Day 1

08:15 AM

CHAIRPERSON’S OPENING REMARKS

As the demand for shared health data and interconnected clinical systems rises to meet quality and pay-for-performance needs, the use of personal and commercial IOT is also accelerating. Meanwhile recent very public cybersecurity breaches have helped galvanize the healthcare and technology industries, government and law enforcement while bringing cybersecurity to the attention of patients and the general public. We must together identify threats, solutions, and realistic paths forward to ensure not just our privacy and security, but the viability of our Healthcare Industry. This presentation will offer a summary and analysis of recent concerning and damaging cybersecurity breaches in healthcare, from the Hollywood Presbyterian Medical Center ransomware attack, to WannaCry, the Anthem Breach Settlement, the Equifax breach and the sale of Australian Medicare records on the web.
Michael Robkin, MBA, Founder & President, Xelnt Healthcare Inc.

08:45 AM

KEYNOTE ADDRESS: THE ECONOMICS AND ECOSYSTEM OF THE DARK WEB

An overview of the supply chain, ecosystem, and value propositions of hacking, virus writing, sabotage, and ransomware will be presented from the “bad guys’” point of view, along with strategies for proactively combatting cyber threats at their source.
Ron Williams, Chief Architect, IBM Security Systems

09:30 AM

KEYNOTE ADDRESS: MEDSEC VS. ST. JUDE MEDICAL: IMPLANTABLE DEVICES, VULNERABILITIES, AND THE LAW

In 2016, the security research firm MedSec and hedge fund Muddy Waters disclosed the presence of serious vulnerabilities in St. Jude Medical (SJM) implantable cardiac devices. In August 2017, SJM announced a historical recall of approximately 465,000 implantable devices. Dr. Green was one of the outside researchers invited to validate MedSec's findings. This talk will explain the technical aspects of the vulnerability and explore the long-term implications for medical device security.
Matthew Green, PhD, Assistant Professor, Department of Computer Science, Johns Hopkins University

10:45 AM

KEYNOTE ADDRESS: REGULATORY ADVANCES

The most recent guidance and advice from the FDA on Cybersecurity, Software Development, Post-market surveillance, and the collection of real-world evidence will be presented and discussed.
John F. Murray, Software Compliance Expert, Office of Compliance, CDRH, FDA

11:30 AM

US LEGAL AND REGULATORY FRAMEWORK

Numerous legal obligations have emerged for managing cyber risk for connected medical devices. This session will explore various cybersecurity laws, regulations, and standards governing design, development, deployment, and support for such devices. Learn about legal considerations for incident response and vulnerability disclosures.
Paul Otto, Senior Associate, Hogan Lovells

01:15 PM

02:30 PM

CYBER INSURANCE PERSPECTIVE

Speaker to be announced

03:00 PM

COGNITIVE DEVICES, INTERNET OF HOSPITAL THINGS – IOHT, SMART DEVICES; SAFER CARE

In today’s clinical environment, the myriad of device information can be staggering and is error prone; clinicians are struggling with what it all means. The sensor data available today creates an issue of data deluge along with false alarms that create overwork. With the advent of cognitive computing, we now have the ability to create digital agents to address many aspects of this device information tsunami and opportunities to synthesize device data. Cognitive computing at the edge offers the potential to eliminate false alarms, connect data streams for diagnosis, and engage in new models of predictive care. The cognitive agents can now live on the instrument, can combine with other systems, and create smart localized systems that provide continuous monitoring. This self-assembling and cognitive collaboration enables smarter sensing and predictive capabilities not available today. In addition, with the advent of cognitive computing at the edge, we can build smarter systems that enable new security models. These devices, by bringing AI technology to the device and network, can create smart systems that can detect unusual activity quicker, react, and enable ever-changing encryption and security models. This session will cover the enablement of devices, the cognitive networking and the security capabilities that can now be enabled in Healthcare and Life Sciences.
Chuck Parker, Global Healthcare Lead, Beyond Limits

04:30 PM

ON THE FLY CONTEXTUAL SECURITY RISK MANAGEMENT

With medical devices getting increasingly connected and cyber threats becoming more targeted and sophisticated, there is growing recognition of the need to secure these critical devices. But with the wide variety of systems and vendors on one hand yet extremely limited resources on the other, providers have a difficult time prioritizing the critical risks they need to focus on. To prioritize, they need to understand their inventory, criticality of every device and the likelihood of having a security incident. Further, since security threats change daily and attacks are moving rapidly, they need to have a real-time view into their environment. This session will focus on the challenges of implementing a mature and continual risk management program and will map out a path forward.
Shankar Somasundaram, CEO, Asimily

05:00 PM

BUILDING LAYERS OF SECURITY FOR IOT AND EMBEDDED MEDICAL DEVICES

Internet of Things (IoT) and Embedded Medical devices are ubiquitous within the modern healthcare world. Organizations are challenged to find ways of assessing these devices and implementing controls required by the prescriptive standards of the NIST framework. This presentation shall illustrate:
  • Vulnerabilities of these devices.
  • Ways of building layers of security.
  • How compensating controls can help meet framework standards.
  • Techniques that can be applied during manufacture to secure these devices before they ever reach businesses.
Erik Jones, CEO, Jacobian Engineering, Inc.

