
IATC - Health Care is in Intensive Care

BSides Las Vegas · 59:16 · 141 views · Published 2024-09
About this talk
I Am The Cavalry, Tue, Aug 6, 19:00 - Tue, Aug 6, 20:00 CDT. Cyberattacks are a serious threat to healthcare operations, and they've become increasingly common over the past five years. The sector is still recovering from the February attack on UnitedHealth-owned technology vendor Change Healthcare. The cyberattack snarled key tasks like billing, eligibility checks, prior authorization requests and prescription fulfillment. Hospitals are closing, and the distances that people are forced to travel are increasing, leading to poor health outcomes or, in some cases, fatalities. This presentation will highlight some of the policy and technical security controls that can be considered to restore resilience to the health care system.

Speaker: Christian Dameff
Transcript [en]

Ah, thanks everyone. All right, it's going to be like SeaWorld here, okay? I'm going to not wear my mask while I'm talking, but that means these first two rows are the splash zone at SeaWorld, okay, so you can't be here, you'll get wet. All right. I want to start off right off the bat: I have a trigger warning. I'm going to be playing an animated video of chest compressions. Not that big a deal; it shows the heart, shows some animated blood vessels running through, okay. And then I'm going to be showing an approximately two-minute audio clip of someone in a medical emergency. It is very distressing. It has people very sad, in a chaos-

type situation; there is someone that's very, very sick. So I'm going to just straight out here tell you there's a trigger warning for that. If you are averse to something like that, I would strongly recommend you either leave for the first portion of the talk or just take that into consideration, okay. I'm Christian Dameff, here at Hacker Summer Camp. It's my 20th year at DEF CON this year, it's kind of crazy, I just thought about that, I am old as hell now. But most people call me Quaddi for the summer cons. I'm an assistant professor of emergency medicine, biomedical informatics and computer science at the University of

California San Diego. I also co-direct the Center for Healthcare Cybersecurity; we just launched that this last year, we'll talk a tiny bit about that at the end. All right, so I worked in the emergency department in the Imperial desert for the last three nights and I was very sleep deprived. Shifts are about 10, 11 hours. I saw a lot of patients, a lot of sick patients, and I'm driving back and I started thinking to myself about this talk, and I'd already prepared some content, but I think it was a combination of sleep deprivation, too much Red Bull, and the fog on the mountains between the Imperial desert and San Diego where I

kind of came to this thought, reflecting a little bit on my life. And I know you all probably, oh here it goes, a talk, it's an autobiographical talk, those are the worst. No, no, hear me out for a minute. This talk starts when I was an early teenager. I played a lot of computer games, built some computers, but a kid down the street really got me into the hacker scene. So this is me playing open Capture the Flag a long time ago at DEF CON. I loved it. The hacker community offered something to me that nothing else ever did, and that is an excuse to explore a

curiosity that otherwise is forbidden, you know, and the authority of it, of like, don't do this because that's improper, just kind of went out the window. And you could couple that with really hard problems that require creative problem solving. That to me was like the secret sauce, so I just dove head first. So most of my early teens are all kind of growing up in the hacker community. Never thought it'd be a job. It wasn't called infosec or cyber, it was just like hanging out with your friends and, you know, hanging out in terminals. Then in my late teens, early 20s, I went to college and I was a philosophy major, and I thought really hard about

not having a job. I could think very deeply about that. And to make money, my hustle was I did networking, small networks, for, back then there was a really thriving sector, it was mortgage banking prior to 2008. Yeah, there were a lot of mortgage banking places opening up, and you know what, they, just like it proved out, they didn't really have a lot of scruples on who they hired. So they'd hire this kid with no real IT background other than just I could put together networks or whatnot. So one of my network cabinets, but mine are kind of close, all right, no judgment. So I did the network hustle for a lot of small

mortgage banking companies, but I really wanted to drive an ambulance. Who here has ever really wanted to drive an ambulance? Raise your hand. The rest of you are lying. I don't know about the cop thing, man, but I'll tell you, I really wanted to drive an ambulance, okay. So I was like, all right, I'm going to go get my EMT. So one summer I went and got my EMT because I wanted to drive an ambulance. So I take my EMT course, I take my test, I go to the ambulance company afterwards, I said hey, I want a job, and they just laughed at me and they said, how old are you? And I said

I'm like 18 and a half. They're like, we never let you drive until you're at least 21, you cannot be employed by us. I was like, I wish they would have told me that before I took the class. So the only job I could get as an EMT was at an emergency department, as an emergency department tech. I show up, and it's like my first week of orientation, seeing some crazy stuff I've never seen before, and it was at a hospital in Tucson, Arizona. It's called St. Joseph's Hospital, it's still there today, and it's a moderate-sized community hospital. I bet you many folks in this room would probably go to a

hospital just like this if you ever had an emergency. Nothing fancy, no university stuff, I don't do heart transplants or LVADs or crazy cancer treatments. This is your bread-and-butter hospital in the country we're going to talk a lot about today. But I saw something in that emergency department my first week that, like I mentioned, I'm driving over the mountains from my shift and things went crazy and I thought about it. It was the first time I ever saw a code, a cardiac arrest, in the emergency department. I have [inaudible] my life ever since. I don't think I've ever been more inspired by a 20-minute event ever since. Why? It's a chaotic symphony, right? It's

