
Okay, so welcome. This is the much talked-about medical device cybersecurity, cyber safety talk. We're going to have a few people come up here and do things like we did in the last one, but I want to first kind of make a link to what happened last year. So, show of hands, who was in the room last year when we were doing these talks, and specifically in the medical device talk? Somebody in the very back was, and it was just two people. I thought there were more, but maybe there weren't. So I want to kind of tie some of those things off and follow up on some of the things we talked about last year: some very cool, surprising developments. And then over the past year more and more things have happened, so, unravel what those are. And then looking ahead, what's coming up. And then we're going to get four very, very cool people up on stage. We're going to have Jay Radcliffe, who is a security researcher; most of you know him, if not you know his name at least. Suzanne Schwartz, who has already talked to us once today; she'll come back and talk again. Colin Morgan, who is with Johnson & Johnson; he's done some really, really good things to help drive cybersecurity into their processes. And then Christian Dameff, who is a rare unicorn: he is both a DEF CON speaker and a registered physician, so he's one of the very few people that I know who have both of those on their title.

So what's gone on in the last year, specifically following up from some of the things we heard last year? Well, I want to point out that as of last year, and before, and this has not changed, the FDA does not have to recertify patches for medical devices before they can be deployed in the field. Unless something changed this morning in the last hour? No, okay. So this is still accurate and up-to-date information; you don't have to worry about that. And there's the standard there that you can go and look up for yourself if you don't believe it. I know that a lot of people falsely believe that you need to have the FDA recertify your medical device before it can be updated.

I wanted to follow up too on something that happened last year. We had Dräger, who's a German medical device maker, announce their commitment to a coordinated vulnerability disclosure for the first time at BSides Las Vegas, which is a pretty cool thing, you know, a major medical... (Woohoo! Yes!) ...a major medical device maker came to us and said, we want to announce in your track first, and that was really, really cool. So since then, about a year on (they actually got the thing up about a week or two later), a year on they've had four vulnerability disclosures through this process. So where a lot of medical device makers say, we can't do a coordinated vulnerability disclosure process because we won't know what to do with all the vulnerabilities, they've gotten four, which is not an onslaught; it's not overwhelming. Zero of these have been extortion attempts. So, contrary to the seemingly popular belief in some sectors that all researchers want to do is try and get money out of you, that's not the case. I'll also point out that they have about a 12-hour turnaround time from when they get a report coming in to when the researcher gets a notification back: hey, we got this, we're looking into it, thanks for sending it in. That's really cool. So of all the software companies, how many have a 12-hour turnaround time to that notification, human-based notification? Not many. So to the medical device makers and to the others who say, well, we just can't do that, we can't respond within 72 hours: well, they're doing it within 12 hours, and that's with a team of very dedicated professionals working very hard to get that done. So it is possible, and Dräger's done great things. They're probably watching right now; if they're not watching now, they'll watch the recording. So how about a round of applause for
Dräger.

I also want to follow up quickly on the Hospira situation. So we talked earlier today about Hospira. They had a medical device, an infusion pump, that was, it's like a newfangled IV; it's a computer-controlled system to inject medicine into the patients. Some security researchers found a vulnerability; they reported it quietly, in closed dialogue, and then somebody reported it openly. That triggered a couple of things. First of all, a safety notification went out in May, I think it was May 13th of 2015, saying that the PCA3 and PCA5 devices had this flaw, and for healthcare organizations to take serious precautions when using them. Later on, just before we came out to DEF CON, as Josh already mentioned, the first essentially safety recall of a medical device without demonstrated proof of harm: no patients had to die. So after this, what went almost unnoticed in the press after the big splashy stuff is that Hospira reported themselves that they found new vulnerabilities in their devices. So in January ICS-CERT released a notification that said Hospira has identified these things. They are in some cases vulnerabilities in existing devices, in some cases vulnerabilities in devices that they no longer sell, and in these cases they have patches available; in other cases, here's what to do to avoid the vulnerability. So this is an instance where, on their own and in a self-reporting format, they took their own initiative to go and do it. Now, that wasn't because they got threatened with a talk at Black Hat; it wasn't because someone was going to go full disclosure on them. It was some of the quiet work that had been done to build trust in that ecosystem, and to specifically get them on that pathway of saying, all right, well, we can't avoid the fact that we have vulnerabilities; we now must address that and embrace it and get on this pathway to getting them fixed faster. So I don't know anyone from Hospira; if anybody is here from Hospira, come up and say hello later. But it seems like they might be on a very good path going forward, which is great.

