1 00:00:03,020 --> 00:00:04,710 So, hi, I'm Squiddy. 2 00:00:04,710 --> 00:00:06,530 I'm based in the Midwest of the U.S. 3 00:00:06,530 --> 00:00:09,750 and my talk is about security concerns of the medical laboratory. 4 00:00:10,310 --> 00:00:11,830 Next slide please. 5 00:00:15,100 --> 00:00:16,220 So, who am I? 6 00:00:16,220 --> 00:00:22,260 I'm a health informatics graduate student at IU, focusing on health information security and medical device security. 7 00:00:22,260 --> 00:00:31,500 I'm also a medical laboratory scientist with some phlebotomy experience thrown in as well, but I managed to get off the bench and I'm currently working in laboratory informatics. 8 00:00:31,500 --> 00:00:42,640 This talk is going to be about things that I noticed during my first year in the medical laboratory that concern me just a little bit and things that I would personally like to see changed or see improvements on. 9 00:00:42,640 --> 00:00:50,520 I'm going to focus a bit more on bringing awareness to the field itself and on some physical security concerns more than anything. 10 00:00:50,720 --> 00:00:52,920 It's going to be part of a two-part talk. 11 00:00:52,920 --> 00:01:00,500 I hope to give the second part one of these days, but I'll focus more on data transmission between lab analyzers and the EHR system. 12 00:01:01,500 --> 00:01:02,800 Next slide please. 13 00:01:04,620 --> 00:01:07,780 So first, what is a medical laboratory scientist? 14 00:01:07,780 --> 00:01:14,160 A medical laboratory scientist, in short, performs diagnostic testing on patient samples in the medical lab. 15 00:01:14,160 --> 00:01:24,000 We ensure specimen quality, interpret test results, log test data, controls, perform statistical analysis to verify accuracy and repeatability of testing. 16 00:01:24,000 --> 00:01:33,880 We also work with laboratory instrumentation or analyzers to perform calibration, maintenance, and validation and to troubleshoot instrumentation.
17 00:01:33,880 --> 00:01:37,180 We might help providers select an appropriate test to run. 18 00:01:37,180 --> 00:01:50,920 We have some more advanced education and training in areas like chemistry and biology, including microbiology, than some other healthcare workers like nurses, and we possess more of a scope of knowledge than someone who's more specialized in one area, 19 00:01:50,920 --> 00:01:52,940 like a microbiologist would. 20 00:01:52,940 --> 00:01:58,100 So some of us are specialized in areas like micro or blood bank with our core knowledge. 21 00:01:58,560 --> 00:02:05,300 So when your sample is collected, let's say you go and get your blood drawn, the nurse or the phlebotomist will send your sample to us. 22 00:02:05,300 --> 00:02:07,960 And from there, we perform testing on your sample. 23 00:02:07,960 --> 00:02:13,680 Sometimes this is manual testing by hand, and sometimes that testing involves laboratory instrumentation. 24 00:02:13,680 --> 00:02:15,740 Often it's a hybrid of both. 25 00:02:15,740 --> 00:02:23,260 These days, the lab is mostly automated, but there are still some smaller clinical labs that don't utilize a lot of instrumentation, depending on their need. 26 00:02:23,740 --> 00:02:27,780 We're also responsible for issuing blood products for transfusions. 27 00:02:28,260 --> 00:02:37,020 According to the CDC, an estimated 70% of medical decisions are based on laboratory test results, and 14 billion laboratory tests are ordered annually. 28 00:02:37,640 --> 00:02:39,300 Next slide, please. 29 00:02:39,940 --> 00:02:42,180 So how are we regulated? 30 00:02:42,240 --> 00:02:48,580 Centers for Medicare and Medicaid Services regulates all laboratory testing except for research performed on humans in the U.S. 