10 people coming together immediately with a common purpose, sometimes not even communicating with one another but knowing exactly what to do, sometimes screaming at each other, sometimes disagreeing, coming together to try to save a person's life. And I had never seen anything close to that in my life before, and I said, I want to do that. Went to medical school, because again, you can't make a lot of money as a philosopher. Not that money is the end-all be-all, but, and now Josh is a philosopher too, but it's true. And I saw that cardiac arrest, well, I gotta go, gotta go to med school. Went to med school and I made my whole

research focus cardiac arrest. I studied what happens when your heart stops: chest compressions, putting in breathing tubes, feeding people, shocking them. I did a bunch of research to try to figure out what could we do to make it more likely that this person who is dead is going to come back to life. And there was one particular project that sticks with me to this day, and it started off with a regular meeting. This big-wig fancy academic guy, great guy, Ben Bobrow, he says, hey, I got a project for you, but it's a lot of work. I said okay, tell me about it. So I need you to listen to like a thousand recordings of 911 calls where

someone goes into cardiac arrest, and I need you to timestamp when they recognize, when the dispatcher on the other end recognized there was a cardiac arrest, when they told them to start CPR, when they stopped doing CPR, when they shocked. I need you to listen to these thousand calls and record every single one of them for what happened. And I did that. I did it over two and a half years of medical school, over a thousand calls, recorded all that stuff, a bunch of papers came out from it, and hopefully it made a big difference. But I'll tell you, that'll drain you, right, that'll really eat at your

soul. The thing about CPR is that the person's dead. You haven't stopped it from happening, you didn't give them blood pressure medicines, you didn't treat their diabetes, you didn't treat their cholesterol. Something catastrophic has happened now and you're just trying to make it less bad. And the way you make it less bad is by pumping on the chest. As you begin compressions, you are creating an artificial pump and doing the work of the heart manually. With each good, effective compression you are building up pressure in the system, which will move blood around the heart and up to the brain. It does take time to get the blood moving with CPR, so it is very important to push hard and push fast to

build the pressure up, which keeps blood going to the brain. Pushing down at least two inches allows for the heart to be squeezed and blood to move out. Pushing at a rate of 100 to 120 compressions per minute is... All right, you're like, am I taking a CPR class, what's going on here? When your heart stops, the clock starts. No blood flow to your brain. Between zero and four minutes, probably a little damage. Higher risk from four to six. Six to ten, maybe you don't walk again. After that, maybe, well, you probably don't make it, but maybe you don't feed yourself, maybe you're not awake, you don't recognize your friends and family, can't move your body. So every minute

matters. Going to try a thing I've never done before. I got a little timer here. I'm going to set that to four minutes to signify the time at which, if we don't do anything, you don't restore some blood flow to this patient's brain, things are going to die. I'm going to hand it to you, if you're okay with that, and then when it dings, just send it to someone else, put it to four minutes, and we'll just keep going, okay? Everyone just kind of pay attention to the ding, because four minutes goes fast. This is the recording I was talking about earlier, so last minute on the trigger warning. Okay. [Recording plays] Okay, what's the problem there? Uh, my husband, he's going to Kino,

he, I don't know if he's breathing right now. Okay, is his chest falling and rising? It is a little bit, but he's turning blue. What's your last name? Matt Baker, B-A-K-E-R. All right, and you're on a cell phone? Yes. Yes. Matt, come on honey, Matt, look. How old is he, ma'am? Matt! 39. 39? Yes. Matt, honey, you got to wake up. Matt! Can you get him, where is he right now? Upstairs, bed. Okay, is there any way you can get him onto the floor on his back? Uh, he's on his back on the bed. I'll try and get him up. Okay, are you there by yourself? So my, my dad came over. Okay, see

if you can get him on the floor on his back and we'll start CPR, okay? Come on, come on Matt, come on. Get him on the floor. All right, all right, all right, come [music]

on. Okay, okay, okay.

How we doing? I, okay ma'am, I've already dispatched you three units. I just want to try and get him on the floor so we can help him, okay? He's on the floor, he's on the... Okay, what I want you to do is I want you to tilt his head back a little bit, tilt it from the chin and put your hand on his forehead and tilt his head back. No, can you do that? Let go, let go. If they want me to CPR, and to do it...

[Recording ends] Anyone know how long that was? You know, anyone else? Four minutes? That was two minutes. Two minutes gone, halfway to the brain starting to die, and we haven't even started. There's nothing wrong with the 911 dispatcher or the person, I'm just giving you guys the facts that minutes matter, okay. I thought I came to a hacking conference, wow. I also promise I'm not this much of a bummer in real life, but we're talking about serious stuff today. I think I got five or six takeaways for you guys today. One, we've already learned: CPR, do it two inches, at a rate of about 110 to 120, okay, hard and fast, come fully off the chest.

