
Good afternoon. We have a very special session of I Am The Cavalry. We are going to talk medicine, the medical industry, medical devices, and we're going to talk about systemic change that has happened over the last 10 years. It is my privilege and delight to introduce Dr. Suzanne Schwartz from the Food and Drug Administration. Dr. Schwartz is nothing less than a national treasure who has, since late 2014, brought about more change as to communications between what I call the hacker community and the Federal bureaucracy, which has led to systemic changes in the FDA and other departments in the US government. So we couldn't be any happier to have Dr. Schwartz here to give a couple of introductory
statements, and then we have a vast team from the FDA here to also visit, so people will be spiking in and out. It's going to be a very exciting two hours, so buckle up. Here we go, Dr. Schwartz.

Thank you very much. It's really a pleasure and it's really an honor to be here. And yes, we did bring our entire posse, or almost our entire posse, with us from FDA, because this is a special moment. It is the 10-year anniversary of the I Am The Cavalry work, and so we're here from FDA's medical device cybersecurity team to celebrate this
milestone with you. A little bit more introduction, in terms of context for me: again, my name is Suzanne Schwartz and I'm the director of the Office of Strategic Partnerships and Technology Innovation at FDA's Center for Devices and Radiological Health. And I have to say thank you. I have to say that I struggled for quite some time to collect my thoughts for this session because of really the enormity of this topic: where to begin, what is it that I want to cover, how to keep from rambling and going down various tangential paths, how to hold on to your interest and your engagement. It isn't easy. It's for me much like
taking a stroll, walking in the woods and coming across these diverging trails, and each one of those trails can take you down a very, very different direction, and yet really there is no right or wrong way to tell this story. So I resolved that, to navigate along this journey for myself reflecting over the past 10 years, I'd use the title of this session, "Saving Lives in Healthcare: Trust, Teamwork, and Tangible Outcomes," which is really most befitting, as that can serve as my compass, really orienting me by breaking the title down into separate, very manageable headings, if you will. So let's start with "saving lives in healthcare." This is for us simply another way
to state our mission at FDA, which is to protect and promote, or advance, the public health, and we do this through regulatory oversight of medical products. In our case, at the Center for Devices and Radiological Health, this is specific to medical devices. And furthermore, we take what is called a total product life cycle, or TPLC, approach, meaning that our responsibilities begin at the premarket submission phase, and once we authorize a medical device to allow it onto the market, our regulatory oversight extends throughout the postmarket for the entirety of the device's use life. So why is this important? Because a patient safety concern or a risk of patient harm may not necessarily manifest until years after a device has
gone onto the market, despite meticulous premarket review, which includes careful, thoughtful clinical considerations of what we call the benefit-risk calculus. And parenthetically, let me just add here that there is no such thing as a risk-free medical product. I don't know if that comes as a surprise to the audience, but it's important to state that, right? The key is for there to be a thorough vetting of risks, meaning we have to be able to, and the manufacturer needs to be able to, identify what the risks are, to fully understand the implications of the risks to patient safety, and to appropriately reduce risk to an acceptable level through different means, through different types of controls that
may need to be designed into the product, or, after products are on the market, other types of controls to be put in place depending upon the environment. The public depends upon FDA to uphold these oversight responsibilities so that there is, in what we call regulatory or legal parlance, a reasonable assurance of safety and effectiveness, and any erosion in public confidence in the safe performance of medical devices can perilously lead to a breakdown in the public's trust, and that includes all of our stakeholders: patients and their loved ones, caregivers, health care providers, and yes, security researchers such as yourselves. For more than 10 years now, security researchers have called attention to device vulnerabilities that they've identified, conducting impact and variant
analyses and at times announcing their findings at Black Hat and DEF CON, much to the dismay of the medical device industry, evoking consternation within the health care ecosystem and worrying patients who rely upon these devices for their health and well-being. To say that trust was fractured between device manufacturers and security researchers, and between security researchers and FDA, would be a gross understatement. Trust simply didn't exist in those years leading up to 2013, 2014. I know, I was there. Much work would need to be done together to begin laying a foundation upon which trust could then be built. Reflecting back, there were so many facets to undertaking this challenge, but I think the common thread that runs
throughout is starting from a place of empathy, active listening, creating space for hearing different perspectives, giving voice to the security research community, with a deep understanding that indeed we seek a common goal: to keep patients safe from harm. Yet FDA historically had not had any explicit authorities within the realm of cybersecurity of the medical products we regulate. There was a lot, and I mean a lot, for us to learn and to delve into regarding our understanding of risks associated with cyber vulnerabilities identified in medical devices. We didn't even have a dedicated medical device cybersecurity team, let alone a program. We essentially stood up in 2013 a nascent effort within our emergency
preparedness and response program, of which I was the director at the time, to start us off getting up to speed on cyber, even whilst our program was most accustomed to dealing with all other natural and human-made disasters, including chem, bio, rad, nuke threats, infectious outbreaks associated with medical devices, and explosive events. Now we needed to drill down and learn what was happening across other parts of the US government on this front, including interacting with the Department of Homeland Security, getting to know all of the great initiatives that were being launched out of NTIA and the Department of Commerce, NIST, the Department of Defense, FTC, FCC, just to name a few of the various agencies for which various work
streams were already happening or were well along the way in cybersecurity, for which we really had had no prior visibility. And this was what we needed to do in order to move from what had been really a very reactive posture to a proactive stance. We needed to develop coordinated response plans, and while we were learning ourselves, we also needed to raise awareness within our own sector of health care and public health. Imagine trying to do all of that at the same time, when you're first trying to really understand exactly the state of the ecosystem. To complicate things, at a more macro level, the prevailing thinking at this time across the health care
ecosystem, and therefore across the Healthcare and Public Health sector of critical infrastructure, was that these are theoretical vulnerabilities, merely relegated to the hypothetical arena; no one would ever even dare to exploit these vulnerabilities and cause deliberate harm to patients. There was a palpable undercurrent of dismissing serious consideration of identified device vulnerabilities, and advances that would happen in this space clearly would have to occur through a mindset shift across the culture of the health care ecosystem, and that would necessitate baby steps, or, as Josh likes to say, you have to crawl before you walk before you run. And teaming up with I Am The Cavalry empowered us to take those steps, developing what I've often called
over the years a whole-of-community approach, engaging all of our stakeholders. Josh and Beau mobilized the security researcher community via I Am The Cavalry to meet with us at FDA on several occasions and to maintain open lines of dialogue, so that together we did enable the culture to evolve, supporting one another to attain the common goal of safer medical devices where cybersecurity is not neglected. And in so doing, we've experienced important tangible outcomes along the way. Before my team actually comes up to introduce themselves, and to fast forward then to the most recent tangible outcome, which was indeed years in the making, I want to first highlight some important milestones along the way
that led us to the present, in which I Am The Cavalry has been our partner and collaborator. So while it's true that 10 years ago... it's I Am The Cavalry's anniversary, it's also FDA's anniversary of 10 years since 2013, when we were confronted with some issues around medical device cybersecurity and initially issued our first draft premarket guidance. In 2014, then, we convened our first FDA public workshop on medical device cybersecurity, very much in the spirit of collaboration, of creating a whole of community, of recognizing that everyone has a part to play, that there's shared responsibility here. This initial public workshop was co-sponsored by the Department of Homeland
Security, with whom we had already begun a fair amount of work, as well as with what's now called the Health-ISAC; then it was the NH-ISAC, the National Health ISAC. That occurred at the same time as our release of the premarket guidance as final. That was our first guidance, really, on the premarket management of cybersecurity in medical devices, and it was there in 2014, certainly, that I have very clear memories of both Beau and Josh attending the workshop and being part of what was actually quite an amount of friction and tension within the room among various parties. In 2015 FDA issued its first safety communication on a cyber
vulnerability of a medical device, specifically an infusion pump, and this vulnerability was discovered by a very prominent security researcher who, in years prior, I don't think ever dreamed of having exchanges and interactions and working together with FDA. But we had really turned the corner, and in so doing, working together with this security researcher as well as with the manufacturer, we did issue what again was the very, very first safety communication that called out a cyber-related vulnerability of a medical device. And I can remember to this day, because I was sitting in my office at FDA on the White Oak campus, and I had not attended BSides or any of the
hacker conferences, but because this was such a pivotal or transformative moment, I was patched in by phone, not by Zoom or virtually, but literally by phone, into the room to talk about this moment, this release of the safety communication and what its implications were as far as the work that we take seriously in the area of medical device cybersecurity, and more than that, how much we value the security researcher community and the importance of what this community brings as a contribution to the ecosystem, in the betterment of public health and protecting patients. Going to move along into 2016, and because we were definitely making
