In the tail end of September, an email attachment was forwarded to an unknown employee in the United Health Services network. It would have been innocuous. Disguised in the form of a trusted source or gift—a trojan horse. The attachment—once opened—would have run an extension that instantaneously wormed its way into the computer network. It would have spread laterally through the nodes of the UHS network, dredging out its contents and harvesting their data. Then, once it was sated, the virus would deploy its killer payload: Ryuk. A play on the death spirit from the manga “Death Note”, the malware encrypts all the files and backups that it can get its claws around until the entire network is frozen, bound in digital chains. Then, in the stillness of a dead screen, it delivers a message demanding its ransom in Bitcoin.
The message varies from attack to attack, but in each case, it is signed: “Ryuk. No system is safe.”
This attack, possibly orchestrated by Russian- or North Korean-based hacking groups, brought the facilities operated by UHS across 37 states to a grinding halt, forcing over 90,000 employees to care for patients with pen and paper until the code was broken, or more likely until the ransom was paid.
This attack was unique only in the fact that it was widely reported; in fact, in August of 2020 alone, 2,167,179 medical records were stolen or improperly exposed [1], and in previous years it has been estimated that 25% of healthcare organizations experienced very or extremely disruptive cyber attacks [2]. Each attack presents an opportunity for hackers to abscond with valuable data and rake in a ransom that could number in the millions of dollars. In the peculiar landscape of cyberspace, these attacks allow state actors like Russia and North Korea to brazenly plunder the infrastructure of foreign countries, causing so much monetary damage that if it occurred in any other domain it would likely be considered an act of war. In this new interconnected world, hospitals have become outposts on the frontlines of an ongoing conflict. Combining a trove of valuable information, a desperate intolerance of network outages, and the money to cover any ransom, hospitals represent the perfect targets for a potential attack.
However, while the system-wide costs are substantial, the real immediacy of these attacks reaches you at the individual level. Thousands of critically delayed treatments. Orders and critical lab work lost to filing errors at the hands of staff unfamiliar with paper charts. And finally, ambulances rerouted away from blighted hospitals, causing patients to die while in transit.
The latter case was from a cyberattack on a German university hospital and is widely regarded as the first death attributable to a cyberattack [3]. However, despite the low death count, network outages from cyberattacks doubtless incur substantial morbidity that is difficult to calculate.
Around the same time as the UHS attack, my hospital system experienced a similar event. Thus far the cause of the network outage in my hospital has been unconfirmed, but during the week when many of its computer systems were down, the hospital was in chaos. Not only were medical records inaccessible, but the pneumatic tube system that ran through the hospital transporting specimens and medication was halted, compounding delays in care. In an instant, every individual member of the hospital staff was cast adrift and in many cases had to reinvent their workflow and protocols on the spot. Young residents and nurses who had never used a paper chart suddenly found themselves writing critical orders on scraps of paper because the old paper charts had not been maintained. Throughout the hospital, the pager system, which was operated on a computer network, devolved into a series of cold calls and hurried messengers. Outpatient visits were canceled, cancer treatments were postponed, and EMS was diverted to other hospitals.
Thankfully, there were no adverse events reported during the outage, but given the prevailing chaos, I shudder to think of what could have been. This disruption, multiplied hundreds of times across the healthcare facilities throughout the US, amounts to a clear and present danger to the health of the country. Hospitals need to prepare for cyberattacks as they plan for any other disaster. Not only do they need to take the necessary steps of investing in secure networks, training employees on good cyber-hygiene, and hiring dedicated IT security staff, but they need to prepare for the eventuality of a total network collapse. This includes running drills that simulate an outage, having blank paper charts at the ready, and instituting protocols for staff to follow in the first minutes and hours after an outage. Beyond this, there needs to be a national call to action to protect American cyber-infrastructure. This represents a vital security interest to the nation and includes not only the vulnerability of American hospitals, but of utilities, banking, and retail.
The US has virtually no national standards for cybersecurity and provides little funding to cover the cost of what is essentially a national defense issue. Hospitals have found themselves on the frontlines of a multifront war, but have thus far been fighting alone. We need government support to continue to optimize health system security because while many large systems are able to cover the cost of substantial security operations, it ultimately increases the hospital’s bottom line and filters down into ever increasing healthcare costs for patients. This is an emerging, critical issue that will only intensify in the coming years. My hope is that we can take the necessary steps to safeguard the health of our people before an even more destructive cyberattack brings our healthcare system to its knees.
*As of this writing, another substantial cyberattack on major US hospitals has been reported. The scope of this event is unclear at present, but this clearly underscores the ever-increasing threat discussed in the above article.