Beau Woods used to be a hobbyist hacker and now he is a professional one. What used to be friendly pranks, like ejecting his buddies’ CD trays or shutting down their computers from afar, has turned into a crusade to make medical devices safe through a more altruistic form of hacking and a major effort to change how the FDA and medical device companies make security a reality. Today Beau is a cyber security advocate and Deputy Director and Safety Innovation Fellow of the Atlantic Council, an organization that focuses on the global challenges of tomorrow.
But 15 years ago, Beau was toiling in an IT support role at a hospital. A hobbyist hacker in his spare time, he spent most of his time defending his hospital’s IT systems from a wide variety of security breaches. Nearly every month there was at least 1 medical device breach and often there were more. Among the targets: imaging systems which would have malware popups during their startup sequence, telemetry equipment and fetal monitors. Sometimes these systems would be knocked out exactly when needed for patients. Clinical teams would frantically try to do 5-minute password resets while the patient lay there waiting for an intervention at a time when 5 minutes could really matter.
Oftentimes the IT departments would deliberately design these system shutdowns to prevent the activation of malware and other security incursions; unfortunately, these designs typically were built without a full appreciation for how this impacted patient care. In other words, the best intentions to minimize IT risk had the unintended consequence of driving up clinical risk. Think about it: when you’re sitting at your desk in the mosh pit of some Silicon Valley office and your computer goes down and you have to restart, it’s an inconvenience. But when you’re preparing for surgery or in the ER, a 5-minute interruption of service can become a life-threatening situation.
Fast forward to today and Beau notes that when it comes to medtech security, “Things have gotten better but they have also gotten worse. We often know what we need to do now but we fail to do it much of the time.” A key issue, Beau states, is that the IT department is charged with protecting privacy and data security at all costs. “IT teams must choose failure modes that are designed to protect patient safety before privacy,” according to Beau. “For that reason, among others, there is still a lot of vulnerability in the medical device world.” He also notes that security is so hard in hospitals because the organizations are forced to prioritize between hiring more security experts or hiring more doctors – a tough trade-off.
Troubled by what he saw, Beau became a crusader, turning his hacking skills from goofs to good. A “white hat hacker” focused on the world of medicine, his work has culminated in the formation of #IAmTheCavalry, a volunteer association of hackers who want to do good by making medicine better and safer for real people, both patients and providers. This group, which includes security researchers of many stripes, has worked closely with the FDA and the broader HHS and medical device communities to design cybersecurity guidelines, spread awareness of the challenges among industry leaders, and catalyze action to make things “Safer, Sooner, Together.”
The ultimate manifestation of Beau’s work is about to commence. On August 8-11, the biohackers will assemble in Las Vegas at the DEFCON Biohacking Village, one of the many programs at the largest hacker conference on the planet. DEFCON is basically a sort of hacker Lollapalooza and some of the people who attend go by such monikers as Cereal, IceQUICK, Darkwolf and Tyrant. And some go by names like Beau and Dave. About 30,000 security researchers, hobbyist hackers (both black and white hat variety) and people from all industry areas come together to have the world’s biggest nerd party (NERDvana?). While there, they also engage in intellectual exchange, challenge each other to break into systems, learn and share ideas for how to fix things and generally geek out – apparently there is a fair amount of alcohol involved. Somehow, I imagine all the women at the conference look like Lisbeth Salander of the Girl with the Dragon Tattoo and all the men there look like Kevin Mitnick at the time of his arrest.
Starting in 2014, the suit-wearing part of the healthcare world started to show up, just a little. But rather than being focused on security and privacy in the world of medical technology, the effort of that time was focused more on the personal biohacking concept. Beau explained to me that the early days were about ways to transform the body with technology and what it means to be human, with a big focus on how the philosophy of transhumanism can improve our day-to-day lives. But today, there is also a strong focus on the importance of thinking smartly and broadly about the intersection of patients, devices and security. Yes, the guys with the funny names are there, but so are Becton Dickinson and Philips and Thermo Fisher and Medtronic, among others who probably do not show up with full sleeve tattoos and embedded biochips.
