
Healthcare in Critical Condition

BSides Las Vegas · 2017 · 57:31 · 84 views · Published 2017-08
About this talk
A panel discussion on cybersecurity vulnerabilities in healthcare systems, examining why hospitals remain critically exposed to both malicious attacks and accidental harm. The speakers present case studies including the WannaCry ransomware incident, discuss coordinated vulnerability disclosure prioritizing patient safety, and showcase clinical hacking simulations conducted with physicians to assess hospital preparedness for cyber incidents.
Original YouTube description:
IATC - Healthcare in Critical Condition - Christian Dameff & Jeff Tully I Am The Cavalry BSidesLV 2017 - Tuscany Hotel - July 25, 2017

Transcript [en]

Hello and welcome to BSides Las Vegas for the I Am The Cavalry track. This evening, today, we have Jen Ellis of Rapid7 and Josh Corman of politics world [Laughter] remember, sorry, and hopefully we'll have Jay Radcliffe joining us from Rapid7 too. These talks are being recorded, so if you have a question, if we have time for questions at the end, if you can raise your hand we'll bring the microphone over to you. And please silence your cell phones. And then, last of all, of course we need to thank our sponsors: very sprite fertility, Tenable, Amazon and Source of Knowledge are all our stellar-level sponsors this year, so let's give them a hand, and welcome Josh and Jen.

All right, thank you for being patient. What a great day. Everybody have a good time today? A lot of good content. So we're gonna have two back-to-back sessions on healthcare. It's one of the biggest concern areas; it's a sixth of our economy; it's one of our most exposed issues. And in the Cavalry we like to talk about, you know, that sometimes we're allergic to catch phrases, but catch phrases stick, especially with multiple stakeholder groups, so we talk about "wherever bits and bytes meet flesh and blood." And if you think about all the areas that could entail (vehicles, trains, airplanes, industrial control systems, smart cities, you know, industrial IoT), the one that keeps me up at night the most is healthcare, partly because there is zero learning curve required to hack Windows XP on unsegmented networks directly reachable from Shodan or from the internet. So this exposes us to a bevy of accidents and adversaries that don't require much talent.

So, you know, Beau likes to say deliberate, malicious intent is not a prerequisite to harm, and this was a talking point for a few years as we tried to prepare for a more resilient and trustworthy healthcare, but now it's a reality with things like WannaCry. WannaCry was not intending to take out hospitals, and thank God it had a kill switch in it, and thank God it didn't do as much damage as it could have. And I'll show you some data science from Bob Rudis at Rapid7 as to how bad it could have been, but that was not intending to hurt hospitals, and yet without that intention it did really serious harm. And you might have heard, if you were here for Jessica's panel earlier, when Congress asked for a healthcare cybersecurity task force for one year, they did not know that 2016 was gonna be the biggest year in ransomware in healthcare in history. In fact, for the longest time it enjoyed relative obscurity as an industry; in fact that was well before even Hollywood Presbyterian's attack.

So I'm gonna show a few slides that we showed at CyberMed Summit. The general flow of this particular chunk, chunk one of our two, is I'm gonna show a little bit about why I think healthcare cybersecurity is in critical condition, not to wallow in the problem or admire it, but maybe it sparks something in you where you have an idea of how to make it better, or maybe it drives you to get involved, or maybe you can do some sort of donation of your time to mentor someone in technology services at a hospital in your region, or just get more involved and amplify the good work that others are doing. But in this one we're gonna talk a little bit about why healthcare cybersecurity is in critical condition. In addition, we also want to highlight the kind of coordinated vulnerability disclosure that focuses first and foremost on patient safety, with an anecdote for how Jay Radcliffe at Rapid7 worked collaboratively with Johnson & Johnson and the FDA to make sure the right things happened in the right sequence to prioritize patient care over all other motives. We really want to applaud and amplify what we consider to be what we want to see as the default behavior. And number three, time permitting, and I think we'll have some because we booked it, they couldn't be here, but the two physicians that did the whole thing with a bunch of us in Phoenix, Arizona: we did the world's first clinical hacking simulations and tabletop exercises to see how prepared hospitals really are, physicians really are, and it was amazing. So I hope to show some raw footage from some of that that you wouldn't have seen on ABC. Pretty decent piece, nine-minute piece on ABC Nightline, but very superficial for how much stuff we did in those two days. But I want to give you guys a treat. We're eventually gonna make some really nice curated voiceovers: what's happening, the medicine behind it, the hacking behind it. But for now I want to show you guys a treat for being here, so in the third chunk of this we'll do so.

