CHC Academic Symposium 2025
Aaron Shulman, PhD - Finding Single Points of Failure in Healthcare Infrastructure Through Dependency Measurement
Hospitals run on vendors and upstream platforms they do not control. This talk shows how to measure those dependencies and find the failure points that turn incidents into widespread outages.
Hospitals increasingly rely on external service providers and shared infrastructure that sit outside traditional enterprise security boundaries. Aaron Shulman proposes a measurement-driven approach to identify and prioritize third-party dependencies that can create systemic, cascading failure. Using observable digital signals, internet measurement, and wireless data sources that adversaries already use for reconnaissance, the work aims to map operational reliance on vendors and upstream platforms. The goal is to surface central points of failure, quantify concentration risk, and produce actionable dependency maps that help reduce outage and ransomware blast radius before disruptions occur. The talk closes with practical considerations for validating dependency graphs and integrating application and infrastructure perspectives.
Deepak Kumar, PhD - Using Social Media to Measure Real World Harm From Hospital Ransomware
Official reporting is slow. This work uses Facebook and Reddit signals to detect ransomware impact sooner and to capture what patients and staff actually experience during disruptions.
Ransomware attacks against healthcare delivery organizations are increasing, yet evidence of patient and provider impact is often sparse, inconsistent, or delayed. Deepak Kumar presents a measurement approach that uses social media as an external lens to study ransomware impact at scale. The work analyzes six years of data from official Facebook pages for roughly 4,000 healthcare organizations and discussion across 73 Reddit communities from 2018 to 2024, linking posts to known attacks assembled from multiple public incident datasets. The analysis shows that platforms provide different types of visibility, with Facebook skewing toward rapid operational updates and short-lived communications, while Reddit supports longer, more detailed discussion including help-seeking around billing and downstream disruption. The findings support using these signals to improve situational awareness, guide triage during acute incidents, and inform resilience planning beyond technical remediation.
Hannah Neprash, PhD - Healthcare Economics: A Powerful Tool for Cybersecurity Research
Ransomware is measurable harm, not a vague risk. This talk links attack windows to Medicare outcomes and then applies the same lens to what the Change Healthcare disruption reveals about emergency financial relief.
Hospitals face growing exposure to ransomware, yet policy and investment decisions often lack quantified evidence of patient harm. Healthcare economist Hannah Neprash presents research that links precisely timed hospital ransomware events to Medicare patient outcomes using a curated incident dataset designed to capture when an attack materially disrupted operations. Using a quasi-experimental design comparing affected hospitals to matched controls, the analysis finds a substantial increase in mortality among patients treated during ransomware attack windows, alongside shifts in admissions and case mix consistent with disruption and diversion of time-sensitive care. The talk then turns to a second question driven by the 2024 Change Healthcare incident, examining what the federal response reveals about how financial relief is delivered during healthcare cyber disruptions. The discussion highlights timing and targeting challenges in emergency payments and offers practical lessons for designing faster, more equitable support that stabilizes care delivery during large-scale outages.
Miro Moffett - Building Hospital Digital Twins for Frugal Testing and Detection of Legacy Device Risk
Legacy devices are hard to replace and even harder to test realistically. This talk shows how low-cost rigs and digital twins can surface risk under real use conditions and support practical resilience.
Medical devices and point-of-care edge systems often depend on legacy protocols, default configurations, and postmarket practices that leave real operational exposure after deployment. Miro Moffett describes research directions within the InCypher program at Imperial Global Singapore aimed at improving security for both legacy and next-generation medical devices. A central case study examines continuous glucose monitors, showing how low-friction test rigs and physiologic simulation models can support dynamic security testing that better reflects real use conditions. The discussion connects protocol design choices to clinical consequences, including how unencrypted short-range communications can enable manipulation of glucose readings and unsafe patient behavior. The talk also introduces hardware-rooted trust using physically unclonable functions for lightweight keying and group access, and argues for scalable synthetic data and digital twin platforms to enable continuous testing, collaboration, and better intrusion detection for nonstandard hospital networks.
Zhengzi Xu, PhD - AI Agents for Medical Device Security, From SBOM Inference to Vulnerability Discovery
This talk connects device-level attack paths to software risk at scale, using AI agents for component inference, vulnerability discovery, and more trustworthy, privacy-aware deployment.
