
Okay, so we actually are expecting Josh to show up at some point, halfway through this, and he was supposed to moderate this, so we're kind of winging it a little bit. To start with, we're going to do some introductions and then talk a little bit about each of our roles in safety disclosure and what our experiences have been, and then take it from there.

My name is Jay Radcliffe. I am currently a cybersecurity researcher at Boston Scientific, who makes medical devices, and my big experience with this is as a patient. I am a type 1 diabetic and have used medical devices of various types for a long period of time, probably the last 20 years since my diagnosis, and I have a very intimate relationship with medical devices and their safety because I depend on them every day to keep me healthy and to keep me alive. I have incorporated that into my career as somebody who is a medical device hacker, somebody that looks at the safety and security of medical devices from a software and technology perspective. That's kind of my role in this field and in the industry.

Hi, I'm Suzanne Schwartz from the FDA Center for Devices and Radiological Health. Before I talk about the FDA, what I really wanted to do was take a few moments on behalf of FDA to recognize, to really acknowledge the work that I Am The Cavalry has done over the past five years, and to really state how important the contributions are that all the security researchers have contributed to the medical device ecosystem. We highly value that work; it is extraordinarily important to advancing medical device cybersecurity and moving the ecosystem along, and so we want to congratulate I Am The Cavalry for that work. We look forward to ongoing efforts, particularly in that shared mission space of "safer, sooner, together."

So with that, just a little bit of framing around the background of FDA's work in medical device cybersecurity. Our emphasis has been very much on building the community, on really building that collective and collaborative atmosphere, and it's as a result of really trying to do that kind of convening, and giving every stakeholder a voice and a seat at the table, that our ability to formulate policy has gotten to where it is at present. When I speak about formulating policy, I'm talking about the guidances that we have published for both the pre-market side of cybersecurity, in other words prior to devices going on the market, as well as throughout the rest of the product life cycle, post-market, once the device is actually in its clinical use. But this has been a very arduous journey and one that we at FDA have been learning as we go along with all of our partners, and there have been, you know, a fair number of hiccups and challenges along the way, very much a part of what it takes to mature an ecosystem, to mature the sector, in an area that has been at a very rudimentary level as of at least a few years ago. Granted, we've seen a fair amount of progress, but it's more than just taking the tools that we're able to deploy out of FDA, the tools out of our toolbox; rather, what does it take to change culture, and what does it mean to change hearts and minds and to really bring everyone together? That's where utilizing the research community has been so very, very important, and a good example of that has been in the coordinated vulnerability disclosure space. That is a really good illustration of how FDA came to really understand the importance of manufacturers and others adopting disclosure policies, making those policies public and available and transparent to researchers and other identifiers, and having processes in place for intake and handling as well. So while we have seen some good steps, some good progress forward with respect to adoption of disclosure policies and coordination around vulnerability disclosure, there's still a long way to go, but we can talk about what some of the difficulties and challenges are as we continue with this panel. I'll hand it over now to Nina.

Hi, can you hear
me? You can't hear me. Can you hear me now? Better? Super, good. Okay, so I'm going to hold it like this and look awesome the whole time. Good. No cam? Yeah, okay.

So I'm Nina. I own the DEF CON Biohacking Village, and one of the medical devices that I work on is the electronic medical record, which in my eyes is the ultimate, sorry, it's the ultimate medical device, but it's not actually considered a medical device. My main issue with it is that it's built on a lot of antiquated technologies. This year with the Biohacking Village, what we decided to do was to build it out. Under normal circumstances, last year, the year before that, the year before that, it was a lot of security talks; everything was someone up there giving a presentation. Last year we were looking at the situation thinking this isn't the whole ecosystem, this is not everything that happens with medical, so how do we make this better and how do we make it whole? So what we did this year was create a medical device village along with the talks, and a wet lab. Building all of that out gives the researchers a better idea of how medical actually works, and you can get your hands dirty and touch everything and get in there, talk to the manufacturers, get better insight into what they're doing, how you can help, things like that.

