So as someone who runs and trains cyber incident response teams. Where a big focus is on MMTx and reducing chance for adversary breakout times. Which are gonna get worse thanks to AI. This paper was actually part of me calling the approach Formula One IR.
Specifically about getting people joining the IR to already have their assigned speciality and first moves ready to go and to begun, as a way to support the incident handler. There's really big benefits to studying the metrics of specific incidents you have to the minute by minute level. So much time saving to be made, accuracy to be enforced and duplication to be reduced.
You can find there's less time wasted in an incident dividing out jobs or lost go inevitable context switching to join the incident. There's already searches, people and clarity about what should mostly likely be done in the first few mins, even though the plan will change and details initially are probably scare. It's really effective and cuts MMTx down a huge amount.
Obviously then the handover itself is a vital part in IR to get done accurately and with speed. So that flows into all of the above. It's a really good paper for thinking through workflows
It may also be relevant to study what in aviation is called MCC, Multi-Crew Cooperation. That's all about catching errors and making decisions under pressure as a team.
For example, two crew in the simulator, one as captain and the other as first officer, with some external resources like a dispatcher on the ground and air traffic control. The scenario is a flight over high terrain with zero visibility, the trainer then introduces a failure for example an engine fire with inability to maintain altitude.
You could as captain start making decisions immediately but you'll then loose the input of your FO and not optimally use the resources you have. Or you could start a long conversation together about what to do, but you would crash into a mountain (or burn) due to being too slow.
MCC is about how to get the team on the same page quickly, avoid tunnel vision and rushed wrong decisions, while being fast enough to deal with the problem. And making effective use of outside resources like air traffic contol. Of course it's quite aviation specific, but there are several concepts that work in other areas as well.
Yep totally. It's something I've incorporated. Especially where the main incident commander gets overwhelmed with decisions, tunnel vision or distraction. For example getting trapped into threat hunting rather than commanding.
I actually think most cyber incident responder training for the commander is pretty weak because it doesn't do a great job of instituting the stress element. Physical security training does it in a much better way. The result is the need to create custom stuff. Because some shitty off the shelf big vendor table top or similar ain't gonna do it.
Exactly, it's that overwhelmed state with resulting tunnel vision or chasing the wrong thing that is so common in aviation incidents. If you have a big issue, the ECAM screen lights up light a Christmas tree. There is logic in the system to ensure messages are prioritised, but in the end the humans still have to systematically figure out what's going on.
What causes more issues in flight is that you have to maintain control of the aircraft while determining the issue and making a plan. Which in zero visibility doing manual flight has a significant mental load by itself, so if the automation is affected by whatever issues you have, one crew member can't sit back and 100% think.
It's probably hard to simulate that extra load/stress for cyber incidents. For MCC training it's done in a flight simulator so all the noise, alarms, and having to maintain control is there.
There is a precedent for organizations from wildly different industries meeting and sharing thoughts, lessons learned and procedures.
Some cases that come to mind:
- The United States Marine Corps spent time with New York City Fire Department. The USMC was interested to know how the FDNY managed radio communications, chaotic environments and co-ordinating teams from different departments in an urban environment
- In one of the Gladwell books he mentions getting financial traders and generals together to play military simulation games. The idea being that the traders were used to dealing with streams of fast moving information and they had to quickly decided what to do next.
It's not that Ferrari is not functional. It is, but it severely hampered by management.
When they were successful, they tried every new idea out, directly at the track. Because they they had their own track at the door. When they weren't allowed to do that anymore (all others complained about their unfair advantage), they had a gap from the idea to get the result from trying it out. So they build simulators (which all the others already had). But they were still used to try anything out, so that their simulators couldn't reproduce anything anymore. Because they constantly changed all the settings.
So the managers went radical and restore backups of the simulators every single night. They became stable, but the engineers lost all of their work every single day. So they stopped improving the system. That's when the car stopped improving also.
It’s impressive that surgical teams put aside ego enough to do this - and I suspect that barely 1 in 1000 businesses and teams could decide their own work as deeply.
I found this quote from the paper by Catchpole et al. quite important:
"Whilst it is encouraging that analogies from other industries with longstanding cultures of safety and reliability may be extrapolated, it is also important to recognize the unique demands of health care. One crucial difference that emerged was that Formula 1 and aviation both have a relatively stable workforce, with minimal staff turnover. For example, out of about 20 members of a pit team, only one or two members change annually. In contrast, turnover of staff in health care is far higher, with six residents rotating every 3 months in the study unit, and a nurse turnover of approximately 10%."
