Summit Brought Together Thought Leaders and Experts in Medical Cyber Security in a Unique Symposium that Featured Real-Time Simulated Attacks on Medical Devices
As medical technology becomes more sophisticated, the potential for malicious cyberhacking of medical devices has become real.
On Dec. 13-14, the University of Arizona College of Medicine – Phoenix hosted the CyberMed Summit for a second year with an immersive symposium designed to prevent these attacks by developing solutions to keep patients safe and medical technology secure.
“The CyberMed Summit is a multi-stakeholder experience, where experts from all types of organizations come together to go through simulations, tabletops and panels to really dive deep into the challenges of medical cybersecurity,” said Jeff Tully, MD, who founded the conference last year with Christian Dameff, MD, as well as Josh Corman and Beau Woods (pictured in order above) from the Atlantic Council. “We want the public to know that we are here, we are aware of the issue and we are working hard to solve this while keeping patients at the forethought of our minds.”
The Summit put attendees "into an immersive learning and experiential environment to see what we hope for, what we fear, what we have to offer and what we need in order to achieve our goals,” Woods said. “Bringing all these people together, really catalyzes action before it would happen. The things we are doing here helps drive the right amount of information to the right people to start making change.
The Summit, titled “Clinical Cybersecurity: Health Care’s Newest Challenge,” not only hosted international experts to discuss the issues, but also had them participate in simulated cyber crisis exercises in a hospital setting.
“The CyberMed Summit is really emblematic of the goals and the focus of the College of Medicine – Phoenix,” said Guy Reed, MD, MS, dean of the college. “As we sit here today, in this room together as clinicians, engineers, researchers and policy makers, we are aware that the very devices that we’ve developed and utilized to improve the lives of our patients may themselves be utilized by others for patient harm. We are proud to host this conference and look forward to the next day of conversations, information sharing and advocacy as we work together to understand these challenges and come up with solutions.”
The Summit featured several keynote and panel discussions with thought leaders in medical cybersecurity, including Suzanne Schwartz, MD, MBA, associate director for Science and Strategic Partnerships at the FDA Center for Devices and Radiological Health; Billy Rios, founder of security research firm WhiteScope; and Jay Radcliff, a cyber security researcher who hacked into his own insulin pump.
Radcliff discussed the vulnerabilities of connected medical devices through a live security research demonstration. To give an idea of the pervasiveness of this, Radcliff said tools like Shodan, which queries the Internet looking for all these types of devices, showed 15 medical devices connected that morning. Therefore, 15 people were connected to the Internet right then, probably not even knowing it.
“This is where the world is going,” Radcliff said. “These devices are using cell phone technology to connect patients with doctors and to the Internet to give them better care. As a diabetic, this is really exciting to me because this can improve my quality of life; but as we connect ourselves and we connect our devices, we have to do the diligence in making sure they are safe and they are secure when we put them online.”
The aforementioned clinical simulations placed unwitting physicians in realistic emergency situations involving sick patients. Participants witnessed in real-time the doctors' realizations that the high-tech systems they rely on to care for their patients are not entirely trustworthy. The Summit also included tabletop exercises, where attendees dealt with a cyber crisis impacting local hospitals. Working in teams, participants proposed appropriate responses and evaluated their effectiveness.
“This conference takes physicians through simulations where a patient’s medical device gets hacked,” Dr. Dameff said. “These doctors, that know nothing about cybersecurity, have to respond just like they would in an emergency room. What we’ve learned from this simulation work is that physicians don’t understand the risk, they don’t understand what’s going on and, furthermore, they are very ill-equipped to handle these situations.”
Doctors are more dependent than ever on medical technology to improve the lives of patients. Dr. Dameff said that he has never used paper medical records or even put an x-ray on a lightbox and, until a few months ago, he had never written a hand prescription.
“We need to make sure that moving forward, these devices are secure, they are not compromised and that people trust them,” Dr. Dameff said. “We don’t want to instill fear. Patients should not be afraid to go to the hospital or get a pacemaker; these devices are saving millions of patients’ lives and will continue to do so.”
The CyberMed Summit was founded by Drs. Tully and Dameff, both 2014 graduates of the UA College of Medicine – Phoenix. Dr. Tully is a board-certified Pediatrician and an Anesthesiology resident at the University of California, Davis Medical Center. He has researched ways to secure hospitals and patients in a new world of remote care, implantable medical devices and biohacking. Dr. Dameff is a board-certified Emergency Medicine physician and a Clinical Informatics fellow at the University of California, San Diego. He has researched security threats in health care infrastructure and medical devices.
Headquartered in Washington, DC, the Atlantic Council provides a forum for international, political, business and intellectual leaders to discuss international security and global economic prosperity.
The CyberMed Summit was sponsored by Abbott Laboratories and Medtronic. The two-day conference was organized by the UA College of Medicine – Phoenix and the Atlantic Council’s Cyber Statecraft Initiative.