Good job, you learned something today if you didn't already know that. Number one: modern medicine is critically dependent on connected technology. Not a little bit, like we get around without it; we are critically dependent on it. I'm 37. I trained in medicine and I've never used a paper chart, ever. Never done medicine where I had to write things out on paper. It's all on the electronic health record, it's all using connected medical devices that connect to our network, it's all using third-party cloud provider stuff now, it's all using web apps on your internet to do paging, even when things are literally like minutes matter. Like I mentioned, we use point-of-care ultrasound, for instance,

to take a look at a patient's heart to know if I have to do A or B, and if I don't know that, I might do something that kills the patient. Put a little science to this. There was a study done, and this is almost 10 years old. Four minutes. It's a study that looked at emergency department doctors, and they had some people follow them around for a whole shift, an eight-hour shift, and they measured how much time they spent doing various tasks. You can read it above, but if you didn't look, or if it's really hard to see, to give an idea of how much time they spent putting stuff into a

computer with data entry: 40% of their eight-hour shift is just them typing on a computer. 16 or so percent, if I remember correctly, is actually interacting with patients. Some of that is talking with other doctors, again on computers, on phone lines, using paging systems. And during an eight-hour shift they clicked over 4,000 times on a mouse. This is underestimating what it is now. I want to repeat this study; I guarantee you it's going to be like 8,000 clicks and we talk to patients for like a minute. Raise your hand, yeah, do doctors even talk to you anymore? No, I'm sorry. Some talks I go through this whole lengthy discussion about what it takes

to take care of a patient that's having a stroke. We go through it line by line, we talk about all the different steps, and it summarizes into this slide. I'm not going to do that today, other than just to show you guys that it could be cardiac arrest, could be stroke, could be some other really, really serious thing, and they have to go all the way from their home to the 911 system, to get dispatched from the computer-aided dispatch system of the ambulance company, hopefully GPS is working and they can triangulate their position, because otherwise sometimes they show up really late. The facilities at the hospital are all control systems that we've talked about, a whole

smattering of outdated elevators, water systems, sanitation systems, all of which we've talked at length today about how we're critically dependent on. We use connected medical devices like CT scanners, electronic health records, network-connected medication dispensers, and all of that has to work in perfect harmony for patients like the cardiac arrest victim that you just heard to have a chance. All right, hope you're a little convinced that we can't do this without all this technology. Takeaway two: they're increasing. Does anyone think they're not increasing? Do I have to science this a little bit? Does this really matter? This is a paper that Hannah Neprash put out in JAMA, which is great. It just showed ransom-

ware attacks on healthcare organizations. This is actually three years out of date; we're blowing past these numbers now, it's way worse now. But you can see that's an interesting trend. I just want to look at 2021: over 90 healthcare delivery organizations hit. Now those are healthcare delivery organizations, not hospitals, so it cuts both ways. It can be a healthcare delivery organization that's not a hospital, maybe it's an orthopedic clinic, maybe it's something else. But one of those healthcare delivery organizations can be 10 hospitals and only count as one. Really underestimates it in some way. Oh, 2024 has been a banger year, hasn't it, for healthcare cyber. We had Change. Anyone get jacked up on Change? Oh

yeah, I still owe a lot of beer to my team for that. What'd you say? Sorry, sorry, you're from Change? I'm from M... Oh, boo this man. I'm just kidding, I'm just kidding, I'm just kidding. We won't throw stones; we all live in glass

houses. Wow, what an attack. Change made all this national news, messed up a lot of you guys' months. But I'm going to confess: I've been doing healthcare cyber for a while, like over 10 years now, and I didn't know Change existed. Yeah. Of course, it's one thing in your mind to be like, oh yeah, these critical dependencies and third-party risk is an issue and there's catastrophic failures and all these things, but like, we do a great job of just ignoring that part of our brain, don't we, until something like this happens. Oh, there are a lot more of these, and the aftermath is going to be felt for years. There were immediately hospital

systems that couldn't pay their bills, they couldn't make payroll. But what's going to happen later on, when all those cascading failures of financial constraints, another four minutes, we're going to see closures of practices and I think eventually hospitals from this. Takeaway three. All right, cyber attacks. I know I'm supposed to take a shot when I say cyber, but I just had a lot of Red Bull and I can't start drinking this. Anyone hear about Ascension? Okay, again, another 2024 attack. This kind of comes on the heels of Change, it's kind of a one-two punch. And what I want to impress upon you guys is a concept we're going to talk about a

little bit later, but it's this: not just are we critically dependent on third-party vendors, things like Change, the plumbing of the digital infrastructure and back end of healthcare, but we're consolidating. Hospitals growing a business are getting bought up, things are getting more and more consolidated, and we're seeing more attacks like Ascension where it's not just one hospital or two hospitals that go down, it is spreading across the country, several states. I have some social media grabs for you folks. So if you don't believe, if you think this is all overblown and you think that this is [ __ ] and that it's not, just look at some folks' comments on Reddit, and

they never lie on Reddit, this is accurate 100%, but I feel like these are probably a little unfiltered realism here, okay. "Cyber attack in largest health service system in the country. No one knew where the forms were. Thank God we have a separate sign-out with our patients' medications. Nurses are writing them down from memory. This is a new reality. We need to be better prepared." "I was just told the internet may be out for days. We're still on our previous owner's network and they're down in multiple states." Here's someone from Vermont: "They taught me how to paper chart in nursing school. I'm [ __ ]." Oh sh... I didn't get a clearance to curse, did I? All right, that's