Another thing that we talked about last year: we did a very small private event up in one of the suites here on Thursday night last year. We had about 25 or 30 people. It was representatives of the security research community, medical device makers, healthcare organizations, government, many, many others who came in, sat and talked amongst themselves very quietly, very openly and honestly, not really hiding anything or covering anything up. It was to the point where we had no non-disclosure agreements; we had no agreement to be off the record or Chatham House Rule. It was just a bunch of people coming together who saw a common need and a common trajectory and a common desire to do the right thing, collaborating. It's the type of information sharing that's probably intended by information security analysis centers but that rarely happens in a formalized structure; it's only the type of high-trust, high-collaboration environment that can engender these types of things. I'd also like to let you know that we're doing it again this year. For better or for worse, looking at the size of the crowd in this room right now, I'm not sure that the space we have can hold everybody, but you're all invited, and if we need to overflow we'll figure out some way to accommodate it. (Take a straw poll! Take a straw poll!) Yes? What do you mean, take a straw poll? (Ask everyone in the room if...) Okay, I'm afraid of the answer that comes back. So, is anybody interested in going to this? Raise your hands. Okay, yeah, we're going to need a bigger boat. Which is a good thing; it means that this year, more so than last year even, we've got a lot more people coming to the table and wanting to engage on these things. So if you're interested, come see me, come see Josh, come see Quati, who's over here, and we can tell you where that's going to be. (It was magical.) What's that? (It was magical.) Hours, it was, yeah. We were going to sit down for like an hour maybe and have a bunch of beers; I think maybe half a dozen beers got drunk and we sat there for five hours and just, like, talked. It was very, very encouraging, which is why we're doing it again this year.

So in the last 12 months a lot of things have happened. The first one I want to highlight is December 5th, right after the NH-ISAC security and privacy meeting up in Boston, when we held something called Cyber
Med Rx, and we did this in order to bring a bunch of the stakeholders together who wouldn't normally talk to each other, get them in a room together. Cage match, you know, all of them enter and only one leaves? No, we did it in a very collaborative manner. So it was a really cool layout that we did. We essentially set the tone in the morning and said, we've got some hard problems to solve, but it's a worthy, worthwhile cause, so let's get to work. Then over the course of the day we had lightning talks and stakeholders from I think 18 different groups. We gave them two minutes, five minutes: who are you, what's your role in the ecosystem, what are your hopes, dreams and aspirations as well as your fears if you get it wrong, and what can you give and what do you need in return. And we had those people go and essentially identify themselves and say what they do, why they matter, and it was a very powerful message to get out there. So people who had been working on the opposite side of the aisle from some of these folks for years and years and years, but had never really sat down and understood what they did, why they did it, and that they were all pointed in the same direction, towards patient safety, finally got the chance to come together and see what that looked like, see what it looked like in practice, and to build some of those connections that otherwise wouldn't have been built, and to empathize a little bit with the position that the other folks were in. So you had medical device makers coming and saying, you know, here's what we do, and God, if it weren't for all these standards and things that we have to follow, of course we could do those things; they would be easy. Then we had people coming up like healthcare delivery organizations saying, well, look, we get these bad medical devices. I think one of the quotes from a different talk was, it's the same crappy software that's in your Windows machine, in life-and-death situations. And then you had people like Marie Moe, who we saw earlier, a photo of her, and I know she's watching the live stream now, say: I'm a patient and I'm a security researcher. I depend on a medical device to live, so I don't care if it's crappy software; it needs to be improved. I don't care what needs to happen; I need this device in order to survive my day-to-day life. With all the flaws it has, it has way more benefits. So we need to consider all of those types of things, and the mass of getting those people together, the gravitational pull that they had, made it a really, really productive event, to the point where somebody who's been in healthcare for like 25 or 30 years, who's crusty by now, who's hardened against any progress, said, wow, that was one of the best events that I've been to; that really opened my eyes. So I think we'll see a lot of progress by getting people together in the right room. And so we're actually going to repeat this. We got an invitation from the Dutch government to come over and run one of these in The Hague; tentatively we've got a date set for October 10th. So anybody who is in Europe around October, let us know; we can see how we can get you to that. Also we're going to do another one; I think the date is December 7th. I didn't fact-check it before I came up here. December 7th? Okay, we got confirmation, there we go. So December 7th, again in Boston, again it's going to follow the NH-ISAC privacy and security group. So this is going to happen again; watch this space: cybermedrx.org.

