
Uncomfortable Approaches - Joshua Corman, Beau Woods

BSides Las Vegas · 45:37 · 117 views · Published 2016-08
About this talk
Uncomfortable Approaches - IATC, Joshua Corman, Beau Woods. I Am The Cavalry, BSidesLV 2016 - Tuscany Hotel - Aug 03, 2016
Transcript [en]

Welcome everyone, welcome to Uncomfortable Solutions, the second part of day two of the I Am The Cavalry track, and our last thing here. Oh, we have a closing segment, I'm sorry. I'd like to thank our sponsors: Tenable, Productivity (I forgot one already), and Amazon, Source of Knowledge, yes, VerSprite, all the other sponsors, there's like 30 of them on the list. We're going to be interactive in this session, so I'll be walking around with a microphone if you want to have people hear you. If you don't want to have people hear you, if you want to say something that you do not want public, you want off the record, tell us

and we will kill the microphones so that nobody outside of this room will hear you. And with that all said, it's Beau Woods and Josh Corman. Yep. So while usually what happens in Vegas stays in Vegas, at cons where they record and broadcast everything that's not the case, but we have the power to bring Vegas... to make Vegas stay here again, or something, I don't know. Great again. Yes. Oh no, no. Thank you for coming back. Who is here for this? I see several familiar faces, but you chose different seats just to mess with me. Who was here this morning? All right, so in the inverse, who

wasn't? Okay, well, that's good. Thank you for coming back, and thank you for coming for the first time. Let's do a... kill me if I go longer than six minutes. Don't kill me, but maybe punch me hard in the arm. I'll do a short recap of what we tried to do this morning and how it was meant to be fuel for what we want to do now. So yesterday was really kind of, look, we turned three years old, this crazy mission seems to be working, so it was where we kind of won, like some victories and accomplishments, where we're winning. You know, we're far from done, but we're on the right path with folks like the FDA,

with folks like NHTSA, with some of the device manufacturers. We're getting a coordinated vulnerability disclosure culture started, which is causing a competitive need to copy, so we're kind of trying to bend the arc of history. Today was meant to be really hard problems that are overwhelming us, and we don't want to just wear that weight on our shoulders and have people watch us, like, fatigued to death and give up. The number and variety of these really hard problems are growing, so while we're doing a great job, we also want to be honest and candid with you about where we don't have any answers, or we don't have any good answers. And if the

morning was about uncomfortable ground truths: sometimes the opposite of a truth is not a lie, it's another truth, and there's tension between, say, the need for privacy in medical devices and cars, so we don't do any logging; without any logging we have silent failures that we can't study, capture and learn from, for forensics and for having evidence of proof of harm or evidence of hacking in cars or whatnot. So sometimes our truths compete. So this morning was about showing up; we wanted to get to a few incredibly overwhelming challenges we've encountered that don't seem to have an obvious solution. That was meant to catalyze some uncomfortable experimentation, uncomfortable brainstorming, and this is why it's not going to be a monologue.

It's supposed to be... we want to hear the best ideas that you all might have if we get out of our comfort zone. Are there legislative responses? Are there regulatory responses? Should we do a documentary exposé? Should we have, you know, consequence-free brainstorming? We'll put all the ideas out there; they may not be smart, but we at least want to surface some of the beliefs or some of your best ideas to rise to some of these challenges. So the spirit is: when you're a little bit behind, you work much, much harder, but when you're very, very behind, you have to work smarter and think differently.

One of the best quotes Beau and I encountered when we went to the think tank was, we were talking to somebody from the German government, and she had this perfect phrase that I wish I had just come up with. She said, "It's become clear to us that we need radically different approaches to IT. Not little changes, not best practices, radically different approaches to IT." And for those of you who have known me for a while, my Rugged Software stuff, my Rugged Manifesto, Rugged DevOps, those were ideas that said we're becoming too dependent on digital infrastructure that's not dependable, and the Cavalry was really an extension of that to public safety and human life issues. So I agree, we need radically

different approaches, and what I found is we have a lot of technical solutions that no one's willing to use because the incentives are screwed up. Things like no software liability, things like no software supply chain transparency, things like, you know, some of the most vulnerable products we have are security products, things like compliance, things that have gotten in the way, certain laws meant to make healthcare better, like Meaningful Use, in some ways made us much, much more exposed. So I have some cognitive dissonance that on the one hand some of our biggest mistakes were caused by laws; on the other hand, if we don't hack the law and hack incentives and change liability,

