A Conversation with Nina Alli: Expanding and Growing the Biohacking Village at DEF CON

Nina Alli, co-founder and executive director of Biohacking Village, discusses what's new and exciting at this year's DEF CON.

In this episode, Mike welcomes Nina Alli, Co-Founder and Executive Director of the Biohacking Village at DEF CON. Join us as they talk about what’s new and exciting in this year’s Biohacking Village. Nina notes the addition of a real-world hospital simulation where each medical device exists as a system of connected devices.

SHOW NOTES

Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

In this episode Mike Murray welcomes Nina Alli, who has over 16 years of experience in biotechnology, biomedical, and security with a focus on healthcare. She is currently the Executive Director of Biohacking Village at DEFCON.

Asked how her team was able to get medical device manufacturers onboard in their third year of operation, Nina says that it was a direct result of spending those first two years “convincing the world that we were not there to be nefarious.”

One of the ways they did this was by partnering with IoT Village and providing their own medical devices at their event. Once they were able to successfully collaborate with vendors later on, the Device Lab was conceived to allow for face-to-face conversations between medical device manufacturers and the hacker community.

Due to the pandemic, Biohacking Village had little choice but to limit themselves to online events. In 2022, Nina plans to double down on hands-on exercises. For the Device Lab, she wants to bring in bigger machines and present more comprehensive workflows to demonstrate how medical devices are actually made.

In a similar vein, the team is preparing to showcase a virtual space they call “The Loft,” in which one can traverse an entire hospital and see all of these devices at work in their natural habitat. This is yet another experience which she hopes can help bridge the gap between hackers and healthcare and effectively promote the cybersecurity industry to countless talented individuals.

Nina personally seeks more conversations between different entities in healthcare, big and small, and to let people know that the industry isn’t influenced exclusively by the FDA and the HHS. By bringing all of these players together, she hopes to tackle questions such as: “What does good risk prevention look like?” “What are the effects of all the decisions we are making?” and “Why aren’t there more people that are directly involved in those conversations?”

Finally, Mike and Nina comment on the alarming lack of regulation for providers. As an example, good hospitals monitor their systems, logging for cybersecurity incidents. However, Mike laments the fact that very few hospitals in the nation have a standardized process for doing just that. Nina emphasizes that physicians must be taught to become knowledgeable about their work not only from the medical standpoint, but the cybersecurity standpoint as well.

TIME STAMPS

– An introduction to Nina Alli.

– Successfully partnering with medical device manufacturers.

– Seeing medical devices not as singular but as a system.

– What 2022 holds for Biohacking Village.

– Developing “The Loft.”

– Bridging hackers and healthcare.

– Nina’s personal vision for 2022 and beyond.

– Helping doctors see risk from the point of view of cyber, not just patient care.

– Addressing the lack of regulation for providers.

– How to connect with Nina.

– How Mike has evolved as a cybersecurity professional thanks to DEF CON.

0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

[music]

0:00:20.7 Mike Murray: Hello and welcome to this week’s In Scope, The Healthcare Security Podcast. You can tell I’m laughing already because this week’s guest is one of my absolute favorite people. And I said to Phil before we started today that the hardest part was going to be not to be too much of a fan boy on this week’s podcast, because I have with me, one of the most luminary people in the medical cyber security community. With me today is Nina Alli, who is the driving force behind the Biohacking Village at DEFCON. And for those who don’t know the Biohacking Village, because I know not every one of our audience has hung out at DEFCON for the last 20 years like I have. The Biohacking Village is really a lot of the center of medical Cyber Security Research in our community. Every year the vendors bring devices and hackers hack on them, and there’s great talks and Scope’s been a sponsor for the last couple of years, because we think that the Biohacking Village is incredible, and we think that the work that Nina does is incredible.