Another big thing that happened, we previewed this a little bit earlier on today: in January, just alongside the FDA workshop that happened, we released the Hippocratic Oath for Connected Medical Devices. The idea here is that physicians take a symbolic oath to act in the best interest of their patients. Increasingly, medical devices are the care delivery instrument; they're the ones carrying out the orders of the physician, so they should also have some type of a symbolic ethos, right? This is meant to be it. We also wrote it so that anyone in the care delivery ecosystem can see their own role reflected in this, right? So physicians can read the Hippocratic Oath for Connected Medical Devices and say, oh, I see, I do this, this, this and this; I have a role to play. Medical device makers, biomed, healthcare IT, hospital administrators, patients even, they can look at this and feel like it's talking to them. This is modeled loosely on our Five Star cyber safety framework for automobiles. The five core ingredients here are: safety by design, how do you make a product safely and securely; third-party collaboration, how do you take help from people in the ecosystem who find problems and report them to you; how do you have some type of evidence capture (we routinely hear that no one has ever died from a healthcare hack or from a car hack, but the truth is we don't know; we don't have the evidence to say one way or another); how do you contain and isolate failure, and in the healthcare context we made it very specific, how do you avoid harm from failure, things like fail-safes, and in medical devices this is very common, where you have a physical fail-safe where even if somebody has the administrator password to the medical device they can't cause harm; and then finally, how do you update once you know a better way. So it's five very simple capabilities here that many people within the ecosystem can have some role in and can have control of, that allows us to have safer devices.

The FDA postmarket guidance for cybersecurity of medical devices was published in January, and there was a workshop following the publication that was really, really good. Suzanne will talk a little bit about that; I want to steal her thunder, but very briefly I want to mention that the postmarket guidance essentially has a carrot-shaped stick, or a stick-shaped carrot if you will, helping to set the incentives for medical device makers, for healthcare delivery organizations and for others to make a big effort to engage the security research community. So without going into the details of this, essentially one of the requirements, in order to reduce costs once you know that there's a flaw, is that you have the ability to take a vulnerability report from researchers, that you have some type of a coordinated vulnerability disclosure program in place already, and that you're sharing this type of information; you're actively seeking to get the information to make your products better. Even though this is not a law, even though it's not a regulatory requirement, it's certainly being treated as a regulatory requirement by a lot of the manufacturers. I was at a medical device conference in Virginia the other day, and every single medical device maker I talked to either has a coordinated vulnerability disclosure program or they are about to release one. So without saying who it was in the room, my informal survey of the six to eight people who were there says that every single one of them is thinking about this. Now, this is the type of change that as researchers we would never be able to drive, right? If we're on the outside knocking on the door and saying, hey, let us in, it's not going to happen. But by teaming up with those medical device makers, with healthcare organizations, with the FDA, the ecosystem is able to make those types of sea changes that will make the world safer.

I want to talk a little bit about something that you heard a little bit about this morning in Karen's talk. If you haven't seen that, I encourage you to go back and watch the recording of it. She talked a little bit about a
software bill of materials. The idea is, when you go get a car, or when you go get a toy, you know what the materials list is that's in that, so when there's a defective part of that car, somebody can go and recall it very quickly and safely. So in the automotive industry, for instance, every bolt, every rivet can be traced back to every plant, every facility, every week it was manufactured, so that when something happens it can really quickly trace it and find out what vehicles are affected, right? So while we're doing and seeking these things in some very, very easy-to-reach places, we're not doing it in software, which is trivially easy to do: you can run a simple software script and figure out what parts of open source software and commercial code exist in your medical device or in your software package. The manufacturers certainly know what code is in their devices, or I would hope that they know, yet we're not doing it and we're not publishing it. Well, Philips took the step and said, okay, we'll do that; we can publish a bill of materials of what's in our software. So now when a hospital is buying a device, they know what vulnerabilities exist in it that are publicly known. So if, for instance, Heartbleed exists in a device that you buy today, you can say, I'm not going to get that device until you've fixed Heartbleed; that's a major thing that I need out of my environment. Also, five years down the line, when the next Heartbleed comes out, those same hospitals can very quickly, with just a SQL query rather than an exhaustive port scan of all their systems, figure out which of their medical devices, which of their systems, has a Heartbleed-like vulnerability. If we had this, for instance, in electronic medical record systems, and we knew that half of them have a JBoss vulnerability that is actively being exploited by ransomware and that's shutting down hospitals, instead of having the response be, well, let's see if we get ransomware and then let's try and pay the ransom, it would be, let's eliminate this vulnerability; it's posing a serious threat to patient safety today. That capability is hard; it's very, very easy, however, to unlock that, and Philips has taken the first step. They're the first medical device maker that I know of to say we will issue a bill of materials for the products that we make. (Is that public?) There's one other that's about to.