31 00:02:48,580 --> 00:03:01,080 through CLIA, or the Clinical Laboratory Improvement Amendments, which regulate laboratory testing and require clinical laboratories to be certified by the CMS before they can accept human samples for diagnostic testing. 32 00:03:01,080 --> 00:03:11,160 The objective of CLIA is to ensure quality laboratory testing, and three federal agencies are responsible for CLIA—the FDA, the CMS, and the CDC. 33 00:03:11,480 --> 00:03:25,820 Each agency has a unique role in assuring laboratory quality testing, and I'll provide a link at the end with citations for a bit more information so that you can go and read a little bit more about how we're regulated, because it's very important information, 34 00:03:25,820 --> 00:03:29,220 but I think it's a little bit too lengthy for a 20-minute talk. 35 00:03:29,680 --> 00:03:30,840 Next slide, please. 36 00:03:31,620 --> 00:03:42,180 So getting into the clinical laboratory and what kind of environment it is, there are multiple departments in a clinical laboratory, and these departments vary by the size of the clinical lab and complexity of testing. 37 00:03:42,180 --> 00:03:46,500 For example, a laboratory at a major hospital will be made up of the following departments. 38 00:03:46,500 --> 00:03:52,780 We have chemistry, where we perform thyroid and hormone-level tests—things like potassium levels, lipid panels. 39 00:03:53,740 --> 00:03:59,740 Immunology, for the study of immune products, like antibodies produced by the body in response to foreign material. 40 00:04:00,040 --> 00:04:04,600 Hematology and COAG, where your blood count is done and your blood cell morphology is examined. 41 00:04:05,340 --> 00:04:08,680 Microbiology, where we do some really cool stuff, like culture samples for E. 42 00:04:08,680 --> 00:04:11,440 coli and Salmonella—things like Pseudomonas and C. 43 00:04:11,440 --> 00:04:12,060 diff. 
44 00:04:12,460 --> 00:04:16,300 Blood Bank, where we type your blood and issue blood products for transfusion. 45 00:04:17,500 --> 00:04:22,520 There's also going to be a processing and receiving department for samples coming into the lab. 46 00:04:23,360 --> 00:04:24,680 Next slide, please. 47 00:04:25,680 --> 00:04:28,900 The lab is occupied by various medical professionals. 48 00:04:28,900 --> 00:04:37,440 First and foremost, we have medical or clinical laboratory scientists, also known as medical laboratory technologists, who perform complex laboratory testing. 49 00:04:37,440 --> 00:04:49,200 We'll perform exacting tests, like molecular and genetic testing, and we also deal with samples that present unusual diagnosis challenges and select appropriate testing agents and methodologies for them. 50 00:04:49,200 --> 00:04:55,640 Becoming an MLS requires a four-year Bachelor of Science degree, part of which will be a clinical rotation in a hospital laboratory. 51 00:04:56,140 --> 00:05:04,380 For laboratory technicians, they're also supposed to perform routine testing in order to assist medical lab scientists and technologists perform their duties. 52 00:05:04,540 --> 00:05:09,340 Theirs is typically a less comprehensive two-year program, and there are certain tests they can't perform. 53 00:05:09,400 --> 00:05:16,980 But the truth of the matter is that sometimes they end up performing a lot of the same testing as we do, especially since there is a shortage of laboratory scientists. 54 00:05:16,980 --> 00:05:30,780 The other players in a lab are lab assistants, who can assist us in receiving samples and bringing them to appropriate departments, our phlebotomists, who perform blood draws for testing, senior techs and heads of departments, and the laboratory director. 55 00:05:31,220 --> 00:05:32,540 Next slide, please. 
56 00:05:33,180 --> 00:05:40,540 So the key point here is that there are a lot of different workers in a lab working all at once and handling a large amount of patient data. 57 00:05:40,540 --> 00:05:45,200 Laboratory workers can also come and go, leave one lab and work in a different lab. 58 00:05:45,200 --> 00:05:50,620 But because there is a shortage at the moment, it's been difficult to keep labs appropriately staffed. 59 00:05:50,620 --> 00:05:57,180 Since there is such a shortage, employers are willing to hire techs who may be a little less qualified, still need a little bit more training. 60 00:05:57,260 --> 00:06:06,200 Because of the need for lab techs who can handle patient testing, new techs may have their training cut short a bit and may be thrown on the bench to handle testing a little earlier than usual. 61 00:06:06,200 --> 00:06:09,500 And so lack the training that some other techs would have received. 62 00:06:09,520 --> 00:06:21,520 So if we're looking at the appropriate handling of patient data, then right away, there may be techs who lack that training or who didn't receive a full training schedule who are handling patient information, and it can lead to mistakes being made. 63 00:06:21,520 --> 00:06:30,720 For example, a lot of the time, cell phone use, especially for things like taking pictures, is only permitted under very specific circumstances in the lab or not at all. 64 00:06:30,720 --> 00:06:36,180 I've worked at places where some use is allowed, specific use is allowed, or phone usage is not permitted at all. 65 00:06:36,200 --> 00:06:43,040 And not every tech coming in is going to know that or know that usage is limited to prevent an accidental breach of patient data. 66 00:06:43,420 --> 00:06:49,500 A busy lab and a shortage of staff means that techs have to be able to move between departments in a rapid fashion. 