0:01:18.8 MM: And so today, I have Nina with me and I’m really excited to hear everything that she’s up to and everything she has to say. So, Nina in your own words, tell everybody who you are, ’cause I just kinda geeked out on you there for a minute, but where did you come from, what’s your bio? Tell us a little bit about you.

0:01:36.2 Nina Alli: Oh, this is like a for real origin story, like, sperm meets egg kinda moment. [chuckle] Interesting. Where do I come from? New York. So I am a New York City origin human, which is my theme song in life, apparently, ’cause I tell everybody, because apparently there’s a differentiation between New York and New York City, either way. Everybody remembers their first job, right? And it’s always super interesting what that was, so let’s talk about you for a second. What was your first job?

0:02:01.2 MM: Wait, you’re turning this around on me?

0:02:02.5 NA: Yeah, I’m totally turning it on you.

0:02:03.7 MM: Alright, so my first job was as a baseball umpire for Little League.

0:02:07.7 NA: See, that’s cool.

0:02:09.8 MM: That’s what I spent my teenage years doing and teaching kids how to play hockey.

0:02:15.0 NA: See, so you should bring those skills to the community and do roller hockey.

0:02:19.5 MM: We don’t need more hockey in the community.

0:02:21.7 NA: No, I don’t…

0:02:21.8 MM: There’s enough of us Canadians already. So, how did you get into medical device stuff? Like, why medical devices?

0:02:27.5 NA: So origin story. First job ever was working as a receptionist in a nurse’s retirement home. So, life goal achieved right there. And then I went off into the military, did and stuff, got out, went to the Department of Labor, the military liaison was like, What do you wanna do? Do you wanna work with children? Do you wanna do this? He asked me if I was good with computers? Went on a two and a half hour interview for implementing an electronic medical record. The man was like… Before I even walked out, the guy, his name is Dennis, he’s like, you got the job. I just need you to know that before you leave. And I was like, Yes. Amazing. So that’s where the whole thing started. So, 2006 I started working on electronic medical records, and that’s when they first had started to be implemented. They were still sort of that individualized area of, gynecology has their own EMR, cardiovascular has their own EMR, and this was integrating all of those things and just implementing pieces and parts until it all got put in there.

0:03:33.1 NA: And then, I’ve just been doing EMRs and then the associated IoT IoMT, Internet of medical…

0:03:41.2 MM: Things.

0:03:41.3 NA: Yes. So those things, I worked primarily in surgical oncology with all of the things, with every single device ever created by man and God, and putting those things together into logical formats for the surgeons and physicians, and clinicians and patients.

0:03:56.0 MM: How did you get from there to Biohacking Village at DEFCON?

0:04:00.4 NA: I am not one of the original owners of the Biohacking Village. They started a year before me, and I remember looking at the DEFCON website, and it was like, Biohacking Village, it’s new, it’s doing the thing, and the next day it was gone. And my heart melted a little bit, and then I went back and it was back up. So, I went to DEFCON, that was my first DEFCON, I think it was either 2014… It was 2014. And actually the schedule was completely off by an hour, so I just sat in the room. And by happen chance, I happened to sit by one of the coordinators of the Biohacking Village, and we just had lots of conversations in January of the next year so in 2015, he said, We need a PM. Do you wanna do it? So I said yes, and that’s my registry with Biohacking Village.

0:04:50.1 MM: And so the first few years, I remember distinctly when this started in the first couple of years, because that was when I was at GE, and I know that the medical device manufacturers were… Let’s put this nicely…

0:05:01.9 NA: Oh, you’re just going right in. Alright.

0:05:03.0 MM: There’s a nice word for this, reluctant to participate. How did you all get them, the vendors to the table?