Beau is more of a computer hacking guy, not a body hacker. And after a stint working as an Entrepreneur in Residence at the FDA and working with HHS on their Cybersecurity Task Force, he realized there was a real opportunity to use the DEFCON platform, and specifically the Biohacking Village, to teach people there are more consequential things to do at the conference than break into each other’s phones. His goal was to get people to bring real medical device products and engage hand-in-hand with hackers and security researchers to find the holes and fix them. If you’re wondering whether there are enough things for these guys to work on, just take a gander at this page from the HHS Cybersecurity Task Force Report; it seems there are plenty of things to do.
Key: C = Confidentiality, I = Integrity, A = Availability, and PS = Patient Safety
Last year the Biohacking Village featured some older medical devices which are no longer supported by their original vendors (but that are very much in use out there in hospital land). They then let the hackers have at it, comparing the vulnerabilities of old and new products while the device manufacturers and FDA looked on. The Mayo Clinic sponsored a “capture the flag” style hacking simulation competition. The long-term goal was to improve systems and also build bridges among the community members of all types. In one example, they did some work on ICDs (implantable cardioverter-defibrillators) and found that it is possible to effectively encrypt the device, but the fix drops the battery life from 15 years to 3 years. Kind of a bummer if that ICD lives inside of you – what’s a heart patient to do?
The FDA has gone all in on this effort, working hard to be helpful rather than use this display of potential vulnerability against the medical device industry. They are catalyzing the discussion through creation of the #WeHeartHackers initiative, launched in January, which the FDA established with Beau’s assistance. The initiative is focused on getting the whole of the medical device community to engage together in the best interests of patients.
#WeHeartHackers will be out in force this August at the DEFCON Biohacking Village, where there will be a 2400 square foot replica of a hospital with 6 rooms, each representing places of hospital vulnerability: Admissions, Radiology, Pharmacy, Lab, Surgical Suite and ICU/NICU. Hackers and other DEFCON attendees will check in to the admissions office, get their hospital bracelet (in order to make them feel more like patients) and work their way through the various rooms where they can test devices, try to penetrate the defenses that medtech companies have devised, and participate in simulation games where the hospital comes under hacker attack. Competitions are built around unlocking ransomware, finding security holes and reverse engineering system incursions in order to correct them. The prize? Glory and bragging rights as a hacker bad-ass or security researcher extraordinaire. Maybe they’ll throw in some Doritos – for some reason I assume that is the average hacker’s meal of choice.
At the Biohacking Village’s smaller event last year, over 1000 people wandered through in the first hour it was open. This year they expect far more and to be oversubscribed. The goals, if all goes well, are to discover and fix new security issues for manufacturers, develop great IT talent who can help industry, create informational reports for policy-makers and investors, and to drive greater collaboration among those that make the medical device industry move effectively forward.
I asked Beau what it felt like to see this event grow to its more significant size and status and he said, “It is a bit crazy to see it go from a rag tag startuppy group to having the FDA as a host.” I also asked him if the arrival of the guys in suits changed the cultural zeitgeist of the world’s largest hacker forum. He said, “It can, but we work hard to avoid this. We used to have a spot the Fed competition – a good-spirited game where attendees would try to pick out the ‘incognito’ government guys, often easily spotted by their khakis, ironed shirts and perfect posture. Now we have panels like Meet the Fed where it’s all out in the open. It has changed the dynamic some. Not everybody loves it.” On the other hand, Beau points out that the group has stayed firm to what they believe in and the medical device firms have been very cooperative and engaged. He reports that he has a different perspective from some of his hacker peers, “It’s good to work with government and corporations. I see myself as an ambassador to foreign lands, though it is odd to see the clothing choices.”
I love the idea of these different communities working together, particularly in the realm of what happens in Vegas, stays in Vegas. It seems highly appropriate to think about such a broad array of participants working together in the hottest month of the year in the weirdest place on earth. I can imagine a craps table after hours made up of federal agents and pierced and tattooed hackers all screaming at the dice as one. And I’m glad they are doing it, because this is a serious issue. As medical devices inside the body become more and more laden with electronics, the stakes get even higher than they already are today. It’s great to think that people like Beau are on the case.
PS – for more on this and related topics, listen to this Tech Tonics podcast episode featuring Andy Coravos.