insurance or these other things, there's no reason to pick up our technical solutions. You've got things like LangSec that are really clever from academia, you've got things like liability that work in other scenarios, and we're just too uncomfortable and too conditioned to think those are bad things and the government can only make it worse. But sometimes the cost of inaction is much greater than the cost of action. So how many minutes am I into my six minutes? You are seven minutes into my six minutes. I can't math. You're four minutes. Okay. So that's the general arc, is that we wanted to establish some really uncomfortable truths in the morning and

then use that as motivation for us to have a sustained experimentation on: look, in the last 15 years, what really made a dent in security? I can list a few, but I want to surface some from you, and how could they maybe instruct the next innovations and leapfrogs we need to do. The analogy I used was, when we needed to, we made the Manhattan Project, and we pulled together our best and brightest and we figured something out to end the war. When we wanted to, we had the space race, like how can we put somebody in space. When we wanted to do the moonshot, we figured that out. But we haven't had a

groundswell in a public consciousness that these problems are really severe and we need these grand challenges to ask for the really big changes, radically different approaches to IT. And then the slide I put up yesterday morning was from The Martian, where he was out of food, he was not going to survive being stranded on Mars, but he scienced the [expletive] out of it. So I want us to maybe science the [expletive] out of it, and it's going to be partly technical and partly policy, and some of us hate government interaction on tech and cyber, but let's at least brainstorm what that might look like. So let me give one of the scenarios as a recap for the people

that weren't here. I'm on the HHS Cybersecurity Task Force that Congress asked for. We have 12 months; there's 20 of us. Michael McNeil, from here yesterday, was one of the 20. We've got some really smart people that are very overwhelmed, and what I put on the table in one of our first meetings was: even though the FDA is doing a really good job helping to make new medical devices better, more secure, the clinical healthcare environments are a disaster. It looks like an intractable problem, and the case example I brought up was Hollywood Presbyterian hospital. This spring it was hit by a piece of ransomware, for a known vulnerability in JBoss in a mesan device, that hit lots and lots of

healthcare organizations, but in their particular case they didn't pay the very small ransom and it affected patient care, it affected patient delivery. They had to divert ambulances to other facilities, they almost had to move patients, and to our knowledge no one's been hurt, but the probability of people getting hurt with a sustained denial of service of patient care is the reason I left my private sector job to try to go further into public policy work and accelerate the cure. And what I posed to them is, I said, what if, if that was an accident where ransomware accidentally hit patient care, what would... is there any technical barrier to someone deliberately taking out plural hospitals,

and what would we do if they did? Would we be able to fix it in an hour, a day, a week, some months? And we did the near-term, mid-term and long-term solutions, and they're terrible: like, years of changes to rotate out the bad and indefensible supply chain and devices in these clinical environments. And worse, even when we gave them new stuff, they admitted they don't have the budget or the stomach to get rid of their old XP systems. Right, so if that's a ground truth, an uncomfortable truth, there's really no technical barrier; someone has the means, motive and opportunity to do significant damage on public trust, a crisis of confidence in our ability to

have healthcare delivery. And specifically, if you combine it with something like the Boston Marathon attack, where there were several injured people who luckily were saved because they were blocks away from some of the best hospitals in the world, were you to add something as simple as just readily reproducible, more prominent than you've seen in the news, kind of denial of service... ransomware is a distraction, it's a payload, it's a symptom. The underlying disease is, when Billy Rios looks at it, a device, not a medical device but a device in a clinical environment, had 1,400 known CVEs in it. So even if we patch that one, it's just... we essentially have a public health issue. And what we're

really looking for is to crowdsource your brains and your innovation: how do you secure something like that? They don't have a CISO, they barely have an IT person on staff, they have wide open networks almost required by law, horribly vulnerable individual devices. And I look at that problem, and 100 of the Fortune 100 have lost intellectual property despite having massive security budgets. One of the banks we talked to had 500 full-time security staff and they're still breached routinely. So if we can't defend people with massive resources, how do we defend patient care in these highly exposed environments? And I'm not trying to scare you, I'm trying to motivate you and make us dwell on it for a little more than