05:30 PM

INNOVATIONS IN SECURE IOT MEDICAL DEVICE APPLICATION SUPPORT

Many medical device companies now have application servers that require support and upgrades of application software. Devices have evolved from standalone devices to modern complex IT systems. The traditional way to provide this support is either on-site service or the use of a VPN (virtual private network). On-site service is costly. The traditional service model for devices doesn’t work with modern software deployment architectures. Healthcare institutions are often reluctant to provide VPN access to a vendor without a lengthy legal approval process. Some institutions refuse VPN access. Hospitals face legal/liability/regulatory/quality barriers to enabling vendor access to their systems (both the vendor product, and hospital systems that must be accessed to support the vendor’s product). For example, hospitals often deny vendors VPN access for privacy, legal, and compliance reasons. Security of the network is the highest priority of the institution. Security is a high priority, but can never be perfect. Security is a trade-off between convenience, cost, support, etc. New support/service models in the industry that look to address these issues are discussed and compared.
David Hoglund, Founder & CEO, Integra Systems

Day 2

08:00 AM

CHAIRPERSON’S OPENING REMARKS

Michael Robkin, MBA, Founder & President, Xelnt Healthcare Inc.

08:15 AM

PANEL DISCUSSION: IOT FOR HEALTHCARE: NEW THREATS, NEW VALUE, NEW SOLUTIONS

This panel will discuss the expanding threats that come from the adoption of IOT both within and beyond the walls of the hospital. Topics to be discussed include:
  • Threats from unregulated products
  • Trust and Integrity
  • Social Media
Moderator:
James Crimens, Managing Director, Accenture Security

09:00 AM

LIVE DEMO OF A MEDICAL DEVICE REPLICA HACK

Mike Kijewski, CEO, MedCrypt

09:30 AM

THIRD PARTY RISK MANAGEMENT FOR MEDICAL DEVICES

How to perform automated and low-lift third-party risk management (TPRM) for medical devices – hospitals and health systems manage a myriad of devices across their multiple facilities but are usually unaware of what risks are present in their devices. Shahid Shah, a cybersecurity expert and medical device software architect, will show how to manage third-party risk assessments across multiple med device vendors so that it almost eliminates the scoring and ranking work on the health system side and pushes it to suppliers.
Shahid Shah, CEO, Netspective Communications

10:30 AM

LEVERAGING EXPLOITS TO MANIPULATE CARE WORKFLOWS

Presented by organizers of security research concept IoT Village, this session delivers live demos of exploits against biomedical devices, including patient monitors -- a piece of security research that was recently featured on a CBS Network On Assignment segment. The presentation addresses the impacts that such exploits could have on the delivery of care, and the correlating impacts to patient safety. Attendees will leave with actionable insights on how to remedy similar underlying security flaws across all connected devices.
Josh Domangue, Associate Security Analyst, Independent Security Evaluators
Kevin Thomas, Associate Business Analyst, Independent Security Evaluators

12:00 PM

PANEL AND AUDIENCE DISCUSSION: WHERE DO WE GO FROM HERE?

A moderated discussion to collect ideas, solutions, and advocacy topics necessary to improve the security of the Healthcare Industry.
  • Healthcare has unique security and safety requirements and diverse stakeholders; Medical Device Manufacturers, the FDA, Government Agencies, Hospitals, ONC, Physicians, Suppliers, and Payers each have different security roles. This panel will discuss their boundaries and where there may be gaps or overlap in the responsibilities or capabilities of the major stakeholder groups.
  • Discussion and debate on security and privacy from the patient’s perspective: Do privacy breaches impact the patient/provider relationship? When does security become a safety issue? Who owns the patient’s data? Who should?
Moderator:
Joseph Ternullo, JD, MPH, President, Society for Participatory Medicine
Panelists:
Deepak Ayyagari, PhD, Associate Director, Technology Advantage, Boston Consulting Group
Lesley Macherelli, Senior Advisor, Brigham Health International
David Whitlinger, Former Executive Director, Continua Health Alliance & New York eHealth Collaborative
Additional panelists to be announced

02:00 PM

OPTIONAL POST-SUMMIT WORKSHOP

KNOW THY ENEMY: SECURING MEDICAL DEVICES IN THE HACKING ERA

Presented by the security research organization behind the seminal study Hacking Hospitals, this interactive session is designed to help medical device manufacturers better understand the adversarial perspective in order to develop systems that are more resilient against attack. The workshop is a highly interactive combination of lecture style and group exercise modules. Content areas to include:
  • Threat modeling
  • Trust modeling
  • Secure design principles
  • Exploit demos
  • Actionable insights
Workshop Instructor:
Drew Ogle, Team Lead, Independent Security Evaluators