Anatomy of a ransomware attack

How real is that Grey's Anatomy episode anyway?

By Laura Haight

Fans of the long-running medical drama "Grey's Anatomy" have to wait another month to find out how Grey+Sloan gets out from under the weight of a ransomware attack. But the episode presented a pretty frightening scenario and left many viewers asking: "Can this really happen?"

In the cliff-hanger, hackers seized control of the entire hospital and demanded a Hollywood-sized ransom to give it back: electronic locks blocked access to the blood bank, medical records were encrypted, and medical devices were under outside control.

Can it really happen? It can, it has, it does, and it's more than possible, as healthcare has become one of the most targeted industries for hackers and cyber criminals.

If we dissect the drama, we can find some takeaways for both patients (that's pretty much all of us) and the healthcare community. Healthcare is a very large part of the area's employment picture. Greenville's two large hospital systems account for nearly 27 percent of all area employees working for businesses or organizations of 400 or more. That doesn't even include third-party healthcare support companies and a seemingly endless array of dentists, pediatricians, eye care professionals, and chiropractors.

So the fact that a new national report states that 77 percent of all healthcare organizations in the US have been infected with malware since August 2015, that healthcare as a segment was on the top five target list for hackers in 2016, and that security companies, the FDA, ethical hackers, and analysts have been banging the gong about medical device security for at least three years should cause some eyebrows to lift.

Let's break down the reality from the amped-up-for-TV storyline in the Grey's episode.

Monitoring devices, electronic locks, and patient records were all locked down by a hacker. That's a terrifying but increasingly likely scenario. The most recent and most visible example was last May's WannaCry outbreak, a self-spreading worm that infected some 300,000 computers in 150 countries, including radiology devices made by Bayer that were knocked offline by the infection. There are also many documented demonstrations of hacking implanted medical devices like pacemakers, defibrillators, and insulin pumps, as well as hospital-based infusion pumps and monitoring systems. With historically weak security as a lure, hackers are shifting from locking down medical records or stealing Social Security numbers to taking control of health equipment and services and ransoming back access. Just like in Grey's.

And just like a bad case of MRSA, one infected, network-connected device can quickly spread the infection throughout the facility's entire IT network, particularly on the flat, unsegmented networks many hospitals still run. According to Wired magazine reporting, an average of 10 to 15 such devices are connected to each hospital bed.

The FDA has developed cybersecurity guidance for device manufacturers, and it has even blocked some deficient devices from coming to market. But that, according to industry watchers, is rare. For the most part, the industry has to police itself. Device manufacturers are paying a lot more attention to security, but the improvements are primarily built into new devices; the installed base of older equipment rarely gets patched.

A ransom of 5,000 Bitcoin was demanded of the Grey+Sloan facility. In real US dollars today (12/13/17), that's at least $86 million. Bitcoin fluctuates like any currency, and when the Grey's episode was filmed the ransom was a mere $20 million in dollars. Regardless, that's a lot, even for cardiologists and brain surgeons. It's also exaggerated for dramatic effect. In reality, ransom demands are considerably smaller: Hollywood Presbyterian Medical Center in LA paid about $17,000 (40 Bitcoin) last year in a ransomware incident. But demands can be higher when lives linked to MRIs, medication dosage pumps, and pacemakers hang in the balance.

The problem with Bitcoin, however, is that paying in it is not easy. You can't just go to the bank, buy Bitcoin, and wire it to your hacker. The process involves exchanges and wallets that most finance departments have never touched, and it often doesn't go smoothly. That complicates the situation even more for victims who think they can just pay and everything will go back to normal. Even if you decide to pay, it can take a day or two, sometimes more, to complete the transaction, and there is no guarantee the attackers will hand over working decryption keys afterward. For healthcare, that's situation critical with a poor prognosis. With Ransomware 1.0, not paying the ransom was an option for organizations with strong disaster recovery and the ability to switch quickly to backup systems. Backups still matter for records and servers, but with the focus shifting to control of medical devices, a backup doesn't help you regain control of a pump or a door lock that only the vendor knows how to restore.

The FBI storms in and takes over early in the unfolding of the disaster. No, that's not going to happen. It is possible in certain cyberattacks, where your computers are taken over by hackers and used to attack another target, that the FBI would identify you as a victim or a potential perp before you were even aware you'd been hacked. In the case of ransomware, the FBI wants you to notify them (that's a request, not the law) and not pay the ransom. If, however, patient information or other personally identifiable information is exposed (even if you don't know that it has been taken), companies in South Carolina are legally required to report the breach, and healthcare providers are additionally bound by HIPAA's breach notification rule to notify affected patients and federal regulators.

Operational thinking saves the day at Grey+Sloan, and that's a good lesson for any organization hit with ransomware or any other type of cyber attack. So many things we do are tied to technology that it seems impossible to accomplish anything without it. Operational thinking demands that we give up on what we can't do and turn attention to what has to be done. Solutions, often unusual ones, will bubble up. Regardless of your industry, this is a great exercise to go through, preferably when you are not under attack or facing onrushing floodwaters.

How will things turn out at Grey+Sloan? It remains to be seen. But if art imitates life, we have a lot of work to do in an essential industry that is now sitting squarely in the crosshairs of cybercriminals.
