
...and welcome to our healthcare panel in the I Am The Cavalry track at BSides Las Vegas. Our panel will be moderated by Josh Corman; he will introduce the four panelists himself. As a reminder, these talks are being recorded and streamed, so when we get to the question-and-answer session please raise your hand and I'll run a mic over to whoever has the question, and if you can, silence your cellphones. And we need to thank our sponsors, and my little paper disappeared, so: we had Amazon and [inaudible], Source of Knowledge, Opportunity, and I'm missing one and I can't remember which one it is. Thank you, thank you to our stellar sponsors, and here's Josh Corman.

All right, hey, long time no see, and sorry we got a little crunched in the last one, but we're going to make all these videos available and answer any questions. There's also an ABC Nightline piece on that. We wanted to do that to set some stage for what's going on with medical device security, with disclosure, with how we're trying to create a visceral experience or learning for hospital administrators, physicians, nurses, so we can take it from a belief that we'll be okay and prepared to knowing where we need to shore up and be more resilient. And this is very aligned with something we've been working on for a year. So, part of the CISA act, the Cybersecurity Information Sharing Act, or, depending on who you ask, this passed in December 2015 and most of you know it as the information sharing act that allowed safe harbor for information sharing in the private sector. One of the provisions in one of the sections called for a one-year task force for healthcare cybersecurity across the sector. Healthcare is a very varied sector, with device manufacturers, pharma, bio, hospital delivery organizations, all sorts of stakeholder groups, so they asked for a one-year task force. There were 21 task force members; I'm probably going to flip to Emery to outline the constituents and the process, and while we couldn't bring 21 of them to a hacker conference at DEF CON, we brought, there's five of us here represented, and we published this report actually a little after WannaCry. But we had hoped to really put some uncomfortable truths in front of Congress, HHS, stakeholder groups, and be honest, candid, forthright on what we saw the situation as, and hopefully have some actionable recommendations for short-term, mid-term, long-term. But we went for it, we didn't pull punches; we went really far down the rabbit hole on certain things that are wicked problems, like workforce, like legacy technologies, like the disparate rates of change and the economics of how long these devices are used. And while we didn't think we solved everything, we said, you know, maybe no one's going to read this because healthcare is such a partisan topic, but when something really, really bad happens we want them to be able to have something actionable and a blueprint for making things better. And the good news, bad news is that with the near miss of WannaCry we had that compelling event and the reason to look. So I did a lot of the exposition in the last section, and if you weren't here for that I apologize, but we did record it. Mostly I want to hear from these guys, because it was supposed to be a year-long task force; I think we went more like a year and a half, it feels like, and I kept making the joke that the healthcare task force was hazardous for our health.

But let me introduce some of our esteemed colleagues on this, in this order. Michael McNeil is from Philips, very forward-leaning on things like coordinated disclosure, too, voluntarily putting out, producing software bills of materials, etc. It was a very strong voice of a large device manufacturer. Rob Suarez from BD, also a very strong voice; we pulled him in at some point in the middle and it was a tremendous addition, jumped right in, didn't miss a beat. Emery Csulak from HHS was the co-chair from the government side, and Jacki Monson from Sutter Health was one of our voices of the clinical risks and challenges. And Emery, why don't we start with you, as
one of the co-chairs and as the government voice here, on the process, the approach, and any opening remarks you have.