Healthcare security increasingly depends on both legacy-connected medical devices and emerging AI-enabled workflows. Zhengzi Xu describes research underway at Imperial Global Singapore within the InCypher program spanning device security, software risk analysis, and trustworthy AI. The presentation begins with a continuous glucose monitor case study, showing how wireless traffic monitoring and data manipulation can translate into life-critical consequences when readings influence insulin delivery. The talk then introduces hardware-based authentication using chip-level fingerprints that enable device identity without stored passwords. Moving up the stack, Xu presents AI-agent approaches for software composition analysis that infer components and vulnerabilities from observable features, plus AI-assisted static analysis that broadens vulnerability candidate discovery while reducing false positives through program analysis. The talk closes with privacy-preserving model training using differential privacy and a trust-agent framework that evaluates whether AI-generated recommendations are correct and practically useful, paired with an explainable stepwise agent architecture intended for healthcare settings.
Geoff Voelker, PhD - Remote Measurement of Hospital Network Outages Using Web Services, FHIR, and NTP Signals
If you cannot see inside the hospital network, you can still measure disruption. This talk shows how probing public services and FHIR endpoints can detect outages, estimate duration, and support a national view.
Hospitals have limited uniform reporting on when ransomware events begin, which services fail, and how long recovery takes, creating a situational awareness gap for researchers, responders, and policymakers. Geoff Voelker presents a measurement-driven approach to infer disruption from a remote third-party perspective by continuously probing internet-facing services and healthcare-specific endpoints. The methodology combines availability signals from standard services such as web and mail, domain-specific probing of FHIR endpoints across vendors, and corroborating telemetry from network time protocol traffic that can drop when organizations take infrastructure offline. The talk describes how the project identifies hospital networks and services at scale using domain expansion and certificate-based discovery, distinguishes on-prem and cloud-hosted services, and converts probe streams into down and recovery events. Case examples show how the system can surface early disruption signals before public communications and detect non-malicious systemic outages such as the CrowdStrike update. The presentation concludes with a prototype dashboard that visualizes national availability and supports longitudinal analysis of healthcare disruption patterns.
Kevin Fu, PhD - (Keynote) Twenty Years of Medical Device Security, From Pacemakers to Ransomware and Systemic Failure
From early pacemaker demonstrations to modern ransomware-driven downtime, this keynote traces how the field shifted from device bugs to system-wide resilience and patient safety outcomes.
Medical device cybersecurity has shifted from isolated vulnerability research to a broader resilience problem that touches hospitals, regulators, and national incident response. Kevin Fu reflects on nearly two decades of work that began with early pacemaker security demonstrations and traces how the field matured into coordinated vulnerability disclosure with active participation from manufacturers, regulators, and agencies such as CISA. He argues that the center of gravity has moved from firmware bugs in a single device to systemic failure modes that can take clinical operations down, including ransomware events and fragile shared dependencies. The keynote emphasizes patient safety outcomes, noting that availability failures can matter more than confidentiality in acute care. Fu highlights practical priorities for the healthcare ecosystem including threat modeling literacy for engineers, reduction of default credential exposure, and procurement language that prevents hospitals from being misled about device security capabilities. The result is a call to align incentives so safety-critical technology is built, bought, and operated with measurable resilience.
Nastassia Tamari - SBOMs, Vulnerability Management, and Least Burdensome Evidence, How FDA Reviews Cyber Devices
What does FDA actually want to see for a cyber device submission? This talk walks through Section 524B expectations, SBOM quality, and the postmarket plan that separates strong packages from slow reviews.
Nastassia Tamari, Division Director of Medical Device Cybersecurity at FDA CDRH, explains how FDA is operationalizing Section 524B of the FD&C Act for cyber devices and what manufacturers should include in premarket submissions. She walks through how the latest FDA premarket cybersecurity guidance incorporates statutory documentation expectations, with emphasis on traceable cybersecurity evidence that supports safety and effectiveness across the total product lifecycle. Key topics include SBOMs as a foundational tool for vulnerability awareness and remediation, common SBOM quality issues that slow review, and the expectation that SBOMs be maintained and updated as part of configuration management. Tamari also outlines expectations for a postmarket vulnerability management approach, including coordinated vulnerability disclosure and clear reporting of critical vulnerabilities that could drive uncontrolled risk. The talk closes with practical guidance on modifications and how recommended documentation varies based on whether a change affects software, connectivity, or cybersecurity risk.