And then in the next hour, especially since we're slicing these up for the video, we have several members of the healthcare task force that are here to answer your questions, so a lot of the staging will be done in this session and we're probably just going to jump right into talking about that in the next session, where we'll do proper introductions. Sound like a good flow? Okay. So I will try to go quickly here, and... hey Jay, excellent. All right, so I'll try to do this in about 15 minutes. I'm not gonna do a ton of slides; you saw some this morning if you went to the keynote. So essentially the thing that really scared me, and I mean really scared

me, this is actually, there were two events, and I'm gonna be a little too transparent here. There were two things that made Beau and I decide to leave the comfort and safety of the private sector and go into bizarre think-tank land and public policy land. Policy, not politics; I don't like politics. One of them happened, I'm gonna go in reverse order: Hollywood Presbyterian, February of last year, got hit by a piece of ransomware called SamSam. And I spent a lot of my private sector career, the last couple years, focused on third-party and open source supply chain risk, things like Heartbleed, and this was a deserialization flaw in one Java library in JBoss in one medical device, and without intent, without specifically targeting a hospital, Hollywood Presbyterian shut down its patient care and diverted ambulances.

Now, I don't know the last time you were in a hospital, but think of the types of things you do in a hospital, right? You see the birth of your child, maybe you're worried about, you know, is it going well, other complications. You might get hurt and you might be waiting for emergency care with a whole bunch of sick people in an emergency room for hours and hours. You might be saying goodbye to a friend who's dying. There's a whole bunch of reasons we don't really want to be in hospitals; you know, you should avoid them at all costs. Usually bad things happen there, or sometimes wonderful things, but what you don't want in those really tender moments and those really vulnerable moments is to have some sort of complication or delay. And what we're learning as we start digging into this is degraded or delayed patient care absolutely kills people. People die in hospitals every single day; it's just a part of emergency medicine, it's part of surgery, people die. The question is how many more people die when there's degraded or delayed care. And can you imagine being in that ambulance and bleeding, or needing emergency care, and having to go up the street, maybe it's a couple minutes.

This might be as good a place as any to put it in, but our physician friends pointed out a New England Journal of Medicine study on the Boston Marathon. And in this Boston Marathon study they did a year-over-year comparative analysis of the mortality rates, after a certain period, of people who had a heart issue that day, and part of the challenge with the alternative routes for traffic is it added almost four minutes extra transit time for the ambulance, and that translated into a statistically significant increase in death. So even though the Boston Marathon is great, especially if you're a runner, there's a cost to that, and it's a cost we don't see in an acute way. It doesn't show up on the news, but there's an increased mortality rate, or death rate.

So one of the things I should clarify, because some people online got mad from this morning when I mentioned it: the concern is that when WannaCry took out 65 hospitals and 20% of the trusts, is what they call it, in the National Health Service in the UK, that's not one hospital where we get to go up the street; that's a material impact on the total patient care for that country. And to clarify, the trusts in Manchester, UK were not affected, it turned out, but while we were flying to a different medical event, when I saw the Ariana Grande bombing, I got a lump in my stomach and asked, are those systems back online yet? So luckily in that case they were, but what that means is any sustained impact on patient care on any or all US hospitals will absolutely lead to delayed treatment, delayed surgeries; maybe they miss something, a test or a scan they could have done. And this is just something we shouldn't be messing around with. It's one of our most important foundational services as a country and as a people, right? If you think of Maslow's hierarchy of needs, you get the self-actualization on top; what's at the bottom? Food, shelter and safety. And not only is this a mission-critical part of our economy and our GDP, it's also something we desperately need when bad things happen: a hurricane, a natural catastrophe, heaven forbid a Boston Marathon bombing.

So when we did have the task force, I pointed out, because Hollywood Presbyterian had just happened, I flew down to our very first meeting on the same day the Boston Marathon was ending, so everyone on my flight had a Boston Marathon jacket on, and I was brought right back to the time when we ran SOURCE Boston during the bombings. And I asked the room of medical professionals, who remembers the Boston Marathon bombings? Of course everyone did. And I said, who remembers why the death count was so low? And the average citizen might not know this, but the answer is it was blocks away from some of the best medical facilities on the planet, and the overall emergency response was impeccable. It's being studied; in fact, one of the reasons they did it is, pre-9/11, they had been testing emergency response services in Boston for a long, long time, so they did a phenomenal job. So one of the things I asked our task force was, what happens if you do a Boston Marathon bombing and a Hollywood Presbyterian denial of service attack? You know, we need these services when we're most vulnerable and it's just too easy to do it. So the two things that made us decide to leave our jobs were: one, when I saw Hollywood Presbyterian, it showed that accidents can take out patient care,