Yeah, again, Emery Csulak from the Centers for Medicare and Medicaid Services. Just to give everybody a little bit of background: after the legislation was released in December of 2015 we really stepped back and tried to find a diverse set of people who could really represent a range of the industry. We wanted providers, we wanted insurers, we wanted a whole gamut of individuals, and we really settled on 21 because we really thought, you know, there's the ability of having too many people there and too many voices where you can't get anything done, and too few voices where you're not really getting all the perspectives, but we felt that 21 people really represented the story of the organization. And we really looked for people who had strong connections with the industry. We wanted people who had representation not only for their organization, which shared the perspective of a large organization or a small organization, but we really wanted people who have a great understanding of, you know, who were leaders in their trade groups, who were representatives. We didn't want executives from the trade groups; we wanted practitioners, we wanted people who were doing security every day, because too many times when we talk about security in the industry we talk with CEOs, and, well, the CEO may very well not have done anything in security ever, or may not have done security in the last 20 years. We really wanted an engaged workforce that is really going to change the language. So we really settled on 17 public partners who were really going to be able to move this conversation along, and we had four from the government: we had NIST, DoD, DHS, and HHS. I was the HHS representative, and our role wasn't really to shape and form the consensus of where these recommendations and these activities were going; we were there to make sure that you didn't misrepresent or mistake a position that you were taking. So if you had a challenge and it was a regulatory body, you've got the right regulatory body; if you were trying to come up with recommendations in terms of where to go with guidance, it's like, you can name a specific organization within HHS, but in reality, maybe we can bring that up and loosen that up a little bit to talk about that. So what we looked at, as we looked at 17 people who really had great visibility into the organization, great connectivity in the organizations across the field, to really raise the issues and concerns that Josh had, and we had some great feedback across the sector to highlight the challenges that everybody was facing. And I think what you could see is we came out and we had a roughly equal balance of recommendations that were directed at the public sector and an equal number of recommendations which were directed towards the government, and it really states the fact that there is really no one solution here. I think we hear a lot of, you know, gosh, there's a whole lot of things in this report. Well, yeah, there are a lot of things in this report, and what we want to be careful about is that we're not saying you have to absolutely do this one item and you're going to be good. There's a lot of things that we can do, and I'll let everybody talk about the things that they really champion, and what we're looking for out of the report is champions in each of those areas so we can move these things forward, knowing that we don't have unlimited resources, we don't have unlimited time, we don't have unlimited staff available to do this. How do we make this happen and how do we prioritize this? You know, the workforce itself was really just a starting point for the conversation, and how do we move that forward? So I'm going to let everybody else talk about their perspective on it, but really this was a collaborative effort to identify the challenges facing the sector and see if we can put something a little bit more concrete, a little bit more tangible, around that people can act on.

Before we leave you, you had some good statistics last time we spoke about it. It wasn't just 21 people thinking they're smart; even though we're well represented, we did a lot of outreach, we took
briefings from trade associations. Emery, do you remember how many, any of those stats or the process? You do it so effortlessly, but yeah, because last time I ruined it. But we were supposed to do four meetings in person; I think we did five. I think they were supposed to be a day each; we ended up doing about two-and-a-half to three days each. We were supposed to just do those and phone calls in between; we did weekly phone calls and subgroups. I think to a person we just took it as a really serious responsibility. But one of the things we got maybe criticized for a little is, we don't want to just hear from you guys, maybe you're detached. But we did thousands of discussions with large, small, medium, rural hospitals, individually, collectively; we did a Reddit poll, we did a bunch of surveys, so we tried to hear from other stakeholder groups as well. Who wants to go next?

Sure. So, well, one of the keys from my perspective, and we talked about some of our passions: number one, I did bring, as Emery said, visibility from a lot of the other manufacturers, because I was a part of AdvaMed and on their consortium on cybersecurity, one of the co-chairs. Also I was part of the nomination from MITA, of all of the imaging organizations represented. So when I came and had a conversation, a discussion as a part of the task force, all that data, Rob's a part of the AdvaMed piece, we took that information back into those particular organizations and had them vet the feedback on that as a part of our assessment that went into the overall recommendations, as one of the examples. From my perspective personally, I've kind of been around the block on this on a couple of different occasions, thanks to a lot of work with different sets of researchers, going back to Kevin Fu in this [inaudible] space and in terms of the pacemakers and the cardiac side. I know the video and everything you said there excellently. I also have a personal passion around that, considering the fact that my daughter just started and completed her residency in emergency med, so looking at the video, that's her standing in there with any other patient or the like that's coming in. And it's real interesting being in this kind of a space and profession. When we had WannaCry, I got intelligence from the hospital data just from the shared networks that they have as emergency room physicians, of activities that were happening in Chicago, even though she was in residency in Florida, of when some of the outbreak was still only happening in the UK and we were experiencing some of the overall blue screen issue. So it intertwines with you in terms of having this. And in an area, from a passion perspective, me specifically, when it came to looking at some of the reporting, I think you see the fact that the legacy, as you pointed out, is one of my major issues. And I've been known to be quoted and stated, working with, as much as I love my customers to death, from a health delivery organization perspective, in some instances it is very hard to pull some of the devices out of their cold dead hands. So that's, everyone knows that, so it's not unknown. And then the other piece for me obviously is around, you have to know the ingredients of what the exposures are. And so from a supply chain perspective, when it comes to software, a bill of materials, an understanding of open source and everything that makes up that component, that's the next foray that I'm pushing hard on, and that also was able to come out in the report.