67 00:06:49,500 --> 00:07:02,500 We may put a sample down that we're working on and move to another department to complete a test, then come back, pick up that sample and continue where we left off, even when it's best practice to sit down and finish a test to completion before moving on. 68 00:07:02,500 --> 00:07:04,660 Sometimes it's just not possible. 69 00:07:05,120 --> 00:07:10,600 Sometimes techs working third shift, there may only be two or three techs working all of the departments at once. 70 00:07:11,980 --> 00:07:18,720 When we perform testing, we often resolve this testing in our laboratory information systems, such as Cerner, SoftLab, or Meditech. 71 00:07:18,720 --> 00:07:29,060 And to do this, we have to log into a computer to access the software, which brings us to the next part of the talk, which is technology that resides in our lab, instrumentation, and our LIS system. 72 00:07:29,200 --> 00:07:30,360 Next slide, please. 73 00:07:31,140 --> 00:07:34,520 There are a multitude of laboratory analyzers for use today. 74 00:07:34,520 --> 00:07:44,900 For example, if you've checked out the medical device lab at the Biohacking Village, you'll see the ID Now, which is this middle picture on the bottom here, and that's used for point-of-care COVID testing. 75 00:07:44,900 --> 00:07:49,820 We have chemistry analyzers like the Vitros that run the thyroid tests and hormone panels. 76 00:07:49,820 --> 00:07:58,800 We have urinalysis analyzers like the Clinitek, analyzers for blood cultures, analyzers in Blood Bank like the Ortho Vision to perform our type and screens. 77 00:07:58,800 --> 00:08:02,120 All of these analyzers are going to interface a little differently. 78 00:08:02,120 --> 00:08:05,620 They'll be running on different operating systems and handle data differently. 79 00:08:05,780 --> 00:08:08,580 Each instrument may be from a different vendor. 80 00:08:08,660 --> 00:08:11,500 There may be older analyzers mixed in with brand new ones.
81 00:08:11,500 --> 00:08:22,400 For example, in my clinical rotation in 2021, we had a Stago coag analyzer running on DOS, and across the room, a brand new Vitros for chemistry, and this was at a major hospital. 82 00:08:23,000 --> 00:08:24,340 Next slide, please. 83 00:08:25,860 --> 00:08:34,240 These instruments send data to the Laboratory Information System, like Cerner, and sometimes techs may have to enter or verify test data there. 84 00:08:34,460 --> 00:08:49,760 Laboratory Information System, or LIS, is used interchangeably with Laboratory Information Management System, or LIMS, but LIS is more patient-based, whereas Laboratory Management System is typically more of a sample-based process. 85 00:08:50,320 --> 00:08:52,060 Next slide, please. 86 00:08:52,060 --> 00:09:03,180 When the information goes out of the LIS, it will go to a middleware like Cloverleaf to streamline the exchange of patient data between the LIS and the EHR patient record system, like Epic. 87 00:09:03,300 --> 00:09:17,520 There may be a middleware used between the instrument itself and the LIS, and middleware is often one step used to establish a web-based interface which can support all the standards like ASTM, HL7, and ICOM data transfer from an analyzer. 88 00:09:17,520 --> 00:09:20,680 Each analyzer may use a different data transmission standard. 89 00:09:20,680 --> 00:09:24,220 A lot of analyzers still communicate using ASTM. 90 00:09:24,840 --> 00:09:26,380 Next slide, please. 91 00:09:26,380 --> 00:09:34,140 When examining security concerns or vulnerabilities in the medical laboratory, we have to worry about three things, or three areas. 92 00:09:34,140 --> 00:09:45,620 Physical access to the laboratory computers or instrumentation, the variation in instrumentation and how they each handle patient data, especially in terms of storing and transferring that data.