and then I asked myself, what could TriCk do? So some of you know that I researched the rise of Anonymous with Jericho, and when we did so we had some custom artwork made, and one of the points we made was that Anonymous as itself wasn't the interesting thing; it was a blueprint that could be copied and perfected by others. And you know, if your FUD radar is going off now, just remember: just because it's scary doesn't mean it isn't true. And we meant that generically; in fact, when we wrote it there was no such thing as ISIS. We were worried about al-Qaeda or some other lone wolf or some other extremist group, but it's kind of hard to deny that ISIS has perfected the blueprint in the use of social media for recruiting and propaganda. And more specifically, even though Anonymous globally had very, very few hackers, one of the hacking crews, called TeaMp0isoN, had a hacker named TriCk, T-R-I-C-K, Junaid Hussain, and the other thing that scared me is shortly after DEF CON two years ago he was killed in Raqqa, Syria with a drone strike, the first hacker ever killed by drone. And I didn't even know he was in Raqqa. We knew in general that he had gone to jail for hacking Tony Blair's website, but at some point after that he radicalized and started the Cyber Caliphate. When he was killed, of all members of ISIS he was the number three most dangerous man according to our national security apparatus.

So this is a kid who wasn't an elite hacker or the best in the world, but he certainly knew how to use Metasploit or Shodan, or hack Windows XP, or go over SMB directly exposed to the Internet, which is essentially hospitals. So back to my point: of all the industries that have safety-critical exposure, the first thing I saw was Hollywood Presbyterian. Thank God TriCk's dead. The problem is there's not just one of them; he recruited, he trained, there are others, and they can be replicated again. So the two of those things, I said, we've got to lean in harder and faster and we've got to get in front of this, because if and when someone does a deliberate target on these very soft targets, it'll be like the BP oil spill; it'll be every night on the news. We don't really have the staff, training or functions to really separate and segment these things. The blast radius and the fragility is just too high for a bunch of reasons.

So I'm gonna skip some of this. And then other things happened throughout the last year. Everyone was talking about Mirai as an isolated incident, and we'll never just depend on Dyn DNS, and we can have other ways to handle this. But if you abstract past the things that it actually targeted, because they published their source code, all it was looking for was a default username and password combo; you could point it at anything. And one of the things I said with the FDA and some of our HHS colleagues is there's nothing stopping the next Mirai from being comprised of medical devices. Many of these have hard-coded service passwords and are directly facing the Internet, and some of these are small, like a bedside infusion pump; some of them are very large and very expensive, multi-million dollar devices. So some of these clever ideas our friends have, like let's do a white worm to brick all these Mirai botnet nodes: you might be breaking something connected to a human. These are not good ideas, and it's not gonna be easy to fix. So the capital expenditure for some of these things is really high, and if they shouldn't be on the internet in the first place, it takes staff and training to know how to properly segment these things so they can still deliver patient care. So when I looked at Mirai, I didn't look at the current manifestation; I looked at what might happen were this to find its way into not only unpatchable devices in some cases, but devices that you really just can't take offline; you need to use them. So this was a pretty scary thing.

And then BrickerBot didn't do much and make many headlines, but BrickerBot was not using this to turn it into a botnet or to send DDoS traffic or to ransom anything; it would find its node and it would destroy it. So think of destructive malware on safety-critical systems. So without cursing, one of the things I used to say was you should focus on known vulnerabilities first. I called this HD Moore's Law: the power of an unskilled adversary grows at the rate of the Metasploit project. So I said a known vulnerability is much more likely to be exploited, and data scientist Michael Roytman proved that it's about 30 times more likely to be exploited once known and in some combination of Metasploit or Exploit-DB. But now I say

something even more basic, which is get your stuff off of Shodan, right? Because if you're nakedly reachable from any internet noise, this is the kind of thing that might lead to harm. Well, within a couple weeks of us trying to publish our HHS task force report, WannaCry did just that, you know, an undirected mass infection vector, probably the largest aggressive worm that we've seen in a long time. A lot of people think we beat the worms; we never beat them, their motive just shifted to profit and more discrete targets and avoiding provocation and response. So with WannaCry, it was taken out pretty quickly through the heroism and luck of one researcher who found one clever flaw in its kill switch and whatnot, but 65 hospitals is a lot. We got very, very lucky, and to their credit, HHS spun up a bunch of responses and phone calls and pulled together the best and brightest to gather actual information, and it was a good fire drill for us to see if our house is in order. But we have a lot more to do.

And I'm gonna skip ahead a little bit, but just to show you how lucky we were: that big orange block, this is from Bob Rudis at Rapid7. He scoured the internet, safely, not irresponsibly, to find SMB exposure. The US had 330,000 exposed nodes. Now, they're not all hospitals, but a lot of those are hospitals and academia, and if that research is lost, it's lost forever; in academia they're really bad at backups. Now, even though the US by far had the most exposure globally per country, we were relatively unscathed. We had some hits, but relatively unscathed. We got very, very lucky, and I'd like to tell you, he keeps measuring this week after week, I should have asked him today, but we weren't shrinking very fast. So even though we got lucky, we didn't act like we got lucky. So part of the issue is we just don't have the staff.