So just touching on what you said, some of the challenges that we have normally faced are trust: how can the manufacturers trust us as hackers, information researchers, to give them the right information, and how do we get them to trust that we're giving them the right information so that they can maintain the integrity and the safety of these devices? So since we don't have a moderator, my question back this way is: as a patient, and as part of Boston Scientific, how do you guys deal with that, and then how does the FDA further accommodate things like that?

Well, from the Boston Scientific perspective, you know, we're just kind of starting this cybersecurity program there, and it's very interesting. When they brought me in, they gave me this large list of legacy devices and they said, you know, we need to make sure these legacy devices are safe, but we also need to make sure that the devices that we're making going forward are safe. We're seeing a huge demand from healthcare delivery organizations: they don't want to buy devices that are insecure. That's crazy, right? They actually are doing their homework and they're asking lots of questions of us about how we are testing these devices, how we are guaranteeing that these devices that they're buying are going to be secure, not only now but secure going forward for the next five, 10, 15 years even, because medical devices are not something that are like your cell phone. They don't get replaced every year and a half; they're something that usually lasts a long time, and that industry is used to having devices last for 10-15 years, so when they make that investment they want to know that those things are going to be updated and secure going forward. Now this presents a large problem, because there really isn't an operating system out there that gets support for 10 to 15 years, and when we look at a lot of these new medical device technologies, a lot of them are being built on the backs of things like Android devices, and Android devices have an even shorter lifespan. You know, the average lifespan of an Android phone or a tablet is about a year and a half, and if you know anything about the medical device world, it takes longer than a year and a half just to develop a medical device. So it's a very big challenge to us as a manufacturer to build these devices and to make sure they're secure and supportable as they go out into the field, as they go out into patients' hands, to make sure that they are indeed secure and stable and usable for that entire lifetime that they've looked at.

So,
to add on to that, from FDA's perspective, let's start off from where our mission is, which is to protect and promote the public health. We look at cybersecurity of medical devices through the lens of patient safety, recognizing that if there were to be an exploit of certain types of vulnerabilities of devices that could affect the performance or the function of that device, then that patient's health can be in jeopardy; that patient could suffer some kind of consequence, or even worse yet, it could be more than one patient, it could be a number of patients or a mass number of patients. So when we think about it from that point of view, it's important for us also, in a lot of the outreach and the multi-stakeholder engagement and the educating and the building awareness that we've been doing, to really underscore those principles of what we're talking about here with regard to FDA's mission and FDA's specific emphasis on assuring that these devices are not left with exposed vulnerabilities that can lead to the kinds of hacks or attacks that can endanger patients.

Coming back, though, Nina, to your question: I think a lot of this is again focusing on building or creating an environment of trust, of respect, and of empathy among different stakeholders, and without those factors the ability to share information and to be transparent about sharing that information really just sort of unravels. So that is really very much key to what we have invested a lot of energy and a lot of effort in doing, and it's with growing pains, there's no question around that. We've seen some disclosures that have gone very smoothly, where there has been really great dialogue across the different parties and communication that's been very much aligned to the public, and there have been others where there have been quite a few hiccups. So I think the other piece that's really important to emphasize here as well is that it's not merely about the disclosure per se. You know, the disclosure is critical, but that's not the outcome, the endpoint; built into that concept is really the means by which one gets to full management of that vulnerability and making sure that the vulnerability is being addressed appropriately, from the standpoint of whether mitigations, controls, or remediation need to be put in place in order to appropriately, again, manage that vulnerability. So a disclosure is certainly a mechanism by which to do that, but FDA would not want the industry and all stakeholders to lose sight of the forest for the trees here, in terms of it's not merely a check-the-box exercise of disclosing.

Did you want to say something? Because I have another question. Go for it.

Okay, so one of the things that happens: let's say you go to the hospital because you're having a heart issue, right? They don't walk up to you and say, okay, here are all the pamphlets of all the pacemakers we have, here's their contact phone number for support, you've got about five hours, let us know how you feel, call them, choose the one you want, we're good to go, we're going to send you in to surgery. Right? It's an emergency; you have to be in surgery within two to three hours to make sure that you're living. So with that, the device is going to humans, which don't get instant updates, and patients aren't very fully aware of what these things are, of what the devices are that are attached to them. You just know that the doctor gave it to me, it's going to work, I'm going to be fine. So how do we better ensure that, as medical information security and technologists? How do we better accomplish this, and what's the educational process?

