When Ransomware Becomes Murder

Dr Saif Abed
4 min read · Apr 19, 2018


I’m not a computer scientist. I’m not a software engineer. I can’t code and I don’t plan to start any time soon. I’m a medical doctor and I’m deeply worried about the state of global cybersecurity and so should you be.

Cybersecurity has become a specialist area for me over the past 3 years because the consequences of its failure, seen through a clinical lens, are so devastating. With every tweet or news update about a fresh data breach or ransomware attack, the most obvious chatter that emerges is usually about either data privacy or financial fraud.

In fact, whenever an intrusion comes to light, the unfortunate targets go to great lengths to explain that no unencrypted financial or personal customer information has been accessed. I get it: those are the elements that jeopardise brand reputations and customer loyalty and can lead to regulatory penalties. For consumers, identity theft is real and can be a nightmare.

However, people rarely think of cyber-attacks having a direct impact on their health. So what if I told you that healthcare is an open goal when it comes to devastating, large-scale attacks?

Confidentiality, integrity and availability. These are the age-old security properties, and the loss of each is its own category of harm when it comes to cyber-attacks. Loss of confidentiality is the most obvious one. In healthcare, though, I always argue that loss of integrity and loss of availability are the most devastating. Let's take an increasingly common example of availability failing:

Example I

“An unsuspecting doctor, nurse or secretary clicks on a link in a phishing e-mail, releasing a form of ransomware into the hospital network and locking down patient information. A bitcoin ransom is demanded.”

Let’s think about that for a second. In a digital hospital, if you can’t access an electronic health record, that means different things for different people. It means cancelled outpatient appointments and elective procedures, which can affect patient prognosis but are unlikely to be immediately life-threatening.

What about inpatients though?

What happens if you can’t access medication prescribing systems or early warning indicators (systems that show you a patient is starting to deteriorate, often before symptoms are obvious)? What if this happens during operations that depend on software systems for guidance and support? What about medical imaging or lab systems, which hospitals basically can’t function without when it comes to patient diagnosis and management? Do you pay the ransom, with no guarantee of a working decryptor, and become the never-ending target? Do you spend time trying to reboot, or call an emergency meeting? How long will that take? It’s all starting to spiral out of control, and it only gets worse.

Example II

Let’s talk about integrity now and just tweak the first example:

“An anonymous call is made to a hospital Chief Information Officer demanding a 5 BTC payment; otherwise the attacker, who has already subverted network security, will start to mix up patient medications and doses.”

It’s like Schrödinger’s cat. In that moment either everyone is in harm’s way or it’s a bluff, but what does the CIO do? Turn off all systems immediately and plunge the digital hospital into chaos? Call an emergency meeting with clinical leaders? How long will that take? We’re talking about patient harm at scale now.

How about another example?

Example III

“An anonymous call is made to a hospital CIO stating that for the past hour the hospital’s patient Early Warning System has been reset to report normal for all patients at all times. Pay 5 BTC and everything will return to business as usual.”

Let’s remember that EWS systems are supposed to detect when a patient’s vital signs are showing signs of deterioration before the patient shows physical symptoms, so doctors and nurses can respond while there’s still time on their side. Reset the EWS to report normal and we’re talking about significant potential for harm.
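What makes the Example III scenario detectable is that the EWS does not own the raw vital signs; they are entered or captured upstream. An independent consumer of those observations can recompute the score and compare it with what the EWS displays. The script below is an added example, not the author’s own nor any real EWS product’s code: it recomputes an aggregate score from raw vitals using simplified deterioration bands (an assumption for illustration, not a validated clinical tool), flags every patient whose displayed score disagrees with the recomputed one, and separately flags a ward whose displayed scores are all “normal” across a window of observations, which is implausible on any real ward. The patient observations are constructed sample data.

```python
"""Integrity audit for Early Warning System (EWS) output.

Added example: recompute a warning score from the raw vitals the EWS
consumed and compare it with the score the EWS displayed. An EWS that
has been "reset to normal" shows up as (a) per-patient mismatches and
(b) an implausible run of all-normal scores across a whole ward.
The scoring bands below are a simplified illustration (assumption),
not a validated clinical scoring tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    patient_id: str
    resp_rate: int       # breaths per minute
    spo2: int            # % oxygen saturation
    sys_bp: int          # systolic blood pressure, mmHg
    pulse: int           # beats per minute
    temp_c: float        # temperature, Celsius
    alert: bool          # False = new confusion / responds to voice, pain, or unresponsive
    reported_score: int  # the aggregate score the EWS actually displayed


INF = float("inf")
# Simplified deterioration bands (assumption): ascending (upper_inclusive, points).
RESP_BANDS = [(8, 3), (11, 1), (20, 0), (24, 2), (INF, 3)]
SPO2_BANDS = [(91, 3), (93, 2), (95, 1), (INF, 0)]
SBP_BANDS = [(90, 3), (100, 2), (110, 1), (219, 0), (INF, 3)]
PULSE_BANDS = [(40, 3), (50, 1), (90, 0), (110, 1), (130, 2), (INF, 3)]
TEMP_BANDS = [(35.0, 3), (36.0, 1), (38.0, 0), (39.0, 1), (INF, 2)]


def _band(value, bands):
    """Points for the first band whose upper bound is >= value."""
    for upper, points in bands:
        if value <= upper:
            return points
    return bands[-1][1]


def recompute_score(obs: Observation) -> int:
    """Aggregate score from raw vitals, independent of what the EWS reported."""
    total = (
        _band(obs.resp_rate, RESP_BANDS)
        + _band(obs.spo2, SPO2_BANDS)
        + _band(obs.sys_bp, SBP_BANDS)
        + _band(obs.pulse, PULSE_BANDS)
        + _band(obs.temp_c, TEMP_BANDS)
    )
    if not obs.alert:
        total += 3
    return total


def audit_ward(observations, min_obs_for_flat_check=5):
    """Return findings describing integrity problems in the EWS output."""
    findings = []
    for obs in observations:
        expected = recompute_score(obs)
        if expected != obs.reported_score:
            findings.append(
                f"score_mismatch patient={obs.patient_id} "
                f"reported={obs.reported_score} recomputed={expected}"
            )
    # Heuristic (assumption): a ward where every displayed score is 0 across a
    # window of this many observations is implausible and merits an alert on
    # its own, even before the individual mismatches are examined.
    if (len(observations) >= min_obs_for_flat_check
            and all(o.reported_score == 0 for o in observations)):
        findings.append(f"flat_normal n={len(observations)}")
    return findings


# Constructed sample: one hour of ward observations after the EWS has been
# "reset to normal". Every displayed score is 0; P-002 and P-003 are not.
SAMPLE_OBSERVATIONS = [
    Observation("P-001", 16, 97, 120, 72, 36.8, True, 0),
    Observation("P-002", 26, 90, 88, 125, 38.5, False, 0),   # deteriorating
    Observation("P-003", 22, 94, 105, 95, 37.2, True, 0),    # early warning
    Observation("P-004", 14, 98, 130, 60, 36.5, True, 0),
    Observation("P-005", 18, 96, 115, 85, 37.0, True, 0),
    Observation("P-006", 12, 99, 140, 55, 36.2, True, 0),
]


if __name__ == "__main__":
    for finding in audit_ward(SAMPLE_OBSERVATIONS):
        print(finding)
```

The audit has to run somewhere the attacker has not already reached: a separate host fed from the observation source (monitors, the nursing observation app) rather than from the EWS itself, or it is auditing the tampered output with tampered input. The flat-normal heuristic is deliberately crude; its value is that it fires even when the attacker has also altered the stored vitals, because a whole ward scoring zero for an hour is not what real patients look like.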

The purpose of these examples is to show that healthcare is a scarily easy target, with ageing legacy systems and a minimal focus on security standards as we’ve pushed the transition from paper-based to paperless practice. Even now, as the incident count ticks ever upwards, the spend on cybersecurity solutions is low, and the focus on training users and developing end-user contingency plans is even lower. This has to change.

Cybersecurity is a patient safety issue and it’s time we started treating it that way.


Dr Saif Abed

Medical doctor exploring cybersecurity and cyberwarfare in healthcare.