progress with I Am The Cavalry and the security researcher community, recognizing the importance of what additional information and understanding we glean at FDA from the important work that's being done, we participated in a request for what was the Digital Millennium Copyright Act exemption, the DMCA exemption, for security research to take place on medical devices, again with the driver, the motivation, being protecting patients. And this also was in some ways another kind of inflection point in terms of being very public, in recognition, in a letter that was sent to the Library of Congress, that FDA endorses the exemption to the DMCA. And that really opened up a lot more opportunity
for the kind of collaboration we were going to be having with the security research community. This is definitely coming back to building trust and understanding how to communicate in a way that we understand one another, and that we are empathetic towards where each party really is within the ecosystem and what our responsibilities are. Further in 2016, as we were kind of moving along from a policy perspective, we had issued, first as draft and then finalized, our postmarket guidance on cybersecurity, on managing cybersecurity of medical devices that are on the market. And I have to say that a lot of the approaches and the policy and the guidance was very
much informed by the work that we were doing with I Am The Cavalry, with the security researcher community collectively, in understanding exactly what was really within the art of the possible, how important it is to be able to identify vulnerabilities, assess them in a prompt manner, and deal with them in terms of reduction of risk, also in as expedient a manner as possible. And all of that helped inform the approach from a policy perspective that we took for postmarket. We in addition convened a public workshop with that guidance as well, and I know that my friends and colleagues here were very active participants on several panels and in
discussions in that workshop that again helped inform the finalization of that guidance. A very integral piece of that guidance was the concept of coordinated vulnerability disclosure and the importance of having policies and processes in place that manufacturers should have, as a best practice, as a recommendation, in order to ingest information around vulnerabilities, process and analyze that information, and then appropriately disclose that information. And that work was also further informed by all the NTIA initiatives, in which the I Am The Cavalry community was heavily involved as well. One of the other pieces that kind of came out of our own learnings, as we were going through all of this
journey, and I think this was 2016, although it may have been a little bit earlier, may have been a little bit later: we posted on our website a myth-busting fact sheet. And we did that because we kept on getting these queries from health care providers as well as from people in general saying, oh, FDA, we understand cybersecurity is optional, you don't have to have cybersecurity in medical devices. Also, providers were telling us, provider organizations were telling us, that they are not permitted to provide updates or patches or fixes to identified
vulnerabilities because that would decertify, invalidate the certification of, a legally marketed medical device. And so, gathering a lot of these myths, it was important for us to speak the truth and to provide that not only publicly on our website, but to further arm the health care providers with those facts that they can take back to the manufacturers, and if they were having issues, to bring those challenges to us as well. But again, all of these activities and items that I'm mentioning, they don't happen in a silo, they don't happen in a vacuum. They're all informed by the learnings that the FDA team was
going through, as well as the collaboration that we were doing with the entirety of the community, recognizing that, yeah, this is evolving, we're evolving along at the same time, and as we learn and as our understanding of where the concerns are sharpens and becomes clearer, then we'll be able to address those even better. In the 2016 through 2017 time frame, you also had what was a mandate, a requirement that was put into statute by Congress, for HHS, the Department of Health and Human Services, to convene a task force, a task force that would study, do an appraisal of, the health care systems, the health care
sector at large from a cybersecurity perspective. And not only would it do that initial landscape analysis, but in addition to that, it would come up with a set of imperatives or recommendations that would then further strengthen and address the concerns, the exposed areas within health care, that were drawing the attention of Congress and others. And we at FDA, because we were heavily engaged on this really from the medical device side, were in a position to be able to nominate a subject matter expert to participate in this important task force. And it was clear to us that someone who was bringing recognition, subject matter expertise, and such
respect from the security researcher community was really going to be critical to have on this task force, and Josh Corman served on this task force, which culminated in the issuance of a report in 2017. Many of the pieces within that task force report that addressed specifically needs on the medical device side are ones that we have in some way, shape or form undertaken further study of or further execution of as part of the work that we have continued to do. Moving right along: 2018, well, 2016-17, I know I participated here as well, in the summer hacker camp, and it's always been great exposure for me and for members
of my team. The members of the team then are different than the members of the team that I have with me here today, but we are a growing and a very, very strong team. In 2018, as part of socializing the work that is being done on the FDA side and furthering to build trust with the I Am The Cavalry and security researcher community, we had the opportunity to provide support as well to the medical device hacking lab at DEF CON, and this was a small lab. And it would be an omission to not mention the fact that there have been
medical device manufacturers who've really been on the leading edge and have really spearheaded much of the effort in medical device cybersecurity, who raised their hand and volunteered to bring their devices to the medical device hacking lab and to be very open towards having researchers, having hackers, come and really try to penetrate, right, and try to hack into these devices. This was another real turning point for us, to the extent that my Center Director, Jeff Shuren, would go to different meetings among medical device manufacturers, like AdvaMed, the trade organization, MedTech meetings, and he would speak to the press, and when questions would come up around medical device cybersecurity, he'd say, my answer to you, to companies, is you need to hire a hacker. And "hire a hacker" became really the phrase that would appear in some of the press. But it just goes to show the capabilities that a community can rally together, can mobilize, and with the right motivation towards protecting patients, towards making devices safer and better protected, that you can really bring about transformative change. Now I haven't even gotten to the really, really big change yet, but this just kind of, just as a footnote, shows you along
the way how important it was for us to bring into our community of collaborators and stakeholders a group that we previously had no contact with in years prior, and this community became a very strong voice and an important voice as part of the work that we do in developing policy and in the day-to-day identifying of vulnerabilities, disclosing those vulnerabilities, and communicating them to patients and to the public. In 2018 we released an updated version of our premarket guidance. Remember the guidance I mentioned back in 2014? Well, obviously there's been so much evolution happening within the medical device cybersecurity space, and we were learning as we were going along, that we
had made a commitment internally, to ourselves, that this is not static, this is a dynamic area, and as we continue to learn we're going to continue to raise the bar, and our expectations of manufacturers are going to be raised as well. And the contents of this 2018 guidance really reflected that. It reflected it in areas such as transparency, reflecting on the concept of what we called then a cybersecurity bill of materials, but we were drawing from all of the work that had been done through NTIA on software transparency and a software bill of materials, recognizing that this is a very critical aspect of being able to manage risk within
medical devices. And there were many other parts; trust, transparency and resilience were kind of the three legs of the stool that I talked about in terms of that particular guidance. And that was released as draft. We also convened a public workshop in early 2019 for discussion of this guidance, again using that kind of a venue for soliciting feedback, soliciting perspective on what's in the art of the possible, what's feasible, what's not feasible, aside from the public comment period that occurs every time a guidance goes out. And it was important feedback that we received from really all stakeholders within the ecosystem, including the security researcher community, which we took into
account and incorporated as we looked to develop future guidances. We also, and this isn't even in my notes, but I'm remembering it as I'm reflecting, we also issued in 2018 a Medical Device Safety Action Plan, which incorporated within it a huge section on medical device cybersecurity, and in that section we highlighted the importance of not only the collaborative nature of what we were doing, but we were at that point already recognizing that there are going to be some areas, some gap areas, where the FDA probably needs to have explicit legislative, regulatory authorities in order to require certain aspects of medical device security. Coordinated vulnerability disclosure was one of them that we
called out; software bill of materials was another area that we called out; another one was that medical device manufacturers, in providing their premarket submissions to the agency, need to be able to provide data and evidence to support that the device can be patched and updated and still function safely and effectively. So it was really drawing from everything that we were experiencing, both on the premarket side as well as on the postmarket side, with some of the challenges around legacy as well, that convinced us, compelled us in many ways, to socialize this within the Medical Device Safety Action Plan. And this was an important kind of cornerstone document as well, because it is the first place
where we talk about the fact that we are considering seeking these additional authorities, these additional requirements. What was really exciting in 2019, just to go back there for a second, is when we had our public workshop to review the 2018 guidance, we also announced the launch of the #WeHeartHackers initiative, and we had spent quite a bit of time in the months leading up to the workshop, to this launch, working together with I Am The Cavalry, working together with the medical device manufacturing community, to identify manufacturers who were going to be courageous, who were going to be willing to again be leaders of the pack, and to also raise their