Johnson & Johnson, I think they're the biggest medical device maker in the world (Biggest? Yeah, biggest.), the biggest medical device maker in the world, they now join the other medical device makers that have a coordinated vulnerability disclosure program. This one follows the ISO framework, by the way, so, applause for ISO. Which one is that? 30111? 29147? ISO 29147 is vulnerability disclosure, 30111 is the vulnerability handling process. Yes. If you want to know anything about ISO, Katie Moussouris, who's in the audience, helped develop those standards; she's one of the co-editors, co-authors of the standards. Essentially, it's a rootkit into the established processes of many, many manufacturers who know ISO, and if there's something you can point to in an ISO, they'll just go do it, right? I know, I know, it seems crazy, but if you can do that, then now they have a way to engage and to actually build a secure coordinated vulnerability program.

Jen talked about this a little bit earlier, but there was an HHS task force established to look at healthcare cybersecurity as a part of a legislative act. Literally there's an act of Congress that says get together a bunch of people, 20 different stakeholders representing multiple stakeholder groups, and one of those stakeholder groups, by the way, named in this act that passed through Congress, is security researchers. So Congress is getting clueful and saying we need security researchers to be a part of this dialogue if we're going to talk about security research type things. Kind of makes sense; we all know it, but getting that level of awareness into the legislators' minds is a real accomplishment. So two of the people out of those 20: one of them is sitting here, Josh Corman, who represents the security research community there; the other, Mike McNeil, works for Philips, and is a very, very clueful individual. He spoke earlier on a panel here; he's the one who's pushed through a coordinated vulnerability disclosure program with Philips as well as the software bill of materials that they've got. So I've got high hopes for what might come out of that. Expect disruption come, you know, the March 2017 time frame.

Looking ahead, and I'll speed up because I'm looking ahead to getting some great people to come up here: in October 2016 the DMCA will have certain exceptions come into effect. One of those is you will now be able to reverse engineer medical devices. That's a pretty cool thing. So up until now, if you took a medical device and you tried to reverse engineer the protocol it was using, or any of the software or firmware in there, it would have been illegal under the Digital Millennium Copyright Act. One of the people who is a signatory to this Harvard publication, a letter campaign actually to the Librarian of Congress, is in the back of the room now; he'll be up here later, Jay Radcliffe. Because of his work, as well as some of the others including Jen Ellis, who might have walked out of the room, now we have exemptions for things like medical devices, for cars and for voting machines, where we can look at the security of these critical areas to find out what flaws exist before the bad guys do, in a legal way. I'll skip this one for now; we might talk about it tomorrow, when we're talking about some very hard problems and very hard approaches.

So now I want to call up to the stage, and I'll grab the mic for them, a handful of people to come up and give their perspectives: a US regulator, Suzanne Schwartz of the FDA; Colin Morgan, who is a product security coordinator for Johnson & Johnson; Jay Radcliffe, who works for Rapid7 and is a security researcher; and Christian Dameff, who is both a security-conscious person who has spoken at DEF CON and a physician. So first let me introduce Suzanne Schwartz of the FDA to give a bit of her perspective, and you can just advance the
slides. Oh, let me get that, there you go. Can everybody hear me? Yes? Yes, yes, yes. So thank you very much. I have to apologize in advance because I'm going to use some notes here. I'm limited in terms of time and I really felt it was important to get this right. I have a few personal messages to say here, and again I just wanted to make sure that I was able to convey my sentiments in a concise manner, but in a very meaningful way. So let me just start off by saying that I feel very reflective today and highly appreciative. Last August I was privileged to participate by phone, by calling into this particular session, and I don't know if you remember, but I stated at that time that I was hopeful to be able to participate in person this coming year, this year, and here I am. And here I am because of the outstanding work of Beau Woods, Josh Corman and the entire I Am The Cavalry team, who live by the credo of safer, sooner, together. Being here provides for me a study, really, in contrasts, and I might add really stark contrast, from our medical device ecosystem's really state of being when I compare that to even three years ago, three or more years ago, and to where we are currently. And that's not to say that we should be patting ourselves on the back or lapsing into any sense of complacency; we do have a lot of work ahead of us. This is an arduous journey, but the steps that have already been taken, that we've taken over the past few years, really give me hope. They give me hope that with persistence, working together, we're going to continue to improve, and there will come that moment when these baby steps will be transformative into greater strides as we move towards what really is a desired state of medical device cybersecurity.

