Home > Appearances, Cybersecurity, Healthcare > Stratigos CEO keynotes H-ISAC Medical Device Security Workshop

Stratigos CEO keynotes H-ISAC Medical Device Security Workshop

November 1, 2020

Stratigos Security Founder and CEO, Beau Woods, was invited to keynote the Health Information Sharing and Analysis Center (H-ISAC) Medical Device Security Workshop, on October 29, 2020. The event brought together representatives from healthcare providers, medical device makers, and the security research community.

Beau’s keynote focused on the need to work together collaboratively, in the face of a society that sees itself more divided than ever, facing many of its hardest challenges in living memory. The full script of this talk is available below.

Health Sector Information Sharing and Analysis Center (H-ISAC) 

Workshop – October 29, 2020 

Keynote: Coming Together – Why and How

Beau Woods, I Am The Cavalry

If you’ve never heard someone connect washing machines to cybersecurity, you’ll hear it today. 

As I was preparing a background for this Zoom call, I ran across a quote attributed to Eleanor Roosevelt, “do one thing every day that scares you.” I’m really going to put myself out there with this talk, so I think this will count as my one scary thing today.

Introduction

Hello, I’m Beau Woods. I think I know many of you on the call today. For those I don’t know, hi, it’s good to meet you.

For those who don’t know me, I’ve been in infosec, cybersecurity, cyber policy for about 15 years, starting at a small community hospital, so a lot of what I learned originated in a healthcare environment. I worked at the FDA as an Entrepreneur in Residence, defining a new pathway to market for Software as a Medical Device, called the Precertification Program or Pre-Cert. I have been a leader in a global grassroots initiative called I Am The Cavalry for about 7 years. I started up and run the Biohacking Village: Device Lab. And I run a small security consulting company. 

I tell you all that to say that a common success criteria throughout my career has been collaborating across very different groups of stakeholders, perspectives, and personalities. Having to do that often when others have failed to do so before and believed it couldn’t be done. 

This talk will touch on some painful and difficult subjects we’ve all been wrestling with over the past months and years that has left a lot of us feeling distant from each other. They affect me daily as I am sure they affect all of you, as well. I believe it’s harder than ever today to come together for common causes, even if you’ve spent your career transcending organizational barriers, as many of you on this call have. 

I think this group has a unique set of characteristics, principles, and values that gives me hope we will be able to do that. And I want to give you a toolchain I think can help improve effectiveness doing so.

A lesson from my apartment mailing list

When Jon invited me to address the H-ISAC and to choose a topic I thought was important right now, my apartment complex was in the middle of an uproar. Neighbors were at each others’ throats on an email thread.

It started when the building management wanted to do a survey about who had washing machines in their units. They can cause floods if the hoses leak, so they wanted to ensure they had the right insurance.

One person mentioned they also use more water and electricity, so they should have to pay a larger condo fee each month. We don’t have metering, so it’s all averaged out. Someone else, who has a washing machine in their unit, jumped in pointing out that the person who suggested that works from home all the time, using more power for lighting, heating, and cooling, so she should also pay an additional fee.

There were over a dozen emails flying around all day escalating the divide among neighbors. The gym costs extra to run, so people who use those should pay more. The pool needs a lifeguard and water and upkeep, so people who go often should have to pay their fair share. The height of this absurdity, in my mind, was when someone suggested they shouldn’t have to pay for the elevators since they’re on the second floor and always walk upstairs.

Finally someone new to the building jumped into the thread without accusing or confronting any of the others on the thread. They simply pointed out that we live in a building together and all want the same things. That it’s likely impossible to do what had been suggested, or that the cost would exceed the benefit. Their email ended, “I wanted to think we were better than this. Because I know we can be. We must be.”

These are neighbors who normally greet each other in the elevators and lobby, at the pool, in the gym, and in the laundry room. Yet they seemed ready to tear each other apart. I think we have all seen similar things in recent months – communities tearing themselves apart.

It’s easy to understand why collaboration is so hard right now

We are facing a global pandemic, watching the infection and death rates reach terrifying numbers – 500K newly infected in the last week week in the US alone and 500K infected in a single day globally. For most of us in this room it’s especially close to home, since we are working directly on COVID response developing and securing vaccines, PPEs, and treatments. While others may be able to escape by watching movies or do unrelated work, we face these issues all day every day. Yet we also see millions of people denying these statistics, the disease, and the science of public health we are working so hard on. 

And over the past few weeks we have watched over and over again, clips of a man die at the hands of authorities over a minor crime. Then seen dozens of similar cases that seem to paint a picture of a system of injustice from those charged with protecting the peace. Massive protests, some of them turning violent – clashes between people in the same community.