So I'm gonna end, for this section, before we bring up Jen and Jay. Jen and Jay, hey, isn't that funny, Jen and Jay. Yeah, there's a lot in the task force I want to talk about in the next hour, but we settled on a pretty aggressive first graphic, and, if she's in the room, she helped us make this with Doug. But we said healthcare cybersecurity is in critical condition. If you can't read the eye chart, essentially there were about 13 or so unique challenges that we thought face modern healthcare, but I'm gonna paraphrase the top five. Severe lack of security talent in clinical healthcare. Part of the issue is a highly fragmented and privatized and geographically dispersed health delivery strategy in the US, just given how big the country is. There's statistics every year that we do know about how large these are, so you have large, medium, small and rural; the overwhelming majority fall in the last two categories of 20 or fewer employees or 10 or fewer employees, and you know those don't even have an IT person. The larger hospitals have staffs, but without a census, which we'd like to see, you know, a decent estimate based on other factors is about 85 percent of our healthcare delivery organizations lack a single qualified security person. When we talked to some of the ones that were considered leaders in their space in rural, it was essentially a nurse that was also doing the QuickBooks and also had watched some SANS classes online, SANS StormCasts and things online, and were begging us for, can we get a three-day crash course on the CISSP or something like that? And they were begging, and then doing the best that they can. Not judging these organizations, and there are such razor-thin margins that there's no way they can afford one under the current cost structures. But if 85% have zero people defending them, we're sitting ducks for these things. You know, I made a joke to Beau, I said, when we make fun of security by obscurity it's a punchline, right? We make fun of it. But I sadly asked, what if that's all we have? And unfortunately Hollywood Presbyterian rang the dinner bell. A lot of hackers started deliberately targeting ransomware against hospitals, to the point where it became the top target of ransomware last year. So number one, there's almost nobody minding the store. Who's gonna set up the firewall rule, who's gonna do the patch, who's gonna receive the InfraGard FBI alert, who's gonna know what to do with it if they got it? This is a clear and present danger; I don't think it's an overstatement. We've been lucky, but that obscurity is over.

Number two is legacy equipment, just a reality of the cadence of IT and these systems, both office systems and medical devices through FDA, or EHRs through a

different part of HHS. A lot of these things are Windows XP in the best case, and the time to live in the field is very long. We must have gone down the rabbit hole on this for seven months, on how wicked a problem it is to drain the swamp of legacy technology: not only is XP past its end of life, its successor Vista has been end-of-lifed, and we really don't have a robust way to fix this, and we don't want to throw away otherwise excellent medical technology. But from a security perspective, this is essentially like doing surgery without washing our hands first. So just like we have physical hygiene, we do need some level of cyber hygiene woven into the cost of delivery in connected medicine.

Number three, I say this with love, because the road to hell sometimes is paved with the best of intentions, but HIPAA and HITECH introduced meaningful use, which tied reimbursement for medical technology to the ability to receive and transmit electronic health records, and this drove a level of premature connectivity and over-connectivity. And this is one of the contributors to why a single flaw in a single device has a blast radius of taking out an entire facility, because it's incredibly hard for these brittle and poorly interoperable systems to be segmented or isolated without really knowing what you're doing and having qualified staff, which we don't have. So this is over-connected, to each other and to the outside world.

And number four, because of that blast radius, a single flaw on a single device can affect patient care, as we saw with Hollywood Presbyterian; initially four UK hospitals in November, another four in January, and then 85 in a single day with WannaCry. Lots of good news here, right? And then to kick it while it's down, this is a specific example for a vendor who will be here on the panel, and actually the story behind this is quite impressive and I hope we get a chance to tell it, but Billy Rios and some others found a single device had 1,400 or more CVEs in it, and when you looked at it, it wasn't a medical device per se, but it was in the clinical environment, was past end-of-life. You could come up with a bunch of reasons, but the bottom line is when you look at any particular piece of medical technology it's not uncommon to see over a thousand CVEs in there. Doesn't mean they're all exploitable, but as we know, it takes one.

So let me tie this back together. Maybe 85 percent of our healthcare delivery organizations don't have a single qualified security person on staff; they probably need a lot more than one. They're trying to defend harder-to-defend things than we do in banks, which are more modern and better kept up to date. They're over-connected to each other and reachable from the outside world. A single flaw in a single device can take out patient care, and the average device gives you a thousand chances to do so. I'd say we've got some work to do. Now, the good news is we put a ton of heart and thought and work into that task force report, and we've come up with some pretty bold ideas of how to turn the tide. It's just gonna take political will, a lot of public support and, in some cases, a lot of time. So that's why I said this morning, time is the enemy.