So kind of picture this: 2013, 2014, that really was an inflection point for the agency, for the FDA, as well as, I would say, for the medical device community. Prior to that time, you know, live demos of medical device exploits and dropping 0days on the stage, whether it was Black Hat or DEF CON, it was really rather the norm, and it was very much anticipated by attendees, by the participants. On the other hand, FDA, medical device manufacturers, healthcare delivery organizations, in other words our ecosystem, the healthcare ecosystem, we were first learning about these vulnerabilities and their potential for exploit at the same time as the public at large. Now that's not a great trajectory, as you can well imagine, especially when you view that through the lens of patients who rely upon these technologies to really better their lives. But this year, by contrast, a number of panels at BSides, Black Hat and Codenomicon are living proof that when all stakeholders are given the opportunity to have a voice, a voice that's heard and that's not ignored, and are given a seat at the table, an equal seat at the table, we can better understand and appreciate each other's perspectives, our motivations, needs, as well as interests, and collectively we're in a much stronger position to address the tough challenges that plague healthcare security's posture as we continue to evolve, as we are evolving right now. It's worth noting that we don't get to showcase a panel of diverse stakeholders like today conversing on this topic unless there's already been an investment in the hard foundational work, the dedication, the tenacious commitment to being collaborative and developing that unity of effort, and, dare I say, I think we've unglued ourselves from being stuck in that very alluring admiring-the-problem phase as a community, and Beau knows what I'm talking about; I'll be very interested in hearing your perspective on that. So how did we get here? The answer I would offer is really through a coalition of the willing: individuals and organizations who've shown courage by moving out of the comfort zone of their own silos and thereby seeking a common purpose, that being to protect patients against potential harm, as patients place their trust and confidence in the very technologies that are supposed to help them.

So this past January, here, let's just switch this slide, okay, yes, okay. As Beau mentioned, this past January the FDA, together with HHS, with the Department of Homeland Security, as well as with the NH-ISAC, the National Healthcare ISAC, we convened a public workshop bringing really all stakeholders together to further expand the depth and the breadth of collaborative efforts in medical device security. And this workshop was held on the heels of releasing the draft guidance that Beau referenced on postmarket management of medical device cybersecurity. So I've selected a few of the murals that represent the panel sessions to share with you, and as you can see, some of the very important themes that emerge: the need to embody empathy and to identify shared principles, understanding motivations, the importance of building trust relationships as a vehicle for coordinated disclosure, and understanding that progress here will happen incrementally and is contingent upon change in mindset, change in behavior and ultimately a change in culture. Now, transparency and communication throughout the total product life cycle is critical. What does security testing of devices look like? What is considered acceptable risk? What forces exist to empower and to better inform the customer before purchasing decisions are made? Again, ultimately patient safety is centric, and to enhance situational awareness, developing trust circles is what's going to enable actionable information sharing on risks, threats and cyber practices. But how do we get to establish those trust circles? Well, we have to be able to speak a common language and share an understanding of our respective pain points, what constraints different stakeholders have, what hurdles they face. So the Cavalry's Hippocratic Oath lays out a blueprint for advancing medical device security, recognizing that, no, this doesn't happen overnight. I mean, to paraphrase Josh Corman, you've got to learn to crawl and then walk before you can run. And with that, I'm going to turn this back to Beau and close by saying that we aspire to be your running partners in this great journey: safer, sooner, and
together.

All right, thank you, Suzanne. Next up is going to be Colin Morgan, and I'm going to jump out of the presentation for just a second, because he's got an intro video that I think you will want to see. Oh, all right, let's try this; we'll see if the audio comes out well.

(Video:) This is my dad's job, and he's really a superhero. That's awesome that he saves people's lives by making sure no bad guys get into any medicine machines to hurt other people.

All right, so first of all, let's hear it for Irish, and secondly I'll pass the mic over to Colin to give a medical device maker perspective.

Thanks, Beau. First, it's an honor to be here. You know, it's the first time I've spoken at BSides, and I mean, how cool is that? What parent doesn't want their kid calling them a superhero? What was the amazing part was I explained to him, probably months before, you know, what I did for work, because for a long time, my wife stays home, she has her own consulting businesses, but every day it's, Dad's going to work to earn money for the family and he's working really hard, and I'm a big family guy. So one day my son asked me, what is it that you do? And I explained to him that I work in cybersecurity and I've got this new fun role where I get to take what we've learned in IT security and try to bring it to a world that doesn't understand it. He's like, what does that actually mean? I'm like, well, you know how people get sick and sometimes they have to go to the hospital, or sometimes they wear devices that help heal them? He's like, yes, Dad, I get that. Well, I try to make sure that no bad guys get into them and break them and hurt them. And his first response was, why are they able to do that? And then it was, why would somebody want to do that? And I've really thought about that messaging a lot over the past few years, and there are a couple of points that I want to touch on in this brief five minutes that I have here, and I'm open to any questions afterwards as well; I'm as much of an open book as I can be. But I will preface with the obligatory: these are my opinions and not those of Johnson & Johnson. My attorneys make me say things like that. But Johnson & Johnson, that's where I work, and for those who don't know Johnson & Johnson, when you hear about it you think of babies, you think of Johnson's Baby, you think of, you know, cute, cuddly faces. But what a lot of people don't know is that Johnson & Johnson is made up of over 250 companies across 60 countries across the world, about 130,000 employees, and we touch 1 billion patients a day. 1 billion. We have products that range from over-the-counter things like Tylenol and Listerine to pharmaceutical products for rheumatoid arthritis or cancer, and medical devices such as sterilization systems, insulin pumps and many future ones that are going to be coming. So we are a very diverse healthcare organization that touches 1 billion patients per day.

