My journey to becoming an Independent Researcher with Medtronic
When I received my implant 13 years ago, I became fascinated with the technology that kept me alive. I wanted to know more, and as any curious Hacker would do I researched my device. However I took a detour on my journey and started an amazing journey in Digital Forensics. I had an amazing mentor that for the last 13 years supported me in every crazy idea. My love for security was re-ignited when I started studying at Rhodes and met fellow Hackers who played a part in forming my interest. Three years ago I started prodding about my device and reading up on it.
I had some sit downs with Medtronic, but the time was simply not right and the conversation fell flat. This year though, after numerous discussion, Nina from Biohack made the introductions to two individuals from Medtronic, ironically I got to meet the Security person I initially dealt with and exchanged some ideas. Then a couple of months I proposed some questions to Medtronic for research they should look at, I found that the boots on the ground Security Engineers were very open to talking. After numerous discussions and frank conversation I was asked to join them on an amazing project which is still in infancy. I thought for the last three years that I was beating a dead drum, that no one was listening. I have come to learn that just because things are not moving according to my pace does not mean they are not moving. When it comes to a Medical Device Manufacturer things move slowly, but they do however move.
I decided to go into this whole process with an open mind, but I wanted to remain independent and not be influenced. I wanted to retain my voice and be the outspoken brat I am. I however have learnt patience in this process which was not an easy thing. We have come to the point that I feel comfortable sharing my experiences. I do believe that we are seeing more change as the times move on. I have also realised that Medical Manufacturers are well aware that they need to do better, that security should not be a bolt on feature.
I would like to urge more researchers to work with manufacturers as their is a need for more collaboration. Now I will not lie and say that it is easy. There is some red tape, and hoops to jump through. I believe that these are warranted from business to protect their interests, but in terms of the NDA I signed Medtronic was open to listening and designing it to protect me too. It was not easy, but nothing worthwhile in life ever is. I look forward both as a patient and Security Researcher to work with them, not only am I hopeful they will learn from me I am hopeful I can now understand the Medical Device Security perspective from three sides, the patient, the Researcher and the Manufacturers side, this helps close the loop on understanding the problem we face from multiple angles.
Thank you to all involved for believing in me and all the special friends who pushed and tickled me into doing this. I am excited to move this project forward and collaborating with the Company that is helping keep me alive. The industry is changing and being part of the change is exciting. It will be a wild ride but I am up for it. I am sure as most projects we will not always agree but I have seen that a healthy debate is good for all involved as long as it is done in a respectful manner. Sometimes we kick ass and take names, and other times we need to be patient and have more of a gentle hand.