hand and indicate that yes, they are going to bring their medical devices and systems to the conferences, to DEF CON in the summer, and that we'd be able to create what became actually a makeshift hospital, with these devices residing in different areas of the hospital, whether it's an ICU or an OR or a pediatric unit, to have the appropriate devices there, and for hackers to come in and to really experience where these devices work, how they're supposed to work, and are they hackable. This was another kind of pivotal moment for us, especially since we had the strong support and backing of
the FDA Commissioner at the time, Scott Gottlieb, who announced this initiative in his opening remarks at the workshop and who subsequently put it out on his Twitter feed for everyone to see that this was an important move for us to make. And indeed, it was quite an experience to behold. Beau was very much instrumental in really putting together this entire makeshift hospital, which really brought, I don't even know how many people came through, but it was really very impressive. Throughout these years we've also been privileged and honored to participate in the CyberMed Summits, which had their inaugural event in Phoenix,
Arizona, back, I want to say, in 2017, followed then by moving to San Diego, and then recently, in the past two years, we've had the addition of spring summits taking place in DC, which are very much policy oriented because of the agencies and Congress and policy makers here. They deserve a really extra special call-out: this initiative, organized by two extraordinary, esteemed colleagues, Doctors Christian Dameff and Jeff Tully, who, really in collaboration with I Am The Cavalry, have brought a profound level of awareness and acute, tangible understanding to the clinician community, to policy makers and industry, in a way that had never been attained before. There's nothing like experiential learning, like sitting
through a clinical simulation; for an adult, anyway, there is nothing like that, and that is the way clinicians actually learn, as residents or as medical students, and it has a lasting impact. So I look back on the years from 2013 to early 2020 as really kind of setting the table, really setting the table for monumental activities that were yet to occur, and that culminated in FDA's newly received statutory authorities as part of the December 2022 Omnibus. Yay! Well, you'll hear more about that soon. So to take us through these later years, I'm stopping deliberately right at the cusp, right at early 2020, because it marks obviously a
very challenging time for this country, for the world, as we entered into the COVID-19 pandemic. And frankly, for me, in the work that I do at FDA, at CDRH, which encompasses more than medical device cybersecurity, a lot of my attention actually needed to turn towards pandemic response as it involved medical devices, to the extent that I really couldn't be there to support the team and the team's work that had to continue with medical device cybersecurity, especially given that there were already on the rise a lot of health care cyber attacks occurring, and ransomware and other types of software third-party vulnerabilities and things that needed to be dealt with. And we were also
in the midst of trying to finalize the draft guidance from 2018 that was still in the works. So there was a lot hanging in the balance, and this is really where my team comes in, and there are no words really for me to express my appreciation for this team, for all the work that you have
[Applause] done, because you took the ball and kept it going and rolling, and you moved it to where we needed to go in a way that is just mind-boggling. I mean, it's really impressive. And I want to say again, and you'll talk about this a little bit, we did not have the Omnibus then, so we still did not have authorities and we had no appropriations. There was no team here; there were like two people, okay, managing medical device cybersecurity. Two people. So with that, we're going to do this a little bit like in shifts, because I do want to give Jessica
Wilkerson a chance to come up here and talk a bit about, since she was a newcomer, you landed in FDA in February? January '20? January. All right. But I would like you also to give some perspective on the work that you had previously been doing through your work in Energy and Commerce, and that's how we initially met, and provide that perspective before you kind of move into the work at FDA, for which then also we'll bring up Matt, and then Beau, and then we'll bring the two of you, our latest newcomers to the team. Perfect.

Yes, so as Suzanne said, I'm
Jessica Wilkerson. I am currently a senior cyber policy adviser and the medical device cybersecurity team lead at the FDA. But back in 2013 I was a fresh-faced Congressional staffer on the Energy and Commerce Committee, and Energy and Commerce, for those of you who don't know, is the House committee that has jurisdiction over health care. And so at the time, when I started with Congress, I was actually a secretary; I was answering mail, I was answering phones, but I had a computer science background, and there was, just at the cusp, at the same time that FDA was really starting to see health care and
medical device cybersecurity issues, so was Congress. And so I started to get pulled into more and more of the health care cybersecurity work at the United States Congress, to the point that eventually that became my job. And I think, if I'm remembering correctly, I'm going to look at Josh, I think it was 2013 that we met. January 7th of 2014? Apparently it's January 7th of 2014. Might have been that close, yes. But again, I had not been at Congress very long. I think I was maybe all of 23 years old, and I remember we had these little meeting rooms that were kind of off to
the side, they were like glorified sitting rooms, and we met with Josh in one of them. It was me and the chief counsel for the telecommunications subcommittee at the time, and he started talking about something, and I was like, what is it? And I kept looking at my chief counsel, I'm like, do you understand what he's saying? And he was essentially like, let's make nutrition labels for software. And this was right after Heartbleed, and my chief counsel's like, no, we're not doing that, and you're never going to convince anybody to do this, that's going to be way too expensive, the manufacturers are never going to go for it, what about all of this,
that and the other thing. And that was Josh's and my first meeting. I think I also brought up Haskell at that time; I think I made a crack about how I would also love everybody to be programming in only functional programming languages, but I'm never going to get that either. And so it became a very interesting relationship, because that was my introduction to Josh in a lot of ways, and what had started as this very contained conversation on what would become software bill of materials, and my rampant skepticism that that would ever become a thing, and here we are. But
it became much more than that, because at that time, I think even more so in a lot of ways than the FDA, Congress was not ready to accept the hacker community as a resource. If you needed somebody at Congress, you called a lobbyist, or you called an established person who would get you their version of their expert, who would come in and tell you what the answer was. But what ended up becoming so valuable to me at Congress was I could call Josh or Beau and say, hey, I'm having this problem, I need to know about this thing, who do I talk to? And he
would give me somebody and they wouldn't be a politician they wouldn't be a DC type they would be somebody who was a practitioner in the space usually very unpolished which I loved like didn't know the bureaucratic speak didn't know like the right phrases to use at the right times to sort of sell me on whatever it is they wanted they're like this is the way that it is you should do this um and what that ended up leading to in a lot of ways one was we started coming up with with good ideas of things that we should do you know we started at the same time a lot of the ways that FDA was and this was due to I am the cavalry
and the connections that that Josh and others had been making we embraced coordinated vulnerability disclosure we started bringing together parties to have conversations on vulnerability disclosure on um Legacy on uh I think we did we might not have done something on sofil materials but we started pulling these things in into the work that we were doing because we had a foundation finally we had people that we trusted we had people that we could ask um and it it really did I think accelerate and it began to feed off of each other I would take what Suzanne was doing at FDA and start to support it or build off of it at Congress um and I know for better or
worse I would send things to Suzanne at the FDA at the on behalf of Congress and essentially say hey congratulations you get to do this now because we've we've decided that you're going to be doing this um but it that that give and take and that acceleration between Congress between the FDA was so important because usually those two groups are are at loggerheads they don't want to cooperate you know the agency Congress is telling the agency to do something that the agency doesn't necessarily want to do um the agencies are doing things that Congress rather they did not but we had found this partnership and not only that we had found a shared group of resources in um
not only the hacker community but the community that the hacker community had created, if that makes any sense. So they kept touching different people within the industry and bringing them into this trusted network that began to be created, and it meant that, you know, sort of, and actually, if everyone will indulge me, I'll tell a story. So one of the first round tables that we had, that kind of became my thing, was on coordinated vulnerability disclosure, and we brought together representatives from the medical device manufacturer community and, I want to say, the automakers with hackers. We put them in a room together, no press, no Congress people, it was just them. I think we did it for like two hours, everybody had a conversation, we left, and then I guess a couple of weeks, a couple of months later, two of the representatives ended up on the phone together. They didn't know they were going to end up on the phone together, but there was a hacker who needed to disclose a medical device vulnerability to a medical device company, and the conversation started out very frosty, because the medical device company was like, who are you, I don't want to listen. You know, this is, to Suzanne's point, the medical device manufacturers did not want to be dealing with this. But they recognized each other's voices; these two people who had been at this round table recognized each other's voice and were essentially like, is that Colin? Yeah. Is that Jen? Yeah. And suddenly the entire tenor of the conversation had changed, because the trust was already there; these two already knew each other and could have that approach, and it became a very successful collaboration. It became something that ended where we wanted it to, it was a successful coordinated vulnerability disclosure, and that would not have happened had the work not gone in previously to establish those relationships and establish that basis of trust. And so I can tell you, I'll start moving into some of the other things that I've done, because I worked at Congress till about 2018, spent a year in the private sector with the Linux Foundation, and then went to the FDA in early 2020. And Suzanne's not kidding when she