five minutes. And if that is a scenario and we have to do a moonshot and we have to science the [expletive] out of this, what might that look like? All right, I think I'm out of my six minutes. You are. Okay. Past, way past. Is that a good summary for the people that were here? Is it clear enough to the people that weren't? I guess I left out 30 more seconds, since if you didn't see any of this, two things made me want to quit my private sector job and go further into this. Hollywood Presbyterian, kind of, we knew they were vulnerable, but I think it advertised to new adversaries how vulnerable we really were, and I see a

gold rush effect where people, once they see weakness, they exploit it repeatedly. It's like when OpenSSL Heartbleed happened, you had 31 other bugs found that same year. And the second thing is, when I researched Anonymous with Jericho, we did the Building a Better Anonymous series, we tracked very few actual hackers in Anonymous that knew what to do and how to do it, and one of them left TeaMp0isoN after we were done: Junaid Hussain, a UK citizen. He moved to Raqqa, he radicalized, he joined ISIS, he helped start the Cyber Caliphate, he was recruiting and training people to use Shodan, to use free attack tools. And when we know that these

systems are directly connected to the internet, we know they have hard-coded default passwords, we know that all you need is the motive because the means and opportunity are already there. The combination of more visible exposure and people willing to hurt us is what is bothering me, and why we trust you to have this candid brainstorming conversation so we can try to get in front of this. But the truth is, even if we had the will to do something tomorrow, it'll take 10 to 15 years to actually clean up our technical debt here, and I'm pretty certain we don't have 10 years to win this foot race. So how much preparedness can we do between now

and a confidence-shattering attack? So if that's a little over the top, it's because I had to condense a whole morning into nine minutes, but keep in mind that we have means, motive and opportunity and we've got to think of some radically different things. So I think everything's on the table, from what did we do, like DEP and ASLR, that really took out large classes of attacks in the past; which things can work when you don't have a security staff; which things might require legislative or liability changes; which things might require an exposé documentary that shows how bad things are; is there some sort of grant or government grand challenge we could stimulate. Everything's on the table, but

we don't, again, we don't want a monologue. So how should we pivot from that to now? Lots of hands, that's good. All right, and reminder, if you want to shut off the camera, this is valuable for posterity, but if you want to shut off the camera, we will pause

it. Nothing works better than a demo, right? I mean, we need a forcing function to help certain people understand that this actually is a potential reality, right? The stuff like Hollywood Presbyterian is, I think, a good demo, but we need other demos for these people to help them understand. Now I think in terms of smaller places, or places that don't have security people, don't have a security budget, especially in the medical sector, what about stuff like a fire drill? I mean, you go back and you say, okay, if power were to go out in this hospital, what would you do, right? If your infrastructure, especially certain services, were to go out, what would you

do? Do you have backup systems in place? Do you have paper and pencils and things that you would do to handle these sorts of situations? If power went out, what would you do? If certain IT systems were to go out? Yeah, and I should probably set some ground rules as well. Beau and I know certain things that are already done or being done, but we're going to withhold some of those so that we can get the juices flowing for a little while; we'll pepper them in when we slow down. Yeah, I think we as an industry have a long and storied history of creating short-term solutions

that make things harder in the long term. Yeah. Actually, one of the examples that you gave about five minutes ago in your speech was an excellent example. Sure, we created the atomic bomb to end World War II, but then we started nuclear armament for the rest of the world for the next 60 years. We created a solution to solve a short-term problem, because we didn't want to kill 200,000 people, or possibly up to a million soldiers, which is what the Army's estimates were it was going to take to invade Japan. But I think that whatever solution we come up with, we have to remember

that it can't be shortsighted. It can't be to solve the problems that we're seeing now, but how's that solution going to react to and be reacted to, how's that solution going to be placed in future situations? Which is something we're very bad at doing, because we often layer technology on top of technology on top of technology, and then before you know it, five years down the road, we don't have just one stack to defend, we have 12 stacks to defend, each with their own individual vulnerabilities, their own individual exploits, their own individual idiosyncrasies and everything else like that. So I think, to flip this around into the solution, I