So here I am, joining J&J five years ago and coming to a realization of what the security world looks like in healthcare. Mostly my background was in the federal government, which is a whole different umbrella, which, you know, has been touched on some today. And after a few years in the organization, really understanding the breadth of the company, I had my aha moment around this space, and it was when I first met Josh at AppSec New York City a few years back, where he talked about I Am The Cavalry, and I went up to him afterwards and was like, hey, I work at J&J and apparently we're the largest medical device company in the world, and I'd like to learn more about what you're talking about. So fast forward a few years, fast forward through a lengthy investigation into our organization of understanding what we have in our inventory today, what our future pipeline is going to be, having all of those tough conversations, the political battles and the challenges that we faced: we now have a dedicated program focused on this. We went from a simple idea, from a conversation with I Am The Cavalry, to a full-fledged program dedicated to securing our products, engineers that sit on the product development teams building security in, things that all of us think, this just makes sense. I'm a security person; we should be doing this. The world is different, and Suzanne hit on a key word that has really been one that's been resonating with me lately, and that's culture. Two years ago at the FDA public workshop in 2014, there was a cultural issue within the security community and the healthcare community around, is this really an issue? We've zoomed past that in the past two years, where at the public workshop this year everybody understood the issues and the questions were more around how do we solve them. So the cultural issue is not in infosec; the cultural issue is outside of infosec. The cultural issue is with the R&D organizations, the quality organizations, the teams that develop these amazing life-saving products, but now slap on some type of Bluetooth or RF or network stack and now all of a sudden they have to become an infosec or IT expert, and that's not what they are. And they operate in a realm where security has never historically been part of where quality sits within a quality process, and they have to follow the process, but when you look inside the process, security is not mentioned once. And so you have to go through that effort to change that process, and that's a really big cultural battle and challenge that every medical device company, every
hospital has to battle through and we're fighting through those challenges and we've had a number of wins and a number of of uh um you know successes that we're very proud of you know we've heard about one today as our vulnerability disclosure one product security. j.com which was a significant significant accomplishment for us it took many months of effort getting the right support and buy in from everybody who would impact it you know I mentioned we have 265 operating companies all of our franchises are independent of one another they don't talk to each other we're a security team that spans all of them and have to have go have the same conversation with every single team at different times and it's
just the nature of our business and we've had to really adapt and create flexible models number two is the crowdsourcing piece we have crowdsourced the crap out of our framework we didn't go into a bubble and say this is how we're going to build devices securely we went outside we talked to I'm the Cavalry we talked to our our competition because you know the medical device companies we don't compete on security we talk to the government we talk to researchers we really tried to understand the approaches people have taken to build a solid program or what we think is is solid you know we focus on the N cyber security framework we focus on the ISO
standards that you know that Katie authored over here for our vulnerability disclosure we looked at tr57 which recently came out around M risk management from a cyber security perspective and we've really tried to figure out how we take a lot of these build it into a program that fits into a quality process that doesn't understand security because if we go into that process with something brand new it's going to be hard for them to understand it so we have to do a lot of language translation which Josh talked about this morning really what we talk about in security and put it into their language and their speak so when we talk about threats to them that's a hazard and we
need to talk about it that way and we've really tried to adopt that internally to help buy that support the fourth one is community we're working on some Community projects or what we call them uh one we we talked about it a bit at the NH ISAC event and have really started some movement on it and that's trying to open source within the Healthcare Community our framework so what we're doing for threat modeling what we're doing for security requirements how we're building out our assessment questionnaires and sharing that with the greater good of the healthcare world so using the nhi sac as a for to pass that through to the other organizations you know for for most that
don't know 80% of the medical device companies that are out there have 50 or fewer employees 50 or fewer now how many of them do you think are dedicated or understand security they're the ones that need help and if we can help them we're going to do the best that we can uh so finally and I try not to run too long here here is is you know back to my son's video there he talks about he called me a superhero I'm not a superhero I'm just the guy in a company trying to do the right thing trying to make our devices safer and secure I mean if I want to throw a ter around I'll steal one of
Josh's and maybe called myself and my team super change agents because that's ultimately what we are we're security guys I'm a tech guy by trade I used to love breaking Network equipment and now I get to try to change and work to change culture in the largest medical device company in the world that touches 1 billion patients per day and to me that's exciting and empowering because I feel like every day I'm making a difference so thank you for the opportunity and uh I appreciate it thank you very much Colin so next up uh we'll go to Jay Radcliffe who will make the long walk from the back of the the room where all the cool kids sit up to the very front I