0:05:12.9 NA: Kindness, kindness and love. How did we get them? So, we… That’s a great question. We did not have a device lab for, I think it started when I was in year three. And a lot of that, year one and year two was primarily convincing the world that we were not there to be nefarious, that we were not there to cause pain to the healthcare by medical pharma industry, and eventually we teamed up with the IoT Village, and we had a small medical IoT table there, and that we had brought all of the medical devices and people are like, Oh, this is great, and then the next year, we started the device lab where it was more, let’s bring the medical device manufacturers, they have more hands on, there’s a little more ownership on their side of bringing the devices, having those face-to-face conversations with the hacker community, so that they can help have that conversation and understand what the researcher community is doing in terms of how they’re researching, how they’re disclosing and ultimately trying to bring those people into the auspices of the medical community and helping build out more of the medical devices.

0:06:24.3 MM: For those not familiar, what’s come out of it? Like, how has that worked out for the last few years?

0:06:29.4 NA: Brilliantly. So, it’s gotten so much bigger and I love this question. So my background is in hospitals, right. So when I look at the devices, I don’t see them as singular, I see them as a system. So over the years, it wasn’t just an idea of, “Okay, this manufacturer will have this table, and they’ll have their own table.” It’s more, “How are we going to start networking these things, creating a system of systems so that people understand?” As opposed to what Grey’s Anatomy and some of the other medical shows show, people are not kept alive by a pulse-ox and a heart-monitor. There’s so much more to this workflow, when you’re a patient and when you’re a physician. So every time we do the device lab, or the Biohacking Village, just in general with the different labs, it’s always a next level thing of, “What did we do last year that didn’t work?” I’m very big on, “Let’s do a SWOT analysis” on everything. What didn’t work, what did work, and how are we gonna make that better? And I, as a thing, whenever I end meetings with the team, I ask them, “What are we not seeing? What can we do better?” And if it’s just garbage, if it’s a garbage idea, we have to toss it because we can’t spend time on this to make this community better.

0:07:42.5 MM: Completely. So where do you go from here? What’s next? And then I wanna go a completely different direction. But what does 2022 look like for Biohacking Village? What’s the plan?

0:07:53.3 NA: So here’s the thing friends, I just had this conversation with Mike, so now he’s just in here asking for all this information. So the last 2 years, because of COVID, we’ve had to do more of the online situation, which is great, because accessibility, right. Everybody can now join DEF CON, everybody gets to be a part of it. It’s a lot of work. We’re gonna have the Speaker Lab. I’ve had lots of conversations with a lot of different people, and we do have a line-up already because I’m an overachiever and by January, I’m like, “Nope. Half of this has to be done.” So we have a line-up and for all intents and purposes, it’s pretty extraordinary. I learn better by hands-on, so we also have hands-on exercises that are just mindblowing, this year. The Device lab, we are gonna do it more where it’s system of systems, where things are going to be connected, and we are going to be bringing in bigger machines, things that under normal circumstances, you wouldn’t see as a patient, or maybe you wouldn’t remember seeing as a patient because you’re in surgery already under anesthesia. And just full workflows for how the medical device is actually made.

0:08:58.6 NA: It’s not just like, “Oh, here’s an iPhone. Slam it into your arm, that’s good enough.” More like, “Here’s the chipset, here’s the thing, here are the mechanisms, here’s the bio-film or plastic or glass that goes around it to protect the humans so that whatever metals inside don’t start integrating with your bloodstream and being broken down that by the [inaudible] by the iron in your blood, etcetera. We’re doing a table-top exercise. So if you know me, talking is great, right? Table-top exercises are amazing, they’re great, they do what they’re supposed to do. But I wanted to do something more integrative this year where it’s a lot more hands-on. This is going to be an exercise in patience, in understanding, knowing your side of the situation, just as much as understanding the doctor’s side, the physician’s side, national security, all the things. And then we have the capture the flag, which is also going to be a lot bigger this year because of all the changes that have rapidly been happening. So there’s just a lot of things. It’s massive.

0:09:57.1 MM: It’s almost a conference in itself. So for those who haven’t been there, you can go to DEF CON and you can spend all your time with the Biohacking Village.

