opportunity to think about these problems and come up and roll out long term solutions like we should absolutely do that and what it started me to give this talk in particular is I want to create a base point for where she where should you be looking at and so hopefully that's going to drive some
interest in change but that's that's you know that's the problem right if you get rid of Windows XP the clinical work was good right and so I'm not I don't want to I don't want to come off as I that I want to address the problem and to say that if you're into a new medical center or clinic but you don't have a better choice and that's the problem it's like what else are we going
the way I like to think about it as ten years ago if you wanted to learn how to do exploits you know like what would you do right like if you had conferences you can do some folks you could buy now you can literally find the YouTube series on how to you know read books on associations that talk about rockets and more people that haven't before in history like you can go from not really knowing much to being pretty proficient than here at sea there was a talk at I think Black Hat or DEF CON last year about browser exploitation where you know the person says like I don't know anything about problems but I just kind of pick up on it and so like
people are starting to pay more attention and way but they're here sortie activity to like people are already using in our so they're already looking at medical devices hobbyists are now getting into it I hear that there has to be at least some sort