It's a good question. I think that one of the things that I've seen a huge amount of growth in is the amount of questions that I get asked and the amount of enquiries that we get from medical professionals. I've had some recent privileges of being on technical expert boards with doctors, and they have become a lot more aware of these things, and I think it's because not only have we had some success in media in talking about some of these issues publicly, but
I also think that it's kind of creeping into their minds just because of the way the technology is running. You know, I mentioned cell phones, and one of the new technologies that I'm seeing is that the cell phone is going to be the bridge between the medical device and the cloud, and that's how all of the data that the patient generates is going to be communicated. Doctors are incredibly smart, intuitive people. They know, hmm, my cell phone drops calls all the time and does weird things and can get malware on it, and now it's going to be responsible for doing things with these medical devices, and I've got some questions about that, because I don't trust my cell phone to make credit card payments, yet I'm going to put my faith in this cell phone in patients, you know, to keep track of pain stimulators, of cardio devices and cardio rhythm devices. We see this technology being used more and more, and doctors are starting to question, is this safe? Whereas before it was very abstract, it was very proprietary, where you had to be within six inches of the device to communicate with it with a programmer. Those are older technologies, and now we're putting Bluetooth into everything, and these things are familiar to doctors. I think that we've done our part in helping to educate them, but I also think that it's just the proliferation of technology that they're familiar with and that they have questionable experiences with. You know, I think that all of us in the room can understand how maybe we can question our cell phone not being the most stable device that we've ever used, or our Bluetooth headset that connects to our phone or our car; maybe that's not the safest and best way to go. It's not to say that it's not safe, but doctors are asking those questions to determine if those types of devices are safe to use. So I am seeing a lot more doctors asking questions about that technology, and even though patients might not have the immediate decision-making capability whether to choose their device or not, or to choose to have that device have Bluetooth capability or not, there are certainly doctors looking out for their patients' safety in that regard. So that's very encouraging.

Yeah, we haven't seen that kind of significant progress all across the clinical community, but I think that you're seeing signs of that, particularly in cardiology or the cardio interventionalists, and it is our plan to target other parts of the clinical community over the course of the next year in order to, again, better inform and better empower physicians around the technologies, so that they're better positioned to have that kind of an informed conversation or dialogue with patients. We think that educating patients is really critical here, and because those dialogues also are happening between the patient and the provider, it is important that the providers feel a level of confidence in what it is that they're able to communicate, and that they could put it in language that a patient can understand and can, together with their physician, make a decision based upon, you know, what's put in front of them in terms of devices. So this is an area, in terms of communications and better education, where FDA working together with different clinical societies, working together with various patient groups, is going to be really important as we go forward.

I have more questions. So, shameless plug time: I Am The Cavalry does a cybersecurity summit. They did one in Arizona and we did one in New York, where we talk about the emergency preparedness of medical facilities, hospitals, ambulatory centers, things like that. So I know you were involved in it. Okay, so essentially what happens is we escalate the situation. You know, at first one computer goes down, you find out there's some ransomware, and then by the end there's mass chaos, havoc. It's amazing; if you ever get the opportunity to go, you should. So what lessons can we learn from mass emergency medical downtime, and how do we ensure patient safety with disclosure of ransomware and breaches from the hospital systems or the
military systems? Are you asking me? I'm asking both of you. Okay.