Now we have some very positive news in the form of, you know, how do you solve world hunger? By eating a sandwich, so to speak. Some really positive trends, building on the great work Suzanne and her team have done to really hack the incentives and reframe the posture of cybersecurity for these medical device manufacturers, not one at a time. And this is something, I'll take an aside: during our kickoff, I said to the room four years ago, I said I have no interest in finding and fixing one flaw in one device for one manufacturer. We want to hack the industry; I want to fix the incentives with which these are done. There are thousands of vendors; there will be thousands more. We have to think bigger and we have to think like hackers. We have class breaks; I want to see class fixes. And it's Suzanne's courage and her team have helped us look at the heart of the Hydra, not the heads of the Hydra; the root cause, not the symptoms. And I think we've got the medical devices put on a path. Sadly, it takes six years or so for those that go through IND and clinical trials and premarket approval, so we won't see the fruits of that for some time, but I think that's on a good path. Now we want to shift our attention to the clinical exposures that we have, and while we did this for US focus, it's a global supply chain, and many of these issues are equally shared by our allies elsewhere. There's a few unique benefits and challenges in other countries, but at this point I'm gonna pause. We're gonna show a success story of how putting patient safety first allows for the best and brightest of our research community to work with the best and brightest manufacturers trying to do the right thing. And Jen, please come up. Round of applause for Jen and Jay. While she's setting up we can distract; did someone have a comment? I thought, I promise I will answer that during the HHS task force panel. We went really down the rabbit hole on that one, including a cash-for-clunkers and some procurement guides for new devices, but I'm gonna hand it to Jennifer right now.

Okay, so I'm Jen, I'm at Rapid7, apparently as of this morning I am officially Corman's hero, that's me. So many places in new

[Music] Is this better? I could speak like this; it's super comfortable. Do you like it? I mean I could pinch my lip. Ivo, how about the univille, can we make this lock? Is it gonna be weird, like I'm gonna break into song, which nobody wants, trust me. Okay, so yes, I am here to talk about the Johnson & Johnson Animas OneTouch Ping disclosure, but really what I'm here to do is talk about my love for Colin Morgan and Jay Radcliffe. Thank you; apparently it's been a day of talking about heroes. I love you too.

Okay, so basically what happened was, I believe that a year ago Colin was here, not here, he was downstairs, and he was talking about the Cavalry track, and he was talking about his journey at J&J, where he had basically had this epiphany of cyber safety issues in medical devices and had decided that he would frankly take on the Herculean challenge of changing the culture at Johnson & Johnson so that he could build a vulnerability receiving and handling process, which is just an amazing thing for a person to decide to do and then actually achieve. And so the thing that you didn't know was that while he was talking to you about that, we were working with him on a vulnerability disclosure. And in fact what happened was, after two years of Colin rolling this incredibly large, cumbersome rock up a hill, he had got to the point where Johnson & Johnson had agreed to a vulnerability disclosure program, which he was building, and a week before he announced it we knocked on his door and said, cooee, we've got something to tell you. So this is the story of how that process went, considering that we were a week before he was ready to unveil it and we were the test case. And just to give you a little bit more context, many of you may remember that this time last year we were probably two or three weeks past... the MedSec disclosure hadn't happened yet. Okay, so, all right, okay, so my memory is a little dusty. So what happened was we disclosed to them, and then about, I think, a month after we disclosed, MedSec happened, and we were like, oh [ __ ], we don't want to be associated with anything with that.

So this is Jay Radcliffe, and what a fine figure of a man he is. This is a shameless, shameless plug showing Rapid7 in The Wall Street Journal. This is Jay talking about the disclosure, and the point of this slide, and I'm gonna come back to it, is to show how we got to this point. This is the positive outcome for all concerned, and I'm gonna talk about how we got there and why it's a positive outcome. So very quickly, and I am not a technologist and there'll be lots of people throwing things at me, particularly Jay, but just very quickly, the way that this works, and for those of you who don't know, which is probably not anyone in this room, but Jay is diabetic and he has a very personal stake in this kind of research. About six years ago, I think, he did the Medtronic research; he researched an insulin pump that was attached to him physically at the time and found some bad things. And so I think since then, since Jay has made the decision to take injections rather than an insulin pump, his doctors probably urged him a number of times to go back to a pump, and so Jay thought, you know, six years have passed, let's have a look and see what the technology is doing today.