don't think anybody's shocked that I would be in the back of the room right so it's been a really interesting kind of Journey uh in looking at the research that I've done and what it kind of what it kind of means to me as a security researcher and as an IT professional I started out this just by playing around with something playing around with my medical device to see what happened and to see what it would do and at the time that I did that I didn't really think anything of it and it turns out that it's become a very large issue and it's a very important issue and watching the last last hour here and seeing all the
progress that this group has made and seeing all the progress that we have made collectively as a community by building something where manufacturers have a stake and they're saying yes we want to do this individuals are pushing up from the bottoms of their companies saying this is something that's really important this is something that I really believe in that we need to do pushing on the media areas so that way Executives get the idea of yes this is something that's important it's not something that we can hide from it is something that we can do something about five years ago when I kickstarted this there was a lot of hiding nobody had a plan nobody knew what to
do and as a consultant I have this great Insight because people call our company up and they have us help them out in this and they ask us all right we've got executive approval uh you know we have a a huge hospital and we uh we hired one person and we gave them $5,000 we want them to secure everything can you please help us do that and that's really where we're kind of at right now we have an excited top end of the branch that can give us limited resources that want something done and we have people at the bottom that want something done and don't have the resources to do it so we're in this
execution stage and I look at some of the slides that Suzanne presented about the life cycle and the communication and things about that and that's great and I love that we have a plan to do that and every time I think about a plan and if that plan worked great we wouldn't have any problems I think about a quote from Mike Tyson and Mike Tyson says Everybody's Got A Plan until they get punched in the face and a lot of times that's where I I feel that I'm at and I know that other people in my industry are at we've got a great plan we go into an organization they want help they're very Cooperative
they want to do it we start the plan and something goes wrong somebody disagrees somebody doesn't want to cooperate and what's really important right now is for us to stay engaged in that process we can't get frustrated and we can't quit at that point in time we have to stay engaged in the process and continue to move forward sometimes when I present research to a company it doesn't go real well they don't like it but you know what I smile and I say hey let's try and work through this how can I help do this better how can I help you understand do I have to do it in a different way do I need to talk to
different people I try and stay engaged not to get a sour taste in my mouth and say you know what screw it it's not worth it this can't be fixed which we tend to do in infosec right we are frustrated because we want change now but we have to stay engaged because we're talking about something that doesn't move fast we can't get funding the way we want to get funding so everybody from the top to the bottom needs to stay engaged so we continue to execute on these things and make that continuous progress because it's amazing the amount that we've already got done but we really aren't done yet and as a patient as a practitioner as somebody
that you know often watches I want to see that succeed I want to see it get better so I think that that's kind of where I've seen things go and that's where I see a lot of places at everybody wants patients to be safer everybody wants medical devices to be safe there isn't a medical device company or Healthcare provider that I've ever been with that was like you know what screw the patients um Live Die whatever we're here for a profit none of them say that number one priority for every one of these companies is taking care of people how do we just do that effectively and how do we integrate that into the information and technology
ecosphere is what's important and the people in this room the people at these conferences are the ones that know how to do that the best and we have to interact with them and we have to continue to do that thank you all right thank you Jay so we often say that uh security is a relay race sometimes uh and you're always passing the torch onto the next guy well the running uh anchor leg of our relay race is Christian damf uh who as I mentioned is both a physician uh and a Defcon speaker so over to you thank you so much hey everyone can we just get it Lively in here a little bit can we give it up for I am the
calvary for everyone that's spoken here all the governmental organizations all of you guys are here learning or contributing or going to just give it up to them come on everybody give it
up all right so my job here is in about four to five minutes is to teach you two things about doctors and remind you about something very very important the first thing I'm going to teach you about doctors is that 99.999% of them know nothing about what you know okay and it's not because they don't care it's not because they haven't heard about it on the news it's because for the most part they're very very busy furthermore it's just not in their purview something that was very impactful to me last time we had our meeting and I hope all of you come on Thursday was that someone asked me you're telling me that when you go and
order a drug and that drug is being delivered to that patient and it's a life-saving drug that you don't even look at that machine you don't look at the stickers that are on it you don't know how it works you don't know what its name is you don't know if it has a horrible track record you don't know if it doesn't work I said absolutely I have no idea I put that order in a computer it goes to a nurse that's in a room 200 feet from me that medicine gets pulled out of the pharmacy and gets infused in that patient and I know nothing else about it Frank for the most part if I'm not
