Since device makers apparently can't be trusted, medical professionals are taking emergency measures to keep patients alive. At the recent Cyber Med Summit, doctors put together a sort of hacker boot camp for medical professionals.
The conference combined talks with gritty (and sometimes bloody) live-action simulations in which doctors were faced with a new kind of medical crisis: figuring out whether patients -- or, more specifically, the technology that keeps them alive -- have been hacked.
During the conference, there were three immersive emergency exercises in which patient insulin pumps and pacemakers had been hacked and doctors needed to act fast to save lives. Josh Corman, founder of I Am The Cavalry and one of the event's co-founders, told Engadget that these crisis simulations made them realize the urgency of this conference.
"The three simulations involved an insulin pump, a bedside infusion pump and a pacemaker," Corman said in a call. "When the doctor found out after the exercise that the pump's tech failed in a certain way, she said if she'd realized that, she'd have just swapped out the pump." He added, "But we explained to her that it wouldn't have mattered because the libraries it was pulling from were hacked."
Some of these riveting scenarios transitioned into surgeries on excruciatingly realistic dummies. Seeing the "patient died a few times" in live tweets from the event is disconcerting, to say the least. Corman told us, "That's when we realized that physicians [implicitly] trust the technology they depend on, and it was really disruptive when the technology failed them."
"We knew that physicians would be able to adapt to certain things," he explained, "but during the medical simulations, we realized they're not trained for this."
Over 100 medical professionals, infosec professionals, policymakers, a few medical-device manufacturers, and a handful of law-enforcement officials attended the first-of-its-kind event. (You can watch the keynotes here.) The results? Maybe you should make sure your doctor keeps a hacker on staff. Many at the Summit got a terrifying crash course and probably realized they need to add "hacking" to their list of possible problems to assess and diagnose.
The time of the doctor that hacks is here, and that's who brought the event together. Doctors Jeffrey Tully and Christian Dameff are physicians who also happen to be hackers; their first DEF CON presentation was "Hacking Humanity: Human Augmentation and You" in 2013. Tully recently finished a pediatric residency and is about to start another; Dameff completed a residency in emergency medicine and is getting ready for a fellowship.
"Doctors are hackers, they just don't know it," Dameff told the University of Arizona newspaper. "They think through the pathology of a disease. They look for weaknesses of the disease, of the system, just like hackers."
The pair made the Cyber Med Summit happen in partnership with DC think tank The Atlantic Council, whose motto is "Working Together to Secure the Future." The conference idea came at DEF CON in 2014, where they connected with Josh Corman and Beau Woods, both of whom are directors of the cyber statecraft initiative at the Atlantic Council. Corman explained that Dameff and Tully's talk that year was the hook to make the Cyber Med Summit happen -- a cautionary presentation titled "Hacking 911 - Adventures in Disruption Destruction and Death."
Dameff told press after the event, "When we know of the first patient that dies of a cyberattack ... you can't put the genie back in the bottle." He added, "It's going to usher in a new era of health-care cybersecurity where hospitals are going to be scrambling. That's not the time to do it -- the time to do it is now."
In talking to those who were there, it's clear that the Cyber Med Summit was a wake-up call, even for the researchers who put it together. Josh Corman told Engadget there's a silver lining on the horizon: The National Governors Association is interested in replicating the event. "A huge percentage of modern health care is dependent on tech now, and they have not integrated security anywhere," Corman said. "We need to do this in all 50 states."