Turnover could also be seen as an addressable problem. "People are dying because of poor staff retention and rotation practices" this could be studied and improved upon.
A novel mechanism would be for a patient suing a hospital for malpractice for failing to retain nursing staff which it seems could be proven to be linked to worse outcomes. And when it comes to it, liability lawsuits are an adequate last resort to push back against hospitals cutting corners with staffing levels and staff pay when it comes to nurses.
This was 2008 when they were fighting for titles still (turns out they were robbed and the FIA knew about it and let it play out).
That said I imagine what Jonathan Wheatley would be able to achieve in a task similar to this since he had the Red Bull team maintain a consistent sub-2 second pit stop at Red Bull and he was able to significantly quicken the Sauber one this year.
To play devil's advocate a bit, Ferrari won both championships in 2007 and the constructors in 2008, so it's hard to say they were robbed when they actually won. Massa though, is another story.
There's actually a bit of crossover. This paper is quite old, but I know that other teams and other surgeons have visited each other plenty since this was published, and there's this cross fertilisation of ideas.
F1 is "important" in the sense that it is competitive, and so teams want to iterate and improve constantly. I think the fastest pit stop in the 2025 season 1.91 seconds, in which: the car is jacked, four tyres are removed, four new tyres are placed and secured into place, the car is dropped, the lane is checked for traffic, and then the car can move. There are thousands of permutations of how to get this right and that fast. And accuracy is important: get it wrong there is a risk of injury at worst, or a fine for an unsafe release at best.
ICU is obviously important in a different way. You can't really "experiment". Iteration needs data. So you need to go out and learn what good looks like from different disciplines, and then carefully plan the changes you want to make and get buy-in. Get it wrong, and people die. Best case scenario you're struck off, worst case you're going to prison for murder.
In dev speak, F1 can afford to be agile, ICUs need to be waterfall.
But because F1 needs to be precise and they perceive the dangers of imprecision so acutely from a monetary perspective (where you finish in the Worldwide Constructors Championship directly affects the profitability and viability of the team), they want to borrow ideas too.
It sounds ridiculous that surgeons and F1 garages would have so much to talk about, but it turns out, they really do feed ideas off each other sometimes.
"Some aspects of the Formula One handover were not transfer-
able to the medical handover process. When the consultant from
Formula One went to GOSH and looked at the whole handover
process, he said it would be best to engineer out parts and get
new equipment. He noted the complex technical problems with
the handover ... The Formula One consultant asked,
“Why don’t you just have one thing that does both and has its
own power supply and its own ventilator?” This was obviously
what needed to be done, but it turned out not to be feasible
since manufacturers were not interested in producing the needed
equipment. They were not interested because the market is
very small (only children) and hospitals would never be able to
replace all its beds at the same time due to the exorbitant cost of
the proposed new equipment. While the Formula One crew can
count on using technology to improve their handover process,
the hospital team could not; they had to rely more on human
beings and less on state-of-the-art technology."
Formula One teams are known to throw money (and lots of it) at problems. It works for them because:
- 2 drivers/cars per team.
- ~2 hour race on a weekend every ~2 weeks per season.
They don’t need to solve every problem and the solutions just need to work well during the race (at least for the pit crew).
The hospital needs to do this for hundreds of patients every day. They need solutions that can scale (cost less per person). This was about one specific problem (handover) but different patients could bring with them different complications and add new constraints.
Still very cool though. Glad they got some actionable insights.
It's more to do with the bureaucratic costs of getting a product licensed as a medical device. By the standards of the medical industry, an F1 wheel nut gun or a WEC refuelling rig isn't particularly expensive; the prohibitive part is getting a specialist item approved for medical use. Motorsport can do things that don't scale, because no-one is stopping them from using a one-off prototype made to precisely fit their needs. They (and their suppliers) iterate incredibly rapidly Bringing a new medical device to the market is an immensely expensive multi-year project. Obviously there are benefits to the precautionary principle, but I'm not sure that anyone has quantified the costs.
> they had to rely more on human beings and less on state-of-the-art technology.
They would do better to look at the Michelin starred kitchens starting with leaning to keep their work spaces organized and clean no matter how fast they are moving. Here is a good example of an engineered kitchen. "Oui" https://www.youtube.com/watch?v=klfxQuXT66s
Where I live, ambulances use pulse oximeter probes incompatible with those used by in hospital and issued to home (my daughter was ventilated at night and this was a real issue). That one at least would be solved (and not expensively if only people talked to each other. It didn’t need Ferrari to surface that one!