done. "Sounds like a cyber attack. The electronic health record is completely down. It's an absolute nightmare in the emergency department right now. Fortunately, admin issued a statement that our care teams are trained for these kinds of disruptions, which is interesting, because right now I can't get a Tylenol in under two hours." Damn. "Every Ascension hospital... we just brought, we just bought a trauma," so this is a patient that suffered a trauma, to an Ascension hospital, "and the trauma team was freaking out because half the team didn't get the page or notification. They're on paper charts, handwriting orders and doing consults over their personal phones." Man, we got CrowdStrike. You're probably happy that CrowdStrike happened now, because no one's mad

at you anymore, they can just be mad at CrowdStrike, okay. Changes the news cycle, huh? Some screen grabs from Reddit about CrowdStrike. I swear to God I pulled this off of Reddit. Someone drew this in a hospital. This picture here is on the board where they're tracking patients, because the systems that track patients are no longer available. They had to go to whiteboards and try to figure out what patients were still in the hospital, where they were, and where they needed to go, right? So this was on a whiteboard and someone drew that picture underneath it. They didn't draw it, I think, I mean, of course, it might be a little funny. There's truth in

that. When the nurses and doctors on the ground go publicly to the media, and I've never seen this with any other attack, Ascension was the first attack I saw where we saw nurses and doctors talking openly to the media about patient safety issues, essentially blowing the whistle. But look at some of the other stuff they said: "Our ICU telemetry monitors are down," so they can't monitor the sickest patients in the hospital. Go to the ICU, their monitors were down. I saw that the NICU, the neonatal intensive care unit, the tiny babies, was down in some of our hospitals. That nearly broke me. "Our monitors stayed up but we lost the ability to upload labs in our electronic

health record. We can't compare EKGs." Four minutes. Cyber attacks degrade, delay, disrupt and decay the digital systems that power timely, life-saving medical care. But enough with the stories and Reddit screen grabs, let's go through a little data. All right, I'm a scientist, I think so, I play one on TV maybe. I think we got some stuff to show you. Would you believe it if I told you that there's not a single paper published in a peer-reviewed journal that talks about what happens to patients at a hospital that's been ransomed? Would you believe that? We have so many... You're telling me there's not a single paper that went to a hospital that got ransomed and looked and saw

what happened to their patients, did they survive, what happened to them? There's none. Global? I'm sorry, global, global. There's not a single peer-reviewed paper in a journal published that talks about patient outcomes at a hospital that's been ransomed. Why? Are there lawyers in the room? Well, it's lawyers, lawyers, lawyers, I think, is a big part of this. Let's just not all blame the lawyers. Why are we talking about lawyers? It's the standard thing, right? You get hit, you got to put out some communications, the lawyers, they have to say it's a cyber attack, they're worried about lawsuits and whatnot. But I think the big reason is that lawyers, lawyers, lawyers reduce the risk to the

institution. Let's not talk about it, okay. The other thing I want to bring up is that the way we figure out if patients get good or bad care is by looking at data that's in the electronic health record, right? So how long did it take for me to give a patient antibiotics that was really, really sick? If I give patients really sick with an infection antibiotics really quickly, they do better. How do I know how long it took me to give them antibiotics? I look at the timestamp in the electronic health record. That's the logs, essentially. Well, logs gone. So we can't even measure, in a lot of sense, what happened to patients. The

only thing that we have is the record that's scrawled on a piece of paper that no one can read, is incomplete, and was written literally in a chaotic

event. [Audience question:] Would paper charts still have that, though? Yeah, paper charts might, but paper charts are non-standard, they rely on the person to record, and they're often incomplete and illegible. So we tried to go back and ask a hospital if we could look at their paper records during a ransomware attack and see what happened, and what do you think happened? They started laughing. They started laughing. That was pretty close, but possibly. All right, so we did the next best thing. This paper is born out of frustration. I've tried for years to measure this effect. The best I could get is what happens next to a hospital that's been hit with ransomware, okay.

It's a paper we published last year, and it goes like this. In 2021 in San Diego there was a large ransomware attack, I didn't say it, and it got hit. All their hospitals are in San Diego County, they all got hit, they were down for almost a month. I am employed at a hospital in San Diego County where two of our hospitals are literally across the street from those hospitals, okay. So I did the next best thing: if I couldn't see what was going on on the other side of the street, I measured what happened at my shop. I measured the ripple, blast effect over to us. Tell you a story. Walked in on a Sunday to work my

shift in the emergency department, walking up, and there's a line of folks outside of the waiting room of the emergency department waiting to check in. That hasn't happened since the throes of COVID where I worked, and I was like, whoa, something's up. I walk in, and as I'm walking back to the doctors' area I take a look to the right and there's a window that shows the waiting room. Waiting room's full. I sit down with the other doctors, say what's up? They said there's a ransomware attack in town and all the ambulances are getting diverted to us, all the patients are coming over to us, because it's really busy over there. We measured four weeks before the