That's a good question. You know, hospitals tend to be a little bit understaffed and behind when it comes to their IT technology, and there's a lot of struggle that goes on in that ecosphere, even with having a solid inventory of all the devices that are in your environment, and being prepared for that is a very scary situation, because I don't think a lot of hospitals are prepared for it. In my experience, you know, not only from my years of consulting, working at hospitals and working with hospitals, it makes me very nervous to see the amount of devices that go unpatched, the amount of, well, I know we have a lot of devices, I don't know where they all sit, and I don't know how many are vulnerable right now, because we can't scan them. We can't do that type of technology because they're inpatient, they're in patient use, and devices that are 10 to 15 years old don't react well to scanners and they don't react well to a lot of the modern technology, and when you have somebody hooked up to a respirator or an infusion pump and you scan it and it decides to reboot and take five minutes to do that, you might harm the patient. That's something that I think every hospital and every medical device, everything in medical, centers around: the patient, and making sure the patient is safe. So that's not a risk that they're willing to take, so they are often not as prepared, which is why you see this chaos that comes up when you have things like, well, there's some malware that's spread across the entire hospital and locked up all the medical records, so now we can't figure out what blood type this person is, or we can't figure out what their diagnosis is, and they might be in a coma. So it's a very troubling situation and it's a very scary situation.

And that's why it becomes really important to do exercises, right? To be involved in preparedness, response, recovery, and resilience exercises that focus on simulations where you have a cyberattack of sorts, or different kinds of simulations and scenarios. We think that this is really very important, and hospitals, as part of their hospital preparedness programs, do this for other types of hazards all the time. What we need to do, and what is happening actually, is building that same kind of programming and exercising for cyber-related functions too. So do stay tuned on that, because FDA has been working with MITRE and with two states, with New York and Massachusetts, on pilots in terms of putting together playbooks for cyber preparedness and response that will then be utilized even to exercise and to iterate around what the gaps are and how to shore up some of those gap areas. But, you know, clearly we can't leave hospitals with the lack of ability to respond effectively if and when they are hit by some kind of an attack. Yes, it involves New York City as well.

So I'd like to talk about one thing real quick. Since we're talking about disclosure, I think it's really important to note how far we've come in disclosure. Seven years ago I gave a talk at Black Hat where I hacked into my own insulin pump, and at that time the state of disclosure was pretty chaotic. I didn't feel comfortable enough going to the manufacturer to disclose that before my talk, because I knew that their reaction would be to sue me and I would never get to do the talk, and people would never get to hear about the vulnerabilities that I found in my medical device. That was seven years ago. Today, and just last year, I disclosed the same type of vulnerability to a different insulin pump manufacturer, Johnson & Johnson, and I was able to do that very comfortably and go to them and say I found vulnerabilities, and they said, great, we have a vulnerability intake program and we want to work with you and make sure that we address these issues
correctly and safely. It took, the process took us over six months, but the end result was me as a researcher coming out with the manufacturer and saying these are the problems that were identified, these are the solutions to get around it, and patients should not be overly concerned with the day-to-day operation of these devices, and if they feel especially threatened, like if they were a president of a country, or if they maybe were unwilling to take those risks, I kind of call, I don't like to use the term tinfoil-hat people, but these risks are very low probability but very high impact, you can turn some of those features off and not have that risk present in your life. That was impossible seven years ago. It was completely and totally impossible, and because of the work that the FDA has done, because of the work that the Cavalry has done, because of the work that a lot of researchers and medical device vendors have done, we've reached a better state. It is not perfect. It is not something that, you know, we can just say, great, we're done with it, we don't have to do any more work on this. There's still a lot of work to be done to make it better, but man, has it come a far way, and as a researcher that makes me a lot more comfortable doing my disclosures and doing my research. We've even gone as far as getting exemptions to the Digital Millennium Copyright Act to make sure that researchers that are doing good can do the type of research that's needed on these medical devices. Seven years ago, when I did research on my own medical device, I had to do it with one hand tied behind my back, because I didn't want to risk going to jail. That was not part of the plan, and I wanted to make sure that good guys had as much ground to explore and to research as the bad guys did, or as adversaries did, and now we've reached that state where we can do that type of research without having to worry about prosecution under the Digital Millennium Copyright Act. Now, again, it still is not perfect. We have a ways to go with things like the CFAA and other types of legislation and laws that might impact a researcher's ability to do research and to disclose, but again, we've come a long way, and I want to recognize that we've come a long way and things have gotten a lot better from that perspective.