0:10:03.2 NA: We take up a whole block now.

0:10:06.8 MM: It’s incredible. I mean, the capture the flag itself… So I don’t usually get to play capture the flag. And two years ago when COVID started, obviously we weren’t at DEF CON and I got to play and played the capture the flag with the scope team myself and…

0:10:20.5 NA: Wait… Sorry, sorry, chronic interrupter. So I forgot. So last year we had this thing called the Loft. And because I’m over Zoom, I think we’re all over Zoom. So this created a space where people could go into the different doors, into the different areas. And if you went into the CTF, it looked like a workshop, and if you… A wood-workshop? These are words, I don’t know if they make sense, but these are words. And then if you go into the T-tech’s room, it looked like a table that you could all talk at. Blah, blah, blah, blah. So this year, we are making those things bigger because accessibility. Because I don’t want it to just be, “Come to DEF CON, and this is the only time you can experience things.” It’s going to be also like, “You can go to the Loft and spend time there.”

0:11:01.8 MM: And by the way… Hang on. Just for everybody that doesn’t know, this is a virtual space, this isn’t a loft in the building.

0:11:07.0 NA: Yeah, sorry. Correct. Yes, yes, it’s online.

0:11:12.0 MM: And it’s as cool as she says it is. I hung out there last year.

0:11:14.6 NA: But we’re making it better. Let me tell you how, we’re building a hospital in that space. We’re building… Yup, we’re building a legit hospital modeled after some of the awesome hospitals that are more recently built. And we’re showing the devices that are brought to the village. And we’re like, “Yes, this specific thing would be in the ER, and this baby incubator would be in NICU, and this anesthesia machine would be in surg, things like that. So that you can understand not just the logistics of things, but also the topologies where it’s, “Oh. Okay, that makes sense as to why it’s in this enclave” or whatever, however we end up setting up the hospital.

0:11:58.7 NA: I think that’s super important just to put out, because a lot of conversations that I continue to have is that there’s not enough people to hire in medical. And I find that fascinating because to an extent, yes, but medical has also made it a little more difficult to get into. And because how medical in general is where it’s that you go see your general practitioner, you have that conversation with them and they’re like, “Oh, you might have diabetes. Go see the endocrinologist.” And you go see the endocrinologist, and then they’re like, “Oh, you might have to go see your GYN and a cardiologist.” And everything is separated. And then you have to come back to your GP to have whatever conversation you have. And I feel like we’ve also done that in medical, to an extent, in our side of it, where cyber security does the thing that they do, and then IT does the thing that they do, and Privacy and Policy and Risk are over there, and the doctors are on the other side. And there’s not enough communication between them all. So I’m trying to somehow thread them together. It may not be the tightest knit right now, but I feel like it’s a work in progress.

0:13:04.1 MM: I think it’s been a challenge, over the years. I’ve often said that healthcare doesn’t necessarily understand hackers and hackers don’t necessarily understand healthcare. And I think what you’ve done over the last few years is such an important bridge and everybody I ever talked to in healthcare security says, we can’t find anybody to hire. Great place to go, to… What you’ve built is literally a room, physical and virtual, where you can meet those people and convince them why they wanna come work in healthcare cyber security rather than just go hack Bitcoin stuff or whatever. So how do you see the future of this? How do you see getting more hackers into cyber security and around healthcare, and where do we go from here, what’s the industry gonna see?

0:13:50.9 NA: I love these questions because you’re just setting me up for nothing but success, and I appreciate it. I think COVID has exposed a lot of the issues that we had well before COVID, it’s just now we’re here. And more than that, we look at the larger industries, the things that we can see, the things that we interact with on a daily basis, like petrol gas, electricity, water, and we see the hacks that are happening there, and we’re like, Oh, that’s the cray cray. But are we also recognizing that those things interact with hospitals just as much, which means there’s some downstream effect or there might be some downstream effect, and being that you can have real-time evacuation situations in the energy market, in water, whatever, whatever, but you can’t really do that in a hospital, you can’t say, We’re gonna do a practice run, because practice run in a hospital means that you are going to be… New York is the hospitals that I worked at, so those are always my example, so how do you evacuate a hospital that’s 14 floors with 100 patients on the floor and no elevators? You have to disconnect them from machines, you have to bring some of these folks down.