says that it sort of ended up being something of a handoff, where I remember I came in, the pandemic had started to brew, because it was January, it was December 2019 when the temperature started to climb in terms of, you know, this is going to be something. I onboarded on my birthday, so end of January, came in like, hey, what do you want me to do, here I am, I finally arrived. They're like, we don't know, good luck, we'll see you when we see you, we've got to go deal with this other thing. And my fifth week at FDA we had a major cybersecurity vulnerability in medical devices; it was several hundred medical devices impacted with an incredibly serious medical device vulnerability, and we just had to figure it out. But the thing was, the work that had been done previous to my arrival at the FDA meant everybody was already kind of prepared. You know, we could call up the press team and they're like, oh, you've got another cybersecurity vuln, all right, and they kicked it into gear. And we started talking to the people who, we call them the reviewers, the people who actually look at the files and make the determinations of safety and effectiveness and so on, and they were prepared for it, and they kind of knew what they were doing. And Matt was really instrumental in that for me, and you'll hear from him later, but the framework was already there. So even though we had several hundred medical devices impacted by an incredibly serious cybersecurity vulnerability, in two weeks, I don't know if any of you have ever tried to get the government to do anything in two weeks, we had put out a safety communication essentially saying, this is a serious concern, here's the set of recommendations, here's what you do. And we had coordinated with so many different people; we were coordinating with the foreign government, we were coordinating with the security researchers who had found the original vulnerability, with the Department of Homeland Security, with HHS, and it happened because of what had already been established. And so I don't know if you want to bring up Matt now or later, but we can sort of talk about 2020 to when we get to the Omnibus. But it became something where
again, these were the two; it was me and this guy. Yeah, that's it. The dynamic duo is what I've called them; as the Center Director, it's like, yep, there they go. Yes. So our cybersecurity budget from 2020 to 2023 was $500,000. Mhm. And I was half of that. That's right, I was half of that budget. And part of that you were also detailed. And part of it I got borrowed by the White House for a year, which thrilled FDA to no end, that they were paying to have me go work for someone else. But at least I negotiated half. It's true, she did, she won the argument with the White House. So good, thank you. Yes. But no, it became something where, you know, I got to FDA, and while there were certainly some stumbling blocks, FDA as a federal agency, there's ways that they do things that I was not familiar with. I will tell you that Congress is usually a huge fan of just ignoring the rules that they make everyone else follow, so when I was with Congress I called whoever I wanted, I sent people emails whenever I felt like it about whatever I felt like. And with FDA, you know, it was a little bit different; you've got to talk to some people, make sure you've checked all the various boxes. But we could take the foundation of what had been established and start driving it forward. We didn't have to have the conversation with medical device manufacturers that cybersecurity was important, because they already knew that. They might not have believed it, or they might not have been willing to fully accept it into their hearts in the way that we wanted them to, but for, I think at that point it would have been six or seven years, they had been hammered over and over again by FDA: you have to do this, if you would like to sell medical devices in the United States you have to do this. So I got to come in and say, you already know you have to do this, let's talk specifics and let's go even further. Let's talk about legacy devices, let's talk about old, outdated, unsupported things that we know are still in use but can't be updated, really can't be protected. We talked about that. I spent three years, for those of you who know the Health Sector Coordinating Council, working with a group of about 65 organizations to come up with a big what-do-we-do-about-legacy-devices report. And we also did it internationally; another member of our team who isn't here led work on that internationally. And so the sheer amount of work that was done on that. We did something on vulnerability communications, about how do you communicate to patients, because cybersecurity can be incredibly frightening to a patient. If you tell somebody your device can be hacked, well, that's horrifying; you know, what do I do, do I need to go get the device removed, do I need to stop using the device? And so we've been able to, from this foundation of medical device cybersecurity is important, medical device cybersecurity is patient safety, you do not have a safe device if you do not have a cyber secure device, and I didn't have to rebuild that conversation. That conversation had already been built because of what Suzanne and I Am The Cavalry had already done. And so I will talk a little bit about my White House stuff and then kick it to you. So I came in 2020, and I think it was summer of 2021, sounds right, when I went to, so they established the Office of the National Cyber Director, some of you may have heard from some of the ONCD staff who are here. I got requested to go on what's called a detail to ONCD, where essentially you get borrowed by another federal agency; FDA had the joy of continuing to pay my salary while I was working 50% of the time for a different branch. But one thing that was amazing to see and amazing to experience at ONCD was FDA was one of the few federal agencies who had such a strong cybersecurity program that we were ten steps ahead of a lot of our federal agency partners, where a lot of them were sort of saying, like, we don't have any authorities, we don't really understand how this fits into authorities, we don't really understand how to approach this. We got to be like, well, would you like our guidance, would you like our Medical Device Safety Action Plan, which includes our cybersecurity requests, would you like our requests to Congress for the past five years of please give us explicit cybersecurity authorities. To the point that we were briefing other agencies on our process, on how to respond to vulnerabilities, on how to respond to incidents, because we'd done it and we'd shown that it worked and we'd shown that we could work with our medical device manufacturer community, which was a huge part, because a lot of these agencies were convinced that their regulated entities would never play ball: like, we're never going to get them to do this. So a lot of them were a little bit afraid of trying, and I got to be the representative to point to the fact that, well, we did it, which means you can probably do it, maybe not in the same way, but there's precedent for it. And it just was an amazing experience to really be there and be able to put medical device cybersecurity on the White House agenda and make sure that it was getting brought up to, you know, the first National Cyber Director. We got to have a big meeting where we brought in ten healthcare CEOs to meet with the National Cyber Director and the Deputy Secretary of Health and Human Services to talk about how important healthcare cybersecurity was
and again, none of that would have been possible had we not done the work, had we not had the receipts, so to speak, of why medical device cybersecurity and healthcare cybersecurity was so important, and that really started in 2014 with a lot of the work that they did.

Sure. I'm Matt Hazelett, I'm the cybersecurity policy analyst in our Office of Product Evaluation and Quality, so I'm the only member from the FDA team here that is not in Suzanne's office. I created a position and got adopted, right; I work very closely with them, there's a lot of dotted lines on my org chart. But I created my position in the Office of Product Evaluation and Quality, which is our pre- and postmarket review offices, as I saw an opportunity to try to further strengthen and build consistency in how we were addressing cybersecurity in the pre- and postmarket arenas. I started in our pacemaker and defibrillator review group, so I started out reviewing back in 2015, 2016, got involved in coordinated vulnerability disclosure processes, so I was on a very steep learning curve. Quick aside: I was assigned that task because I was working from home for one of the first times, and I forwarded the Reuters article to my boss at the same time she was given the report internally, which was me demonstrating interest, and then my entire career changed. So be careful what articles you forward at work; this one had a happy ending so far, but be careful what you forward. So that kicked off really me coming up to speed in cybersecurity work very quickly, working with the people in FDA that were tapped in on cybersecurity, working with Suzanne and Seth and Brian Fitzgerald, the MITRE colleagues that we had working with us at the time, really coming up to speed very quickly and learning cybersecurity through bad security, basically honing my gut based off of, well, they said this is bad, I now know that's bad, what's good? Will someone tell me what that is? But essentially through that process I got very involved in a lot of our postmarket vulnerability disclosures, started getting involved in some of our policy development efforts from the lessons learned from everything that we were seeing at that time, so working on the 2018 guidance, the vision for the 2022, building in a lot of that review experience and the lessons learned that we were getting from the different review offices, whether that was the pacemaker space, the diabetes space, insulin infusion spaces. We were seeing a lot and learning a lot and starting to be able to figure out what really we needed to see, and that really starts to show itself in terms of the level of detail. I think the 2014 guidance was nine pages, I think the 2018 was 18 pages, and then I think we're at like 47 for the 2022 draft, so it definitely started to have more depth in terms of what we were looking at. I was asked to start what we call our cybersecurity focal point program. So we have focal point programs for different review disciplines across the review offices; the first one was biocompatibility, we have one in electromagnetic compatibility, so areas where the agency wants to have greater consistency in how we're approaching a particular review discipline. I started to lead the cybersecurity group, which started forming loosely in 2019; I quickly saw that it was a full-time job, so that was how my position became created in OPEQ, to really start focusing on trying to build out consistencies. So the reviews that were taking place in 2014, 2015 may have been more of a checklist exercise of are the elements from the 2014 guidance present, to then what we started to focus on as we started seeing more and more postmarket issues was incorporating those learnings into our premarket reviews of those various device spaces, and really starting to try to build the consistency of not only what we were seeing in areas with postmarket vulnerability disclosures but also feeding that in across the board to the areas that hadn't gotten the attention of the research community. How do we get ahead and start preventing things?