I couldn't agree more, and we really make a point of applauding the behavior of medical device manufacturers that have engaged in coordinated disclosure and really in being able to work in such a collaborative manner with researchers and with government agencies, in terms of being able to communicate like that. I think that where we want to be, you know, in terms of setting goals for the next 12 months, is to see even greater adoption across manufacturers, because we have more than a handful, I'd say we have two handfuls, of manufacturers that are champions in this arena. They are really at the leading edge, and they've really put themselves on the line, I have to say, with regard to disclosures, because the media or the press doesn't necessarily understand or perceive right now that making those kinds of disclosures is actually a sign of greater maturity and of transparency, and those manufacturers often do get dinged and pointed to as being the ones that have vulnerabilities, when we know that every manufacturer, every product, every medical device has vulnerabilities. So one of the challenges that we see as we go forward in this next phase, actually, is trying to get a better grasp on what the hurdles are, what the perceived obstacles are, what's hindering medical device manufacturers, the bulk of them, from actually adopting these policies and participating in coordinated disclosure. As we get a better understanding of that, there are going to be various white papers and playbooks that are being put out by different groups within the healthcare sector to try to help address this issue from different angles, so that again, hopefully by next year at this time, it won't be 15 manufacturers of the thousands that you have in the ecosystem, but there will be maybe, I don't know, maybe a hundred or so. That would be really nice to see.

I have a question for you, Nina. I didn't know if you wanted to talk about what kind of protections you put in place in the Biohacking Village for coordinated vulnerabilities that are disclosed or that are found during that process.

It's more of a Beau question, though. Beau is the lead on the medical device village, so I'm going to hand it to you. Turn it on. Always. Okay, I'll go stand in your eyeline, better.
Yeah, so we spent about 18 months working through how we're going to do the medical device village this year at Biohacking Village, and we've gone through some pretty great pains to make sure that we strike a good balance. You know, one of the things we don't want to be is something like the Voting Village was, where you have a bunch of bad actors. You know, the voting machine makers don't want to improve the security of their devices, they see them as secure enough already, and so the Voting Village had to go out and get a lot of negative press. We want to work with people who are doing good things to get positive press out of it. So shifting the mindset from one of exposing bad practice to really an educational learning environment, a safe space for collaboration, for trust building, for understanding and empathy, is our goal. So to that end, some of the things we put in place are like labeling for all the devices, so you know, here's the disclosure policy, or here's a link to the disclosure policy, or, you know, this device is not on the market anymore, it's for educational purposes only; or bringing in the medical device makers themselves to help set up the lab and to run it, so that they can be literally face to face with the person finding the issue, so you cut the threshold to reporting to almost zero. We've done a number of things like that. I think that some of the biggest breakthroughs that we've had are the medical device makers themselves, who, some of them, proactively reached out to us when they heard about it. They were like, hey, we want to be a part of this, like how can we come, will you let us set up in there and talk to folks? Like, yes. So I think that's emblematic of the industry change: that it's not just us who has to put the protections in place, which we have done a lot of, but it's also the industry themselves wanting to lean into security rather than lean away from it. And there's other things we've done, like working with some of the third-party disclosure groups who are able to triage some of those vulnerabilities. Art Manion is going to be there from CERT/CC to help with some of that. We've got some good informational materials that we're going to give out that give you a good, clear pathway to reporting issues, so it's not just, hey, find something and then go out to the media. At DEF CON generally this year there's a ban on recording, and we took it a step further: we said for press it's default deny, by exception only will we work with press to come in there, because we want to make sure that the story is right and accurate and not sensational and overly dramatic. You know, nobody wants a bunch of FUD out there, least of all people who are trying to build trust in the industry and in the ecosystem. So that's a lot of the things; I'm probably forgetting a few of them because my brain is kind of fried right now, planning this for the past few months.

Great. Thank you. Josh, you want to join us? No, no, you heard, it's covered. Okay. Yeah, if you've got a question, sure.

The vulnerabilities equities process, could you explain that for everybody?

FDA has not had this ability, nor has HHS, on the vulnerability equities process, so, you know, the concept behind it, and Sean, you may be in a better position to explain it than I can, but the concept behind it is to make sure that, with respect to vulnerabilities that, were they to be exploited, could be, you know, highly catastrophic from the national security perspective, those vulnerabilities be maybe kept within very constrained circles within government, and that, you know, in certain cases the manufacturers would not be aware of those vulnerabilities, and that they can be used even potentially in an offensive manner as well.