We hear stories of families who have lost their income and their homes, with nowhere to find shelter or safety. Meanwhile we are told that the economy is doing great when measured by the wealth of a very few, in the stock market, GDP, and other macroeconomic indicators.

We have seen small differences in perspective wedged apart by those we expected to represent us and lead us to a more cohesive society. One that can address some of the largest social, public health, and economic challenges we have faced in many of our lifetimes. 

For me at least, this has ripped away comforting fictions, replacing them with hard truths. I hardly recognize the society I live in. The one I have heard and seen on my screens doesn’t seem to be the same one I believed it is, has been, and that I know it can be. I imagine many others, including those on the call today, also feel the same way.

And I imagine that, like me, many people feel scared. Feel frustrated. Angry. And hurt. As someone close to me told me, “hurt people hurt people.” It’s true. When we’re hurt, we look upon each other as adversaries instead of allies. Causes us to start fights instead of finding common ground.

We are pushing ourselves apart from each other, as societies and communities, at a time when we desperately need to come together more than any other in living memory.

As my neighbor said, we must be better than this

With this as a backdrop to the workshop today, it would be easy to fall into these now-familiar antipatterns and see ourselves as divided even though we’re working together toward a common set of goals – improved patient care and better outcomes for the globe. 

Now to be clear, I’m not suggesting we can avoid these issues or pretend they don’t exist. They hit us in the lizard part of our brain right at the top of our branstems and trigger instinctive reactions that short circuit logical thought. These feelings and emotions spill over into our work.

Instead, we have to recognize them and work to overcome them. We might treat this workshop and other H-ISAC collaborations as a microcosm of the change that needs to happen across society. And I think this group and this community is uniquely poised to do that.

The healthcare cybersecurity community has a unique perspective

We daily fight against mostly invisible issues – viruses and adversaries – that can cause harm and spread like an epidemic – issues that we see, yet others doubt. To fulfil our roles, we have experience building support to address issues like the ones we face societally today. From convincing Legal to invite hackers to test our equipment, to getting investment in new capabilities from business units even in an uncertain future, to showing leadership the fruits of small successes when we have them. We’ve done all of this during times when many of the issues we raised seemed like distant or unimportant ones to the people we are raising those with.

And over the last 8 years I’ve seen the ecosystem go from isolated silos to high-trust, high-collaboration networks of willing allies. This wasn’t easy, and it didn’t happen overnight. But we’re doing it. It took leadership from a lot of people in a lot of organizations to make it happen. And we are making it happen. Many of those leaders are in this room today.

H-ISAC is an existence proof. 5 years ago, who would have thought a self-described hacker would be giving a keynote here? I wouldn’t have.

I’ve seen this spirit of camaraderie and orientation toward a common goal when organizing the Device Lab within the Biohacking Village over the last few years. You’ve shown it with #WeHeartHackers, a collaboration among the FDA, security researchers, and the medical device community to address potential issues in medical devices and to learn from each other. The healthcare cybersecurity community has been crossing organizational boundaries for several years now. We have shown that the healthcare cybersecurity community CAN be better. 

I Am The Cavalry started in 2013 with a realization that “The Cavalry isn’t coming. It falls to us.” That sometimes leadership is just being at the right place, at the right time, with the right approach. I say to this group today, “It falls to us,” to lead and to show others how.

Thoughts on building a better toolchain 

I frequently read multiple books at the same time, or in spurts. These are often unrelated to each other, like a book for work, a novel, and a biography. 

I read 5 books in the past few months that surprisingly all converged on a similar message. After I saw the pattern and method I’m about to describe to you, I couldn’t unsee it. These, seemingly unrelated books are:

  • The New Solution Selling – about sales approaches
  • Zingerman’s Guide to Giving Great Service – from the wonderful bagel shop you’ve enjoyed if you’ve attended Archimedes in Ann Arbor
  • Non-Violent Communication – on arbitrating difficult situations, like Middle East peace accords
  • Never Split the Difference – on hostage negotiations
  • Meditations, by Marcus Aurelius – probably the biggest wild card in here, by the famous Roman emperor and Stoic philosopher

Like all tools, this ones here are imperfect yet it can be useful. They may also seem obvious, and I’m sure many of you do some of these things as second nature. I’m an introverted misanthrope so I can use all the help I can get. 😉

While each of the steps in this chain has value individually, they’re strongest when used together. I encourage you to give it a try today as you’re talking with others at this workshop, and even at home. I was pretty skeptical when I started reading about these tools at first, but people responded immediately when I tried it out. You may feel a bit awkward at first, though if we all try them out together we can support each other through the learning process.