0:15:09.4 NA: There’s a lot of issues around it. So a lot of bringing the visibility of what’s going on in all the sectors, because this is the one industry, the one sector, the one critical infrastructure that has all of them, so how are we protecting all of those, including health care?

0:15:26.4 MM: Absolutely. So I wanna flip this a little bit more towards you for a second.

0:15:30.4 NA: Oh dear.

0:15:32.9 MM: So as long as I’ve known you, you’ve been working in the federal government, and I just got the news before we started that that may not be the case anymore, so tell the world what you’re looking for. What are you out there… What’s next for Nina? Not just what’s next for the bio-hacking village and the medical cyber security industry?

0:15:49.7 NA: I want everybody to know that you do not prepare people for questions, first of all. So, what do I want? I feel like I focus a lot on the laws, rules, regulations of things, of medical things, but simultaneously, I find that there are a lot of conferences that do these things without input from the physicians, from the people on the ground doing the things. So what do I wanna do with it? When people think about risk in healthcare, the risk generalized is the cost of things, what is the cost of a cyber attack, but when we’re looking at hospitals, we also have to integrate that into the cost of patient care and understanding how workloads can be disrupted and interrupted for the physician, but also for the patients. So when I think about what I wanna do in my future life, we have this tendency, I feel like most of the United States has this tendency to think that the FDA runs all of healthcare and that is not the case. They…

0:17:05.3 MM: Or HHS.

0:17:09.6 NA: Or HHS. And there’s multiple entities that have some sort of control on healthcare, because production of the medical devices, because of information and data and care. I would love to see somehow, I don’t think I would go back into the government for this, but I would love to see more conversations with them and hospitals of what does good risk prevention look like in the reality of the situation, not just… It could be better if… No, what is the reality? I’ve been in too many table top exercises where the people in the room are like, No, we got this, we’ll make a decision. And it’s like, But you may be affecting someone’s workflow, the physician’s workflow and the patient’s workflow. And by changing this one thing you might be adding 20 minutes to a visit that they don’t have time for already, and how is that affecting patient care, what are the effects of all the decisions we are making, and why aren’t there more people that are directly involved in those conversations?

0:18:07.8 MM: One of the things that I… I’m just riffing off of what you said there, but one of the things that I’ve seen a lot of is exactly what you say, and it’s such a different thing in healthcare than it is in other places. If you walk into a financial services firm and they wanna do something silly like put all of their customer’s PIR on our website, the security people get to walk in and say, “No, you shall not do that,” and sort of hit them with a hammer. And I don’t think people understand the power difference in healthcare, that really… What the doctors need to do to treat patients matters and takes precedence over cyber security in ways that don’t happen other places. What do you think of that?

0:18:49.0 NA: Because they don’t see risk as the cyber side, they see risk as patient care. How is this going to affect the patient? And we’re not having enough discussions of, let’s say, just pacemakers, for example. We don’t have enough conversations about, this is what a pacemaker looks like, these are the security implications of this thing, a patient doesn’t walk into a hospital with some sort of heart condition and the physicians say, “You know what? We need to operate on you right now.” That happens, but there’s never, “Hey, these are the pamphlets of the current models that we have here in our supply.”