honestly think that in many cases non-technological solutions can fix technological problems. I mean, everyone says KISS, and sometimes it applies, sometimes it doesn't. You know, keep it simple; a lot of times it's more complicated than that to be stupid about it. But there's a lot of solutions for, well, your example, where an air-gapped system, or going back to manual, well, going back to an air-gapped system that requires manual updating and doesn't have to connect to the internet to get updates or to get firmware updates or to talk to the vendor or anything else like that, which may be on the table. And you know,

of course the common issues with that are, well, then they never get updated because some dude has to go around with a USB stick or something else like that, which means that the device has a USB drive, and if you have physical access, da da da. Those are problems that we know about. Introducing devices that can connect to the internet with all new levels of firmware, software, introduces vulnerabilities we don't know about. Yeah, I mean, maybe so, and maybe part of the solution is the devil we know versus the devil we don't know. Yeah, I do think, and if you didn't hear this in the last couple of days, our

dependence claim on the Cavalry mission was: our dependence on connected technologies is growing faster than our ability to secure it. And that implies, if you can't depend upon it, you can depend upon it less. So there's plural options; one of them is there might be certain use cases that are wildly inappropriate to be connected to the internet. Yeah, so there were a couple of things packed into his comments, and one thing is, don't worry about, at this stage, maybe we'll worry about it in the second half of this block, don't worry about the law of unintended consequences. It's a given we can make things worse. In fact, if you've ever been involved in a breach,

it's not the breach that kills you, it's your bad response to it that kills you. So yes, law of unintended consequences, we should measure thrice, cut once, all those things are true. Really we're looking to surface ideas, even if they're bad, because there may be a negative truth in a bad idea. So let's just rapid fire, whoever was next. All right, so this is a clarifying question. When you said there are devices that have 1,400 vulnerabilities, are you referring to, like, medical devices like a pacemaker, or are you referring to e-records? Because I think those may be two separate problems with different solutions. So yeah, there's a variety

of devices, each with different levels of attack surface, each with different levels of complexity in code and operating system. That was not a pacemaker. Okay, yeah. For e-records, I think the low-tech solution is probably better. Like, they hate the electronic records, the people, like their doctors, you know, and they have like office staff, and their job is not IT. So why not have something like H&R Block for taxes, where it's like they just send copies of their files to this central office and they deal with it? Because it's people like the new cyber task force that fixed Obamacare. Why isn't there something to fix, like,

medical records? Right, okay, who's next? And reminder, you can feel free to point out things that have worked in enterprise IT that had a big impact as well. Right, I ask the gentleman who was speaking about fire drills, how would we go about enforcing it at hospitals? This is supposed to be a dialog, right? How do we go about having these... people would be self-selected. Why would I, as a hospital practitioner, decide to join your fire drill? What's my business incentive? Yeah, that was the first part of the comment, which was we need some kind of forcing function to get these people to understand that this actually is a

problem, right? Demos, right? Have people that know how to exploit these systems, maybe that are in the room, be able to go into these places and exploit the systems with an easy back door, or, you know, go in there and just do a port scan and shut stuff down. Seems to me like going through all the different hospitals one at a time... yeah, going to every hospital one at a time in order to demonstrate that they're vulnerable, one at a time, when there are millions, I don't know how many hospitals there are, but millions of hospitals, right? We don't have the infrastructure to do that, so I don't know that that's a

viable solution. Maybe, so we don't get stuck on this one, even though it's a great one and we do have some ideas that we're holding back, let me put that experience into maybe an incentive structure. So for certain publicly traded companies, they have to go through business continuity, disaster recovery, annual tabletop exercises, and they have to have a play for things like a hurricane or an outbreak or this or that, and hospitals do this as well; they already do drills for things like a sustained power outage. So yeah, it wouldn't just be that this kind of an experience could help; it might be that there's a requirement to have a cyber

play in your certification or your insurability from your underwriter. So try to connect the technical and the incentive, whether it's a government incentive or an insurance incentive. I like where you're starting, but let's expand it to all sorts of levers. Yeah, I'm from Canada, and we had an election last year, and I was coordinating the security for that. And so, like six or eight months before, what we did is we actually had a pretend election: we opened an office, we hired people, we gave them the training, and then we threw lots of security incidents at them like jerks, and then saw how badly we did on some things, and then got way better very