93 00:09:45,940 --> 00:09:55,700 Some older analyzers are built to store patient data on floppy disks or tapes still, though thankfully this is not typically done, even when those analyzers are still used today. 94 00:09:56,420 --> 00:09:57,680 Simple human error. 95 00:09:57,680 --> 00:10:00,200 People may leave their computer terminal logged in. 96 00:10:00,200 --> 00:10:03,460 They may leave Epic open, which is used to view patient records. 97 00:10:03,460 --> 00:10:08,500 They may stay logged into the LIS on one computer and move to the next computer and log in there. 98 00:10:08,740 --> 00:10:12,140 They may take pictures and forget to obscure patient data. 99 00:10:13,040 --> 00:10:14,560 Next slide, please. 100 00:10:15,800 --> 00:10:21,460 In my almost a year and a half of walking around the clinical laboratory at different facilities, I noticed a whole lot. 101 00:10:21,460 --> 00:10:37,360 For example, a badge may be required to access a lab, but I've also noticed that if you are at least dressed like a healthcare worker and you knock at that lab door, someone's bound to let you in, since sometimes nurses and other workers will come down to the lab either to grab blood products or deliver samples. 102 00:10:39,320 --> 00:10:43,240 Sometimes we've had to move samples from one lab to another. 103 00:10:43,240 --> 00:10:54,680 And I'm not going to say where this was at, but we've had people call in their relatives or non-healthcare workers to deliver samples that have patient information between the two laboratories. 104 00:10:56,120 --> 00:11:08,120 A password may be required to access computers and used to access patient data, but the same password is often used between computers, network, the LIS, and the patient record system. 105 00:11:08,120 --> 00:11:17,360 While a password change is usually required at least once every three months from what I've seen, there isn't always a restriction in place to prevent users from reusing an old password.
106 00:11:17,660 --> 00:11:31,220 There is a constant flow of techs in and out of the lab, rotating between departments, often forgetting to log out of their computer or leaving the patient record system logged in, which means someone else could gain access to their session and grab data. 107 00:11:31,220 --> 00:11:41,280 There is physical access to computers with open USB ports and the ability to plug in devices like keyboards and mice that you bring from home without the device being screened first. 108 00:11:41,540 --> 00:11:47,180 There is also no camera surveillance in the lab, as surveillance can itself result in a HIPAA violation. 109 00:11:47,220 --> 00:11:55,100 But this also means should patient data be accessed at a computer under one login, there isn't always a way to check who was sitting in that chair. 110 00:11:55,100 --> 00:12:02,520 Some people will clock out for lunch and go to the break room and then go back in the lab periodically to check a sample running on an analyzer. 111 00:12:02,520 --> 00:12:07,680 So the clock officially shows them on break, but they may in fact be in the lab handling samples. 112 00:12:08,200 --> 00:12:11,160 There may not always be an electronic trail of that. 113 00:12:12,840 --> 00:12:14,720 Next slide, please. 114 00:12:15,100 --> 00:12:22,260 To me, right now with the current level of understanding, the biggest concern is, of course, and always, human error. 115 00:12:22,260 --> 00:12:30,180 It's people leaving their session logged in, writing down passwords on sticky notes or using simple ones, sharing passwords. 116 00:12:30,180 --> 00:12:34,200 It's people forgetting to lock their machine despite being informed to do so. 117 00:12:34,200 --> 00:12:39,880 People using each other's badges to gain access to an analyzer and run a sample. 118 00:12:39,880 --> 00:12:42,780 Outside of training sometimes as well. 119 00:12:42,800 --> 00:12:45,960 A lot of techs don't understand the severity of these actions.