Yeah, for some of you, if you looked at the schedule, tomorrow morning Daniel Beard is going to do a talk about how to generate, many ways to generate software bills of materials, and just for those people who have heard it ten times today, I don't know what that means, briefly: if you look at the Hollywood Presbyterian compromise, it was a single Java library, a JBoss version, in a single device, and the benefit of having that ingredients list, just like on our food, is if you hear an alert and you say this particular library is being attacked and hurting hospitals, you can answer two questions very quickly: am I affected, and where am I affected. The other use is at purchase time: if you see these bills of materials, you see there's a lot of known vulnerabilities in vendor A but vendor B has better hygiene, you can make a much more informed choice. References, it's too expensive to buy a bunch of new pumps if you have no incremental budget; whatever
pumps you're going to buy next, we want to steer you towards better, more defensible, resilient, higher-hygiene devices. So the bill of materials thing, Michael's been doing this voluntarily and really being a leader on this front, and we seem to have pretty broad support on that recommendation thus far. All right, who would like to go next?

Oh, I'll go next, as the other device manufacturer on the task force. And I think for me personally, I think Michael said it very well from the perspective of a device manufacturer, but I think just in general, anyone participating in the task force, that for me personally the value in participating in the task force, and perhaps my strongest motivation, was really promoting transparency and collaboration when it comes to vulnerability disclosure and general security awareness. The reality is that, as we've stated here, there's a large number of legacy medical devices out in use today, and the transition to newer, more secure medical devices is not going to be easy; it's going to take time and effort. And I think an easy way for us to facilitate that transition is to be transparent with the security issues that legacy medical devices have. How do you secure something that you don't know? And our customers, healthcare providers, caregivers, patients, are in a predicament when you can't provide that type of information for them that's actionable. And then on top of that, promoting good secure development lifecycle practices; I would say actually product lifecycle practices, because some of it isn't even just about how you developed the medical device, sometimes it's how you decommission the medical device or how you manufacture it and install it at a customer site. It's a fairly complex problem that requires security throughout the lifecycle of these products. And so I think that was perhaps my own personal interest in the task force.

And in passing we've mentioned coordinated vulnerability disclosure programs a lot today. There aren't that many yet, and just to tie together a few speakers: we had been pushing for coordinated vulnerability disclosure programs since the beginning. In fact, in our five-star cyber safety framework and our Hippocratic Oath, star number two is basically you take help avoiding failure without suing the helper. We call it third-party coordination, and in it the idea was availing yourself of willing allies that wanted to help you make your product safer, without suing them. And later Alan Friedman, who you met, from NTIA, did a year-and-a-half-long voluntary best practices open forum and convening where we had a safety-critical working group and actually wrote a template, almost a Mad Lib, that almost fits on a page, where you can do your initial early-stage, not a bug bounty, just a coordinated disclosure program, saying we will not sue researchers acting in good faith. And this is a list right here; we keep a running list of who has one, and I just focused in on the medical ones: we have Siemens, Philips, Medtronic, Dräger, announced on stage here three years ago live, GE, Johnson & Johnson, which you just heard from Jen Ellis how well that went, just in time, St. Jude Medical, [inaudible] Health, Abbott, and BD. So for my part I always like to encourage good behavior, so if we could please clap for the two vendors on stage that have them.
Hey, I would say no need to thank me for doing the right thing, right? I love their attitudes. Okay, so why don't we shift to someone who has to defend the indefensible, though I might be friends with them outside of here.

