Defcon29 & HIMSS 2021

It’s been a whirlwind week and it’s not over, yet. Defcon29 (aka “hacker summer camp”) was August 5-8 in Las Vegas. HIMSS21 (the Health Information Management Systems Society’s global conference) started August 9 and runs through August 13, also in Las Vegas. Temperatures have been as high as 108 degrees F. Both have been hybrid conferences with some online and some in person.

I volunteered with the Biohacking Village at Defcon29, which this year mainly involved monitoring the online discussion boards in case there was any inappropriate behavior. The in person things included villages regarding IoT Hacking, Car Hacking, Voting Machines, Cryptocurrency, Satellite Hacking, and a new group called Security Leaders. There were also some good sessions on Public Policy pertaining to cybersecurity.

I co-authored and co-presented a short talk at HIMSS21…

Cybersecurity in a Complex Healthcare Ecosystem
David Snyder, 42TEK, Inc. & Mitch Parker, Indiana University Health

Managing cybersecurity risk for supply chains with multiple vendors is complicated. Each vendor is clearly responsible for its own system, but who minds the overall end-to-end concerns? These concerns affect both products, such as medical devices, and services, such as telehealth platforms. Healthcare delivery organizations can have over a thousand vendors, many of which connect to the organization’s network. Cybersecurity attackers can invade a supplier’s network, interrupt service, steal information, upload malware, and even get into the healthcare delivery organization’s network to do damage, install ransomware, or steal information. In this presentation, best practices were described for assessing risks, avoiding cybersecurity vulnerabilities, and for network-connected vendors and business partners to maintain security. Special attention was given to hospitals and remote patient monitoring. Containerization, Application Programming Interfaces, and modern virtualization techniques were also covered.

This talk was based on the paper posted elsewhere on this web site.

Key takeaways…

  • equally important with designing, implementing, and maintaining online systems securely is the need to anticipate and expect failures and malicious attacks that will require response and recovery. Sure, cyber defense, but plan for cyber resilience [recover quickly]. Offline backups, emergency contact lists, contingency plans, legal and technical consulting standby contracts, and table top practice session are essential.
  • there is a shortage of trained cybersecurity professionals, so start investing in training for your existing staff while continuing to seek the expertise you need
  • <probably more – I may edit the to add items…>