120 00:12:45,960 --> 00:12:56,100 And I think one way we can fix this is to hold more informational sessions in the lab and focus not only on the fact that it's important to log out or lock your session. 121 00:12:56,100 --> 00:13:02,580 But what could also happen if they don't and what the consequences could be for a patient and for the tech who left their session open. 122 00:13:02,820 --> 00:13:07,420 Many don't seem to understand the level of impact this can have on a patient's life. 123 00:13:07,420 --> 00:13:16,280 Even if a tech slips up or acts maliciously with patient data and is caught and terminated, that won't prevent that data from circulating once it's leaked. 124 00:13:17,780 --> 00:13:19,480 Next slide, please. 125 00:13:19,740 --> 00:13:20,800 So why should you care? 126 00:13:20,800 --> 00:13:22,080 Because it's your data. 127 00:13:22,080 --> 00:13:28,820 That's your SSN, that's your date of birth, your address, your test results saying you're positive or negative for something. 128 00:13:28,820 --> 00:13:34,100 Sometimes that information could be a test result for HIV, a positive cancer diagnosis. 129 00:13:34,100 --> 00:13:38,000 It's sensitive information that can have severe consequences if leaked. 130 00:13:38,000 --> 00:13:41,860 That's all your medical history, sometimes spanning throughout your entire life. 131 00:13:41,860 --> 00:13:46,120 And it's all the personal data that can be held about you in your medical record. 132 00:13:46,840 --> 00:13:48,520 Next slide, please. 133 00:13:49,200 --> 00:13:50,880 So you could help us too. 134 00:13:50,880 --> 00:13:52,980 We need more security-minded people. 135 00:13:52,980 --> 00:13:55,640 We need more lab techs with a security brain. 136 00:13:55,640 --> 00:13:58,980 We need more security warriors willing to protect patient data. 137 00:13:58,980 --> 00:14:05,180 And most importantly, we need more people who care enough and who possess a background to understand healthcare workflow. 
138 00:14:05,240 --> 00:14:09,820 How much restriction can we place in the lab without slowing down patient testing? 139 00:14:09,820 --> 00:14:16,040 How much security precautions can we put in place without increasing the time that a sample is run? 140 00:14:16,040 --> 00:14:19,980 And therefore, increasing the time for a patient to receive proper care. 141 00:14:20,060 --> 00:14:26,380 So if you work in cybersecurity at a facility with a medical laboratory, please get to know your lab department. 142 00:14:26,380 --> 00:14:28,660 We really want your data to be safe too. 143 00:14:29,940 --> 00:14:32,720 I guess I've really whizzed past this talk. 144 00:14:32,720 --> 00:14:37,620 When I rehearsed it before, I got up to about 17 minutes. 145 00:14:37,620 --> 00:14:39,780 We're currently at about 14. 146 00:14:39,780 --> 00:14:41,940 I guess that leaves some time for questions. 147 00:14:41,940 --> 00:14:43,720 But next slide, please. 148 00:14:44,960 --> 00:14:47,880 I have some citations that you can go and check out. 149 00:14:47,880 --> 00:14:52,440 And if you'd like a copy of the slide deck, you can DM me or send me a message. 150 00:14:53,200 --> 00:14:54,400 Next slide. 151 00:14:55,860 --> 00:14:57,360 Thanks for listening. 152 00:14:57,360 --> 00:15:05,160 This talk was mostly to bring awareness to the medical laboratory field, and that there are those of us who are concerned about how your data is handled. 153 00:15:05,160 --> 00:15:07,760 We really want to make things more secure for you. 154 00:15:07,820 --> 00:15:14,040 I hope this will maybe help to get people thinking about patient data in the laboratory, and kickstart some serious change. 155 00:15:14,040 --> 00:15:20,600 If you're here at DEF CON, come find me to get a little homemade badge of my squid character, or DM me on Twitter. 156 00:15:20,600 --> 00:15:23,540 I really only use the account listed here during cons. 157 00:15:24,680 --> 00:15:25,960 Thanks, you guys.
158 00:15:36,220 --> 00:15:39,020 If there are any questions, I'll do my best to answer. 159 00:15:41,420 --> 00:15:50,660 Do you think that this kind of lack of control of the data is systemic to the whole industry, or do you think it's only problem spots? 160 00:15:51,820 --> 00:15:54,900 I think it would be whole industry. 161 00:15:55,000 --> 00:15:59,200 I think, yes, I think this kind of thing is really prevalent throughout healthcare. 162 00:16:02,140 --> 00:16:03,880 Do you think that stronger policies... 163 00:16:03,880 --> 00:16:15,840 I know HIPAA is in place, but what stronger internal policies do you think actually help, or do you think you would still run into the same kind of issues of people just kind of ignoring them or just getting around them? 164 00:16:16,460 --> 00:16:24,940 We do have some stronger policies in place in a lot of the hospitals I've been in, but I don't think they do as much as people want them to. 165 00:16:24,940 --> 00:16:29,780 I think we would still run into the same problem of people just not understanding the impact. 166 00:16:29,780 --> 00:16:42,820 I feel like techs coming into the lab, people going into healthcare, they need more training, they need to know how this can impact patients, and policies aren't exactly going to explain all of that to them. 167 00:16:42,960 --> 00:16:51,960 They may put things in place, make things a little bit harder to access, but where there's a will, there's a way, and people always find a way to circumvent protocols that are put in place. 168 00:16:57,340 --> 00:17:09,320 So I've heard the horror stories of medical or laboratory equipment running awfully, awfully outdated software that's vulnerable in a hundred different ways. 169 00:17:10,220 --> 00:17:22,060 Do you say that internal sort of lack of awareness or internal threats pose a bigger risk than external threats? 170 00:17:24,060 --> 00:17:28,380 That's a difficult one to answer, but I'm going to say yeah, I think so. 