I once worked as a paramedic at the German-French border in the 1990s. Cross-border collaboration between us ("DRK RPF 2/83/1") and the French firefighters ("Samu-67") was cordial but the radio frequencies were not just different but such that the German radios could not even be set to the French frequency (this was before mobile phones were spread beyond C-net phones for business people that looked like suitcases), and syringe tips and infusion needle tips had incompatible endings.
So on one occasion, after running out of medicine and lacking a medic, we called the French colleagues for assistance, and we'd improvise and put a needle on a syringe and injected atropin, adrenaline etc. as needed into the plastic infusion bottle instead of connecting the syringe's ending right to the incompatible butterfly (nick name for the intravenal needle).
That episode (Saturday, August 1, 1992) remains particularly memorable since this was my first day on the job, and job #4 on that 24-hour-shift (now they are banned to work that long) would become my first primarily successful resucitation after 45 min of CPR.
I actually heard this from my wife who is working with GOSH and related a version of this to me. So I was really grateful to be able to read the proper analysis.
There's a (TED talk?) reel been doing the rounds the last couple of days. One of those "interest dies down, someone finds it again, shares it, there's a new bloom of viral interest, repeat until heat death" things.
Specifically about getting people joining the IR to already have their assigned speciality and first moves ready to go and to begun, as a way to support the incident handler. There's really big benefits to studying the metrics of specific incidents you have to the minute by minute level. So much time saving to be made, accuracy to be enforced and duplication to be reduced.
You can find there's less time wasted in an incident dividing out jobs or lost go inevitable context switching to join the incident. There's already searches, people and clarity about what should mostly likely be done in the first few mins, even though the plan will change and details initially are probably scare. It's really effective and cuts MMTx down a huge amount.
Obviously then the handover itself is a vital part in IR to get done accurately and with speed. So that flows into all of the above. It's a really good paper for thinking through workflows
I must get around to writing it up some day.
For example, two crew in the simulator, one as captain and the other as first officer, with some external resources like a dispatcher on the ground and air traffic control. The scenario is a flight over high terrain with zero visibility, the trainer then introduces a failure for example an engine fire with inability to maintain altitude.
You could as captain start making decisions immediately but you'll then loose the input of your FO and not optimally use the resources you have. Or you could start a long conversation together about what to do, but you would crash into a mountain (or burn) due to being too slow.
MCC is about how to get the team on the same page quickly, avoid tunnel vision and rushed wrong decisions, while being fast enough to deal with the problem. And making effective use of outside resources like air traffic contol. Of course it's quite aviation specific, but there are several concepts that work in other areas as well.
I actually think most cyber incident responder training for the commander is pretty weak because it doesn't do a great job of instituting the stress element. Physical security training does it in a much better way. The result is the need to create custom stuff. Because some shitty off the shelf big vendor table top or similar ain't gonna do it.
What causes more issues in flight is that you have to maintain control of the aircraft while determining the issue and making a plan. Which in zero visibility doing manual flight has a significant mental load by itself, so if the automation is affected by whatever issues you have, one crew member can't sit back and 100% think.
It's probably hard to simulate that extra load/stress for cyber incidents. For MCC training it's done in a flight simulator so all the noise, alarms, and having to maintain control is there.
Some cases that come to mind:
- The United States Marine Corps spent time with New York City Fire Department. The USMC was interested to know how the FDNY managed radio communications, chaotic environments and co-ordinating teams from different departments in an urban environment
- In one of the Gladwell books he mentions getting financial traders and generals together to play military simulation games. The idea being that the traders were used to dealing with streams of fast moving information and they had to quickly decided what to do next.
When they were successful, they tried every new idea out, directly at the track. Because they they had their own track at the door. When they weren't allowed to do that anymore (all others complained about their unfair advantage), they had a gap from the idea to get the result from trying it out. So they build simulators (which all the others already had). But they were still used to try anything out, so that their simulators couldn't reproduce anything anymore. Because they constantly changed all the settings. So the managers went radical and restore backups of the simulators every single night. They became stable, but the engineers lost all of their work every single day. So they stopped improving the system. That's when the car stopped improving also.
Management problem.
The original paper by Catchpole et al. (2006): https://onlinelibrary.wiley.com/doi/10.1111/j.1460-9592.2006...
A quite interesting lecture on the whole project, given by Elliott in a racecar driver's suit: https://www.youtube.com/watch?v=ZeMGrHcfRjY
Annotated transcript of the talk available here: https://www.gresham.ac.uk/watch-now/formula-1-and-its-contri...
