Fans of the long-running medical drama “Grey’s Anatomy” were treated to a pretty frightening scenario recently when the hospital was taken over by hackers seeking a Hollywood-sized ransom to release access to blood banks, medical records, and control of medical devices.
Several friends have looked for reassurance from me, asking, “That can’t really happen, right?”
Well, actually, it can. And it’s not just possible, but actually likely.
If we dissect the drama, we can find some takeaways for patients and the health care community.
Let’s break down the reality from the amped-up-for-TV “Grey’s Anatomy” storyline.
Monitoring devices, electronic locks, and patient records were all locked down by a hacker.
That’s a pretty terrifying but likely scenario. The most recent example was last March’s WannaCry hack that infected 300,000 computers in 150 countries, including radiology devices made by Bayer that were disabled by the virus. There are also many documented cases of hacking implanted medical devices like pacemakers, defibrillators, and insulin pumps, as well as hospital-based infusion and monitoring systems. With historically weak security as a lure, hackers are switching from locking down medical records or stealing Social Security numbers to taking control of health equipment and services and ransoming back access. Just like in “Grey’s.”
And just like a bad case of MRSA, one infected connected device can quickly spread throughout the entire facility’s IT network. According to Wired magazine, an average of 10 to 15 such devices are connected to each hospital bed.
The FDA has developed guidance for device manufacturers on cybersecurity, and it has even blocked some deficient devices from coming to market. But that, according to industry watchers, is rare and insufficient to address the magnitude of the risk. For the most part, the industry has to police itself. Device manufacturers are turning a lot more attention to security on their devices, but updates are primarily embedded in new devices.
A ransom of 5,000 Bitcoin was demanded of the Grey+Sloan facility.
In U.S. dollars today, that’s $40 million. Bitcoin fluctuates like any currency, and when the Grey’s episode was filmed the ransom in dollars was a mere $20 million. Regardless, that’s a lot, even for cardiologists and brain surgeons. It’s also exaggerated for dramatic impact. In reality, ransom demands are considerably smaller. Hollywood Presbyterian Hospital in Los Angeles paid out $17,000 last year in a ransomware incident. But the demands can be higher when lives linked to MRIs, medication dosage pumps, and pacemakers hang in the balance.
The problem with Bitcoin, however, is that paying with it is not easy.
You can’t just go to the bank, buy Bitcoin, and transfer it to your hacker. The process is complex and underground, and it often doesn’t work so smoothly. That complicates the situation even more for victims, who think they can just pay and everything will go back to normal. Even if you decide to pay, it can take a few days to complete the transaction. For health care, that’s a critical situation with a poor prognosis. With Ransomware 1.0, not paying the ransom was an option for organizations with strong disaster recovery and the ability to switch over quickly to backup systems. But with the focus on control of medical devices, backups really don’t help regain control of services, devices, and access controls.
The FBI storms in and takes over early in the unfolding of the disaster.
No, that’s not going to happen. In the case of ransomware, the FBI wants you to notify them (that’s a request, not the law) and not pay the ransom. If, however, patient information or other sensitive data is exposed (even if you don’t know that it has been taken), companies in South Carolina are legally required to report the breach.
Operational thinking saves the day at Grey+Sloan.
And that’s a good lesson for any organization hit with a cyber attack. So many things we do are tied to technology that it seems impossible to accomplish anything without it. Operational thinking demands that we give up on what we can’t do and turn our attention to what has to be done. Solutions, often unusual ones, will bubble up. Regardless of your industry, this is a great exercise to go through – preferably when you are not under attack or facing onrushing floodwaters. For most of us, that won’t likely involve pumping your blood directly into a patient mid-surgery.
How will things turn out at Grey+Sloan? It remains to be seen. But if art imitates life, we have a lot of work to do in an essential industry that is now sitting squarely in the crosshairs of cybercriminals.