Where Bits and Bytes Meet Flesh and Blood
Annals of Emergency Medicine, 2017, Volume 70, Issue 3 (Elsevier BV). Language: English.
DOI: 10.1016/j.annemergmed.2017.07.008
ISSN 1097-6760
A sight that most people have seen only in news reports or their entertainment equivalent, a screen announcing that malware has encrypted a computer's files and rendered the machine unusable until a ransom is paid, began appearing throughout Erie County Medical Center (ECMC) in Buffalo at about 2 am last April 9 [1: Davis HL. How ECMC got hacked by cyber extortionists—and how it's recovering. Buffalo News, May 20, 2017. http://buffalonews.com/2017/05/20/ecmc-got-hacked-cyber-extortionists/ (accessed June 12, 2017)]. "What happened to your files?" taunted the intruding program before specifying payment procedures in the cryptocurrency Bitcoin. Such messages are increasingly common in the era of integrated systems and the Internet of Things, and they place physicians and information technology personnel somewhere on a continuum from annoyance to dread. Although electronic health records, networked medical devices, data-driven precision medicine, and other informatics advances have improved care in ways few physicians would want to forgo, the profession's digitization, accelerated by the "meaningful use" requirements of the 2009 Health Information Technology for Economic and Clinical Health Act, has expanded its vulnerabilities without concomitant attention to security. Malware authors and distributors, motivated largely but not universally by profit, have pounced.

"We've seen a massive escalation in the number of cyberattacks targeting health care over the last five years," said Carl Wright, MSIT, general manager of the security firm TrapX and former chief information security officer for the US Marine Corps, "so much so that of all recorded and reported attacks and breaches, 27% were related to health care just last year." The health care sector is less sophisticated in defense than other commercial enterprises or government, and "health care data is by far worth the most on the black market," Wright added.
"If we take a look at 2016, we saw a massive increase in the number of health care data breaches: it was a 63% increase year over year, and it accounted for over 12 million records.... You can go at any given day to the dark Web and find a host or cache of [health care] data that's typically for sale." Ransomware incidents increased 300% from 2015 to 2016, he noted [2: Computer Crime and Intellectual Property Section, US Department of Justice. How to protect your networks from ransomware (interagency technical guidance document). https://www.justice.gov/criminal-ccips/file/872771/download (accessed June 13, 2017)], and compromised privacy of patient information is only part of the problem. Because pacemakers, insulin pumps, and other devices are now connected in the Internet of Things, direct attacks on patient safety are an increasing risk.

Some hospitals have simply given in, calculating (sometimes quietly, occasionally publicly) that a moderate payment to unidentifiable "dark-side" or "black-hat" hackers is preferable to risking patients' safety by refusing the demand. When a hospital's equipment is networked without up-to-date security patches, the risks include loss of access to records and devices for hours, days, or weeks, depending on the extent and currency of backups. Among recent incidents, well publicized and otherwise, Hollywood Presbyterian Medical Center in Los Angeles drew attention and criticism in February 2016 by paying a $17,000 ransom (40 Bitcoins at the prevailing exchange rate) to obtain a decryption key and resume normal operations after 10 days of canceled procedures, diversion of patients, and reliance on paper records, telephones, and fax machines [3: Stefanek A. Hollywood Presbyterian Medical Center statement on cyberattack, February 17, 2016. http://hollywoodpresbyterian.com/default/assets/File/20160217%20Memo%20from%20the%20CEO%20v2.pdf (accessed June 12, 2017); 4: Winton R. $17,000 Bitcoin ransom paid by hospital to hackers sparks outrage. Los Angeles Times, February 19, 2016. http://www.latimes.com/local/lanow/la-me-ln-17000-bitcoin-ransom-hospital-outrage-20160219-story.html (accessed June 12, 2017); 5: Wolff J. Sometimes, you have to give in to ransomware. Slate, February 18, 2016. http://www.slate.com/articles/technology/future_tense/2016/02/hollywood_presbyterian_medical_center_paid_17_000_to_free_computers_from.html (accessed June 12, 2017)].

ECMC, in contrast, had enough confidence in its preparation for cyberattacks that its leadership never considered capitulating. From routine downtime drills to improvised details of computerless operations, the institution proved resilient, even when the full scope of the effects turned out to be far more extensive than anyone expected. ECMC's experience offers a model for other hospitals seeking to prevent malware attacks, to minimize the damage when they inevitably occur, and to avoid feeding the financial incentives that drive them. Yet this hospital's relatively unscathed recovery, security experts caution, does not mean that the white-hat defenders are anywhere near catching up with the black hats.

Jennifer Pugh, MD, clinical assistant professor of emergency medicine at ECMC, was scheduled to work at 7 am on April 9 as "second in command...on call that week to handle everything," because her director was out of town during the Easter break. ECMC's emergency department (ED) is a Level I trauma center, operating the western New York State area's only psychiatric emergency and burn treatment facilities, among other services. Interruption of ECMC's operations for any length of time would be an unacceptable risk to public health. "Around 5:30 in the morning," Dr. Pugh recalled, "I started getting contacted by the physicians who were currently working," who informed her of the situation.
Investigators would eventually determine that ECMC's Windows systems had been infected with SamSam, a remotely operated ransomware that gains its foothold on exposed servers, through unpatched vulnerabilities or by brute-forcing passwords, and can evade antivirus defenses [6: Spring T. New server-side ransomware hitting hospitals. ThreatPost, Kaspersky Lab News Service, March 29, 2016. https://threatpost.com/new-server-side-ransomware-hitting-hospitals/117059/ (accessed June 12, 2017)]. "You think of it happening on TV shows, but never to your individual site," Dr. Pugh commented, noting that the NBC series Chicago Med, with inadvertently exquisite timing, had aired an episode about a ransomware attack on April 6 [7: National Broadcasting Corporation. "Ctrl Alt": Chicago Med, season 2, episode 19. http://www.nbc.com/chicago-med/video/ctrl-alt/3493072 (accessed June 12, 2017)].

Senior physicians who were familiar with precomputerization procedures, she noted, had certain advantages over colleagues from digital-native generations, despite the latter's greater familiarity with information technology and malware-related concepts. "We had looked at X-rays on films at some point; we had prescription pads and stampers, little things that the newer providers, our younger residents, really never were exposed to. We had done paper orders before; we had done paper charting.... Everything from the beginning of [younger physicians'] medical school training had been on computers, so they needed additional coaching on how to write paper orders, how to construct a good paper chart that was detailed enough to really show the patient care that you've provided. A lot of them didn't know how to write a prescription out, because they were so used to just typing in a drug name, clicking on it, and everything would just come pre-filled out."

Another key resource was the regional clinical information exchange HEALTHeLINK, a patient-accessible, Health Insurance Portability and Accountability Act-compliant system, which was unaffected by SamSam and held uploaded copies of all hospital records through April 8.

A critical lesson for everyone at ECMC was that even an institution prepared with extensive tape backups, a coherent disaster plan, and cybersecurity insurance (fortunately increased the previous November) should expect recovery to move slowly [8: Davis HL. ECMC, hit by cyberattack, continues massive task of restoring computer functions. Buffalo News, April 21, 2017. http://buffalonews.com/2017/04/21/ecmc-hit-cyberattack-continues-massive-task-restoring-computer-functions/ (accessed June 12, 2017)]. Some stumbling blocks were simple: paper prescription pads began running out on day 2 after the attack, Dr. Pugh reported. The radiology department exhausted its local storage within a few days, having to hold tens of thousands of images on systems with capacity for only thousands, and so had to print images on film. Nonclinical information technology functions, an obvious lower priority than patient safety, have been slower to recover. "It is pretty devastating financially," she noted. "No matter what you do with the current paper charting system and the difficulty of getting the information out to the billers and coders, it definitely has pushed back our collections by as many days as we've been down, about 44 to 45 days." Perhaps most impressive is that ECMC's ED never went on diversion. The incident passed without observable harm to life. Still, Dr. Pugh found it a bracing alarm.
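The password guessing by which SamSam gains entry leaves a trail on the server well before anything is encrypted: a burst of failed logons from a single source. The following is an added example, not code from the article or from ECMC, that flags such bursts in a constructed extract of Windows Security failed-logon events (event ID 4625). The flattened one-line record format, the sample addresses and accounts, and the thresholds are assumptions for illustration; a real export carries more fields and a different layout.

```python
"""Detect password-guessing bursts in Windows failed-logon events.

Added example for this article, not code from ECMC or any vendor. The input is
a constructed, flattened export of Security events (event ID 4625 = failed
logon, 4624 = successful logon) with the fields
    <ISO timestamp> <event id> <target account> <source address>
in time order; real exports carry more fields and differ in layout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one external source hammering "administrator", a second
# source trying one password each against many accounts, and a clinician who
# simply mistyped a password twice.
SAMPLE_LOG = """
2017-04-09T01:40:02 4625 administrator 203.0.113.7
2017-04-09T01:40:03 4625 administrator 203.0.113.7
2017-04-09T01:40:04 4625 administrator 203.0.113.7
2017-04-09T01:40:05 4624 jpugh 10.20.0.15
2017-04-09T01:40:06 4625 administrator 203.0.113.7
2017-04-09T01:40:07 4625 administrator 203.0.113.7
2017-04-09T01:40:08 4625 administrator 203.0.113.7
2017-04-09T01:41:10 4625 alice 192.0.2.9
2017-04-09T01:41:11 4625 bob 192.0.2.9
2017-04-09T01:41:12 4625 carol 192.0.2.9
2017-04-09T01:41:13 4625 dave 192.0.2.9
2017-04-09T01:41:14 4625 erin 192.0.2.9
2017-04-09T01:45:00 4625 rnurse 10.20.0.31
2017-04-09T01:45:20 4625 rnurse 10.20.0.31
"""

def parse_events(log_text):
    """Yield (timestamp, event_id, account, source) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        yield datetime.fromisoformat(ts), int(event_id), account, src

def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: summary} for every source that accumulated at least
    `threshold` failed logons inside any `window`-long sliding window.

    One account under repeated failure is classic brute force; many accounts
    with a failure each is password spraying, which per-account lockout
    policies do not catch, so the summary labels the two separately.
    """
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    accounts = defaultdict(set)   # source -> accounts it has failed against
    peak = {}                     # source -> largest in-window failure count seen
    for ts, event_id, account, src in parse_events(log_text):
        if event_id != 4625:
            continue
        q = recent[src]
        q.append(ts)
        accounts[src].add(account)
        while ts - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    alerts = {}
    for src, count in peak.items():
        tried = sorted(accounts[src])
        alerts[src] = {
            "failures_in_window": count,
            "accounts": tried,
            "pattern": "password spray" if len(tried) >= 3 else "brute force",
        }
    return alerts

if __name__ == "__main__":
    for src, info in detect_password_guessing(SAMPLE_LOG).items():
        print(f"{src}: {info['pattern']}, {info['failures_in_window']} failures, "
              f"accounts {', '.join(info['accounts'])}")
```

The response that follows an alert belongs at the source, not the account: blocking 203.0.113.7 at the perimeter stops the guessing, whereas locking "administrator" after 5 failures would let the spraying source walk the whole directory untouched and might lock out legitimate staff in the process.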
"In the first few hours," Dr. Pugh recalled, "I don't know how much the hospital actually knew this was how it was going to affect our system. I think we all thought, you know, hours, days, but not 44 days. No one anticipated the amount of work it would take to get the system back to where it needed to be."

Other institutions have been less fortunate. Notoriously, a ransomware worm known variously as WanaCrypt0r 2.0, Wanna Decryptor 2.0, WCry 2, WannaCry 2, and Wanna Decryptor 2 was spotted in the wild on May 12 by the security research group MalwareHunterTeam. Incorporating exploit code called EternalBlue (which attacks a vulnerability in Windows file sharing and is believed to have originated at the National Security Agency as an offensive tool before being leaked), WannaCry scanned for connected, unpatched computers very rapidly, at about 25 random internet protocol addresses per second [9: Miller J, Mainor D. WannaCry ransomware campaign: threat details and risk management. FireEye blog, May 15-17, 2017. https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html (accessed June 14, 2017)], penetrated hundreds of thousands of machines (neither limited to nor specifically targeting hospital systems), and demanded relatively small payments, $300 or $600 in Bitcoin per infected computer. It disrupted organizational networks in more than 100 countries; within 4 hours of its initial identification, it had spread into the British National Health Service, where it paralyzed functions from radiology to blood-product refrigeration, causing widespread diversions and delaying surgical procedures [10: Clarke R, Youngstein T. Cyberattack on Britain's National Health Service—a wake-up call for modern medicine. N Engl J Med. http://dx.doi.org/10.1056/NEJMp1706754].

Some National Health Service machines ran the unsupported Windows XP operating system, which Microsoft's regular security patches no longer covered; the Conservative government's decision to forgo a £5.5 million ($7 million) annual extended-support arrangement with Microsoft proved to be a painfully counterproductive exercise in short-term austerity. Windows XP, however, was not a major vector of WannaCry, according to 2 research groups, Kryptos Logic and Kaspersky Lab [11: Brandom R. Windows XP computers were mostly immune to WannaCry. The Verge, May 30, 2017. https://www.theverge.com/2017/5/30/15712542/windows-xp-wannacry-protect-ransomware-blue-screen (accessed June 13, 2017)]: most infected XP machines simply crashed. The majority of WannaCry victims ran unpatched versions of Windows 7 or Windows Server 2008, for which Microsoft had published a fix 2 months before the outbreak. (On the day of the outbreak, Microsoft also released patches that protect XP and other unsupported versions [12: Microsoft Security Response Center. Customer guidance for WannaCrypt attacks. May 12, 2017. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ (accessed June 14, 2017)].)

A British security researcher who prefers anonymity and goes by the pseudonym MalwareTech performed a critical public service by reverse-engineering the WannaCry code and discovering a built-in kill switch: before doing anything else, the malware tries to reach a nonsensical, unregistered Web domain, and if that domain responds, it exits without encrypting files or spreading further. MalwareTech registered the domain in order to sinkhole it and gain insight into the infection, and when registering it halted the epidemic, he became an accidental hero [13: Khomami N, Solon O. "Accidental hero" halts ransomware attack and warns: this is not over. The Guardian, May 13, 2017. https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack (accessed June 13, 2017)]. The kill switch is a fragile defense, though: a variant built without the check, or with a different domain, is unaffected, and a machine that cannot reach the Internet directly, as on many segmented hospital networks, looks to the malware exactly as if the domain had not responded.

Human error can never be eliminated from the digital realm, but its consequences can be reduced, particularly when system designs take it into account. Anton T. Dahbura, PhD, executive director of the Information Security Institute at Johns Hopkins University, and colleagues are "studying user behavior in light of social engineering attacks, such as phishing attacks. And what happens when users are distracted, they have an office workload, they're multitasking, and so forth: it's really not good.... It's likely that users will continue to not think, or not take the proper precautions and click on the links that they're not supposed to click on. However, there's a lot of room for the software itself to be on the lookout for these kinds of things." One of the most common scenarios leading to a malware download, Dr. Dahbura pointed out, is the individually targeted "spear-phishing" approach, in which "you get an e-mail from someone [and] you look at the 'from' field, and it's someone you know. It's a good friend's name. But you have to go hover over that link to discover that really the e-mail address ends in .ru, from Russia.... [A]nd also with all of the information about us that's online, it's very easy for someone to put together an e-mail from Uncle Frank, wanting to know how your recent vacation to Italy was, and so forth. And you say 'Wow! Uncle Frank knew I went to Italy'—but it's not Uncle Frank at all." Unfortunately, Dr. Dahbura continued, even timeworn and crude manipulations of user behavior such as the "Nigerian prince" advance-fee scam (also called 419 fraud, after the relevant section of Nigeria's criminal code) still find takers.
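Dr. Dahbura's point that software can look out for the cues a distracted user misses can be made concrete. The following is an added example, not code from the article or from the Johns Hopkins group, that checks a raw e-mail for the three tells he describes: a familiar display name on an unfamiliar sending domain, a Reply-To that diverts replies elsewhere, and a link whose visible text names a different site than its target. The two messages, the KNOWN_CONTACTS address book and the domain comparison (last two DNS labels, standing in for a public-suffix lookup) are constructed assumptions.

```python
"""Heuristic checks for the spear-phishing tells described in the article.

Added example, not code from the article or from the Johns Hopkins group.
Assumptions: KNOWN_CONTACTS is a constructed address book mapping a display
name to the domains it legitimately writes from; registrable() keeps only the
last two DNS labels, which stands in for a proper public-suffix lookup.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_CONTACTS = {"uncle frank": {"example.com"}}

# Constructed phishing message: a trusted name on a foreign domain, replies
# diverted to a third domain, and a link whose text and target disagree.
PHISH = """\
From: Uncle Frank <frank.h@mail.example.ru>
Reply-To: replies@collector.example.net
To: you@hospital.example
Subject: How was Italy?
Content-Type: text/html; charset="utf-8"

<html><body><p>Saw your Italy pictures! The rest of mine are here:
<a href="http://photos.example.ru/login">https://photos.example.com/album</a></p></body></html>
"""

# Constructed benign message from the real contact, for comparison.
BENIGN = """\
From: Uncle Frank <frank@example.com>
To: you@hospital.example
Subject: Italy pictures
Content-Type: text/html; charset="utf-8"

<html><body><p>Album: <a href="https://photos.example.com/album">https://photos.example.com/album</a></p></body></html>
"""

def registrable(host):
    """Crude registrable domain: the last two labels of a host name."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw_message):
    """Return human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw_message)
    findings = []
    # Tell 1: the display name is someone we know, but the address is not theirs.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.rpartition("@")[2])
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and from_domain not in expected:
        findings.append(f"display name '{name}' is a known contact, but the address is on {from_domain}")
    # Tell 2: replies are silently routed to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable(reply_to.rpartition("@")[2]) != from_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")
    # Tell 3: the link text shows one site while the href points at another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = re.match(r"https?://([^/\s]+)", text)
        target = urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(target):
            findings.append(f"link text shows {shown.group(1)} but points to {target}")
    return findings

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyze(raw) or ["no findings"])
```

None of these checks proves malice on its own; a mail gateway would weigh them alongside authentication results such as SPF and DKIM. Their value is that they fire at delivery time, before the user has to notice anything while multitasking.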
The expanding scale of the attacks, says Wright of TrapX, makes it impossible to rely on human vigilance and manual countermeasures alone. "As more and more attacks come, we continue to see the number of attacks that health care providers are dealing with on a daily basis; we cannot possibly hire enough security professionals to deal with the magnitude of the threat," he said. "So we have to have more and more automated security products that talk together, to be able to create automated response so that we can deal with the magnitude of the problem." The shrewdest defenses may be those that draw on expertise in both code and human behavior. TrapX counters threats to hundreds of hospitals worldwide through its own combination of automation and constructive deception. Its Deception Grid software, Wright said, can "emulate and respond just like the real devices that you would find on a health care network.... We commingle fake assets with real assets, and when adversaries come in, they can't tell the difference between our stuff and the real stuff. And it's very simple. Only 2 things touch something fake: something misconfigured and somebody doing something bad. So it's a very high-fidelity alert. Very easy for the health care organization to deploy, and they get very quick protection.... As the WannaCry made it into organizations, we saw in seconds that the malware started to spread left and right, moving laterally. And our technology allows us to do something called intrusion, suppression, and containment. And I know that sounds kind of military—it kind of is, a little bit—but the idea is when we see the malware spreading, we can automatically talk to a network and shut it down, stopping the spread and the infection of it. It's a fully automated response." One intuitively useful approach to combating such attacks is to combine expertise in the clinical and digital domains.
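The deception principle Wright describes, that nothing legitimate ever touches a fake asset, so any contact is a high-fidelity alert that can drive an automatic response, can be shown with a minimal decoy. The following is an added example and is not TrapX's Deception Grid or any code from the article: it stands up a fake service on a loopback port, records whoever connects and what they send first, and records a containment decision for the source address. The FTP-style banner, the port and the simulated probe are constructed; contain() only records the decision that a real deployment would hand to a switch, network access control or endpoint agent.

```python
"""A minimal decoy service illustrating deception-based detection.

Added example; not TrapX's product or code from the article. Assumption: the
decoy listens where no legitimate client is configured to connect, so every
connection is either a misconfiguration or an intruder probing the network.
The FTP-style banner is a constructed lure; contain() only records the
decision that a real deployment would push to a switch, NAC or EDR agent.
"""
import socket
import threading
import time
from datetime import datetime, timezone

class Decoy:
    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 radiology-archive FTP server ready\r\n"):
        self.banner = banner
        self.events = []            # every touch: who, when, what they sent first
        self.isolated = set()       # sources the automated response would quarantine
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]   # port 0 lets the OS pick a free one
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (src, _) = self._sock.accept()
            except OSError:           # listener closed
                return
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)     # play the part of a real service
                    first = conn.recv(256)        # capture the visitor's opening move
                except OSError:
                    first = b""
            with self._lock:
                self.events.append({"time": datetime.now(timezone.utc),
                                    "src": src, "first_bytes": first})
            self.contain(src)

    def contain(self, src):
        """Automated response: nothing legitimate talks to a decoy, so the
        source is quarantined without waiting for a human to triage."""
        with self._lock:
            self.isolated.add(src)

    def wait_for_events(self, count, timeout=3.0):
        """Block until at least `count` touches were recorded (or timeout)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.01)
        return False

    def close(self):
        try:
            self._sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self._sock.close()

def probe(port, payload=b"USER anonymous\r\n"):
    """Simulated intruder or misconfigured host touching the decoy."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner

if __name__ == "__main__":
    decoy = Decoy()
    print("decoy listening on port", decoy.port)
    print("probe saw banner:", probe(decoy.port))
    decoy.wait_for_events(1)
    for e in decoy.events:
        print(f"ALERT {e['time'].isoformat()} {e['src']} sent {e['first_bytes']!r}")
    print("quarantine list:", sorted(decoy.isolated))
    decoy.close()
```

What makes automatic containment tolerable here is the near-zero false-positive rate of the trigger, not the sophistication of the decoy. Decoys earn their keep when they sit on the same subnets as real devices and answer like them, because a worm such as WannaCry finds its next target by scanning addresses, not by consulting an inventory, and the first fake host it hits gives the alarm.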
Analogies between biological and computational processes can be powerful for communicating between fields that each use a complex professional discourse; the very term virus is only the most obvious example. Simulation drills are a common tool in both the medical and security fields. Physicians, security researchers, health care administrators, device manufacturers, and policymakers convened in Phoenix last June for a CyberMed Summit that included not only panels and addresses but also 3 clinical simulations involving hacked devices. Christian Dameff, MD, an emergency medicine resident at Maricopa Integrated Health System in Phoenix (soon to begin a clinical informatics fellowship at the University of California, San Diego), devised scenarios that would "show clinicians what it would look like if they were working in the emergency department and someone's pacemaker got hacked, and that patient was brought in. I wanted to frame it to be very medically accurate, to be a common pathology they may experience, and to show them truly how they would work this patient up, identify the problem, and solve the problem." The simulation cases, run on sophisticated responsive mannequins, involved 3 compromised devices: a wireless infusion pump in a patient presenting with atrial fibrillation with rapid ventricular response, hacked to deliver an hours-long drip of a rate-controlling medication in 1 minute, as an overdose; an insulin pump in an otherwise healthy patient who had been driving a car, discovered only when the patient was rolled over, and hacked so that it "bolused the entire multiple-day dose of insulin at once" to produce rapid hypoglycemia, coma, seizures, a crash, and assorted vehicular trauma; and an automatic implantable cardioverter-defibrillator hacked to shock the patient repeatedly, randomly disrupting heart rhythm and producing cardiac arrest. "We put in clinicians who had no idea of what they were about to see," Dr. Dameff said.
"If any of those cases had happened in real life and they were in an ED, there is a high likelihood that those patients would have died." In the postexercise discussions among the clinicians, "there was a common theme: 'I had no idea that something like this could happen. I had implicit trust in the medical devices that I use—and that maybe I should be questioning sometimes. If these types of things should fail, what would I do as a backup?'"

Dr. Dameff, a longtime white-hat hacker who has explored digital systems since he was 12 years old, recognizes that networked devices, such as remote-monitoring pacemakers that can report incipient heart-rhythm abnormalities through wireless routers before symptoms appear, offer such substantial benefits that if physicians and patients abandoned them, "we would lose far more people than we would ever save. What I'm asking for is awareness and preparation and an emphasis on changing the next generation of technology to be more secure.... Your computer can get viruses and malware just like medical devices, but you can click a button that says 'give me the latest patch.' You can't do that with a pacemaker; a pacemaker might have a known vulnerability for decades." Rather than retreat from the Internet of Things during the current period of highest risk, Dr. Dameff said, "what we want is to inject security practices now for the next generation of technology, so we can theoretically only have to live with this problem for the next 10 years, as opposed to the next 20 or 30."

In this grave new world, in which patients' (and perhaps the public's) safety depends on collaboration across realms of digital and biological expertise, Dr. Dameff believes emergency medicine is the logical discipline to take the lead. "Emergency physicians are tremendously powerful patient advocates; they can recognize these risks; they can go and be change agents in their ecosystems.... Disaster medicine is the purview of the emergency physician. We are the experts, we deal with Katrina, we deal with earthquakes, tornadoes—but we don't talk about cyberdisasters. Emergency medicine should own this domain. They should own what should happen when a cyberdisaster happens. We're trained for it, [and] we have the skills to be able to address something like this because we understand how to handle disaster management."

Imagining worst-case scenarios can be more than an obsession or an entertainment; it can be a left-of-boom thought experiment that exposes where work urgently needs to be done. The combination of ethical hackers conjecturing how the unethical ones think, security specialists answering those conjectures with both technical and behavioral preventive measures, and emergency physicians applying their experience in disaster response (along with, perhaps, a touch of luck, during a period when that commodity is vanishingly scarce) just might get the US medical-informational complex through these years of exceptional risk.