attack. Four minutes. Measured four weeks before the attack, four weeks during the attack, and four weeks after, and I'm not going to kill you guys with this, but what happened to our emergency patients? Number one, we saw way more of them. That's our census. We saw 2,300 ambulances the month of the attack and we only saw 1,700 the month before. Saw huge amounts of ambulance traffic. We admitted more patients. More patients left without seeing doctors; they came, the wait was too long, and they left. More patients left against medical advice, who said, hey, you probably should stick around, and they said I'm out and they left, even after seeing a doctor. If you got admitted to the hospital, you

waited longer to get a bed, and if you were waiting in the emergency department you waited about 40% longer than you normally would, just because there was an attack going on across the street. What happened in the ambulances? This is a graph that shows, again, four weeks before the attack, four weeks during the attack, and four weeks after the attack. Let me explain this. This is the number of hours that hospitals in San Diego County are on what's called diversion. That means, hey, we are overwhelmed, overrun, out of commission, we cannot take ambulances right now. So this is all hospitals in San Diego. We add up the amount of time per day that

they go on diversion and we represent it in this graphic, and I'm again not going to kill you with this, but look at that spike. One day at the height of the attack there was over 190 hours where hospitals in San Diego County were not taking ambulances. Anecdotally, this is the highest rate of diversion that San Diego has ever seen. Not COVID; a ransomware attack put our hospitals on diversion more than any other event in the history of us collecting this data. And what happened to our stroke patients? Three out of the four hospitals were stroke centers. People don't stop having strokes because the hospital's on diversion; they come to other stroke centers, and we just got hammered with

strokes. Ambulance after ambulance after ambulance coming, because we're the only stroke center. Well, there's a couple other ones, but there's only a certain number of them left. Conclusion: it's not just what happens at your hospital or your company anymore, it's what happens in the community, the web around it, as well. The ecosystem is incredibly vulnerable and the resiliency is not there. The depth to absorb something like this does not exist. And this was an urban place that has over 10 hospitals in a single city. If this is a rural hospital in the middle of Idaho or New Mexico and it's the only place that delivers care within 200 miles, and that's the hospital that

gets hit, what happens to you when you get sick? Minutes matter. We're almost up on another four minutes. You have a cardiac arrest, you think you're going to get effective care in the time needed when there's a ransomware attack going on? The answer is no, in my mind. When I made this slide, I Googled "full circle" and this is what came up. What do you think, intuitive? All right, maybe I'll change that for next time. We started out this talk talking about cardiac arrest and how I grew up wanting to help those patients that were having it, and I grew up a hacker, and I wanted to ask the following question. I wanted to see what happens to

those patients that have cardiac arrest, just like the one you heard that recording of, with the same thing during a ransomware attack: four weeks before, four weeks during, four weeks after. You saw that video when we're pushing on the chest and building up circulation and restoring blood flow to the brain, right? That's going to give you more time. That four minutes, that six minutes, that ten minutes, it can get prolonged if you do good CPR. We can be giving some blood to your brain, and so maybe you don't have as much brain damage, maybe we can get you out 20, 30 minutes, we finally get your heart started again and you're able to come back. That's the whole point of it. CPR

helps us reduce the chance of significant brain damage while we try to get your heart started back up. But there's another concept I need to talk to you guys about before I give you guys the punch line of this

paper. Another four minutes. It's that we might get your heart back, we might not get your brain back. There's a concept in cardiac arrest research called survival to favorable neurologic outcome. I'm sorry, I don't come up with these names, I wish they made them more accessible, but it basically means not only do you survive your cardiac arrest but that you have a favorable neurologic outcome. It might not mean you're normal, but maybe you walk, maybe you talk, maybe you can feed yourself, all right? So that's the goal. If you have a cardiac arrest: high-quality CPR, we get your heart started back as soon as possible, and hopefully we've saved as much of your brain as we possibly can. I want to ask

the audience here, before I show, we're going to do a little hand-raising exercise, okay. I want you to raise your hand if you think we can get folks back, we can restart their heart after their heart stops, 90% of the time. Raise your hand. Oh, you guys are pessimists like me, aren't you? 80%? 70%? Okay. 60%? 50%? 30? 20? 10? Okay, all right, the smattering starts about 60 and down. In reality, the ability for us to get your heart started back up is probably nationally sub-20%, okay. It's not like TV. In fact, if you go look at, one of my favorite studies is they went and looked at all

the TV shows like ER, and they looked at what their arrest rate, when they get them back, like got them back and they shock them, and it's 90%. In the TV shows they get them back 90% of the time. When you ask the general population, most people think it's 80, 90%; it's because they watch TV. We tell them the real numbers, it's like sub-20. Depends on where you have a cardiac arrest, but it's sub-20. [Audience question:] Is that even hospitals, or is that...? Great question. It's all-comers. So if you have a cardiac arrest outside of the hospital or inside the hospital. But your odds of coming back if you have a cardiac arrest in the hospital are much, much higher,

okay, much more, 50, 60 percent-ish high. So good question, but all-comers: if your heart stops, no matter where you are, you're looking at pretty poor odds. We looked at that in our ransomware scenario we just talked about, what happened in 2021, and in our patients that we took care of that had cardiac arrest, we had about a 40% chance of getting their heart started with favorable neurologic outcomes. It's all-comers in San Diego. It's pretty good, right? So if you had a cardiac arrest in San Diego in an average month, we're rocking about 40% or so will get you back and you're going to have okay neurologic function, at least. What was it during the