So from the provider perspective, obviously we're our own worst enemies right now, in that we're really driven towards interoperability, which is really important to our patients, while balancing that with not having good security controls. And we kind of went on steroids with interoperability with Meaningful Use, and we weren't ready for that, and we still aren't ready for that; we're in that phase where we're sharing data. And I think, related to biomed devices, although I appreciate the standards on the new devices, there is no way that even a large healthcare organization like Sutter Health could afford to replace, say, all of our MRI machines. We have 60 of them, and at half a million dollars a pop there's no way that I can go to my CEO and say we need to replace all of them. So although I appreciate that we're fixing it going forward, we have to find a way to fix it going backwards too, because that's the only way that we're going to really solve the problem. The whole group collectively came up with, I think, some of the best recommendations we could to really solve it, and they're interdependent; all of them are important. I couldn't tell you one over the other as being more important; I think they're equally as important. From the provider standpoint, I think, one, we don't have a lot of money to afford good security controls, yet we care about interoperability and providing the best care possible, and we have lots of other things, like lots of regulations. If I want to, as Sutter, help our physicians in California, where we're under a corporate practice act, which means we can't employ them, I can't provide them the technology for free; if I do that it's a Stark and Anti-Kickback violation. I would love to help them, but there's really no solution to me helping them unless there's an exception to the Stark and Anti-Kickback so I have that ability. So there's lots of challenges that were identified, and just, as healthcare providers, as many of you surely know, we focus on following the regulations. We spend all of our money following all of those regulations, and in doing so we don't have good cyber hygiene; we're not actually addressing the highest risk because we're worried about the reputation, the regulatory fines that might come with it. So one of the things that I was really passionate about in the report is really looking at harmonizing those laws so that we can focus on the ones that we absolutely need to comply with, versus, I think there was like 2,700 laws in the various states that we have to sometimes look at to analyze and decide which ones we have to comply with. That's really not what we should be spending our time doing; we should be evaluating from a risk management standpoint what we need to address, addressing our highest risk first, and moving forward.

So we should have given this thing three hours; we didn't. How many minutes do you have left? Seven minutes, and we're now getting to questions from the previous one, huh? Why don't we just let you ask your question from the previous one. Okay, my question was, how do we deal with the legacy, like she said, yeah, you
guys are part of it, with devices, because even if they're not, you know, half-a-million-dollar devices, you still have the IV pumps; for a hundred-bed hospital you'd probably have 400 IV pumps, and they're not ten dollars a piece.

I'll try to take a first stab at that. So I'd say that it's going to have to take some sort of joint strategic effort, not just from medical device manufacturers but also with healthcare providers, or the customers of these medical devices, at the table, and figuring out, perhaps to a certain degree, opening up and talking about the vulnerabilities that exist in legacy products that are unsupported by the manufacturer, or current products, and what are the risks and considerations; being more open and upfront with the uncomfortable truths that all software has vulnerabilities, all software. And so, as a manufacturer and as a device company that's incorporating software into medical products, we need to accept that reality, and it's not a bad thing to have or find a vulnerability in software; it's a good thing that you're searching for it in the first place, right? And then raising awareness to your customers on what they can do to minimize or avoid the risk altogether.

I can repeat it. That's a good point. I think something that I've observed recently is that there is a cost to security vulnerabilities in general, managing them, and I would say a good way to help raise the awareness to that issue is actually talking about the vulnerabilities in these devices and the kind of crazy things that have to happen from a compensating control [inaudible].