But yeah, I just wanted to throw those three little words out there.

Yeah, so how do you envision the federal versus state versus local role in managing risk caused by vulnerabilities, and not just medical devices but IT systems in hospitals generally? So obviously the FDA has the most market guidance, but how do you see states coming
so from a response perspective you know this is where our working on what we're calling this regional playbook becomes important in that you know there there is infrastructure there's response infrastructure that is in place at HHS's level of the assistant secretary for preparedness and response what's known as a spur and a spur has connections you know in to the states through what are called like regional coordinators and those regional coordinators also cross into the different states public of health departments as well as with hospitals as well what we're proposing is that that education has to and that linkage needs to expand to get beyond what are all hazards types of responses for which that aspirin network has been
set up so that the parties that would be engaged from a response standpoint really understand what it means to deal in the moment with a cyber related type of an attack as well so it would leverage that kind of that same type of a network what we've done also through the work thus far in building a playbook and in reaching out to States is to have discussions with those states departments of public health as well as with various parts of you know the regional coordinators there and with the hospitals just again taking even lessons learn from there but and leveraging those
Yeah, I would say so. It's just, knowing what you do for the National Governors Association, I would say beyond, slightly beyond, the coordinated vulnerability disclosure or the disclosure process, what we're finding, at least in the... we did the Congressional Task Force for Healthcare Cybersecurity, is, you know, but for the rest of the room, one of the things we found was: while medical device makers were starting to add coordinated disclosure, while we're decriminalizing research from the hacker community, while Suzanne and her team are trying to improve the state of the art and the minimum entrance criteria and ongoing care and feeding of medical devices, the last mile seems to be the hospitals. And one of these, I think, a role for the National Governors Association or for the state and local is to try to drive things like our CyberMed Summit, where we did clinical hacking simulations, the tabletop exercises with state and local government and hospital administrators, to have a very visceral and palpable experience of how underprepared they are for this new form of weakness against accidents and adversaries. So I wanted to see like a 50-state initiative, or maybe go to the major cities in the U.S. that have some sort of mecca around medical, like the Boston area, Minneapolis, and Cedars-Sinai in LA. But the people that see themselves as leaders in this profession, were they to start doing this because their governor asked them to or their mayor got involved and took a personal interest in disaster recovery or preparedness or some sort of national security exercise, I think it would create fertile soil for all the great work that you've already heard of today. So I think their role is really to be a better receiver of the good information, and to date we haven't really leveraged that, because we, at least from the Cavalry's perspective, we found it hard enough to try to break through into federal government, let alone 50 states or even more cities. So it's very overwhelming to us; we need guidance, leadership from you. But I would say getting that awareness level up may better leverage all the good work that we've already talked about.

Also, for that, I live in New York City, so as far as the local, state, and national is concerned: 9/11 happened. It was really a real thing, and I'm not sure that we actually learned anything from that. Hospitals are 24 hours, seven days a week, 365 days. How do you do an emergency preparedness exercise with a city that on a weekday, during rush hour, during 9:00 to 5:00, has put seven million people in it? How do you make all of that happen where people can get to a safe place, or whatever the situation is? So that's something else that needs to be addressed in big cities, smaller towns, things like that, on the local level. And then as far as the state and national, it's like Josh says: we just need to work up or down, but we need to work on it.
Do we have any other questions? Welcome, Josh.

Oh, hi. Do you have some additional questions or topics you want to bring to the table?