A WSJ article from 2006: A Hospital Races To Learn Lessons Of Ferrari Pit Stop: http://www.wsj.com/articles/SB116346916169622261 (archived copy: https://archive.is/xEbio)
Times article from 2024: The surgeon who used F1 pitstop techniques to save lives of babies: https://www.thetimes.com/sport/formula-one/article/professor... (archived copy: https://archive.is/1iGXK)
"Whilst it is encouraging that analogies from other industries with longstanding cultures of safety and reliability may be extrapolated, it is also important to recognize the unique demands of health care. One crucial difference that emerged was that Formula 1 and aviation both have a relatively stable workforce, with minimal staff turnover. For example, out of about 20 members of a pit team, only one or two members change annually. In contrast, turnover of staff in health care is far higher, with six residents rotating every 3 months in the study unit, and a nurse turnover of approximately 10%."
A novel mechanism would be for a patient suing a hospital for malpractice for failing to retain nursing staff which it seems could be proven to be linked to worse outcomes. And when it comes to it, liability lawsuits are an adequate last resort to push back against hospitals cutting corners with staffing levels and staff pay when it comes to nurses.
That said I imagine what Jonathan Wheatley would be able to achieve in a task similar to this since he had the Red Bull team maintain a consistent sub-2 second pit stop at Red Bull and he was able to significantly quicken the Sauber one this year.
Another take-
"Two F1 fan surgeons found a way to visit Ferrari headquarters as a business trip."
F1 is "important" in the sense that it is competitive, and so teams want to iterate and improve constantly. I think the fastest pit stop in the 2025 season 1.91 seconds, in which: the car is jacked, four tyres are removed, four new tyres are placed and secured into place, the car is dropped, the lane is checked for traffic, and then the car can move. There are thousands of permutations of how to get this right and that fast. And accuracy is important: get it wrong there is a risk of injury at worst, or a fine for an unsafe release at best.
ICU is obviously important in a different way. You can't really "experiment". Iteration needs data. So you need to go out and learn what good looks like from different disciplines, and then carefully plan the changes you want to make and get buy-in. Get it wrong, and people die. Best case scenario you're struck off, worst case you're going to prison for murder.
In dev speak, F1 can afford to be agile, ICUs need to be waterfall.
But because F1 needs to be precise and they perceive the dangers of imprecision so acutely from a monetary perspective (where you finish in the Worldwide Constructors Championship directly affects the profitability and viability of the team), they want to borrow ideas too.
It sounds ridiculous that surgeons and F1 garages would have so much to talk about, but it turns out, they really do feed ideas off each other sometimes.
The hospital needs to do this for hundreds of patients every day. They need solutions that can scale (cost less per person). This was about one specific problem (handover) but different patients could bring with them different complications and add new constraints.
Still very cool though. Glad they got some actionable insights.
You missed item number 3 from your list ....
Because F1 has a shit load of sponsors willing to throw a shit load of money at the team as long as they get their logo on the side of the car.
Hospitals don't have that. Even the US has not (yet ?) stooped so low as to have corporate sponsorship for hospitals !
"Mr Patient, your heart operation is being sponsored by $megaCorp ... pay extra to remove the ads from your implanted pacemaker".
They would do better to look at the Michelin starred kitchens starting with leaning to keep their work spaces organized and clean no matter how fast they are moving. Here is a good example of an engineered kitchen. "Oui" https://www.youtube.com/watch?v=klfxQuXT66s
I once worked as a paramedic at the German-French border in the 1990s. Cross-border collaboration between us ("DRK RPF 2/83/1") and the French firefighters ("Samu-67") was cordial but the radio frequencies were not just different but such that the German radios could not even be set to the French frequency (this was before mobile phones were spread beyond C-net phones for business people that looked like suitcases), and syringe tips and infusion needle tips had incompatible endings.
So on one occasion, after running out of medicine and lacking a medic, we called the French colleagues for assistance, and we'd improvise and put a needle on a syringe and injected atropin, adrenaline etc. as needed into the plastic infusion bottle instead of connecting the syringe's ending right to the incompatible butterfly (nick name for the intravenal needle). That episode (Saturday, August 1, 1992) remains particularly memorable since this was my first day on the job, and job #4 on that 24-hour-shift (now they are banned to work that long) would become my first primarily successful resucitation after 45 min of CPR.
Standards (and open borders) can save lives.