quickly. And so now they're going to do an entire simulation every year so that it's like a smooth machine, do you know what I mean? And like, I couldn't believe how much we learned from the simulation, and I don't know how to motivate a hospital to do that, but, like, I don't know, you practice before you go out on stage and play music, right? Like, you should practice for bad stuff too. I mean, our kids have to do a fire drill before they can le... you know, right? So they know where to go when there's a fire. You have your hand up. So I really like that you're going after policy, and I'm glad you

know, you guys are heading on the right path there. I think that's the rules of the road, that's where the game is going to be changed a lot. I think there's another opportunity that we should look for. I visit with a lot of C-suite level type people, and have for years, 20-plus years, healthcare IT and security. So what I've seen a lot is a real reluctance; even though several people might be identified as the accountable person that's either signing off on an attestation or whatever, there's an opportunity there to go after something that's a little more dear to them, and that's their money. Okay, so if their boards, or they, are not able to see

their bonuses, or we can effect change in policy that requires them to meet certain requirements before they can get their bonus, I think that might start to have an effect on IT spend and then IT security spend, and they might get a little bit more interested in the problem. So that's a stick approach, right, a fear of penalty; there could also be carrots. Hi, so my name is Suzanne Schwartz from the FDA, and for those of you who weren't here yesterday, I want to comment a little bit further, or provide a little bit more context, with regard to the suggestions that have already kind of been put on the table with respect to fire drills or

exercises. And that's something that FDA, Health and Human Services, government working together with hospitals, with manufacturers, with others, actually already have undertaken, in terms of establishing what is needed with respect to taking a simulation and having people go through the motions of what would that response look like to a specific kind of a crisis. We do that all the time for different types of, you know, for hurricanes, for power outages, for electrical failures, and in fact there have been a number of really good exercises, what are called beyond tabletops, but functional several-day exercises, that have taken place with respect to a cyber type of an attack. So leveraging things like organizations

such as the American Hospital Association, the AHA, that brings together, that's where you're able to get that scalability of getting a whole slew of hospitals across the country to participate; leveraging different trade organizations among manufacturers so that manufacturers can participate in the play of those exercises; also leveraging parts of government, and I'm not talking only about the federal government, because there is an entire infrastructure, we're talking about critical infrastructure here, there's an entire response mode that goes into the state and local level, with emergency responses, with departments of health, with, like, really down into the weeds. There is that need to sort of kind of play out what might something look like if it goes bad and how do we

recover from that. I just wanted to share also really kind of an important anecdote that once was said to me by the person who is the Assistant Secretary for Preparedness and Response, the ASPR, and that's Rear Admiral Lurie, who has said, "We exercise to failure. Not to futility, but to failure." The whole point of an exercise is to stress the system to the point where we don't pat ourselves on the back afterwards that, wow, we did everything really, really great and we've got it all together, but rather, where are the gaps, where are the learnings that we're going to need to fill in to assure that people, patients, do not get hurt, and not to lose

our sense of confidence. So not to futility but to failure, and then you iterate on that and you keep on shoring that up with new situations. Yeah, I think the blueprint exists, but thus far we haven't found folks that have done a cyber exercise that affected patient life. They may have happened, we just haven't encountered many, and if they have happened, I don't think they have reached the whole ecosystem

yet. Yeah, so we did, without saying more than I probably should, we did get a readout of Cyber Storm V. It did involve some pretty key people in the industry ecosystem, and they did involve some healthcare injects. If you're familiar with how these things work, it's like a cap... it's like a CCDC type thing, but none of the injects involved any loss of life. So, to the point of stressing, we're sort of working on something that might be a great demo and stress simulation with the right kind of stakeholders to maybe catalyze some action. So that's a great idea, and there's probably other ideas as well, but simulation is a good topic area, and one

of the things that I've observed, as we're trying to go through these, is I was walking through something with a colleague of ours, and they were saying, well, what we need to do is to get insurers to go do this. Okay, well, why? Now we've got to go convince insurers. How do we convince insurers? Well, they're convinced by this and this and this. And you start pulling those threads until you find kind of the bedrock, right? What are they internally incentivized to go do, what's their intrinsic motivation? Once you find an intrinsic motivation, at that point it becomes a little bit of a job of awareness: how do you make them aware of

that, and then you unlock them to just go do that work for you, right? Hello, yeah, sorry, I have the mic. I'm from the Netherlands, and in the Netherlands we are already working on it, so it might be good to watch it. We have a law now which states that if you as a company lose personal information via hack or whatever, the Dutch government can fine you for 10% of your yearly revenue. So that means that you have to show that you have done enough to secure your site when you are breached, and they are actually working on it now, and they have the law, and yeah, I'm not sure if it will work for