Since I don't know if it's already covered, and you guys are also brilliant, I'm assuming you covered it all; someone tell me if this was already covered. But I think the hardest part, and one of the big risk areas we have, is, you know, I think it's good that we've gotten more of a positive attitude towards, an embrace of, the value of white hat research or good guys. I think some of us are jumping too soon to wanting it perfect, and what we saw working with Allan Friedman and his NTIA process is that people are at different parts of their journey. So while the disclosure wars and debates are 20 years old for most of us, a lot of these safety-critical industries are at year one, and they have to kind of crawl, then walk, then run. And what we've been trying to do is get them on the crawl stage and then hope that there's a virtuous upward spiral, that they'll add some more nuance or some better legal language or more safe harbor clauses and whatnot. So I call it being patiently impatient. And there's some people in the room that we've been trying to work on for a couple of years to get them to do their very first coordinated vulnerability disclosure template, and it was really helpful when the Commerce Department put their seal on it, and it was really helpful when Suzanne, before that, said, you know, we really treasure the value of white hat researchers, please start these programs. And we are making strides, but I think to get to that next level of adoption we have to get almost things like a product manager and look at what are the use cases that are keeping them from doing so, what's that one little stumbling block, because in a lot of these cases it's one little phrase in the NTIA template that prevented them from having any program. So you know what we started doing? We said: just cut that line. I would prefer you have it, but cut that line, get started, because when you have your first program you have your first taste of success, and when it doesn't explode, then your internal confidence goes up and your internal political capital goes up. And I think sometimes we're so frustrated that we haven't been embraced, we want more than they're capable of giving us. So sometimes going slower actually makes you go faster. And I want us to have some level of relentless attachment to the goal of high trust and high collaboration between researchers and bug receivers; I also want us to have a pragmatism to us that gets us there faster. Sometimes, you know, slow is smooth, smooth is fast, and we haven't really demonstrated that. A little bit of patience up front tends to start the process, and then you can accelerate into the curve, and I think we have a lot of proof points to that effect. But that's kind of what I wanted to add. It's like, even I just started my own coordinated disclosure program now that I'm back in the private sector. It was hard to get through the general counsel, really hard, but we got something through, and I narrowed the scope down to maybe one product. And someone could criticize that from the outside and say it's not perfect, but I think that patient impatience, when the first few disclosures are getting in right now, aren't gonna backfire; people are like, oh, this isn't so bad, oh, I can see the value in this, and then you can expand from there. So we have to look at this as more of a marathon and not a sprint, and I ask my hacker colleagues: don't be so purist about it, and don't, you know, overplay the trust we've started to experience, but help people get where we want them to get by understanding where they are. You know, they have their current state, we have a desired state, we have to build a bridge from that current state to the desired state, and it's often not one maneuver. I think the people in this room know that they want to use the empathy and the patience. And I wanted to go a lot faster than many of us have experienced, but I think if you squint, we have a graphic that new way made for us that showed like 18 parts of the US government in a two-year period enthusiastically embracing the value of coordinated vulnerability disclosure. I said this earlier this morning, but if you weren't here, Art Manion did a Senate testimony a couple of weeks back about the Spectre/Meltdown disclosures, and both the chairman and the ranking minority both implicitly articulated, almost perfectly and implicitly articulated, the value of white hat research. They were actually critical of the response from industry, and what a victory, in a five-year span, to go from hackers are criminals to a gimme for elected officials in the Senate to understand the value of research. So I think on the arc of history we're doing the right thing. So what I would encourage you guys to do is: don't drop the empathy that got us this progress. Don't give up on the goal, but don't drop the empathy that got us here. I think that's why we built trust with Suzanne and her team, and that trust, hard-earned, has turned into significant secondary effects where Congress is like, we really like this, maybe other parts of the federal government should do what Suzanne's doing. So I hope that wasn't redundant with what was previously covered, but I think we're doing the right thing the right way, and we have to have realistic timelines. I don't think we should be arbitrarily patient, but we should understand where our teammates are at and help them across that next hurdle. Is that redundant? No? Yes.