0:19:25.1 NA: This is… These are the best models that fit your condition specifically. Can you just take a few minutes, look through these, the pamphlets? Here’s the contact number for the medical company. If you have any questions, comments, concerns, give them a call, come back to me, but you’ve also got five minutes before we have to prep you for surgery. It’s the different level of duress. And you… So I worked in finance, I went into finance for about three years, three or four years, because I was like, “Ugh, I don’t know why health… Why this is so hard for healthcare.” And when I got there, I was just… It was a God moment. You walk into healthcare and they’re like, “Boom, here’s our laws, rules, regulations, standard metrics, audits. This is everything you need to know about how we are going to do our work.” That is phenomenal, and there’s nothing grey about it.

0:20:11.5 NA: It’s, “This is it, this is what you’re gonna do, these are the laws you abide by, and if you don’t abide by these, these are the fines that we get.” And that happened after, I think it was like 2005, the Wall Street thing. That all came about after that. So I feel like this is that moment for healthcare. We are having our Wall Street moment of, “What are we gonna do to take this over?” And just going back, that duress moment for the patient of, “I came in here thinking I just had just some chest pain and now I’m going into surgery.” We are still under that duress, healthcare, biomed, pharmaceutical is still under that kind of duress right now, and nobody makes good decisions when they’re under that kind of duress. However, we have to start making better decisions and good decisions, increased education decisions, because once COVID is over, we cannot go back to what the normal “Situation” was because that’s how we got here.

0:21:06.2 NA: So what are we learning? What have we learned? And I wish there were people… I suspect there are, I do it. Writing things down of, “This didn’t work. This didn’t work before, it doesn’t work during COVID, we just have to eliminate this from our process.” And just sign off on things. Do real-time conversations of, “I think this could be better, I think this is how we can make it better,” and try. Because one of the things I love doing at the Biohacking Village is we get to try something different every year. We get to do something. And if it doesn’t work, that’s fine. There was an effort. And inherently, every failure equals a success because now we know it doesn’t work, and we just check it off and say, “Okay.” But we’re gonna save that. When I used to program, I would write code and be like, “I tried this, do not try this. It blocked everything, I broke it, please don’t do that. But it may work in a different version.” So why are we not doing more of that? When oncology has things, they document. Medicine medicine documents everything, “Patient’s hematocrit went up too high or by 0.2, this may be an issue for future case.” We don’t write those things down like that.

0:22:21.0 MM: I think part of that is… That you’re right, the medical side of the business understands that sort of risk aversion and risk management and risk understanding, but we don’t necessarily do the same thing. I wanna flip this to another one of… To one of my rants and hear what you say ’cause I always just like your opinion on things, but…

0:22:36.8 NA: Oh God. Bring it. I’m excited.

0:22:41.3 MM: I’ve been… And especially with all your understanding of regulation, one of the things that I’ve been frustrated by and seen, and I think you’re saying it’s our moment, and I think this is part of that moment, is we as a medical cyber security industry has done a pretty good job of certain proactive regulation, whether it’s the FDA pre-market guidance saying, “You have to design medical devices with cyber security in mind,” or the post-market guidance that says, “Hey, if a vulnerability comes up, you have to fix it.” But the thing that I think is lacking, and I’d love to hear your thoughts on that how it plays into everything you just said, is we don’t regulate the providers. We don’t say, “As a hospital… ” A great example, “As a hospital, you have to monitor your systems for security and you have to actually be watching.” I’ve walked into many health systems in our nation and say, “What are you… How are you logging from your medical devices, and how are you watching for cyber security incidents?” And they said, “Well, we patch things.” And there’s no regulation, there’s no drive towards standardization, and it’s one of my pet peeves, but I’d love to hear your thoughts.

0:23:45.4 NA: So if we look at financials, financial responsibility, things like that, most hospitals do not work in the black, they work in the red. They’re always at a deficit, so we are having conversations about, “Let’s bring in people that are going to cost us as much as a physician to secure the hospital.” Okay, that’s an opportunity. But are they looking at this as, “Okay, but they’re gonna the whole hospital, or is this one… ” It’s a cost situation, and also, when we talk about securing a hospital, the FDA and MDIC have the linkage now, that partnership of doing threat models. I am all for a threat model. I love threat models. I love threat models, I love workflows, however, when that is not a mandate to the hospital system, so they get contracts of this new device that’s come in and they’re like, “Boom, I have everything I need. I have an SBOM, I have the threat model against… Awesome. Yeah, high five everybody, we did our job.” Amazing. You did, but how is this going to fit into the medical system?

