A Think Tank at the Intersection of Medicine & Security

Where biology meets the firewall

BFAM is a think tank exploring the collision of healthcare, cybersecurity, and artificial intelligence — founded by two brothers (from another mother) who brought the concept of "medjacking" into the medical literature while walking their dogs.

The Origin Story
It started over a dog walk in December 2014. An academic surgeon and a cybersecurity chief, brothers-in-law, realized that the devices keeping people alive were built on the same vulnerable platforms as the phones in their pockets. On that walk, Armstrong and Kleidermacher immediately conferenced in two other renowned specialists — and the four of them did something about it.

The two specialists they brought into the collaboration were David C. Klonoff, Clinical Professor of Medicine at UCSF, founder of the Diabetes Technology Society, and editor-in-chief of the Journal of Diabetes Science and Technology; and Marvin J. Slepian, Regents Professor of Medicine, Medical Imaging, and Biomedical Engineering at the University of Arizona, co-founder of SynCardia Systems (maker of the world's first and only FDA-approved Total Artificial Heart), and a named inventor on over 160 patents.

Together, the four wrote the first paper in the peer-reviewed medical literature on medjacking — the malicious hacking of medical devices — bridging a cybersecurity industry concept into clinical medicine and proposing a regulatory framework based on international Common Criteria.

That manuscript catalyzed something unprecedented. Klonoff established the Cybersecurity Standard for Connected Diabetes Devices (DTSec) Steering Committee — the first-ever program to develop a "Protection Profile" for implanted and connected medical devices, starting with insulin pumps and continuous glucose monitors. The committee brought together an extraordinary coalition: the FDA, the Department of Homeland Security, the National Security Council, NIST, NASA, the NSA, Booz Allen Hamilton, the Bluetooth Special Interest Group, and leading device manufacturers. Armstrong served as the lone medical academician on the committee.

DTSec became the world's first consensus cybersecurity standard for connected medical devices, later adopted by IEEE and Underwriters Laboratories as the foundation for IEEE 2621. In 2018, the Insulet Omnipod DASH became the first insulin pump certified under the standard. In 2019, the first-ever recall of a diabetes device for cybersecurity vulnerabilities validated what the four authors had warned about on that dog walk five years earlier.

A decade later, the threat landscape has exploded. AI-powered diagnostics, remote patient monitoring, connected insulin pumps, smart wound care — the attack surface is no longer theoretical. It's on every patient's body.

BFAM exists to think about what happens next.

The Founders
David Armstrong · Distinguished Professor of Surgery & Neurological Surgery · USC
A limb preservation surgeon who leads USC's NSF-funded Center to Stream Healthcare in Place (C2SHiP), bridging consumer electronics with medical devices. Founding President of the American Limb Preservation Society. Fellow of the Royal College of Surgeons, Glasgow. The rare clinician who thinks in firmware.
760+
Peer-Reviewed Papers
120+
Books & Chapters
David Kleidermacher · VP Engineering, Android Security & Privacy · Google
Protects billions of users and devices across the Android ecosystem. Former CSO of BlackBerry, CTO of Green Hills Software, and co-creator of INTEGRITY — the only OS ever certified to Common Criteria EAL 6+. Board member of the ioXt Alliance. Author of Embedded Systems Security. Thinks in threat models the way surgeons think in anatomy.
3B+
Devices Protected
EAL 6+
Highest Security Cert
Founding Collaborators
David C. Klonoff · Clinical Professor of Medicine · UCSF · Founder, Diabetes Technology Society
Coined the term "diabetes technology" and founded the field's leading professional society. Editor-in-chief of the Journal of Diabetes Science and Technology. Chaired DTSec, DTMoSt, and the IEEE 2621 standards — the world's first three consensus medical device cybersecurity standards. Featured in Wired for this work. Recipient of the ADA Outstanding Physician Clinician Award and an FDA Director's Special Citation.
3
Cybersecurity Standards Chaired
120+
Clinical Trials as PI
Marvin J. Slepian · Regents Professor of Medicine & Biomedical Engineering · University of Arizona
Co-founded SynCardia Systems, maker of the world's only FDA-approved Total Artificial Heart. Inducted into the National Academy of Inventors. Invented endoluminal paving, drug-eluting stents, and biodegradable polymers for tissue repair. A cardiologist who earned a law degree to better navigate the innovation landscape. Thinks across disciplines the way others think within them.
160+
Patents Issued/Pending
1st
Total Artificial Heart (FDA)
Next Generation
PhD Candidate, Johns Hopkins Bloomberg School of Public Health
A Fulbright Scholar who studied water systems in Greenland's Arctic settlements before serving as a Program Officer at the National Academies of Sciences, Engineering, and Medicine. Now pursuing her PhD at Johns Hopkins Bloomberg, working at the food-energy-water (FEW) nexus — the collision point where data centers, infrastructure, and humanity's resource needs converge. The thread connecting Arctic fieldwork to AI server farms: every system is a body, and every body needs protecting.
🇬🇱
Fulbright, Greenland
NAS
National Academies
FEW
Food · Energy · Water
Domains of Inquiry
The questions keeping us up at night
🔓
Medjacking 2.0
The next generation of medical device vulnerabilities — from AI-powered insulin pumps to remote surgical robots. We brought this threat into the medical literature a decade ago. Now the attack surface is inside your body.
🧬
Digital Immunity
Applying biological resilience principles — redundancy, immune surveillance, adaptive response — to cybersecurity architecture for connected health systems.
🤖
AI + Clinical Trust
When AI makes diagnostic and therapeutic decisions, who certifies its security? How do we build trust frameworks for algorithms that touch human tissue?
📡
Streaming Healthcare
The security implications of moving care from hospitals to homes — remote monitoring, wearable therapeutics, and the consumer-medical device convergence.
🏛️
Policy & Standards
Shaping regulatory frameworks for connected medical devices — from FDA cybersecurity guidance to international Common Criteria for health tech.
The Body Electric
Every patient now carries multiple IP addresses in or on their body. We explore the philosophical and practical implications of being permanently networked.
"We are all walking around with IP addresses in or on us, which makes us susceptible to the same attacks as bank accounts and ATM machines."
Armstrong, Kleidermacher, Klonoff & Slepian · JDST, 2016 · The paper that launched the first medical device cybersecurity standard
Two Davids.
One mission.
Protecting the body electric.
Get in Touch