DEFCON from a Healthcare CISO Perspective

The following is a guest write up by Mitchell Parker, MBA, CISSP (@mitchparkerciso), and Executive Director, Information Security & Compliance at Indiana University Health.  We asked Mitch to share some insights and perspectives on the DEFCON conference that just happened in Las Vegas.  DEFCON is known as a hackers conference, so we wanted to share a healthcare CISO perspective on the event.

What is it?

DEFCON is the largest pure hacking and security conference in the US.  It occurs annually in Las Vegas and over 30,000 people attend it and several other concurrent security conferences, including Black Hat, BSides Las Vegas, and Diana Initiative.  It is considered to be the premier security conference in terms of content and technical acuity of the attendees.  Some of the best security minds in the world present at this conference.  A number of healthcare IT and security professionals also attend.  This is considered the conference you should go to if you want to know how security works.  Additionally, the presentations and materials are heavily vetted.  This conference is open to whoever can pay the $300 cash to attend.

Why should you be there?

DEFCON is organized into a number of talks/presentations/demonstrations and villages.  The villages encompass live demonstrations, exhibits, specialized talks, and the ability to experiment with and hack on hardware and software along with others, including prominent security researchers.  The Biohacking Village, which specializes in medical devices and healthcare, had live demonstrations and exhibits, actual medical devices for people to hack, and presentations and panels from a number of people in the industry.  Researchers and security executives from multiple medical device manufacturers were present.

The most comprehensive and eye-opening exhibit was from the Nebraska Applied Research Institute, which demonstrated their Operational Technology Incident Simulator.  This demonstration showed all of the electronics, networking, and telemetry present in a patient’s room.  It showed how much work we have to do to address the inherent risks already present in our own facilities.  This exhibit showed the complexity of supporting a patient environment, and that the scope of systems that support them is a lot more than just the devices we see.  Environmental systems also play a significant part.

What will you learn?

One of the blind spots that we all have is the point of view of the populations that we serve.  There are a lot of people out there who learn about the devices they have by searching on the Internet, watching YouTube videos, and collaborating with others.  Many of them do not feel that technology solutions provided meet their needs, and will modify what they use to do so.  There is often also a gap between our perception of device usage and security, and the patient’s view.

I consider talking with highly skilled people who know how to work past limitations to perceptibly improve their quality of life to be part of what we should be doing.  We need to understand how these devices are used in the real world, and take that information back to improve how we deliver services.  This also gives an excellent view into how security can either be an assistance or an impediment, and whether the controls we put in place are effective or not.  Having thousands of people, including the creators of the YouTube videos that many of them watch, in one place gives an excellent opportunity to learn more about how security really works.  If you want to learn how and why people configure what they have to meet their needs, this is the place to learn it.

You can also learn a lot from many of the security professionals that attend.  Security and privacy professionals from numerous healthcare organizations, government agencies, and medical device manufacturers are around, and most importantly, are completely approachable.  We were able to have critical conversations with four vendors and peers at several institutions. We also spoke with security researchers and government officials whose work we cite and develop strategy, policies, procedures, and processes around.  This is unlike many other conferences where it is much more difficult to approach them.

We had multiple conversations with security researchers who are doing new and cool things in the areas of medical device security, automotive security, voting machine security, and wireless security.  There are many parallels between the work these researchers do and our areas of focus on medical devices and data integrity, data management and quality, and mobile device management.  The researchers are very open, willing to talk, and inspired us to look at our own programs differently.  As opposed to being pushed products, we had discussions on how products worked and the theory behind them.

When you are developing strategies on how to secure healthcare, it is important to know how it works.  The best example I can give is the discussion I had with an automotive security researcher on how cars are moving from what is known as the CANbus protocol to Ethernet for internal communication.  What I got out of my discussion with her is how that parallels how hospital rooms are moving away from proprietary wiring to Ethernet and wireless for support systems, as the Nebraska Applied Research Institute demonstrated.  This means that we don’t have to reinvent how we approach security across industries, and can learn from each other.

Conclusion

While it doesn’t advertise itself as such, this conference has a significant healthcare component to it.  There are many great professionals and researchers to learn from, and the Biohacking Village was both incredibly informative and demonstrative.  We also learned from actual device users how they use them, and how we can put security in place that protects data, instead of being an impediment.  We look at attending these conferences and speaking with people to be part of our mission and values, as they help us understand the mindsets of others.  If there is any takeaway that we have, it is that we would like to see more participants and medical devices at the Biohacking Village.  We learned a lot there, and think that more participation will lead to better understanding and improved security for manufacturers, providers, and most importantly, those whom we serve.

About the author

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.