ransomware month? We have guesses? 10? 5? If you look real hard you can see it in the slide: 4.5% chance. It's normally 40, and just because there's a ransomware attack across the street, your chance goes from 40 to 4. It's this paper. Yep, it's this paper right here, you guys can all look it up if you want. 40% to 4.5% chance for the victim to be able to walk, talk and feed themselves. "No patient care was affected." Yeah, there, Josh said, "no patient care was affected." We know. How can you say

that takeway four all right critically dependent and we're seeing more and more attacks attacks are harming people what's the future look like I'll tell you right now um You probably shouldn't take what I say without significant salt intake I know I'm a doctor to say that there's a recent met analysis that said salt deprivation diets don't really do anything so maybe you should take everything I say with a salt shaker instead of a grain of salt but whatever sorry Dr humor what's the future look like it looks like [ __ ] the first thing is that rural Health Care is collapsing okay so smaller rural critical access hospitals even some Community Hospitals in urban settings it is not looking

good and there are so many reasons why that's the case and there are no silver bullets to figure out I am not the expert that could give you a list of a of why this is happening other than to say there are huge financial pressures there are big Geographic shifts happening in this country of like population shifts there is in hugely spiking costs and the answer to so much of these rural hospitals closing is one of two things too bad or maybe they'll cut services to stay afloat maybe they took care of uh kids they had a pediatric Ward or maybe they delivered babies they had an obgy obstetrics unit but those never made money and they have to stop those to

keep the hospital afloat so maybe the hospital still survives but it's not really a full Hospital nearest care ends up being another several hundred miles away if you want to have a kid or what's really happening a lot is uh bigger Hospital systems are buying up smaller systems this terrifies me so so so much for a variety of reasons yeah maybe monopolistic stuff sure but I am looking at what happened with change I'm looking at what happened at Ascension I'm looking at what happened at UHS before and so when you buy a new Health Care System you take two more hospitals onto your network you're not going to use their systems you're going to put them on yours so all

of a sudden you are supporting the digital infrastructure, electronic health record, connected medical devices, and networks of 20 hospitals, and if you get whacked with CrowdStrike, instead of one or two hospitals getting hit, it's 20. And this is just going to accelerate. Like, we're not coming back from this. It's an existential threat for so many of these hospitals, and a lot of the answer ends up being consolidation. The risk for catastrophic failure is growing. Furthermore, I want to make sure we have some time for questions about this, so I'm actually going to circle back a little bit at this at the end, because I want this to be a discussion. But a lot of what we're talking about today is about critical infrastructure cross-dependencies and failures. What does a hospital use water for? We talked a little bit about it if you were here in the last talk or two, but let me just put it into perspective a little bit. Some of our imaging devices cool themselves with water. Some more: data centers that host our electronic health records in the cloud are all cooled by water. Our MRI machines, some of them are cooled by water. I won't be able to... I won't be able to characterize your tumor growth in your brain, I won't be able to tell if you had a subtle stroke that I didn't pick up on your CT scan. That might matter, really, really matter, that I get that MRI. Infection control: hospitals are by definition cesspools, right? The sick patients go to hospitals that have the infections. We work tirelessly, clean floors, clean surfaces, infection control, and core to that is water. So you have patients that already have infections, and not just run-of-the-mill infections. Sometimes these patients... another four minutes... some of these patients have drug-resistant infections you don't want to spread around. Sometimes they have tuberculosis, sometimes they have vancomycin-resistant enterococcus, sometimes they have Clostridium difficile, and the only thing you know that kills that... hand sanitizer doesn't do it, you got to wash your hands. Labs: I might not know you're having

some emergent condition unless I do some blood tests. One of the core requirements of a functioning laboratory system is water. So it might be the difference between whether or not I find out you have a condition at all, or maybe the difference between I find out you have a condition today versus two weeks from now, and two weeks from now it's too late. And on and on and on. We're going to come back to this. Some patients have feeding tubes, they can't eat food; we got to mix the nutrition with water to feed them. We need water to make the cafeteria function to feed all the rest of the patients in the hospital, and they're too sick to leave. I mean, it's terrifying to think about what that would do at one week, two weeks, three weeks. We do not have the prepared amount of water to deal with that for two days, let alone two weeks.

Takeaway six: the problems are very hard to make better quickly. I'm going to make some analogies here. I'm checking these with you guys; you tell me afterwards if it doesn't make sense. But talk about cardiac arrest. What are your risk factors for having cardiac arrest? There's a whole bunch of them. Maybe you're really unlucky and you have a genetic disease and it messed with your sodium-potassium pumps in your heart. I'm sorry, that's really unfortunate. Maybe you smoke. Maybe you're really old. Maybe you like bacon like I do. Maybe you're super stressed out. This kind of just looks like hacker summer camp in a slide, doesn't it? I'm just thinking about that now. This is kind of like, yikes. Okay, well, we're going to just gloss past that. I'm starting to think about this problem kind of like cardiac arrest. We have so many issues going on with the security of our hospitals: the technical debt, the lack of an effective cybersecurity workforce, the amount of money to fix some of these things. And I kind of liken them to risk factors for catastrophic failure, right? Just like having a heart attack and heart disease risk factors. How many of these does your hospital have right now for cyber, right? And then I kind of think about cardiac arrest as the failure, the catastrophic failure of the system, and the cyber equivalent is maybe something like ransomware. Kind of talked about this already: lack of financial resources, lack of cybersecurity expertise, legacy systems including medical devices, consolidation, third-party risk, geopolitics and international law, the economics of ransomware; the list goes on and on. But there are a lot of risk factors. So let's think about this like cardiac arrest. We can talk about all the problems, and we can start working to solve some of all those risk factors, talk about policy, can train up a