Sure. So it may be helpful to give some examples of sort of what we mean when we say pre. So premarket is people coming in looking to get approval to actually be able to sell things legally in the United States; postmarket is you have been given approval, now there's an issue, what do we do. And so what we started doing is that on the postmarket side of the house we were seeing issues, we didn't want to see them come up again, we didn't want to be
reviewed for the same problems, so how could we put something into the premarket so that then you couldn't pass the FDA approval process without having addressed the concern. So I'll start with the first one I can think of, and then I think you can give some examples. So here's a relatively recent one; this one was from 2021. Ransomware is a huge problem, we all know that ransomware is a huge problem, who knew. We had been thinking for a long time our nightmare scenario was remote, multi-patient, simultaneous harm, so essentially that you were going to have all of one type of medical device, quote unquote, hacked at the same time, and that was our nightmare. We had been waiting, or expecting, to see in these ransomware incidents that ransomware was actually going to reach the device and was going to start locking up the device and denying patient care. We saw that happen to a little bit of a degree in WannaCry, but not to the extent that we were sort of waiting to see. Well, 2021 happens, we have a medical device manufacturer who gets hit with ransomware on their corporate network, so not on their device network, if you want to think of it that way, and we're like, all right, well, that's very unfortunate for them, but not necessarily a patient safety impact, so we don't necessarily do anything yet. And then we start hearing things, and I think actually both of you called me separately, like, hey, you really need to look into this. So I grudgingly start looking into it, and they were right, we absolutely did, because what had happened is that there had been a design decision made that the devices in the hospital environments were 100% dependent on a customer-facing cloud in the manufacturer's environment. So when they took the entire environment down to remediate, none of those devices could communicate to the cloud, and they couldn't get any of the information that they needed to actually treat patients. So now we had denial of patient care because of what had happened. And so for the example of sort of the point that we're trying to make: it was a while, yeah, it was longer than we would have liked. We said okay, now we know that this is a problem, now we know denial of care based on network unavailability is a problem, and we started putting into the review process, and Matt can talk to this more, essentially, if you're going to have a device that's dependent on a remote capability, part of the review is going to be explaining to us what happens and how your device continues to operate safely and effectively when that network connection goes away.

So what we start looking at is, based off of our existing policy, do we have a thread to be able to ask and highlight a particular area of concern. So we've done some reevaluation of what was in the 2014 guidance, and we have a lot of really good hooks to ask for more information in that guidance; while it's high level, it actually addresses a lot. So we start to be able to look at some of those resiliency and availability considerations, so those are now baked into our review practices: being able to look for connection dependencies, to network, to Bluetooth devices, to cloud interfaces, and how are devices designed to address those dependencies in the event that the connection goes down. Does the device fail safely, does it fail securely, in a way where you still continue to have acceptable levels of device operation in response to that? So that really is how we continue to try to learn from what's happening in postmarket and start feeding that into our premarket considerations.

Should probably get to FDORA. Oh yeah, we should talk about the Omnibus, it's very important. A little bit. So FDORA, sometimes referred to as PATCH, is the Food and Drug, we just looked at this, Food and Drug Omnibus Reform Act, was the specific part of the Omnibus that added additional authorities and additional requirements on to FDA, and it included, after five years, half a decade, of asking Congress every year, explicit cybersecurity regulatory authorities. Because here's the secret, not a secret, we told everyone this for a long time: at FDA we were reviewing for cybersecurity under what is known as our general safety and effectiveness principles. So our mission is safety and effectiveness of medical devices. We said, and this was Suzanne, cybersecurity is part of that. We said cybersecurity, you cannot have a safe device if you don't have a cyber secure device, the QSR, the Quality System Regulation, which is the overarching framework for how FDA and medical device manufacturers ensure safety and effectiveness across the board. But there were still arguments that we would have with medical device manufacturers and others about, well, yes, there's a cybersecurity issue, but it's hypothetical, or it doesn't actually pose a safety risk. And there was, not a gap exactly, but there was a very strict connection that would have to be made between a cybersecurity thing that we wanted and safety and effectiveness, because that was where our authorities were coming from. We had to say this was a safety and effectiveness issue in order to really drive it forward under what we were doing, and we weren't wrong, but it was a long conversation, and it was longer than we wanted, and it was more often than we wanted. We would have to go back; Matt's review folks would essentially start having these conversations with the manufacturers: you need to do X, Y, Z to shore up your cybersecurity, and they'd say, what do we... And so the difference that came in with FDORA, with PATCH, with the Omnibus, for us is it explicitly says, and we really cannot overstate how important and how impactful this is going to be for us, and I think in a lot of ways already has been: you must have reasonable assurance of cybersecurity in your device, by law. By law, you must have reasonable assurance of cybersecurity in your device. We get to look at it on the premarket side; you have to prove to us, before we will even give you legal marketing authority, that this device has a reasonable assurance of cybersecurity, and it's got a few different elements. You probably can rattle them off better than I can. Yeah. So I'll let Matt talk to them, but it really is, we try to make sure that folks understand we were reviewing for cybersecurity, we had an incredibly robust cybersecurity review process, but this is an acceleration, this is such a strengthening of everything that
we were able to do before, and it's going to be the next ten years of what we're able to do and what we're able to accomplish. But if you want to talk a little bit more about...

Sure. So with the authorities we were given the ability to review premarket submissions for devices that have connectivity, to be able to look for postmarket plans for making updates, for addressing vulnerabilities and incidents, being able to review premarket documentation for whether there's a reasonable assurance that the device and related systems are cyber secure. That's a really fundamental new aspect, to be able to review against the explicit aspect of cybersecurity. And the third main element is the software bill of materials. So we have these new authorities that really give us a lot of ability to be able to look at greater details and really look under the hood at what devices are, how they're designed, how they're able to ensure cybersecurity, and how that's going to be maintained throughout the total product life cycle for the device. So in terms of implementing those aspects, we've made training available for over a thousand review and management staff to be able to consistently look at the different documentation deliverables and assess whether those provide a reasonable assurance that the device is cyber secure. And we've been able to build this out as a program where we'll be able to iterate on these processes throughout future guidance updates. So we have kind of our ground structure fully laid out and built for the implementation of these authorities, and we're just going to continue to evolve and mature that program as we go forward, and also look at where else, how else we'll be looking at these authorities as we go on. So the requirements around making available postmarket updates, making sure manufacturers are delivering on those updates and following those plans and processes, are all things that we're going to be looking to make sure are captured, making sure that coordinated vulnerability disclosure programs are stood up and being used and monitored so that cybersecurity issues are more timely addressed and more routinely addressed throughout the life cycle.

Yeah. And I know we want to bring Beau up as well, but I think maybe the one thing that we haven't talked about, that has certainly become my life lately, is, you know, we are seeing, and I think this is where the security research community, the next iteration of I Am The Cavalry or whatever I Am The Cavalry becomes, can really become part of the evolution and the strengthening and the advancement of where we planned ahead. One, as you heard, we have these new authorities that the device has to remain secure over the security life cycle, which it already did, but now we can very explicitly point to that, and if there are issues we can now point to law that says that they have to be addressed. And so, you know, ten years ago we had people coming to us and saying, hey, here's a security vulnerability, we'd like to see it closed. Please continue to do so, continue to come and tell us about it. And even more so than that, we have seen more and more cyber incidents that are impacting medical devices and medical device delivery and healthcare delivery in general, and that's another area where we are strengthening what we're doing and trying to get faster, better, more effective at how we respond and how the sector responds. But it's an area where the role of the security research community, like it has played over the last ten years, can really play in the next ten years: help us understand how we get ahead of this problem, how we continue to strengthen the sector to the point that we see less of these, or they last less time, or they have less impact. Because of course, I would love to get to the point where we can have a medical device cybersecurity incident that we're just not worried about, because the devices are designed resiliently, we know that it's only going to last a couple of hours to a day or two days, and everybody knows the steps and what they're going to do to respond. We're not there yet, but I think over the next ten years we're definitely going to try and get there, and we definitely would want all the help that we can get in figuring out what that's going to look like. But do you want to bring... Yeah.

Thank you, thank you both. Beau, why don't you come up and join us, and it'd be great
if you could share your perspective on all of the work that you've been involved in as part of this entire effort. That'd be great.

