Digital Disease

The Patient Safety Threat of Ransomware

A CyberMed Summit Webinar in Cooperation with The George Washington University

If you weren't able to join us, don't fret! We'll be posting this video soon. If you didn't register, drop us a line at info@cybermedsummit.org, and we'll notify you when the video has been posted.

If you were able to join us, thank you! We hope you had as much fun attending as we did organizing it. We want to hear your feedback so we can keep improving our logistics and content. Please complete this quick anonymous survey (~2 min) and let us know your thoughts.


John Riggi, B.S.

Senior Advisor for Cybersecurity and Risk, American Hospital Association

Natalie Sullivan, M.D.

Disaster and Operational Medicine Fellow, GWMFA

Arkady Yerukhimovich, Ph.D.

Assistant Professor,GW Computer Science Dept.

Kevin Fu, Ph.D.

Acting Director, Medical Device Cybersecurity, FDA CDRH

After a more than two year hiatus, CyberMed Summit returns to kick off the New Year with an incredible group of healthcare cybersecurity experts as they tackle strategies and solutions for the expanding threat of ransomware attacks targeting healthcare systems!

As we emerge from a global pandemic, hard lessons learned about the fragility of our critical infrastructure and its susceptibility to cyber attacks demand we work together to further increase the resiliency and safety of the systems and tools we use to care for patients. A recent spate of prominent ransomware attacks hitting hospitals and stressing regional health infrastructure have shown us that this problem is far from being solved.

Let’s get back to work!

Hosted virtually by the prestigious Cybersecurity and Privacy Research Institute at The George Washington University in Washington, D.C., this free-to-attend webinar will feature “chalk talks” and a live Q+A with disaster medicine specialist and cybersecurity researcher Dr. Natalie Sullivan, cryptography expert Professor Arkady Yerukhimovic, and Mr. John Riggi of the American Hospital Association.

Hosts

Lance J. Hoffman, Ph.D.

Professor Lance Hoffman developed the first regularly offered course on computer security in 1970. A Fellow of the Association for Computing Machinery and a member of the Cyber Security Hall of Fame, Dr. Hoffman has written five books and numerous articles on the topic, overseen the development of hundreds of students in the field, served on a number of Advisory Committees including those of Federal Trade Commission and the Department of Homeland Security, and testified before Congress on the topic. He earned his Ph.D. in Computer Science from Stanford University after a B.S. in Mathematics from Carnegie Mellon University.

Jeff Tully, M.D.

Jeff Tully is a security researcher with an interest in the intersections between medical technology and patient safety. His work on 911 infrastructure vulnerabilities, exploitation of HL7 protocols, and simulations of hacked medical devices has been featured at RSA-C, DEF CON, Black Hat, and in the national media. He is a co-founder of the CyberMed Summit, a clinically-focused healthcare cybersecurity conference, and during his day job as an anesthesiologist focuses primarily on the delivery of oxygen to various tissues.

Q&A Moderator

Christian Dameff, M.D.

Dr. Christian Dameff is an assistant professor of Emergency Medicine, Biomedical Informatics, and Computer Science (affiliate) at the University of California San Diego. At UCSD Health he was hired as the nation’s first Medical Director of Cyber Security. Dr. Dameff is also a hacker and security researcher interested in the intersection of healthcare, patient safety, and cybersecurity. He has spoken at some of the world’s most prominent Cyber Security forums including DEFCON, RSA, Blackhat, Derbycon, and BSides and is one of the cofounders of the CyberMed Summit. Published cybersecurity topics include hacking 911 systems, HL7 messaging vulnerabilities, and malware.

Chalk Talks

John Riggi, B.S.

Bio

John Riggi, having spent nearly 30 years as a highly decorated veteran of the FBI, serves as the first Senior Advisor for Cybersecurity and Risk for the American Hospital Association and their 5000+ member hospitals. Riggi leverages his distinct cyber, criminal investigation, and national security experience at the FBI and CIA to provide trusted strategic cyber and risk advisory services to the nations' hospitals and health systems.

His trusted access to healthcare leaders and government agencies enhances Riggi's unique national perspective on cyber and risk issues which greatly contributes to the AHA’s policy and advocacy efforts as a nationally recognized subject matter expert. Riggi represented the nation's hospitals in testimony before the Senate Homeland Security Committee hearing on cyber threats to hospitals in December 2020. This assisted in the passage of HR 7898, providing regulatory relief for HIPAA covered victims of cyber attacks. In 2021 Riggi's prominent advocacy encouraged the government to raise the investigative priority level of ransomware attacks to equal that of terrorist attacks.

Riggi is the recipient of the FBI Director's Award for Special Achievement in Counterterrorism and the CIA's George H.W. Bush Award for Excellence in Counterterrorism, the CIAs highest award in this category. Riggi presents extensively on cybersecurity and risk topics and is frequently interviewed by the media.

Clinical Implications of Ransomware

Natalie Sullivan, M.D.

Abstract

Dr. Sullivan leverages her experience practicing in an Emergency Department (ED) affected by a ransomware attack to describe the direct patient safety consequences. She reviews the vulnerabilities of the modern medical environment to technological system failure and the direct impact of a cyberattack on patient morbidity and mortality.

Bio

Dr. Natalie Sullivan is a Disaster and Operational Medicine Fellow in the Department of Emergency Medicine at the George Washington University Medical Faculty Associates. Her academic focus is Disaster Response and Emergency Management. She completed her residency at George Washington University. She attended medical school at Tufts University School of Medicine in Boston, Massachusetts. She will discuss her clinical experience during a ransomware attack on a local hospital system.

The Ransomware Menace: What it is, why it is happening, and what we can do about it?

Arkady Yerukhimovich, Ph.D.

Bio

Arkady Yerukhimovich is an assistant professor in the computer science department at The George Washington University and a core member of the GW Computer Security & Privacy Research Institute (CSPRI). His current research is focused on cryptography and cybersecurity, with a focus on using provably-secure cryptographic techniques to develop solutions for real-world problems. In particular, he has developed techniques for tracking fake news in encrypted messaging, efficient search over encrypted data, and techniques for large-scale privacy-preserving collaboration. Professor Yerukhimovich has published multiple papers at top cryptography and security venues such as Eurocrypt, ACM CCM, and the IEEE S&P conferences. Prior to joining George Washington University, professor Yerukhimovich was a research staff member at MIT Lincoln Laboratory where he worked to develop cryptographic techniques for DoD cybersecurity applications. Professor Yerukhimovich received his Ph.D. in cryptography from the University of Maryland.

FDA and Medical Device Cybersecurity

Kevin Fu, Ph.D.

Abstract

In May 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity. In this presentation, I will discuss the Food and Drug Administration’s medical device cybersecurity approach to pre-market regulation and post-market coordinated vulnerability disclosure with an emphasis on Software Bills of Materials (SBOMs) and threat modeling.

Bio

Kevin Fu is Acting Director of Medical Device Cybersecurity at U.S. FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). Fu is also Associate Professor of EECS at the University of Michigan where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). He is most known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel.

The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.

Fu was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing. He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org). Kevin serves on the Editorial Board of the Association for the Advancement of Medical Instrumentation (AAMI) on Biomedical Instrumentation & Technology. He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT. He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.