So he looked at the Animas OneTouch Ping, and the way that this device works is there's two pieces to it, as you can see in the shiny picture: there is the insulin pump itself, which connects to you physically, and then there's a remote control which communicates with the pump via radio frequency communication, and the remote control basically will tell the pump when to release insulin; it's a sort of automated process. And so Jay, in the course of his research, discovered that with the right skills and the right technology you could intercept or spoof those communications to either, you know, pause insulin delivery or push a potentially fatal dose. Not, not, not the best news, all things considered. So we decided to disclose, which is the thing that we do, and this is often how these things go; it's not always the most popular moment of a researcher's life. And with J&J we felt like there was the potential for, let's say, a lot of unknowns. We do a fair amount of vulnerability research; we probably disclose somewhere between 25 and 50 vulnerabilities a year, so we're not new to this, we're not, you know, completely naive about how the process goes, but every process is a little different and everyone has its own challenges. With this one, firstly there was the fact that we were dealing with things that related to life and death, and while Jay had experience of that at another company, we had never done that at Rapid7. You know, Java is serious, but it's not often life and death, and so that was one. The second was, I don't know if you've heard of Johnson & Johnson, but they're quite big, and, you know, Rapid7's growing fast and, really, buy the stock, but we are not on the same level. So that was a little intimidating, and we knew that they'd have big expensive lawyers, and we knew that they'd need them, because often with Johnson & Johnson when people knock on

their door and say hey there's a problem in your product they have all their friends with them and it's called a class-action suit and so we knew that there was a big chance that they would be at least incredibly cautious and possibly just sick some lawyers on us so those were some of the things that we were worried about but the the great surprise for me was the first call that we did with them this voice gets on and I'm doing what I do which you can tell is what I do is I was babbling and this voice says is that Jen and it's calling and it turns out like you and I'd met actually at a

roundtable that Jessica sitting over there at organize so thank you very much make you Jessica and that gave us a foot up because Colin and I had had the experience of meeting each other we had built some like basic level trust we were I mean we weren't you know besties at this point we hadn't sworn a blood oath but we had a like a little bit of mutual respect and we kind of understood that we were both in it for the right reasons and so that gave us an opportunity to kind of hear each other more openly which was good because you know typically they're not used to having people say hey we've come we want

to help, we want to work through this stuff with you," which is what we do when we do disclosures. So because Colin and I had met, and Colin was aware of Jay and his reputation and his credibility, there was a little foundation there of respect. And I had, I mean, and still have, a bucket of respect for Colin for all of the work that he's done at Johnson & Johnson rolling those big rocks, and so that kind of gave us that nice foundation. So we started working on the process together, and there were a lot of learnings. You know, they're dealing with a highly regulated environment, which meant that we had the sort of

specter of the FDA, hi FDA, and we had had a prior experience, Jay had a prior experience with his previous disclosure, of seeing the reaction that you can have with patients, and we wanted to be very sensitive to that and try not to cause panic for people. And so we were really sort of cautious with how we approached it, and, as I said, a month in, MedSec happened, and that was kind of an oh [ __ ] moment, because, you know, we had a pretty strong example of what we didn't want to do. We didn't want to cause that level of panic and confusion and upset. So that gave us a good

template of what not to do. Along the way we still found some surprises. So the punchline here is that Johnson & Johnson, once they'd verified the vulnerabilities, made the decision to proactively notify their patients, which is like a landmark moment. And the landmark moment for me was finding out that people still do that by post. So we then had this amazing back-and-forth about what it means to disclose something and when something has become public, and there was a little bit of education, not with Colin but with Colin's communication team, about how it's not when the last person gets the letter. Hello, have you met the Internet? And so that was kind of

funny, and there were lots of very late-night phone calls with Colin and I where I was basically just sharing my vast knowledge of profanity with him, and he was very calmly taking it and hoping that I wouldn't do this with his comms and legal team. And again, this is a testament to the trust that we built. Trust will get you so freakin' far, and the only way to build that trust is really to come at it with an atmosphere of openness and honesty and really a desire to get to the right outcome. And that was our guiding principle. For us, to go back to our little kitty friend here who, for

some reason, just makes me laugh, our guiding principle throughout it was we didn't want to freak the patients out, because we knew that the worst possible thing people could do was start ripping these things out of their bodies. That would cause harm. And so we wanted to help people understand what the risk profile looked like here, what the real situation was. We wanted to avoid FUD, and we kept coming back to this guiding principle of what is the best thing for the patients. Because we took that approach, we were able to find great common ground, we were able to work together. We worked together with CERT, we worked together with the FDA, and I am sort

of speaking on behalf of Suzanne and Seth here, but they basically said, "Hey, you guys are working together, you seem to have it, so we're happy." So that was great. So because we took this approach, it meant we were able to take control of the message. We were able to communicate in a really productive, helpful, proactive way, a calm, neutral way, and that meant that when the story came out, and, you know, obviously I was very pleased that Jay was on TV, but I was also super pleased that the story here was that Johnson & Johnson was telling people. Johnson & Johnson was taking control of this message, and it was reassuring their patients and giving them pragmatic

advice on what to do, and that was a really positive thing. And in the end we got really positive feedback. We had patients and parents of patients who reached out to us and said thank you for taking that approach and for making it clear and for not causing panic. And we were also called an exemplar by the FDA. I've only ever had that word used for me in the bad sense, so, thank you, I appreciate it. So that's how we did it, and if you have questions, here is the obligatory outro slide. [Applause]