171 00:17:28,380 --> 00:17:40,760 I think we're more likely to see something due to somebody slipping up than we are to an external attack, if that answers your question. 172 00:17:41,680 --> 00:17:56,640 What happens when something like internal to a hospital, like a medical record number is released or something like that? 173 00:17:57,800 --> 00:18:05,720 What would happen is first there'd be an investigation by compliance. 174 00:18:05,720 --> 00:18:08,380 We would try and find out the source of the leak. 175 00:18:08,940 --> 00:18:14,680 We would alert the patient immediately that this information has been leaked. 176 00:18:14,700 --> 00:18:20,060 But from there, I don't have that compliance background to let you know fully what the hospital would do. 177 00:18:20,060 --> 00:18:21,260 Okay. 178 00:18:21,420 --> 00:18:34,360 Also, what do you think that is limiting the big groups that run the hospitals and clinics and all that stuff? 179 00:18:34,360 --> 00:18:39,060 What do you think is keeping them from upgrading the systems and stuff? 180 00:18:39,060 --> 00:18:44,920 Because I've heard that some still run on Windows XP, I think, Windows Vista. 181 00:18:45,480 --> 00:18:48,660 Some of it just has to do with funding. 182 00:18:48,660 --> 00:18:55,060 Some of it just has to do with the funding that the medical laboratory needs to bring in these analyzers. 183 00:18:55,640 --> 00:19:04,360 And I'm not sure if you're asking the people who run these organizations if they really understand the need that we have for updated instrumentation. 184 00:19:04,360 --> 00:19:06,420 So I think that's part of it. 185 00:19:06,620 --> 00:19:11,760 And I think part of it is also that the lab gets very used to using one analyzer. 186 00:19:11,760 --> 00:19:14,720 And some people are very hesitant to change. 187 00:19:14,720 --> 00:19:16,580 I think that's another one. 188 00:19:18,660 --> 00:19:19,840 Okay. 189 00:19:19,840 --> 00:19:25,270 Thank you. 
190 00:19:25,270 --> 00:19:38,930 What kind of positions would it be for someone that wants to get into security of hospitals? 191 00:19:40,810 --> 00:19:48,190 We have a security team and we have an IT apps team that you could join. 192 00:19:48,190 --> 00:19:50,870 You wouldn't exactly need a healthcare background. 193 00:19:50,890 --> 00:20:01,070 But I would say we would need more techs, more people in health informatics, for one, that could join the laboratory and create change from within the laboratory. 194 00:20:01,690 --> 00:20:07,710 Because we have security teams, but a lot of the problem is that they don't understand the healthcare workflow enough. 195 00:20:10,960 --> 00:20:11,600 Okay. 196 00:20:11,600 --> 00:20:18,940 So what you're saying is that you're looking for people that are more skilled in health informatics, right? 197 00:20:19,520 --> 00:20:20,180 Yeah, sure. 198 00:20:20,180 --> 00:20:22,820 Health informatics, laboratory information systems. 199 00:20:22,840 --> 00:20:26,760 People that kind of have a mix of both IT and healthcare. 200 00:20:27,820 --> 00:20:28,480 Okay. 201 00:20:28,480 --> 00:20:29,360 Thank you. 202 00:20:29,460 --> 00:20:31,040 No problem. 203 00:20:35,750 --> 00:20:51,610 Do you think some of the issues might be that the people working there don't actually understand the impact of violating some of the security policies that to them it seems inconsequential, not realizing the risk it's putting them in and the system in? 204 00:20:52,030 --> 00:20:53,010 Absolutely. 205 00:20:53,010 --> 00:20:55,490 I think that's absolutely true. 206 00:20:56,150 --> 00:21:00,670 A lot of people, they don't really think about it on a day-to-day basis either. 207 00:21:00,950 --> 00:21:07,870 It's very much, you know, we need to do what we need to do to be able to get this sample out the door and to get this sample completed. 