workforce, we can do all these things, and we should, because the prevention is really going to pay off in the end. It's way more cost-effective to do prevention than it is to do response. But we still do CPR, because people are still having cardiac arrest. And what's the CPR equivalent to a hospital under ransomware attack?

Audience: Respiration... I'm sorry, restoration.

Restoration, yeah, absolutely. We are talking about hospitals that have all of these risk factors. Why do they have these risk factors? You know, we could talk a lot about that, right? We're not going to change those overnight, and we're asking for the same folks that work under these constraints to restore their system as quickly as possible. The restoration side of it is incredibly important, but it's not seven days. Josh told me today, it's like, was it seven versus seven weeks? Finance: an outage of seven days would never be tolerated, and we get recovery back from ransomware in the financial sector much quicker, but it's seven weeks for health care. Why? It's not because people are staying home and the teams that are at these hospitals aren't trying their hardest. I've been at hospitals, I've been ransomed, I'll tell you it's stressful. They're trying their hardest, they're sleeping, yeah. We need to go quicker. We need to take that seven-week downtime and take it down to seven hours. That's what we should be doing. It's not seven weeks, seven hours. We need to take out the part that's hurting patients. If you have the teams working to restore these systems as quickly as possible, and maybe we come and restore, like, replacement technology: can I roll up to a hospital under ransomware attack and basically restore some of their functionality using a different system to bridge them, yeah, to bridge them until... so that patients don't get hurt?

Audience: ...plan.

I'm sorry? Business continuity plan. Business continuity plan, absolutely. I just, in the last year and a half, have been hanging out a lot with emergency managers and business continuity folks; I'd never had previously. There are a

lot of issues with hospitals and their emergency managers and their business continuity plans when it comes to cyber, but that's a great thing for folks in this room to do, right? Hospitals are generally pretty good at preparing for things like hurricanes, tornadoes, maybe power outages; at least they have plans. Those are the hazards that they're used to, right? If you're at a hospital in Florida, you probably have a pretty good plan for when a hurricane rolls through, right? I did a study, it's not up here, I can share it if you want. We asked a bunch of hospitals where on their list of vulnerabilities they put cyber. A lot of folks put ransomware high on their vulnerability assessment. Then we asked them if they're prepared, and they said no. So I think there's tons of work we can do in the emergency management, business continuity space to educate folks in the hospital space about cyber. So all they know is what they see on CSI or, you know, what they see on the internet or The Matrix or something. They don't understand it, they don't understand how it works, they don't understand how it's going to impact them. And so that's a great thing for folks in this room, to help partner with them, to help educate them and help them develop plans that can actually be effective, because right now a vast majority of them do not, and if they do, they're probably crap.

I'm co-directing this new center where we're trying to figure out a lot of that stuff. Like, we're trying to ask these questions: what patients are at highest risk during a ransomware attack? Not just, like, of their information getting stolen, but like, is it the stroke patients? Is it the cardiac arrest patients? Is it the patient that just got chemotherapy yesterday and we don't know what's going to happen to the white blood cell count in the next 48 hours? Is it the patients in the ICU that just had a heart transplant? Is it the trauma patients? You know, trying to understand which of these populations are the most vulnerable and what it would take to continue to

support them to the same quality and level as before the ransomware attack. That's one of the things we're working on. What are the required technologies, and how generalizable are they? Anyone here kind of work in healthcare, want to raise their hand? Oh yeah, yeah, you guys get this. Keep your hand up if you still use paging. Oh, you guys are lying. Oh yeah, come on. Does anyone else that's not healthcare use paging anymore? What's the new paging, Laura? No, doctors love pagers. Doctors love pagers, and they love faxing stuff still. All right, I don't know the answer. We definitely require faxing, and a lot of people just say, like, "fax it to me," but whether they like it or not, I don't know. What other critical required technologies, and how ubiquitous are they? You know, I'll tell you what, guess what: you have a cardiac arrest in the field and they get you back. The medics come there, they shock you, they get you back in the field, and they do an electrocardiogram. They put some stickers on your chest and they take a look at the waveforms of your heart, and they see that you're having a massive heart attack. Guess how they get the doctors from home to get into the hospital to fix your heart? Guess what they use? What do they use? Pagers. I'm going to repeat that: you have a cardiac arrest, cardiac arrest, you're having a massive heart attack, the cardiologists that are going to come in and fix your heart are going to know about your issue from a page. Makes you feel like the paging system is pretty important, doesn't it? These are the types of questions, and trying to map these critical technologies and be like, well, the paging system better work, or we better get off paging and get something better. There are a lot of things we can talk about, but you got to map it first and you got to see how ubiquitous it is. If it's only in 5% of the hospitals, then why are we talking about it? We really got to go for the highest-yield stuff. Some question over

here? No? Yep.

