[BreachExchange] A ‘Grey’s Anatomy’ episode shines light on large-scale health system hacks

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 30 18:32:46 EST 2017


https://upstatebusinessjournal.com/greys-anatomy-episode-shines-light-large-scale-health-system-hacks/

Fans of the long-running medical drama “Grey’s Anatomy” were treated to a
pretty frightening scenario recently when the hospital was taken over by
hackers seeking a Hollywood-sized ransom to release access to blood banks,
medical records, and control of medical devices.

Several friends have looked for reassurance from me, asking, “That can’t
really happen, right?”

Well, actually, it can. And it’s not just possible, but actually likely.

If we dissect the drama, we can find some takeaways for patients and the
health care community.

Let’s break down the reality from the amped-up-for-TV “Grey’s Anatomy”
storyline.

Monitoring devices, electronic locks, and patient records were all locked
down by a hacker.

That’s a terrifying but entirely plausible scenario. The most recent
large-scale example was the WannaCry ransomware worm of May 2017, which
infected roughly 300,000 computers in 150 countries, among them radiology
devices made by Bayer that were knocked offline by the malware. Security
researchers have also publicly demonstrated attacks on implanted medical
devices such as pacemakers, defibrillators, and insulin pumps, as well as on
hospital-based infusion pumps and patient monitoring systems. Lured by this
historically weak security, attackers are shifting from encrypting medical
records or stealing Social Security numbers to taking control of health
equipment and services and ransoming back access. Just like in “Grey’s.”

And just like a bad case of MRSA, one infected connected device can quickly
spread throughout the entire facility’s IT network. According to Wired
magazine, an average of 10 to 15 such devices are connected to each
hospital bed.

The FDA has issued cybersecurity guidance for device manufacturers, and it
has even blocked some deficient devices from coming to market. But that,
according to industry watchers, is rare and insufficient to address the
magnitude of the risk. For the most part, the industry has to police
itself. Device manufacturers are paying far more attention to the security
of their products, but the improvements mostly ship in new models; devices
already installed in hospitals often go unpatched for years.

A ransom of 5,000 Bitcoin was demanded of the Grey+Sloan facility.

In U.S. dollars today, that’s about $40 million. Bitcoin fluctuates far
more than an ordinary currency, and when the Grey’s episode was filmed the
ransom in dollars was a mere $20 million. Regardless, that’s a lot, even
for cardiologists and brain surgeons. It’s also exaggerated for dramatic
impact. In reality, ransom demands are considerably smaller. Hollywood
Presbyterian Medical Center in Los Angeles paid out about $17,000 in a
ransomware incident last year. But the demands can be higher when lives
linked to MRIs, medication dosage pumps, and pacemakers hang in the balance.

The other problem with Bitcoin is that paying is not easy.

You can’t just go to the bank, buy Bitcoin, and transfer it to your
attacker. A hospital first has to open and verify an account with an
exchange, fund it, and then move the coins to the attacker’s wallet, and it
often doesn’t go smoothly. That complicates the situation even more for
victims, who assume they can simply pay and everything will go back to
normal. Even if you decide to pay, it can take several days to complete the
transaction. For health care, that’s a critical situation with a poor
prognosis. With Ransomware 1.0, not paying the ransom was an option for
organizations with strong disaster recovery and the ability to switch over
quickly to backup systems. Backups restore data, though; when the target is
control of medical devices, door locks, and access controls, restoring last
night’s files does not hand those systems back.

The FBI storms in and takes over early in the unfolding of the disaster.

No, that’s not going to happen. In the case of ransomware, the FBI wants
you to notify them (that’s a request, not the law) and not pay the ransom.
If, however, patient information or other sensitive data is exposed (even
if you don’t know that it has been taken), the legal picture changes:
companies in South Carolina are required by state law to report the
breach, and health care providers covered by HIPAA must also notify
affected patients and federal regulators of a breach of unsecured health
information.

Operational thinking saves the day at Grey+Sloan.

And that’s a good lesson for any organization hit with a cyber attack. So
much of what we do is tied to technology that it seems impossible to
accomplish anything without it. Operational thinking demands that we give
up on what we can’t do and turn our attention to what has to be done.
Solutions, often unusual ones, will bubble up. Regardless of your industry,
this is a great exercise to go through, preferably when you are not under
attack or facing onrushing floodwaters. For most of us, it won’t involve
pumping your own blood directly into a patient mid-surgery.

How will things turn out at Grey+Sloan? It remains to be seen. But if art
imitates life, we have a lot of work to do in an essential industry that is
now sitting squarely in the crosshairs of cybercriminals.