I think there's a lack of clear communication on what constitutes a critical vulnerability and advice, versus a vulnerability that's important to be aware of but perhaps is not as severe as some of the others that are out there. And as somebody who writes about this stuff on a regular basis, even I find it confusing and unclear to try and figure out what's a serious vulnerability and what is less serious. I'm curious what's being done to help clarify that.
Well, that's definitely something that I had a huge amount of consideration for when I disclosed my Johnson & Johnson work. One of the things that I learned in this process, when I disclosed the stuff in 2011 with the Medtronic insulin pump: you know, I just thought it would be a cool Black Hat talk that all my geeky nerd friends would enjoy, learning about how I found out about this. And when the media got ahold of it, it became this really big thing, and I got emails from all over the world, from parents, from doctors, from hospitals that wanted to know what they should do. Does this mean I need to wrap my kid's insulin pump in aluminum foil? Does this mean they need to go back to doing shots? What does this mean? I don't understand what this vulnerability means. I learned a lot from that, and the second time around, when I did the work with Johnson & Johnson, I said I want to make sure that people understand what this means. And I wrote a big blog post that got posted the same time that we did the disclosure, and I said, as a patient and as a parent, I implore you to keep your child on this insulin pump if you're affected by this vulnerability, because if I had to choose right now to keep myself or my children on this insulin pump, even with the vulnerability, I would still do it. Yes, the vulnerability is bad, but we have to realize that vulnerabilities and risk are relative. I mean, we take a risk when we fly to Las Vegas to go to this conference. Now, some people choose not to fly; some people choose to drive because that's a different type of risk that they're comfortable with. But I think that making consumers more aware and more comfortable with what that risk and vulnerability means is really important, and part of that's the researcher's job. I need to tell patients: hey, this is a really technical thing that's probably never, ever, ever going to happen to you, but it's still something that we need to be aware of and we need to fix.

I think we just got the five-minute warning, but a small answer is: tomorrow we have Art Manion from CERT/CC, Tom Millar from DHS, who's technically the sponsor of CVE, which leverages CVSS, myself, some other folks. We're gonna kind of drill into some of the strengths and weaknesses of that, but one of the big problems is CVSS is kind of really not well oriented for the common... a scoring system that is poorly oriented for safety-critical use cases. We tend to focus on remote code execution or loss of intellectual property as opposed to an availability attack, which might be a fatality in some of these. So it's not that you can't score properly with the system, it's that they tend not to. So we're gonna talk about and press upon some of those weaknesses, and a much better answer to some of your question: did you guys cover the CYMSAB? Because I think part of the answer to this might be what Commissioner Gottlieb is talking about, CYMSAB.

No, we didn't. We actually didn't get to talk about the Safety Action Plan. But as we move forward at the FDA in furthering the work, in building upon the work that's already been done, we put out in the Safety Action Plan, that came out in April of this year, some specific steps that we're looking to move forward with. And one of them is this concept, this notion, of a public/private partnership model that would bring together experts across multiple disciplines, working in a trusted environment, in order to evaluate, to assess a vulnerability and to really achieve, get to, ground truth around that vulnerability, and closer to real time. And this is in response to some of our own observations and learnings, and quite a few of them which have been public, in terms of the timeframe that it has taken to really get to ground truth around certain, I would call them high impact or high consequence, vulnerabilities were they to be exploited. So, you know, what this would do would really allow for creating an environment in which you have disciplines such as the clinical discipline, the biomedical engineering discipline, the security engineering discipline really working together and having access, all, to the same information, and being able to really thoroughly assess and comprehend what is the impact of that vulnerability and what is the exploitability, you know, of that vulnerability as well, in terms of then helping support what needs to be done in managing that vulnerability. I think that that is, you know, a really key piece as we move forward, in that right now we're left with certain pockets where resources just are scarce in terms of being able to achieve that kind of ground truth, certainly in a timely manner.

So I got the sign that we're out of time. Please take advantage in the hallway, though; this is the start of the conversation. At the end, with Suzanne or... raise your hand if you're gonna be on the panel tomorrow about CVE and CVSS. I just did, I just did. But you know, if you have burning questions or topics on this... I think the question that was asked, especially, is: is there a hacker voice on the CYMSAB? There will be. All right. Yeah, I mean, this is, if you were here this morning, if there's a pacemaker attack, do people get tired, or is there a loss-of-life potential? And I think something like this stands a good chance to get past the noise and the posturing towards actual ground truth. So thanks for your time. I think it's the end of the track today, but please avail of the opportunity to have very senior people in the FDA here to answer your questions, and be good colleagues. Thank you.

[Applause]