Yeah, sure. So we've been talking about ten years of successes with I Am The Cavalry, with the FDA and others, and Suzanne and Jessica in particular took you back to 2014, but I'll wind back the clock another decade almost. I started my career working for a healthcare provider, and one day the organization got hit with some kind of a network worm. I don't even remember the name of it at this point; the authors of the network worm eventually got arrested and extradited to the US and are probably still in jail, I don't know. But it affected our servers the first day, and the second day I got a call from the neonatal intensive care unit, from some doctors there, who said, hey, our fetal heart monitors are down. This is the thing that makes sure that the often premature babies are able to get the care that they need when they need it, in real time; it makes sure that the doctors, the nurses, the clinicians, everybody knows what is going on with that patient. And basically every 15 minutes those monitors were rebooting. So, like, hey, look, I know you just work on computers and stuff, but I heard that some of these medical devices are computers, and every time this thing boots up I see a Windows screen, can you help us? It's like, well, I'll do what I can. So I ended up calling the manufacturer, and the manufacturer just basically said, hey, look, really sorry, but it's a medical device, we can't change it. I'm like, yeah, but I'm just asking you to get the malicious software off of it that's already changed it. Like, yeah, hands are tied, you know, the FDA, they're the baddies here; they told us that we can't put any updates on it or affect it, or it'll take away our certification. I'm like, I'm pretty sure that's a lie, because I used this thing called Google and I found on the internet where, I think it was 2003, you guys put out a communication that said specifically updates are safe, they don't affect your certification status. They're like, I don't know, man, I'm just reading from my script, it's frontline help desk, I don't know what to tell you. So I was like, all right, well, that kind of sucks. So I went and worked with the administrator of the hospital and got a justification to go and fix the problem. So what that looked like was, using the same exploit that the malware used, I hacked into all of these, it was about 8 or 10, hacked into these medical devices, dropped the patch, killed the malware, rebooted the box, and it stayed up. And the doctors were able to get back to doing the thing that they did, the nurses were in there monitoring the patients and saving lives. And I think that it's a testament to how far we've come, this industry, that I don't think any medical device maker would try to pull that today; they'd have a very bad time, because I know who to call to set their record straight in no uncertain terms. And throughout that journey, from, you know, whenever that was, I don't even remember, 2005, 6, 7, something like that, until now, we've made a lot of progress. I say we very inclusively, because I think, Suzanne, I met you at an Atlantic Council thing in like 2013, and we had just started doing I Am The Cavalry, and I remember that it was you and, who was the other guy that was there? No, it wasn't Brian, it was, it wasn't Seth, was it? No, it wasn't Seth, it was Nick. Nick Fer... yes, Nick. So I remember we were sitting on opposite sides of a square round table, which is a thing, and just the openness and inquisitiveness that you guys had to all of this, like, hey, look, we don't know everything, it turns out this is one of those areas we've got to get better at, so we want everybody's help to get better. I was like, this is really refreshing, this is cool, is this what government people are like? Little did I know. And it was really great to start those conversations, to start building that trust, and as security researchers at Black Hat, at DEF CON, at BSides were having these discussions about vulnerabilities that they had discovered and the lack of responsiveness from the medical device makers, to see the FDA kind of step up and say, it's not okay to have these things be perpetuated, we've got to do something to fix it, and take a stand. I think if it hadn't been you in that seat, if it had been somebody else, they would have just been like, yeah, I mean, medical device makers know a lot about making medical devices, I don't know a lot of hackers who know a lot about making medical devices, we're just going to stick with the party line. But I think, for all of the success criteria and the reasons why I Am The Cavalry has worked, empathy, understanding, building trust, listening, I think you have those same things, and I wish that there could be a Suzanne in every agency. There is not yet, but there are a lot more Suzanne-like folks at agencies today than there were 15 years ago, 10 years ago, and I'm very happy for that. I mean, we didn't even talk about, I worked at the FDA for a year, not on Suzanne's team, on another team, going back even farther to the 1974 Food, Drug, and Cosmetic Act, where part of that act is like, hey, look, you have to build medical devices in a sterile environment, a clean room, make sure that they're not infected. Well, what happens if medical devices have software? Like, wipe down the keyboard? How do you have a sterile programming environment? That's kind of not a thing. And so part of my job was to translate the 1974 act into modern standards of development, and what was really cool is being able to, we had a handful of medical device makers that came in, some of them were better than others, more advanced, or I'll say more in tune with modern software development practices, and then to be able to take and build on some of the work that Suzanne and Jessica and Seth and Nick had done, Brian Fitzgerald too, was really powerful.
to just take that and Port that into what was going to be a new Pathway to Market and talk to medical device makers who um some of them didn't even think about security when they were designing it designing their devices is uh surprisingly some of the ones who didn't think about security when we started talking with them like oh yeah how do you design software without doing that it's like have you heard of software Bill materials they're like no what's that and I explained it to them they're like oh yeah of course we do that everybody does that because they're like a little startup right and they looked around at their colleagues uh big huge medical device makers and the
medical device makers the other ones were like you can't that it's impossible like what this is like the complete opposite but I think that's symbolic of the transition that's being made uh in healthcare and medical devices um and I don't know I don't want to Ramble On too much because I know we want to we want to flip it so maybe I'll take the opportunity to to set up a pivot which is um this has been a success story working with the FDA not every industry has an FDA and as we've talked about in this track for a couple of days um some of them are uh lack a lot of the things that Healthcare and medical devices have
um in the absence of a suzan at every regulatory agency how can we take this blueprint and make it more successful is it even possible to do that or how can we take the Lessons Learned uh and build on those to make other Industries um help them come along uh maybe more quickly because they have a road map to follow um and you know to to overuse a tagline to make us all safer sooner together back to you thank you I want to thank you both I want to give my two team members who haven't had a chance to get up here and introduce themselves um as well you know one of the things things we talked about on the Omnibus is
the additional authorities um we also got Appropriations that allowed us to not only expand our team um and we have two recent members that have joined the team um but also to really create more of what now is a sustainable program in medical device cyber security so um start with you Monro I think you've been with us a little bit longer and then Arvin you can just provide um introduce yourself provide some background um you have an interesting story as well in terms of how you came to us um and um you know and and what is it that so I'm going to pose a question to each of you as well given you know that you've come in the
more recent time what is it that you you know if you could have your greatest wish or what you were Aspire for in terms of where you want to see things going you know um and knowing the current state what would that look like what would that be yeah awesome question yeah so I think actually this week um as we talk about anniversaries of both I am the calvary of the FDA program I think this week is actually my oneye anniversary at the FDA um so uh good to be there thank you um but yeah I kind of came from an interesting experience of um coming to medical devices and medical device cyber security it all started as
an undergrad student um boor in the summer uh that can lead to a lot of good things and can lead to a lot of bad things sometimes when you're a board undergraduate student in the summer um but I had the opportunity to work with a professor um who was doing research on medical devices and consumer products um and so we were doing physiology studies and I think I kind of had that technical brain somewhere of as I was working with them I was like there's a lot of potential security and privacy problems with these devices and so I think that just kind of planted the seed in my in my brain and so I had always been kind
of interested in policy and medicine and that technical side and so as I was trying to figure out what to do after uh undergrad I said you know where do those worlds emerge and so I ended up in public health of you know having that perspective of helping people working in the healthcare sector but also thinking about policy bringing those things together so I ended up in a public health program and as I went through graduate school I kind of kept being interested about this technology side so I ended up working for a a contracting company and worked a lot with military Healthcare facilities uh ended up going to HHS and worked in the chief
technology officer's office for a while working on digital health issues um and even had a little side jut over to the forest service to work on policy issues but throughout this entire time there's always kind of that medical device aspect you know at the back of my brain of that such an interesting area where you impact patient lives every single day um and it has all these you know different challenges that all merg kind of in in one Nexus and so I eventually ended up um at siza where I worked in the National na Risk Management Center and got to work not only on Healthcare issues but kind of critical infrastructure issues as a whole and do
a lot of interesting risk analysis there so I really enjoyed that experience of kind of you know honing the craft to thinking about Healthcare as critical infrastructure and I think some of my cic colleagues probably got annoyed after a while I was still always interested in medical devices so I I remember in one situation we were uh going a little side tangent here uh you know we had some extra time and so we were proposing some projects on thinking about you know critical manufacturing and raw materials and they're like great that's a perfect topic you know go down that path I like but what if we think about it in the context of medical devices and they're like oh my goodness
like what are we going to do with you and so there was always kind of that that thread of being interested in Health Technologies that I had um and so when my my time at at siza came up I was uh nearing the end of my graduate program which and grad school is a product of a really good cyber Workforce training program the Cyber Corp program scholarship for service that's run out of the National Science Foundation so I had the opportunity to kind of be this weird person of being trained in public health as a graduate degree but also having that kind of cyber course side of you know being a potential future leader in cyber security um and so kind of as I