running around the emergency department with my hair on fire I don't know if that Drug's even been given now that's very different proba from your dayto day which is you're familiar with the technical tools that you use they're like your third arm everyone in here has so many different devices on them that are part of their everyday life that is not what happens in medicine okay so the first thing to teach you is that doctors for the most part know nothing about what you know now if you have been paying attention today you know that is is not where we should be okay one of the stakeholders that needs to be part of this conversation are Health Care Providers
nurses Physicians doctors nurse practitioners physician assistants everyone in the care delivery from the janitors all the way to the P to the doctors that are doing life-saving surgery okay they need to be part of it not all of them we don't need to have courses in medical school about cyber security excuse the Cyber and can throw something at me if you want but we have to use it I guess it's not going to happen and it doesn't have to happen but we need to engage some of them because what they offer is a very valuable part of the conversation okay the second thing I'm going to teach you about doctors is that they're hackers too they just don't know
it they just don't know it let's talk about this what do they do they look at a system the human body and they recognize where it breaks they recognize when it breaks down and it causes cancer it causes infectious disease the TR trauma associated with a high impact motor vehicle collision they recognize that your spleen not working because you're bleeding to death it's been fractured in half that system that is supposed to work is not going to work and this is where it's failing this is what I'm going to do to intervene it this is what I'm going to patch okay but that's kind of more oh well everyone just patches how's that really the hacker ethos
well Physicians Implement treatments to circumvent disease that's exactly what we do every day we recognize that there are ways around problems and we think innovatively we see where these vulnerabilities are and we attack them we fix them Etc doctors do the same thing with their treatments they recognize that cancer some cancers work a certain way they involve certain genes uh they recognize that chemotherapy will work for some of them radiation will work for some of them a combination of it they figure out the problem and they fix it okay they recognize what's broken just like you guys out there so take that understanding when you try to engage them say unlock that hacker within that
healthc care provider talk to them about this system of care and re and say put it in their put it in their purview say what would happen if that machine broke over there that machine that's delivering a very potent medication that's keeping that very sick patient alive what would happen if it broke well the patient would die do you care about that of course doctors care about that everyone cares about that well that device that we're talking about is incredibly vulnerable to attack let me show you how and let me show you with just a little bit of work a little bit of effort how someone with a very very bad um Spirit Soul I'm not a very
religious person myself but that person can screw SC that up can hurt your patient and all of a sudden they're going to care about it okay and they might not care about it to say I'm going to go and take some course work on um cyber security I'm going to learn about this to be able to contribute meaningful to the technical conversation but what they will be are advocates for you in the conversation with the people who can change this and for the reason of the last thing I'm going to remind you that this is why I'm thankful for the opportunity to speak here with you but I want to make sure that all of this conference all of
this talk all these tracks we talk about all these awesome things that are happening we cannot forget why why there are so many people in this room that care all right it's because of that tiny little infant that's seven days old that's surrounded by insurmountable odds if you can look around that look at one two three four five infusion pumps all of which have drug libraries that are reminiscent of the hospah Haack Telemetry units drug Delivery Systems ventilators that breathe for this tiny little infant okay they already have the disease the breakdown in their physiological processes that they're fighting against the last thing they need is for one of these systems to fail because it's wind running window
NT and no one's looked at it for 10 years and the vendors have forgotten about it and the biomed people say it works it's too expensive to fix it we haven't gotten money to do it we don't have another bullus of money until the next cycle we're already striving you know we're already struggling to take care of the patients we have right now with the medications they need this is a hard problem okay but this is why you're here hopefully this is why you're paying attention it's because you recognize that this is what matters and let's strip away for a minute the term the patient that's what I say I say I see lots of patients every
day I saw patients last night till 2 am. and that helps me cope with the fact that sometimes it's hard to think about them as people because a lot of bad stuff happens to them okay they are people they are your daughters your sons your mothers your grandparents they're you and we all know more than anyone else on this planet this is problem is going to get worse the next generation of doctors grew up with cell phone with smartphones glued to their hands and they see the solution to every single problem out there with as an app or another medical device the next Generations of doctors and entrepreneurs in the medical sphere are going to push for this even harder
it's going to explode we recognize that we are not going to be able to fix this problem unless we start doing something now and it's just the right thing to do okay I really appreciate this time this opportunity again thank give it up for the calvary awesome