America, but yeah, that's the problem. But you have to state that you've done enough for what you can do, so that means penetration tests, firewall, etc., and if you have those things in place and updated, then you cannot get the fine. Yeah, that's just privacy. Okay, but it's a start, and it also affects a lot of hospitals in the Netherlands. Yeah, that's correct, that's correct, it's privacy. Can you repeat some of that for the people online, his point about privacy? Okay, thanks. I just noted that that's the EU privacy regulation, and it's again focused on privacy, and oftentimes a focus on privacy

diverts our attention from security and denial of service. So you can fully meet the EU regulation, which you still need, you still don't have to do for two years, and be completely exposed from a security standpoint. Yeah, I said something I maybe shouldn't have said this bluntly; he's next. At a Detroit event like a week and a half ago, I was kind of pointing out that some of the privacy advocates might be getting in the way of the necessary evidence capture, and I had a sticker I pulled out of my pocket and said I love privacy, but the old joke we used to make, you know, to thought-provoke, was, "I

love my privacy; I'd like to be alive to enjoy it." But I took it a step further in Detroit, and I said I don't want to have a situation where we have a corpse with its privacy intact, right? So these are truths, competing truths, that both matter, and they both matter differently in different contexts, that have to be resolved; one cannot dominate the other. I just said it again, so I guess I didn't regret it that much. No. Okay, your turn. Yeah, all right, so I think it's every 10 years or something, the Army Corps of Engineers goes around America and looks at critical infrastructure, bridges, highways, key systems, dams, and they give

a rating. Our infrastructure is at a C-plus, or it's at a D, and we've had a lot of years where we've gotten really bad reports. Bridges are rated D's, they need rebuilt; there was one, I think it was in Minnesota, that basically collapsed, and that bridge was known to be like a D-minus rating. And we have this, you know, the government is already going on giving these ratings to critical infrastructure as it is, and we're still not doing any action with it. So I mean, one of the big problems, even if we figure out how to identify where there are these weaknesses in infrastructure... maybe every time a hospital's closed

down and a new one's opened, I know Stanford's doing this soon in California, they're opening a brand new hospital, why not go in there and say, okay, well, this is all the existing infrastructure that's probably in most other hospitals of its age, let's go in and run, like, a disaster scenario over a week. Like, let's have patients of this level of life, you know, simulate it, and run through what an attack would look like, just to give a ranking of, like, okay, well, this is like a baseline of what we have in this environment; like, how would it score in readiness? All right, so someone mentioned, let me just springboard off this a little bit, somebody mentioned

a stick, right, some fine for getting it wrong. One of the things Beau and I have talked about is there are certain hospitals that want to be the exemplar, the most cutting-edge, the best and most connected in the world. There's one in Canada that comes to mind, I think it was like Humber River or something like that, where it's the most connected hospital in Canada. We talked to some people in, think of Dubai, that want to have incredibly world-class, cutting-edge technology. One thing you can do is you can punish failure and point out failure; another thing you can do is we could do a reference architecture, we could go in

from the ground floor and try to design a more defensible experiment that others could emulate because one of the things we said yesterday is there's this classic story of the kayoga river in Ohio that caught on fire many times and nobody did anything about it until it was on the cover of Time Magazine I think but you had a burning a river of fire to show how bad the pollution was and the industrial runoff was and sometimes it's going to take that so for sake of argument let's say we have to wait for our Burning River on fire moment for clinical environments what do we do the next day right because we will have a kneejerk response and sometimes

that response will make things much worse so liberate yourself from the idea that maybe we can even stop these things but what's the recommended after action plan all right who next you're you're after him okay yeah um just thinking trying to think laterally here I I spent a lot of my time in operations that's my M my primary focus security secondary um and one thing that we spend a lot of time mulling over is how do you measure availability what does it mean to be you know in systems what's uptime right is it when the customer comes to make a request did you satisfied what not but maybe that's another lens to look at this thing through like if if half of

your infrastructure is down due to a an exploit or a defect or a flaw then your capacity is diminished and you can measure over time you know if you've got 100 beds and you can only effectively use 52 of them at you know for a month at a time that is a way of of quantifying you know the the posture and the particular arrangement of uh uh an actual Hospital installation it's like you know find some way of measuring yeah you may have 100 beds but on a given day odds are you might not be able to use more than 50% of them and that' be a way of characterizing the problem ande providing a way to do an Apples to