was in that role I ended up um through some connections uh coming to the FDA as a fellow and um this is a lesson to all students uh in the first five days I was at the FDA um at the end of the week they asked me would you like to interview for a job here so I'd barely even been there for a few days but they really spoke to you know then you know the interest that I had to the topic and um you know and I could immediately see within those five days of the you know the team that I was working with and the people that were here at the FDA um so I
never ended up leaving I ended up staying at the FDA um but it was a really good experience and I think I'm kind of a a child of of two different truths of one being um that medical device cyber security Healthcare cyber security cyber security as a whole is really uh a product of having multidisiplinary people involved so whether it's Physicians Public Health practitioners Engineers attorneys um you know all the other people that are involved and so I think you know that's you know kind of the Village People of the FDA team but also an example of you know cyber security as a whole um but really kind appreciated that truth but I came from
that background of um you know being in those interested in those different areas and that really becomes an asset when we think about dealing with patients in these impactful kind of topic areas and I think the second truth is how impactful engaging and and uh having mentors and going to events like this can be I don't think Josh or or Bo know this but the way I got to the FDA was through a cyber meded Summit one of my professors um it was at one of the one of the ones one of my professors said you should go to this event and so I went and got to meet um some different people and I eventually met Kevin Fu who
was working at the FDA at the time he said why have you not worked here yet yeah um and so it was just one of those examples of where I wouldn't be at the FDA because of an I am the calvary event and so I think it's you know it's a good example of you know kind of how those things not even just when we talk about you know the really substantial impacts of thinking about you know legislation and and and policy um and the impact that both the FDA and IM the calvary has made in those spaces but also that that small impact you make with individual people of that student that walks up to
you after an event um you may spark that interest in them or you may have that opportunity that's just perfect for their perspective or for their skills their expertise area um and so I think that's a good example as we kind of celebrate the I am the calvary of um where you can kind of not only bring your different perspective but also kind of facilitate uh that that growth in others and you know have that next generation of both both the Cyber Workforce and kind of uh leaders in in public service so yeah that's kind of my deal and I'll pass it over to my colleague Arvin who can I just want to say I mean I love that I love that story
but and I should say and we also know gems when we see them okay so you know not everybody gets a gets a a request for an interview after five days a unique scenario certainly but I think those gems are in are in many other places so if you know uh how to look for them and and identify them and take action when you see them I think it's the lesson we probably learned from that but yeah don't let it be five days uh hi everyone my name is Arvin es scander I uh I am I was honored to be join uh joined this beautiful team at uh about 10 months ago so I'm very very new
in to FDA and also to the healthcare I uh my background is computer engineering electrical engineering and I was working for patent at Mark office for 14 and A2 years um where I was uh out of college 2008 it started uh patent office and I was working purely on networks and uh networking applications and then my wife at the time she was working at FDA my brother-in-law L uh later on joined FDA and uh was work seeing these two very Enthusiast in medical devices and all that so in 2010 I decided to come to FDA and obviously I wasn't successful I was in the gym yet uh so I went back to school got my masters
during the end of my uh master program at GW I uh saw a very very big need in cyber security and patent office and that's how I entered patent in cyber security field and I was working on uh pure networking applications and then all the cryptography stuff that came in all the AI stuff that started to pour in and later on in 20156 time frame all blockchain stuff came in and I was the one of the many a few uh people who knew what blockchain is and how that works so a lot of applications came to me and uh blockchain stuff and excuse me fast forward to 2020 with a pandemic had and we all started working from home and I'm
working on this table my wife is on the other side and she's working 17 18 19 20 hours a day working on this uh new Co test stuff and uh first eua that came from of course she was a manufacturer that that time she was at BD company and this uh Co test that they were uh developing and EA for that and I see her so eager and so so passionate about what she's doing I said this is the time I need to get out of here and do that in is a pandemic time and I'm not doing anything in public health um I issued over 12 uh 1,200 patent applications just to make companies
richer so no impact on uh Public Health whatsoever so um again fast forward in 2022 I had the privilege of joining in this team thanks to Linda uh boss and uh in October of 20122 I switched to FDA and since then it's been wonderful I've been uh working with uh as wonderful Jessica Matt uh Suzanne and afon and Monroe and our colle back at home we have two colleague at home uh we have Lisa who joined after me and uh tly who is uh who has been with FDA for a very long time she was the lead reviewer now she's with us uh so it's been great journey and keep learning and part of stuff that I'm working on and passionate
about it's the artificial intelligence and effects of artificial intelligence on medical devices how we can use AI to secure medical devices and later on uh uh bringing the aspect of quantum Computing and how Quantum can help us and the bad news about Quantum is the encryption system that is going to break so postquantum encryption that is we being standardized by end of probably next July by Nest all the hash based lce based uh encryption system that are coming to make everything more secure for us so it's been a quite a beautiful nice Journey for me okay thank you both well and we actually used up a fair amount of time in this session wonderful yes I don't know if if is
there time for a little Q&A or folks in the minutes so we do have time for we do oh I turn my light off you want to use mine I think I can fix it we do have we do have some time for questions and while the rest of you are thinking about questions I have a question for the honorable doct s um it's been quite a journey right over the last 9 10 years can you uh can you share with us your thoughts you've seen a you've seen a lot right sure what what is in your heart for what your organization should be doing in the space as it relates to security research and the calvary over
the next 10 years what is what is a 10e plan look like for you going forward you're saying yes ma'am good question I I think what resonates with me a lot um is although I'd love to be selfish and continue to cultivate the relationship with the I am the calvalry and security researcher Community for work that we do and I am very selfish about that I think the notion and um I don't know if it was Jessica that point to that but the notion of really like paying it forward and um really being able to think about how what we've done can serve uh perhaps as a blueprint for the broader public good right um in other
sectors um and how can we help do that um it's it's perhaps aspirational um it's maybe a tad outside of my FDA Mission because I've got a lot on you know to deal with in terms of FDA but to the extent that it's for the betterment of of you know of humankind in terms of other sectors and drawing upon really being able to identify what has been you know the what has worked and why has it worked um and potentially looking towards how that might be applicable to other areas I think that you know that's that's exciting that resonates with me um we certainly have within our own space of healthc care and public health
as a sector the broader Health Care cyber security Arena to deal with and so even broadening it out out that Circle to outside of medical devices to other medical product areas to other parts of what is consistent within what what is included within healthc care is of Interest as well and it's in areas where we've already started to try to assert influence um internally within the agency within FDA as well as with our uh sister agencies at HHS um and I think that um there's definitely opportunity for the Ina calvalry Community to perhaps be a further you know driver in some of these areas um you know I I think that um it would be
um disingenuous for me to say that yeah you know the FDA we came along we've done all this and yes we've done this with I am the Cavalry and the researcher Community but there was a fair amount of the prompting and the pushing and the driving that was coming from security researchers knocking on our door um and that becomes an important driver um [Music] to Bringing about change to Bringing about that kind of transformation um and there are certainly other areas um within the medical product space and Beyond within healthc care that I think um if as members of the security researcher Community taking up that cause you know mobilizing um and doing so with empathy
and what we've talked about there is opportunity to help partner and bring about change thank you for that um so there's an opportunity for people to identify questions I don't see any questions so taking the moderator privilege I'm going to ask a really hard question um are all the questions for me well for for you and the team so team je Jessica okay there is a question um okay so we will get to your question next but moderator privileges so ransomware is a Scourge and I recall seeing very recently a slide that indicated in the last year 700 hospitals in the last five years 200 hospitals have closed they're not going to reopen what are the options for the FDA
HHS other government entities sisa National Guard to bring these little Community Hospitals it they're they're in a tough spot right CU doctors don't want to live there it the economics are really hard they're not going to probably find you know each hospital going to find two or three or $500,000 to up their cyber security game sure so as you've thought about it Jessica I know you've thought about this what what do you see as being maybe a recipe for how the government can can partner with local communities to bring about some type of resolution to this current Scourge yeah I'm gonna have Jessica respond since she's taking a seat at the table I have come back um yes so I I
think there's a there's a couple of different elements to to this right because if you think about a hospital and and getting hit by ransomware or a cyber incident um in in general there's a lot of different pieces and For Better or Worse we have a very fragmented regulatory system here in the United States and who has what parts um Can can be very complex I think on the FDA side of the house our biggest goal is with the new authorities with the acceleration of our program the growth of the um the team that we have that less and less medical device cyber security risk exists because we are catching that risk before it actually
manages to get into environments so medical devices are just more inherently secure and securable over time so they are not going to be um the source of the problem or they're not going to be affected uh is is our end goal they're going to be resilient to cyber threats I think um to what Suzanne was saying about the the evolution of you know we have benefited from the security researchers Community uh expertise uh and advice over the years I think what we're starting to see is um because of a lot of external pressure not necessarily from the security research Community but from others um the rest of healthcare is is starting to see that they need to