0:24:57.4 NA: Again, example I give is in your house, you have a Mac computer, your stove is a Viking stove, your fridge is GE, your TV is Samsung, but they’re all on the same network and they’re all secured very differently in one place. Exact same thing in the hospital, very different things, secured very different ways in one place. How are we going to secure these things in a hospital that has almost every device ever created, legacy and brand new, with patients of different needs? Because not every pacemaker is put into the same calibrations per patient. So you have to adjust per thing, per hospital, it’s a lot, it’s a lot. But since we’re here, let’s go in, let’s keep digging. Thoughts on how to better regulate hospitals? I love that you’re smiling at me ’cause you know there’s so… This is so compounding. How do we get the people that are making these decisions?

0:25:56.1 NA: I think there’s… That they maybe lying about the number. I think it’s between 23 and 29 different agencies in the US, government agencies that have some jurisdiction over medical devices. We don’t think about that, nobody… Everybody’s like, “FDA, amazing.” And they are, they’re doing a phenomenal job, [chuckle] of their work they are doing exactly what they’re supposed to do. However, do we understand and recognize that hardware is not necessarily run by the FDA? That’s like FTC, FCC, the data situation, 5G, all these things. Again, conglomerated into one space, we’re talking about costs, we’re talking about risk, we’re talking about humanity and their lives.

0:26:39.9 NA: So, bringing more people to the table, bringing in those opposing thoughts from working in the hospital. You do the case studies, you’d have those cases where people start talking about whatever it was. We need to start doing that, but to a much better extent. We need physicians that understands their work on the hospital side and also understand the cybersecurity side. And they can then say, this works and this doesn’t work. Had a conversation with a surgeon, he’s 28, I think, and he said, “The surgeons that I work with don’t understand that if the cyber security situation with that robot that they’re using goes down in one search suite, they think they can just go to the next suite.” That’s like, it’s not… That’s not how that works. He’s like, “I know that, I know that. I know that it becomes an open surge. It’s not Laparoscopic anymore. But they just think they can just move the patient.” And that’s fine, that’s fine, because we also haven’t done a good enough job of having those conversations.

0:27:41.8 NA: These are hard conversations in making each other understand every relationship. Communication is what’s gonna get you through it. If you’re fighting, you still have to have that conversation, if you love each other, you’re still talking, we need to have better order skills with each other.

0:27:57.2 MM: In other words, it’s hard, and getting all those people to the table is going to be hard too. So, I know we’ve been talking for a while, and you and I could probably keep talking all day. But I always end with, where can the world find more Nina? Where do we find you on the socials, what things are you up to, where your projects? Tell the world where they can find more of you.

0:28:19.7 NA: So, I’m actually gonna divert that question. They’re a team of 10 core people that work on this village for 360 days. And then we get to DEFCON and then we work on it in real life for four days. And we get one day off a year, and that day off is flying home, this… And it’s all volunteers. Every single person that works on this village is a volunteer, they’re giving time, love and consideration to doing what they do. So, at the core… Numbers. So at the core there’s 10 people, under that, there’s at least 150, maybe 200. So it’s… I don’t want this to be a reflection of where do we find more Ninas, because there’s many, many other Ninas. It’s just that, again, going back to the idea of we aren’t necessarily looking for people. We’re like, “Oh, you’re a superstar, let’s talk to you only.” I don’t wanna be the only person that has conversations with people. My unicorn “Moment” is that I’m one of the only people that has worked on EMRs, Electronic Medical Records. I’m one of the only people that I have worked on medical devices with EMRs.