Apples comparison between different organizations say who's doing better who's doing worse uh you know so we have some Metric to measure progress against yeah I think operational metrics will be a necessary why don't we stay on this side just for the mic movement um and then we'll go right back to you I'm sorry the um in devops for example they measure meantime between failure and meantime to respond under restore services so they had the mttr and things like that I think there are already some of those in clinical environments and we would only know under sustained attack what this looks like but if we aren't measuring it we can't manage it I think it's your

point all right real fast and then yep uh so I have three quick points uh oh sorry uh first one is uh NH ISAC the national health information sharing analysis Consortium has launched a new utility called cyber fit which was announced in April actually may time frame where what they're trying to do is create these utilities for anyone that's a member of the nhac to get you services at better more effective pricing so the first two that they're working on are shared assessments where if you're an nhac member and you do a third party assessment of a vendor and you share that through the shared assessments platform any other nhac member can go pick up that shared assessment instead

of doing their own independent assessment of that third party could use that if they if they you know meets their standards the second is a pen testing service so using the power of the nhac and the members having agreements with third parties for pen testing services at a much more uh affordable rate for hdos and such whereas if they went on their own the price might be 20% higher There's an opportunity for a more cost-effective option there so there's more that they want that they're planning to work on but that was recently announced to try to help some in the space um the second one is there's a group called the cyber security for Healthcare Alliance that's

a newer group that formed this year and they been going to kind of circles for what actually uh is going to come out of it but they're trying to create somewhat of what Josh is saying here reference architecture per se where they're looking at all these different categories of security and trying to create a scoring system and where it's been heading right now is to use that scoring system for your own internal assessment kind of like a capability maturity model assessment where you take this scoring system rate your organization and then you know where where it goes we're not sure yet but if that gets fed up as just Anonymous data then you can take benchmarks on the

average HDO sits here the average medical device company sits here and you can rate yourself based on that uh it's very it's kind of in the the Grassroots right now still early stages but it's it's looking to get there the the third point was one that I heard last night that I thought was pretty interesting and the analogy I put in my head I'm a sports guy so apologize for the sports analogy here is in many of the professional sports they do Revenue sharing so there was an issue years ago where smaller NFL or or professional baseball teams or such couldn't comp compete with the the the ones that made all the money that were in the big

markets so they created a pool of money where they Revenue shared so the smaller teams had the opportunity to compete by getting some of this extra money so I'm not saying we'd say hospitals you have to take a percentage of your money and put it in this pot and everybody can use it but along those lines if there's some centralized pool of money that the hdos can use whether it's a a fund for anybody whether it's incentives whether it's tax breaks for something to try and maintain your cyber security level I just thought it a different way of thinking about I thought that was kind of unique and I could see something like that feeding into insurability or risk

bands once there is a need for that insurability but there's no liability yet um for some of it uh yep yeah thank you for your patience um so I'm more thinking of like I work at a hot Healthcare Network right now so I'm a a security engineer there so one of the things that we're doing we're kicking off right now is um a prioritization level for biomedical devices because we have lots of them and we have more than we probably know about and we don't know the impact right right so but it occurred to us that we work with a lot of doctors who do so what we're doing is starting off with tabletop exercises where we go through

like you see a patient with this and then we just run through the checklists of all the devices they hit and then when they hit one that we know we can do something for that we just say okay what do you do if this device isn't there and some of it's well I grab the other one over there and then that one's not connected and you know so but then you know we're starting to hit points where like uh like Pharmacy systems like it what if this one's malfunctioning well you know then the nurses got to do this I'm like what if that's malfunctioning for everybody and they say oh well we got to start you know scaling back on