Okay, and then we will do questions for all of us, so don't forget your questions for Jen. That's one of the reasons that they're both my heroes. Okay, so hopefully this will take back on. Okay, so raise your hand if you were at the CyberMed Summit in Arizona. Pretty amazing, huh? Let's try that again. One of the first principles we have when we're talking to policy makers about Cavalry stuff is all systems fail. Oh, maybe we are doing Q&A.

She is in your back button idea. The demo gods don't like videos either. Alright, so I'll start explaining what this is. We met, on our very first anniversary of DEF CON, in the green room, two med students, Christian Dameff and Jeff Tully, and they were presenting on hacking 9-1-1. And we said, "You guys are actual med students?" "Yeah." "Like, you know how to hack?" They said physicians are hackers, they just don't know it. And we kind of put our heads together and said, you know, we really got to do something. You know, it took us too long, but we said let's do a clinical hacking simulation. They explained that doctors train on a

regular basis. Give me an HDMI, I can turn these, come on. So what they explained is doctors train on a regular basis for exotic things they're gonna encounter a couple times a year but not every day, such as a pregnant woman comes in and needs a defibrillator. There's two heartbeats, so it's not a straightforward case, but they'll train, and the goal is that it goes into their muscle memory, and perhaps, when things don't work, perhaps they'll be better trained and conditioned to just take the patient and deal with it appropriately. So what they do this with is they use professional actors. I don't mean from Hollywood, but they use actors who know how to do this role. Most

of the staff is... this is so unfortunate. Okay, I do have an HDMI if you have one. So they'll typically do a simulation with an actor, and it feels very real. It's using real equipment and real medicine behind it, and they'll have the two-way mirror and they'll have cameras, and they'll use this to train each other. So if you've got some off hours, you'll do a training simulation. They also have these incredibly lifelike, inexpensive dummies with different names, like Victoria was the pregnant one, I think it was Victoria, and these dummies, they bleed when you cut into them, they have a very similar flesh feel for the scalpels, you do chest compressions, it'll crack the ribs, and

they do these to make it as lifelike as possible. In fact, one of our task force members, Marc Jarrett from New York, he said that they actually also make you go talk to a fake family afterwards, when you lost their loved one, so that you can get conditioned on how to break bad news. Don't do it. So what we had, this bright idea, was let's do one of these with hacking and see if they can handle it, because oftentimes when you look at all the various stakeholders in this group, they're not at the same level in their journey. And we've often heard from doctors that hacking wouldn't matter: "We're trained for this, we just respond to the symptoms

and treat the patients." And to a certain extent that's very true and it's very plausible. What we wanted to do is test that, not to prove them wrong, but to see what would happen. So using real simulation protocols they're normally used to, they actually publish these and share them, so they've already written these up so they can be replicated by any other simulation in the country or in the world. We decided to do two or three; we ended up doing three guinea pigs, where a physician would come in, and all the nurses and physicians were actually in on it, to see: would they notice it was hacked, how would it affect patient care,

and what lessons could be learned from this. I fear we may not have a video, but I'll still explain it. Alright, so we did three scenarios. One of them was a car crash came into the ER, and they didn't bother to check, not that they would have, but they didn't check that the car crash was actually caused by an overdose of insulin from a hacked insulin pump. So the longer it took to notice that that was a root cause, it affected how they treated this younger patient, who was passed out, and they seized, and ultimately they did save the patient with some heroic measures. But it was very jarring to them because it just

never crossed their mind for the differential diagnosis. Yay, okay, number two. Thank you. Number two was the one that scared me the most. They did, but not immediately. So there's things that we learned in the post-mortem. For each of these we would have a session with the physician afterwards; we'd talk through what happened, they'd ask us questions, we'd ask them questions. It's fantastic. The second scenario was a bedside infusion pump, much like the one that Billy Rios found, and it became the first safety communication in history for purely cyber security reasons, because it had an unmitigated pathway to harm. And that one scares me the most because it's in every single, you know, ward in the world,

your NICU. You'll see, you know, several insulin... you see infusion pumps connected to patients. In this particular case, the patient needed a calcium blocker administered, and they usually do a heavy push and then a drip over a certain amount of time. This hacked device emptied the entire contents in one minute and caused cardiac arrest. In this particular case, the one we picked as the guinea pig was a world-class toxicology specialist and knew exactly what to do in that situation, but didn't realize it was a hacked device, so administered the cure with the similarly compromised device. And we had a really robust conversation afterwards, and she said, "Oh my gosh, I didn't know it was hacked. If I knew it

