Petya and WannaCry: The Newest Threats to Our Patients
A sixty-five-year-old English man with a history of high cholesterol and elevated blood pressure awoke one morning about a month ago in Liverpool with a mild, dull ache in his chest. Throughout the day his discomfort worsened, just a little, slowly crawling along his left shoulder and settling deep in his gut. The very personification of the stiff British upper lip, the gentleman thought about stopping in on his local doctor, but dismissed the thought moments later. Besides- he had heard on the radio earlier that NHS hospitals were closed to all but the most serious of emergencies- and surely this gnawing ache wasn’t an emergency.
This hypothetical patient- doomed to death from a fictitious but massive heart attack- sprang to life in our heads the moment we learned last month about what is now one of the biggest cyber attacks in history. A malicious piece of code – a member of a family of computer viruses known as “ransomware” – having infiltrated scores of computer networks across (at last count) ninety-nine countries, erupted within its hosts, locking down crucial data while demanding anonymous Bitcoin payments for its release.
As practicing physicians with a keen interest in the burgeoning field of medical cybersecurity, we found these events a sobering reminder that healthcare faces a new and unprecedented threat. While multinational corporations and world governments were counted among the “WannaCry” ransomware victims, the story originally broke with reports that Britain’s National Health Service had suffered a devastating electronic attack that drew the attention of the Prime Minister herself.
Dozens of NHS hospitals, clinics, and administrative facilities were compromised in the attack- some through computers running Microsoft Windows XP, originally released in 2001 with its last official upgrade in 2008- leaving doctors unable to access key systems and essential files.
Most importantly, the threat lies not just in the capture and potential exposure of private health information- which often contains one’s deepest secrets and darkest vices amongst routine laboratory work and vital signs- but in the downstream damage effected when medical care itself suffers as a result. Indeed, affected hospitals in the U.K. cancelled surgeries, diverted patients to other facilities, and warned away potential patients not suffering from life-threatening emergencies, and similar disruptions of care have even occurred in the United States following a recent attack by the sister worm Petya.
Such attacks are not novel, with other hospitals closer to home having felt the sting of ransomware in recent years. But this attack was breathtaking for the scope of the disaster, as well as for the fact that the operation was not particularly directed toward the healthcare arena, thus raising the specter of what may come when malicious hackers, realizing the potential for widespread mayhem and financial gain, set their sights solely on our hospitals- hospitals which in many cases run outdated and vulnerable legacy systems.
So what, aside from gawking, are doctors, nurses, and other medical professionals to do? While we place an implicit trust in the vast expanse of technology we use to treat and care for patients, we need to become aware of the inherent dangers that exist in today’s Internet-connected world. Basic literacy in cybersecurity “hygiene”- from avoiding the trap of classic “phishing” scam emails to the creation of more robust passwords and regular updating of our operating systems- can be a simple first step toward secure solutions.
Ultimately, we need to see these events as the harbingers they are- warnings that our patients now face a further threat in addition to disease and injury- a threat just as dangerous as the most serious infection or wound.
We would not at all be surprised to learn, in the coming weeks, of patients in the vein of our imaginary Englishman, or those recently affected by Petya in Pittsburgh, who, dissuaded from or unable to seek care due to the sheer stress placed on a beleaguered system, suffered real, even fatal, harm.