Pat Pannuto, PhD - Solving Embedded Operating Systems and Firmware Challenges for Medical Devices
This talk breaks down how secure systems earn trust from power-on, then applies those ideas to medical devices that must run for years with limited ability to patch, redesign, or isolate components.
Medical devices and the systems around them increasingly resemble general-purpose computing, but they are often built on embedded platforms that lack the isolation and safety mechanisms common in laptops and servers. Pat Pannuto frames cybersecurity as a question of trust foundations and walks through how modern systems establish that trust starting at power-on. He explains hardware and firmware roots of trust, how verified boot chains protect firmware and operating system integrity, and why firmware update mechanisms must be designed to prevent cross-component compromise. The presentation then connects these principles to the realities of medical devices and hospital-adjacent embedded systems, where resource constraints and long lifecycles complicate patching and redesign. Pannuto argues that stronger isolation and memory-safe development are becoming non-negotiable for safety-critical products, and discusses approaches such as Rust-based embedded systems and operating system designs that support multiple mutually distrustful applications on microcontrollers.
Ronald E. Thompson - Clinician and Patient Perceptions on Security Failures and Trustworthiness
Cyber incidents do not stay in IT. This talk shows how availability and integrity failures break clinical workflows, reshape risk perception, and raise hard questions about what patients are owed when care is disrupted.
Healthcare cyber incidents rarely stay confined to IT systems. Ronald E. Thompson frames cybersecurity as a patient safety problem and shows how technical disruptions cascade into clinical workflow and communication failures. He opens with a real-world ransomware event in which loss of network availability disrupted centralized fetal monitoring, contributing to delayed clinical response and severe downstream harm, despite bedside devices still functioning. Thompson then presents research on clinician risk perceptions using structured scenarios that isolate confidentiality, integrity, and availability impacts to understand what clinicians fear most and which failures immediately stop care. He emphasizes that frontline teams prioritize availability and integrity, and that workarounds often introduce new safety risks. The talk also examines cybersecurity-informed consent, arguing that patients are frequently unaware of cyber-related operational disruptions that can meaningfully affect care and decision-making. The overall message is that resilient healthcare requires designing for human behavior under pressure and aligning device makers, clinicians, patients, and operators around measurable safety outcomes.
Andrew Hindella (KARAMBIT.AI) - Beyond SBOM, A Software Bill of Behaviors for Medical Device Cyber Risk and Safety
SBOMs tell you what is inside. This lightning talk focuses on what the software actually does, producing behavior reports that support faster triage and clearer postmarket decisions.
SBOMs improve visibility into third-party components and known vulnerabilities, but they do not reliably answer what hospitals and regulators often need most: what the device software will actually do in the real world and what risks that behavior creates. Andrew Hindella proposes a complementary approach he calls a Software Bill of Behaviors: automated firmware and binary analysis that characterizes observable behaviors such as network activity, update mechanisms, and other embedded capabilities that can affect cybersecurity and patient safety. Using medical device firmware analysis, including the CMS8000 Contec monitor case, he shows how behavior-based reporting can reveal risky functionality that may not surface in SBOM-based review. The talk connects behavior reports to practical workflows such as faster risk triage, improved postmarket vulnerability management, and clearer evidence of what changed between firmware versions so teams can prioritize testing and accelerate safer patch cycles.
Tom Sherman (STR); Ricardo Barato (Aarno Labs) - Securing Legacy Medical Devices, From Vulnerability Discovery to Binary Patching
Legacy devices stay in service, even when the patch does not. This session lays out a pragmatic path from finding vulnerabilities to deploying compensating controls and binary fixes when source code or vendor updates are not available.
Legacy medical devices stay in service for years, often run outdated firmware, and sit on networks ransomware actors routinely penetrate. This session outlines why long device lifecycles and secondhand markets amplify risk, and why waiting for a vendor patch is not a sufficient strategy for availability-driven clinical environments. In the first portion, Tom Sherman from STR frames the problem, including opaque vendor updates, limited visibility into device software composition, and the challenge of isolating devices that are operationally essential. In the second portion, Ricardo Barato from Aarno Labs presents a technical path forward once vulnerabilities are identified, including firmware and software composition analysis, matching against known code bases, and binary analysis and patching approaches that can enable compensating controls when source code or vendor fixes are unavailable. The emphasis is on practical security improvements for real hospital conditions, including reducing blast radius, improving detection, and enabling safer operations for devices that cannot be replaced on the timeline security teams would prefer.