Audience: ...able to share perspec... BG...

Yeah, so it's being brought up that there's a lot of consolidation in healthcare technology as well, and electronic health records are basically the operating system of healthcare. You can't do anything with patients or healthcare without electronic health records, and there are only a handful of vendors. So there are lots of these critical vendors that are highly consolidated that have a huge risk associated with this. Whether we're having conversations with them or not: yes, the answer is yes, but it's not just them, it's all sorts of folks. And there's a lot of stuff. I mentioned earlier, I never heard of Change before. There, I want to know how many Changes are out there that I don't even know exist. A lot. How do I know, after I've gone and looked, that I got them all? There's no list, there's no process, there's no map. We don't know. Is it feasible to rapidly detect hospital systems getting hit with ransomware without having them tell us? We talked about lawyers, lawyers, lawyers. If I can find out that something's happened, can I detect that without them really telling me? Because I want to go and help them now. Can I roll up with 18-wheelers full of hardened parallel technology that I can just roll out to any hospital in the country and take care of patients just like they did before the ransomware attack, or to a pretty decent standard, that I

can deploy within 6 hours? You know, do we need a national strategic stockpile of technology for that? Do we need specialized teams that can respond at the state and national level? These are questions that we're wrestling with, because right now hospitals are just left to their own devices. Not in a... not in a bad way, but they're just drowning, and that's why they're down for seven weeks. That's not why they're down for seven days; it's because they don't have a lot of help. And then, yeah, maybe we can dream up some 18-wheelers and pull this stuff out, but is it a pipe dream? How does it actually work, you know? There's usability issues and stuff. Like, these are the big questions of today. And, cool, let's take some questions. Thank you all. That was my first run at this new talk; hopefully you guys liked it. Yeah, all right.

Audience: Do you have an understanding or an idea, or has somebody done research on what has caused hospitals to get hacked? Is there any data that could be shared with others?

Yeah, around there, there's no good data. This is a whole other issue, but basically, 200 years ago, if you had a cold and you went to your doctor, they'd say, like, "put some leeches on it, and here's some mercury, and like, here's some foxglove." We, in my opinion, are in the leeches, bloodletting, and mercury phase of evidence when it comes to cybersecurity, just broadly. It's all cult of personality, it's all expert opinion, it's all frameworks without actual science. So that's a meta answer to that; it's just to say no. But two, there are going to be a lot of vendors that tell you they have the secret sauce, right? And they're going to have a sweet deck, and they're going to have, like, "oh, just buy our MFA and look at all these ransomware attacks going down." It's all [ __ ].

Audience: It's phishing. It's phishing.

Yeah,

phishing, yes. Yeah, phishing is what it is now. There's no good phishing interventions; we can talk a lot about that too. But the answer is no, I don't think we have evidence to say this is why. We have a lot of people like me and other folks that'll give their opinions. Maybe it has to do with the fact that they have a lot of competing technological requirements on them: they have to share data with patients, they have to share data with anyone through certain APIs, they have to have a thousand different users or more, like sometimes tens of thousands of users accessing the same information, electronic health record. Maybe there's some structural stuff like that, but to be honest, I think it has to come down to economics, right? The reason hospitals and things are getting ransomed a lot, I believe, in part, and I've got no evidence, is because it pays to do it. And if the market dynamics were different and the economics weren't there, we wouldn't see nearly as many hospitals getting ransomed.

Audience: So in my experience, it seems like this issue of not having proper cybersecurity precautions in place already is more a matter of financial constraints. And so what have you discovered about getting hospitals to step away from profit and move it towards patient care? And also, as a side note, adequate staffing.

The conversation at the top, where the money is, has changed a lot in the last 10 years. I remember this was not an issue at all, and now it's an issue, but I don't think there has been a Menor investment. We could talk about regulation as a potential mechanism for that. There's a lot of discussion at the federal level here about minimum requirements for hospitals as a condition for Medicare, stuff like that. I wish I could give you an expert answer to that, because the more and more I look into this problem, the more and more I try to understand it, the more complex it gets, and there are things that I would never even begin to understand. There are the

financial constraints in some of these places that make me sometimes question something as simple as, "well, just put more money into it," or "just hire more people." It's like, two things can be right at the same time. Like, we need more money, we need more people, but we also need a new nurse practitioner to handle 150 diabetic patients who, if we don't help them get their diabetes under control, they're going to end up in cardiac arrest. And it's, like, seen often as a zero-sum game. I don't know how to break that vicious cycle, because there's always going to be someone saying, "this is important, this is important." We're all cyber folks, or most of us are cyber folks; we think this is the highest priority. In a lot of ways it probably is; maybe it isn't always. And so if we're always crying wolf and we're always saying, "if we don't do this, everyone's going to die," I don't know how much longevity and real change we're going to have. At the same time, we got to show people the data, we got to tell them that this is the risk to them, and maybe the secret sauce ends up being, "you're going to lose $120 million at least if you get ransomed," and maybe that is going to be the financial motivation to change their minds. It's going to be some combination of strategy. There is no one way. Okay, please join me in thanking Dr