was hacked I would have grabbed one from the next room," not knowing that hacking the library hacked them all. So then discussions start getting into place of, well, what does the hospital do? Should they do manual, which is slower and fewer patients? Do they buy two different manufacturers such that any time one goes out they have a backup? Does that double or complicate the training for staff? So really interesting discussions were born out of that one, and that one scares me the most because it's the most pervasive. But the one that played best on television was the third one, and I'm going to show you a clip from that, time permitting, which is a patient with a

defibrillator slash pacemaker, so the ability to regulate the heart and administer shock if things went bad. And this particular hacked device, the actor, the device was giving electroshock every minute, and he screamed in agony, and the physicians decided to slowly and carefully treat it. But an interesting thing happens with the heart that I didn't know, because I'm not from that world, but essentially it's Russian roulette: if you hit the shock at just the wrong point in the heart rhythm, you cause asystole and they die. So the patient coded, they wheel in the dummy and start giving chest compressions, or cracking ribs, they resuscitate the patient, next minute hits, screams again, a couple more cycles. They said, "What do we do?" And they're trained

to put a magnet on the chest, because of a factory default safe mode in the firmware that erases the programming and goes to some healthy rhythm. Didn't work. Well, why? Firmware was altered, so the training failed them. Dies again. I think the guy died four times before they essentially said, "You're gonna have to cut the chest." So they wheel up, you know, the kit dressed up, and cut into the chest, and just when you see a sigh of relief, when they cut the lead wires, very electric shocks in the surgical field, very dramatic for television but very based in science. He needs a pacemaker to pace his heart; that's why he has one. So the lesson of all of this: every single

patient was saved with heroic measures, but none of them noticed it was hacked. Even after we told them, they were shocked; they never would have asked for a diagnostic or forensics, they would have moved on to the next patient. Patients die all the time. And the overwhelming majority of the discussion was, "We're not trained for this." And they're very good at doing differential diagnoses and looking for zebras, as they call them. But let me just try to show you a video before I completely run out of time. Okay, this was an amazing experience, and even though I knew it was happening, because we helped design these things, my blood was pumping the whole time.

[Video clip, partly inaudible] "I was having these shocking chest pains, and it happens about every minute. Each time it happens, it feels like my chest is going to burst." This is Jeff Tully, one of our co-conspirators. "We gotta stop it. I got a heart block, I got a pacemaker and a shocker that I think keeps shocking me. Oh my god." "So what, do you have a pacemaker?" "I'm sorry, you're giving an EKG?" "Well, yeah, we could give him..." Everyone's in on it except for the physician, because we didn't want to demoralize them. We did give them hints and nudges along the way.

[Video clip, partly inaudible] "Alright. Wow. Oh, stop. Alright, so thank you so much, we're still working on the left. Yeah. So likely it's going to be an issue with your pacer. We'll get your cardiologist."

So he's dying now. Whenever they go to a procedure, they dim the lights, wheel in the dummy, and they put the actor on mic if necessary. They want the doctors to have to feel the chest cavity crushed; doing chest compressions isn't just an effort of muscle, you're actually breaking bone. And the physicians will tell you they don't feel like it's a simulation, they feel like it's real.

[Video clip, partly inaudible] "First impressions?" "Okay, the leads, the wires." They're scrubbing, I mean, dressing up. The doctor remained calm the whole time. Later he told us, "It's just like cutting the flesh; the leads are just like real leads, hearts in the same places they would be. Couldn't find the lead, so I'm getting the hook." Well, you can see how traumatic this could be. Okay, so I will cut it there. We need three of these; they're powerful. And that was just day one. On day two we did tabletop exercises to show what happens if you were to ransom a single hospital in the city of Phoenix, and then plural. What's that?

No, so some of them were very seasoned. We're gonna try to post all of these from the four angles we have, but we think this kind of magical thing is only possible because of relationships across so many stakeholders. I talked about this this morning: hackers don't know all this stuff, don't have the access to this stuff; they don't have access to what we know. We grounded it in reality. It was powerful. So with this, I'm hoping people stay for this. We can do questions for both of them, but let's try to do our transition to get the task force members up here and do the introductions. And sorry we had some AV difficulties; all systems fail. But I think this is one of

the best fruits of this multi-stakeholder approach of empathy and trust, and I hope to do more of these. We want to turn this into a 50-state initiative, working with governors to pick which hospitals in which cities, but the tabletops revealed that we are wildly underprepared for even one hospital going out. We're just over-dependent on these undependable things. Alright. Thank you to Josh Corman.