the amounts that we can do because we can only push through so many we got to start pulling people on staff and so with that we're able to start make a prioritization list of devices that we need to look at and see how we can better improve our defense and up strategies for that cuz you know because like logging if we could get logging just to be able to know what's going on with these devices and like because we get like uh you know some vendors are great uh some vendors are just horrible and a lot more horrible ones than good ones right now and it doesn't help that you mean horrible at logging horrible at

just support right so like like it's been pretty well known for a while now you know FDA said like no your security patches on your thing but you know still got you know people running MRI machines that say oh we need to patch it and they say no but when you got buildings that are built around pieces of equipment you know it makes it hard for me to say you know what's the potential of this you know and so it you know so if we get logging in there just to begin with as you know or some kind of framework where you don't even need to keep it on the device just put it out to a CIS log server you were

talking about like a reference framework if we could have some kind of reference framework says you segment this way you have this type of you know CIS log server set up that you can inest and then export that to some kind of sim analytics type tool um that would be great and uh to point out I mean they're lucky to have a team that knows what segmentation is and knows and has security experience yeah and like like I work for healthcare Network we have several hospitals that work for us but I'm a team of uh three right so um while we're on this uh one of the things that came up in the task force was when we

were trying to figure out how do we close this Gap what are the big levers and they said well we can't afford a ciso because all the good ones go to Banks and I said what if the government subsidized and can gave you a free ciso for three years to every HDO a health delivery organization I was joking um and they said yeah the next problem is there aren't enough we don't have enough cisos on the planet so there's a strategic Workforce shortage and to uh Jim Ralph's credit at the nhi sack he's also on the fsis sack which is the fin Services one and he's been encouraging people that retire from Banks to add two

more years to their career to go work in a hospital to at least pull some of their experience it's a it's a clever idea right it's about two years he asked for her um and some do it longer um but yeah there's a there's a real strategic Workforce shortage too which is part of the reason I'm I'm concerned so they're lucky to have you who's next I didn't see right to your first point sir um um it's just trying to maybe flush that idea out a bit more is there are the are the hospital the people making the purchase orders for specialized equipment at hospitals um whoever those guys are do they have access to the data of which

thirdparty vendors so say I'm trying to purchase an MR machine for my hospital and I'm not a tech guy I'm just a Hospital MRI purchaser guy um do I have access to the data about which one's more secure how do I and do do they have access to that now and if not what's being done to use that data in an intelligent

way so well it's all a preface for for those who aren't here yesterday I'm Colin Morgan I work at Johnson to Johnson so I'm on the manufacturer side uh but um so my understanding that's the goal where they're headed they want to be able to have that information shared so for example we we do third party assessments of vendors have our tools we do a full comprehensive evaluation of them but then that's ours we don't share that with anybody and most other organizations do the same thing we constantly hear from vendors you know you guys are asking us to fill up this questionnaire we just had five other companies last week ask us the same

thing with their questionnaires and so there's a there's an assessment overload from both the vendor side plus the hospital side the manufacturer side we're all asking the same questions a little bit different way to the same companies and really what's the value of that if we're all using a vendor for the same purpose can't we find a common ground and ask the same sets of questions and get the right information can we can we trust an SSA E6 or PCI assessment which I don't personally trust them but um is there something some Middle Ground where we can trust components to that share that information out and if there's something above and beyond we want to know well

then we can ask those

questions so we're talking about having some sort of say organization that just says uh all the different here's here's a list of all the different like I as an organization I'm dedicated to providing intelligent assessments of all the different Healthcare equipment out there so I have one section full of hackers that just F focus on MRIs they go out and they audit all the MRIs and provide the data of the MRIs to the healthcare market and maybe the healthcare providers pray pay a premium to get access to that data would that be the kind of thing that we're talking about making making you have a workout today no no not not and we can talk more offline about it

too is no not not from that perspective this is more of the if you're using a cloud provider for um you know data storage or if you're using Amazon for some service not not anything that is you're you're assessing a device and you're finding out what the vulnerabilities are and then sharing that with everybody it's more around you know if I'm using Salesforce if I'm using Amazon or if I'm using Office 365 and I fully assess them then let's all use the same assessment and if we do it all through the nhi sack then that can be shared amongst the nhi sack have anything like that the MSD

uh

AIO hold on e