0:29:28.5 NA: I’m one of the only people that has gone through traumatic situations where we had to just go back to absolute bare bones paper and the machines where you have to dial in to them, to configure them for the patient. So when it comes to that sort of thing, yes, that’s my niche. I am all for problem solving and resiliency and things like that. So on the socials, if you wanna find me and my friends, it’s @DC_BHV, my personal one is @headinthebooth. Yeah, we’re doing a bunch of other conferences, so if you want to tune in to the things that we are doing, the website is villageb.io.

0:30:14.8 MM: Nina, thank you so much for being here. We love having you, and it’s been far too long getting you here, but we’re gonna do this again, and especially right after DEFCON. If I can convince you to come on after you’re fatigued and exhausted and maybe after you get one day off on the flight home.

0:30:30.8 NA: Yeah, exactly. [laughter]

0:30:31.0 MM: We’ll do this again after DEFCON.

0:30:34.4 NA: I have one thing for you…

0:30:34.5 MM: So, thanks again for being here this morning.

0:30:35.5 NA: Wait, wait, no, no, no, no. I have one thing for you, random question.

0:30:40.1 MM: Okay.

0:30:40.9 NA: What about you has changed during DEFCON or what during your calls with people, have people realized more about you on a personal level?

0:30:47.2 MM: That’s a hard question. I’m gonna use the podcast. Because we started the podcast during the pandemic, and really, I think it’s clear to everyone at this point who’s been listening. And probably everybody who’s talked to me in the last two and a half years, that I always say, I’m not smart enough to figure out how to cure cancer or cure COVID, or do any of the amazing things that our physicians and nurses and nurse practitioners do every day. If I can use my cyber security background and whatever skills I have to help make patients safer while they’re in the hospital, and safer within the bounds of what I can do and what I can convince the folks at Scope to do and how the work we do can improve that. That’s really what drives me to get out of bed in the morning and how we try and change the world. And if we make a little bit of a difference in that, and if we make a little bit of a difference with this podcast in convincing people that this is an interesting problem in an interesting space. And if we can get more of the hacker community to come work in hospitals and work in healthcare to solve the problem.

0:31:55.0 MM: And if we can get more people interested in solving this problem and truly understanding the complexity of the problem. The real thing that I’m driving towards with this podcast and all of our guests, and thank you for being incredible this morning because you did such a great job of doing this. This is really complicated, and really hard, and it’s not gonna be me that solves it, and it’s not gonna be you that solves it, and it’s not gonna be any of our friends that solves it, it’s going to be all of us. From the government, from FDA to HHS, to Europe to Asia, this is a global problem, and a problem that’s going to take a huge number of us. And I think if anybody’s listened and learned anything about me, it’s that and that it’s I’m obsessed with this and there’s nothing I wouldn’t do to solve the problem. So with that, we’re gonna wrap up and thank you for turning that around on me, you are the first guest that ever turned questions around on me…

[music]

0:32:49.5 NA: You’re welcome.

0:32:50.4 MM: And I love it, I absolutely love it. And thank you again for this and thanks to everybody for listening.

0:32:57.7 Speaker 1: Thanks for joining us for this episode of In Scope, to make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]

About Nina Alli

ABOUT THE GUEST

Nina Alli has 15 years of experience in the NYC ambulatory and hospital environments for managing the complexities of modernization of legacy systems within the healthcare industry. Her journey began when electronic medical records, associated IoMT devices and applications connectivity, were conceptually new and laws were being adapted to meet the novel technologies. From this insight, as Co-Founder and Executive Director of the Biohacking Village for the past seven years, Nina has taken the lessons and experiences to grow nine talks to five labs designed to engage and educate folks on the aspects impacting practices of care to focus on the biotechnology, citizen science, and cybersecurity of the healthcare industry and biomedical ecosystem.

LINKS