1. Understand and Empathize. We attribute a lot of the success of I Am The Cavalry to leading with empathy. When a group of hackers can use this tool to influence billion dollar corporations, federal agencies, and legislatures, it shows just how powerful empathy can be to bring people together to address common causes and to encourage ourselves to grow.

I believe that all true progress starts with empathy – it’s a superpower you can practice. I believe that until everyone in a conversation is really heard, they can’t fully engage. Therefore, all progress that depends on their perspectives and buyin is an illusion without empathy. 

Right now we need to express ourselves more than ever, yet it’s harder than ever to feel heard. When was the last time you truly felt heard? And when was the last time you truly listened to someone with a drastically different viewpoint, without looking for your chance to speak?

When you really hear what others have to say, you may be surprised what you learn. When you learn a contradictory belief to yours, you may be able to reveal a deeper truth. When you reveal deeper truths, you can find breakthroughs that can satisfy more needs.

  • Adjacent viewpoints are an easy way to get started practicing, and you can build up to divergent ones as you improve, so start by engaging those you already mostly align with. Encourage them to speak and hold off on adding your own commentary. Instead, probe deeper to get to core beliefs. Where do they match your own, and where do they differ?
  • When I encounter very different perspectives I don’t agree with, I use an exercise to try and build empathy for that view. I imagine what must be true for them to believe what they do, and to come to their conclusions. See if you can surprise yourself with what you’re able to learn and grow from this process.

2. Reflect and Correct. Demonstrate that you heard what the other person said by replaying it to them. This is sometimes called active listening. Even if you know you don’t fully understand, give them a stake in the ground and invite them to correct you. This is a chance to probe the person’s feelings and thoughts, and to put yourself in their frame of reference. Ideally you’ll get to why they believe and act the way they do.

It’s OK to speculate a little to try and understand them, just be careful you’re not putting words in their mouth. You can frame your speculation by asking them to help you find the right nuance or framing the reflection as a question. I sometimes preface reflection by saying I believe it’s about 60-80% on target.

  • For instance, from Non-Violent Communication, “Are you feeling apprehensive because this toolchain seems like a lot of effort?”
  • For instance, from Never Split the Difference, “It seems like you are hesitant to try this toolchain because it might not work.”
  • Iterate before moving on. There are often multiple, sometimes seemingly-conflicting ideas. Sometimes the same ideas will be expressed multiple times. Especially in a charged situation, whether tense, emotional, or with baggage attached. Zingerman’s Guide and New Solution Selling emphasize this is a necessary step before others can move forward.

3. A Common Vision Forward. After you have understood and empathized, after you have demonstrated that understanding, describe what the world can look like working together. Start building trust where you already share common ground, like aligned perspectives or consistent framings. Look to satisfy needs, rather than compromising them. 

Describe what this common vision could look like and what it might take to get there. I emphasize this is a vision, so be as visual and tangible as possible. 

Look for easy ways to come to agreement where you differ. Small steps at first, larger ones as you know you’re in sync. Think about a three-legged race or a similar metaphor.

  • This isn’t a zero sum situation, and it’s not a midway point on a linear spectrum. You should both come out of it satisfying your needs without feeling you’ve given up anything you care deeply about. 
  • Collaborations that begin this way can be incredibly fruitful. For instance, I Am The Cavalry built followers quickly and inspired others to tackle hard problems in the same way. For instance, several people in the election security community modeled their efforts after what we did with the Device Lab and used similar approaches to bring together elections officials, security researchers, and equipment manufacturers.

4. You control your reaction. The most important tool. This is not a single step, it enhances all the others. While controlling your reaction sounds intuitive, is a profound and difficult thought to internalize. It’s a tenet of Stoicism that after a lifetime practicing it’s still hard. 

Coming to understand that you control your reactions is incredibly empowering, and this tool intersects with all the others, supercharging them. Initial reactions – like anger, insult, disagreement – are within your control and can overcome them to better get to a common understanding. 

When you have an initial reaction, especially a strong one, it comes from inside you, not from the other person. Recognizing the internal nature of your reactions implores you to investigate their source within yourself, unlocking your ability to truly understand and empathize with others.

Once you know the source of your reaction, you can more precisely frame other points of view, allowing you to reflect them fairly and contextualize. It also helps reduce time and inhibition to accepting corrections of your initial reflection.

Finally, this tool helps avoid unintended bias in building a common vision by allowing you to let go of ideas stemming from maladaptive root causes you found when trying to understand and control your reactions. It’s then easier to build a non-zero sum vision of the way forward.

Practice this toolchain in the workshop today. It will feel awkward at first, so I ask that everyone here agree to work together to practice these tools, without laughter or judgement. I believe this can help the healthcare cybersecurity community lead on the change we need to see to come back together as a cohesive society.

Thank  you very much for your time today and I hope this has been helpful.