And let me just say, that's why I think it's really important, when you look at the report, that you don't just look at one section of the report, because the report specifically addresses some of those issues. We know that the communication is a challenge, so there are recommendations on how do we start better communicating those challenges and making sure that we have messages to say, how do we message those challenges if you're a small organization versus a large organization, how do we make sure that a security person can be successful and start messaging those things better. So if you focus just on a specific recommendation you may miss the bigger point, which is that the whole task force report collectively is about how do you move and change the culture and the ideas and the communications going forward.

I want to make you more whole than that too, because this is something I think I spent seven months on. This is fast, so
we'll follow up on it later. The first thing, Beau said, I don't suppose Beau is in the room, we were racking our brains on this, and Beau's like, you know, we have a cash-for-clunkers to get unsafe cars off the road; it was an economic stimulus but it also made the cars safer, maybe we could even do cash for clunkers. And I bring it back to the group, and it was like, oh, that could be a great idea; in fact some of the manufacturers may find it in their own interests to support newer, safer devices, maybe we'll come up with a program. And then we said, okay, great, let's drain the swamp. And then Mayo Clinic and others said, yeah, but I've got this multi-million-dollar laser they don't make anymore, and I'm going to have to have this forever, so about a third of my equipment that wouldn't help with. Okay, so then we looked for a bunch of clever things that the CIA and [inaudible] and whatnot do, we'll find a way to handle those. And then we say, okay, good, let's drain the swamp, and then we realize, wait a second, there's devices today, with all of my heart I say this, that are still able to get through the FDA pre-market approval, because there's nothing prohibiting an XP device today from getting through. Like, oh, okay, so we'll make some recommendations about how to make it harder to get an unsupported operating system through on new devices. Great: shut off the spigot, drain the swamp, band-aid the rest, all set. Like, oh, wait, if Windows 12 comes out tomorrow, we make a new startup tomorrow and take six years best case for us to R&D and get through pre-market approval, it's going to have one year of support left on it, and the average clinical deployment is 18 years, or for certain types of devices. This is never going to work. The body and the soul have different rates of change; the TTLs are different. We've got to reconcile those. So then we're like, are there alternate reference architectures? Do we need higher-assurance, longer-support OSes? Is it inappropriate to use a commodity OS in a safety-critical system? All right, let's come up with some grand challenge DARPA thing, we'll do a reference architecture, we'll loosely couple; the dictation is you'll have to have several OS updates throughout the lifespan of this thing. All right, we got that covered. And then I get a call from a senator saying he's being lobbied heavily because somebody wants to use Android KitKat in the clinical environment. I said the only thing less defensible than Windows XP is Android KitKat. And then I call my friends and they said, yeah, a lot of our new devices are on KitKat, I mean on Android, because it's a robust ecosystem, etc. So these are wicked, wicked problems, and we didn't solve them, but we flagged a lot of really cool stuff, and we started pointing people to the Hippocratic Oath as well, because if you're not going to get as much money, whenever you're buying this year, spend the money better: not spend more money, spend the money better. And I think the work we've done in the pre-market, post-market means the stuff coming through the pipeline will be a little better, and also the clinical simulations were part of that change of heart and the aha moment for some of the clinical administrators. I don't think that is it for all of these, and let me give you the last glimmer of hope: after 9/11 we weren't going to throw away all the airplane chassis in the world, so one of the smartest things we did with the least money was steel-reinforced cockpit doors. So we're also talking to some people about, could we maybe make, like, an Amazon cloud speed bump that prevents SMB from just randomly hitting hospitals? What are those, and this is what I want this room to think of: what are those steel-reinforced cockpit door moves we can do to take out a large chunk of exposure and risk on the old stuff while we beef up and improve the new stuff? So we're fighters; I think we saw some overwhelming things, but to a person we never hit a roadblock and said let's give up. In fact, now that we've published the report, I think a lot of us feel like it's the starting line, not the finish line. But I only got to one question. We're here all day tomorrow; we're doing a clinical tabletop simulation that may or may not allow us to surface and experience some of this stuff. But for right now I really want to thank this part of the task force here for coming to hacker cons and sharing some of their wisdom, and perhaps some will be around for Q&A in the hallways and whatnot, and we're all very reachable. But for now, please thank them. [Applause]