take a very similar approach uh and so I can say because I've experienced this I've sat in on these calls and these experiences they're starting to look at not only from the cyber security perspective but from the same way that we do from looking at the whole of our authorities question um you know there's a lot of reporting that hospitals have to do um in order to stay certified with their different regulatory regimes a lot of hospitals live or die by billing private insurance and Medicare and Medicaid and if you think about it all of that billing takes place electronically and if you can't submit your bills electronically and if you can't get reimbursed you can't get
reimbursed for your Medicare and Medicaid for a couple of weeks that might be the difference between you staying open and staying closed so I there are conversations that are starting to happen that are not necessarily cyber security focused of you know can we look at other areas of relief and helping these organizations bridge that gap between having an issue and and being able to recover on come and come out the other side I think from a cyber security perspective um from a whole of community approach with FBI with szo with with HHS we're starting to look at you know kin say Ascend cyber Security Experts to go fix the equipment they don't have cybercity experts
themselves can we can we send them from the um the resourcing and the Staffing need you know we've talked about there's something called disaster medical assistance teams dmats I don't know if I got that um acronym correct but essentially can we have something like that for cybercity incidents can you send nurses and doctors and other Specialists who know how to operate without technology and they can still deliver care um you know how do we bring the entire force of the United States government to bear so that these hospitals are not on their own um with these kinds of incidents happen and and Frankly Speaking of trust building how can we give these hospitals and other
organizations a measure of comfort that they're actually willing to call and ask for help because I will tell you it's pretty rare they do not want to call the government because they're afraid that they're not going to receive help they're going to receive fines and they're going to receive blame and so um I think in a lot of the same ways that FDA 10 or so years ago was really starting to evolve um and and learn the art of the possible here I think that that's starting to happen I think um encouraging that kind of behavior on on the government's part to the greatest extent possible is is something that you all can help with um creative ideas
about how to bridge some of those gaps about uh ways to to help these kinds of Institutions recover are there things that are really going to help do that I'd like to ask you to uh continue on the theme that you brought up of sharing the wealth of information and experience with other Industries in particular uh been thinking a lot about the dichotomy between information technology and operational technology as the term is sometimes used talking about those programmable logic controllers and sensors and actuators that increasingly get entangled with the it Network and a lot of cyber security research and defense is focused on it networks but uh there seems to be aity of answers for operational technology
and I wonder if you can see any parallels in your experience or any advice that you can project towards this realm where you among the 16 critical oper uh critical infrastructure sectors there's you know you know quite a a a uh not mystery but uncertainty about how to proceed because there's recognizing there's vulnerabilities there we haven't had our kyoga River yet in those things but we may be coming close do you want to take that sure um so I think it's it's interesting that you bring up the The itot Divide um because it's actually something that we we deal with on a pretty regular basis because we are on the OT side more so than anything the Cyber physical side
medical devices thought of as as operational technology um and I will say again mostly because of the the way that the the last 10 years have evolved of the security research Community is finding vulnerabilities and responding to vulnerabilities in the medical device sector is is kind of just understood people just that we just do it um I think to the but one thing that I will say that that's an important element in in this May hopefully start getting out what you're thinking of but maybe a slight tangent we have actually run into the situation where sometimes the missed connection between trying to do OT and cyber physical research and vulnerability response and doing it is
that things that you can do in it you can't do in OT um and so you'll have research done or best pract we actually run into this with other federal agencies where federal agencies are proposing best practices that are it based and trying to put them in an OT environment and we have to say we can't do that you cannot do that you cannot put multiactor authentication on a medical device in an emergency room for example um and so I think part of it is one just an educational issue on the government side of the house of you know different Technologies are in different environments they're used for different purposes and you can have the same
computer in in entprise environment in a manufacturing environment in a healthcare environment and they can have three different sets of best practices and we we need folks to understand and and apply them in different settings so I I think there can be a translation issue where people on the OT side stop listening if people come with it best practices that that don't apply and on the same thing if you're trying to do an OT thing in an IT environment it becomes that issue but I I think maybe what I would say on the broader side of how do we get other critical infrastructure sectors to sort of recognize this I would say the biggest turning point for
me personally um this was even when I was still on College and and sort of coming into Healthcare cyber security is um understanding that cybercity is not an IT issue it can be but it can be a safety issue and I think the the really key part for a lot of regulators is making the connection between this is not an it we are not asking you to solve an IT problem we are asking you to keep people safe and so if you can make the connection between exploitation of this OT vulnerability can lead to this and that is going to have these safety impacts um you can generally I think get people's attention and understanding a lot more especially
I I actually have found it for example being very successful maybe say it a little cavalierly to time sometimes I'm like I don't really just if if it helps you just imagine that the hospital that has been hit by ransomware burned down or it flooded like you people know okay the hospital has flooded we're going to do this this and this the hospital has burned down we're going to do this this and this but somehow we still have it like breaks their brains when it's a cyber incident um so I think on on some of the OT side it's it's framing it as a safety issue it's comparing it to natural and man-made hazards of just
think about it like the the thing just broke you know that the bridge fell over now what um and then they can kind of apply their their usual problem solving sets to that and kind of work backwards to get to the missing pieces about cyber security I hope that answered your question I
don't it is
coming great I appreciate you bringing up uh a lot of those things I've dealt with a lot of hospitals and their response to most of these cyber security instances is cyber insurance it's much easier to mitigate the problem by paying for the response I mean they're used to doing this because they have malpractice insurance so when a doctor murders a patient they just pay the money so now when we have a cyber incident they just go and call the Cyber insurance company and they will decide if they're going to keep the hospital open or or if they're going to shut it down depending on which is cheaper how do you think we can start addressing this problem and improving
the safety of all the patients because that's what we're concerned about and I'm not concern I'm not convinced that the administration is concerned about that I think they're more concerned about the dollar amounts let me ask a question when you say in the administration you mean the hospital Administration CEOs and and you know I I think it a lot of this does come back down to really um you know the the Coalition building the collaboration bringing you know all stakeholders together to raise awareness and to educate on just what you're talking about of this being a safety concern or a safety matter cyber insurance is by no means going to be a solution or a
Panacea um that's not to say that we're going to you know that uh we are going to be able to completely get rid of cyber attacks or ransomware attacks ever occurring we know that that's a you know that's likely to be an eventuality but the answer certainly isn't to just you know kind of pay it out and have cyber Insurance the answer is to really again come back down to basic principles of preparedness for any type of an event um as as Jessica's talking about and that's I think why things translated very smoothly for us back years ago in the kind of programming that we had which was focused on other kinds of events and how
you're doing you're doing disaster preparedness or merer preparedness we're concerned about light you know loss of life or limb or patient safety and so that drilling down on that piece of it and there is so much that can be done right now there are so many resources out there there are so many community if you will or collectives to become a part of um that um we really would you know really need to encourage that kind of participation I guess I'm going to close this out yeah um I'll say a bunch more stuff in private but uh um I watched the Cavalry launch uh yesterday before my keynote and some things hit me and I
just want to share some of the hitting with you um in the bsides launch I said uh I have no interest in finding and fing a single flaw and a single medical device I want to hack the incentives to make them all safer and when we said that it was a moonshot mhm wasn't serious we had no idea if anyone would listen to us our your reputation was nobody cares about cyber security no one listens at Defcon I I told the room people will have to die first before they're going to listen to us they said well why bother and I said because when that moment comes I want to have the trust and the scaffolding so that we
could be safer sooner and have a prompt and agile response and they'll Return To Us instead of lesser people with lesser motives and lesser ideas and no idea where things would go but it's because of you you didn't wait 10 years for people to die you did the safy communication because it was the right thing to do we didn't have a moonshot to change and hack the incentives for all 10,000 medical device makers we have a patch act we did exactly what we said we would do and none of it would have happened without your courage and our shared common cause common purpose and common philosophy that it takes complimentary skills from a lot of different teammates
in this room and in your corridors and you didn't just make medical devices safer you set the pace and the tone for many of your colleagues in the White House in Congress internationally we wanted to make the world a safer place and you enabled 90% of that well we've done this as a team I'm humbled and I'm embarrassed by the compliments but um it's really been a very much a team effort and um it uh you know it comes back to the importance of bringing Community together it really does what we can accomplish when we work together so we're looking forward to what the future has in store for I'm the Cavalry and um continuing the work that we've
been doing even if as it may take on a very different face that's that's okay that's fabulous uh please join me in giving a hand for the doctor and the staff thank you so much