208 00:21:07,870 --> 00:21:17,710 And if that means overriding something that's telling you, hey, stop, don't press a button, or, hey, do you want to stay logged in for this extended amount of time and they just breeze past it? 209 00:21:18,570 --> 00:21:23,770 A lot of people don't really think about those things or think about how it could impact them. 210 00:21:36,470 --> 00:21:42,570 Some of them, yeah, there is going to be, especially right now with the shortage of techs, training might be limited. 211 00:21:42,570 --> 00:21:58,070 But even for those that have had years and years of training, people who have been in the lab for 40-odd years, they still might not understand exactly how that breach can impact a patient, especially now with newer systems and newer technologies in place. 212 00:21:58,070 --> 00:22:11,650 They might not understand all of the layers that come into play in terms of patient data these days, because when they started out in the lab, they didn't have all of this information that they were working with. 213 00:22:11,650 --> 00:22:13,410 You know, mouth pipetting was still a thing. 214 00:22:13,410 --> 00:22:15,710 It was still very much a manual process. 215 00:22:17,470 --> 00:22:23,390 I think definitely more training, consistent education on it would be good. 216 00:22:25,890 --> 00:22:26,970 Okay. 217 00:22:28,670 --> 00:22:39,690 What are your thoughts on when the whole WannaCrypt ransomware attack happened that affected hospitals and clinics? 218 00:22:39,690 --> 00:22:41,350 What were your thoughts on that? 219 00:22:41,350 --> 00:22:43,170 Did that ever happen in your place? 220 00:22:43,650 --> 00:22:46,890 It didn't happen anywhere that I worked. 221 00:22:48,210 --> 00:22:53,910 I guess my thoughts on it was that it was terrible and a lot of people didn't know how to handle it at all. 222 00:22:53,910 --> 00:22:56,630 A lot of hospitals weren't sure how to deal with that threat. 
223 00:22:56,630 --> 00:23:01,590 And that's just from what I've heard, because that was from before I entered the workforce. 224 00:23:02,350 --> 00:23:03,230 Okay. 225 00:23:06,580 --> 00:23:07,620 Thank you. 226 00:23:08,280 --> 00:23:09,500 No problem. 227 00:23:25,360 --> 00:23:26,200 Thanks. 228 00:23:28,460 --> 00:23:34,100 If there are any more questions, you can definitely shoot me a DM or you can come find me, send me an email. 229 00:23:34,140 --> 00:23:38,360 I'd be happy to talk with you more, especially about this topic. 230 00:23:55,270 --> 00:23:57,190 I didn't realize I was muted. 231 00:23:58,010 --> 00:23:59,990 Thank you, Squiddy, for an excellent talk. 232 00:23:59,990 --> 00:24:05,150 Your talk in last DEF CON, which was 2020, was excellent as well. 233 00:24:05,930 --> 00:24:09,230 And if you're going to be around in here, people can talk to you in here too. 234 00:24:09,230 --> 00:24:15,150 I know you're at DEF CON, so you may not actually be in AltspaceVR for much longer. 235 00:24:15,150 --> 00:24:16,090 Is that correct? 236 00:24:16,750 --> 00:24:18,310 Yeah, that's correct. 237 00:24:18,310 --> 00:24:22,690 But I'll try and hang out for a little while longer if people want to come find me in Altspace. 238 00:24:23,270 --> 00:24:24,270 Okay. 239 00:24:24,270 --> 00:24:34,550 And also just a reminder that we don't have any presentations scheduled for tomorrow, but the spaces will be open for people to hang out and talk and network. 240 00:24:35,050 --> 00:24:39,590 So our next presenter won't be here for roughly another 30 minutes. 241 00:24:40,050 --> 00:24:48,850 So now's a good time to take a bio break, wander around, look for some of the Easter eggs, talk to some of the speakers, and we'll see you back here in about 30 minutes.