
Do No Harm
Description
In Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States, cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves, our data, and our hospitals from harm.
You'll learn how the high barriers to entry for innovation in the field of healthcare are impeding necessary change and how innovation accessibility must be balanced against regulatory compliance and privacy to ensure safety.
In this important book, the author describes:
* The increasing expansion of medical devices and the dark side of the high demand for medical devices
* The medical device regulatory landscape and the dilemmas hospitals find themselves in with respect to medical devices
* Practical steps that individuals and businesses can take to encourage the adoption of safe and helpful medical devices or mitigate the risk of having insecure medical devices
* How to help individuals determine the difference between protected health information and the information from health devices, and how to protect your data
* How to protect your health information from cell phones and applications that may push the boundaries of personal privacy
* Why cybercriminals can act with relative impunity against hospitals and other organizations
Perfect for healthcare professionals, system administrators, and medical device researchers and developers, Do No Harm is an indispensable resource for anyone interested in the intersection of patient privacy, cybersecurity, and the world of Internet of Medical Things.
Content
CHAPTER 1
The Darker Side of High Demand
The road to Hell is paved with good intentions.
-Henry G. Bohn, A Handbook of Proverbs, 1855
"First, do no harm" is attributed to the ancient Greek physician Hippocrates. It is part of the Hippocratic Oath. The reality is that every day, doctors and hospitals need to make decisions about how to best help patients under the existing conditions. If doctors need to operate, they may harm the patient by making an incision, sometimes to save a patient's life. This is a calculated and acceptable harm from a moral perspective.
What isn't always as obvious to hospitals is the harm introduced by using an internet-connected medical device. In many cases, such as in hospitals, the doctors may have limited input about which devices are chosen for their environment. These devices have critical medical value not only for the hospital or doctor's office, but also from the patient's point of view. They are at the forefront of today's medical transformations. Often the harm that is introduced is unknown, unseen, or downplayed, if it is assessed at all.
This chapter explores, at a high level, the state of internet-connected medical devices and how those devices are impacting hospitals and, unfortunately and indirectly, human life. More importantly, this chapter covers the overall trends related to hospitals, partially as a result of internet-connected medical devices, and how businesses evolved to the state they are in today. First, we need to understand the risks that internet-connected medical devices pose.
Connected Medical Device Risks
What exactly are the risks related to internet-connected medical devices? The hit TV show Homeland popularized the idea of an attacker assassinating someone by taking over a pacemaker. While this is not beyond the realm of possibility, the most common forms of attack utilizing internet-connected medical devices are ransomware and distributed denial of service (DDoS) attacks.1 In the former case, the attacker takes over a system (often with malware, but sometimes with a password) and prevents (often through the use of encryption) the end user from using the system. In the latter case, the attacker will own the device and use it to attack other sites.
Ransomware
Ransomware is essentially software that prevents systems from running. Criminals require that the owners pay to be able to regain access to their own systems. Imagine you had pictures of your family on your home computer and you could no longer access them unless you paid a fee. Now imagine critical medical systems rendered inoperable instead of family pictures. To make matters worse, once attackers are inside of systems, they often leave behind a way to gain access to them over and over again, meaning those systems are more susceptible to future attacks. This trend has only increased in the time of COVID. Obviously, the attackers do not care enough about the lives of others to refrain from these attacks.
Ransomware has been evolving tremendously over the last few years, and the number of ransom demands has risen significantly from a few years ago. In 2019 alone, 764 healthcare providers in the United States were hit with ransomware.2 One might be tempted to think that attackers would not go after hospitals in a time of a global pandemic, but while this is the case for some attackers, the reality is that ransomware attacks have been on the rise since COVID-19 hit.3 What is worse is that while ransom demands used to be a few hundred dollars, they are now growing and are often more than a million dollars. With so much to gain, it is no wonder that ransomware demands are on the rise. Clearly, hospitals have a great deal of risk related to ransomware.
The effect that ransomware has had on hospitals is crippling. The attackers are well aware that COVID-19 has severely stretched the resources at hospitals. They know that this is a life-and-death situation, which makes hospitals even more likely to pay the ransom,4 especially the smaller hospitals that may not have as mature of an IT and/or security program in place to protect their environments from the ravages of ransomware.5 Essentially, they are easier targets. Sadly, even larger, more mature organizations are susceptible to ransomware attacks, but can sometimes respond to them more effectively.
September 10, 2020, unfortunately marks a grim milestone for ransomware: the first indirect death. A patient was rerouted from Duesseldorf University Hospital in Germany as 30 of its internal servers were hit with ransomware. As a result of the subsequent delay in getting the much-needed medical treatment, the patient died.6 This particular attack was aimed at Heinrich Heine University and mistakenly hit the hospital because it is part of the same network. In this case, the perpetrators provided the keys to decrypt the systems and withdrew their extortion demands, but despite that, the hospital's systems were disrupted for a week.7
That was not the only death associated with ransomware in September 2020, unfortunately. Universal Health Services (UHS) was hit with a massive ransomware attack. UHS is a Fortune 500 company with more than 400 healthcare facilities in the U.S. and the UK. It provides services to more than 3 million patients yearly. In many cases whole hospitals were shut down and services were rerouted to other hospitals. Because of this rerouting of services, four people died.8 With the frequency of ransomware growing, these kinds of problems will not only continue, but will likely become worse before they get better.
It is important to note that medical devices are not the only avenue for ransomware attacks, but they are, arguably, the most egregious vector due to the gaps in their fundamental security, the inability to patch cybersecurity flaws in some circumstances, and the volume of problems they have, especially in the long run. One report shows that malware against internet-connected devices (not just medical devices) is up 50% from 2019.9 That being said, they are a unique avenue due to the kinds of flaws they have. For example, the range of flaws in today's internet-connected medical devices is staggering. Take medical imaging devices: 70% of the devices are based on retired operating systems or systems that are under limited support.10 The potential for vulnerabilities is extremely high. In many cases internet-connected medical devices run on Windows XP, which is no longer supported. New vulnerabilities continue to be found, many of which allow complete compromise of the whole system. Associated with a compromised system is a whole host of risks, including everything from the system not functioning to data being exfiltrated. Either way, these are risks to both patients and hospitals.
Now let us think about connectivity. Today's world is also much more connected than ever before. Many systems connect back to something referred to as "the cloud." While I will go into greater depth in later chapters about the cloud, it should be noted here that the cloud aggregates and correlates data in one location. It also comes with a whole new set of risks that adds an extra layer of complexity for IT and cybersecurity teams.
Let's take a ransom in another direction, from a personal perspective. If you had a pacemaker, what would you be willing to pay to save your own life if someone threatened you with turning off the pacemaker? If attackers do not care about the lives of multiple people, they will not care about the life of one person. Attackers typically go for the easiest targets that offer the most reward. If they started targeting the rich who had internet-connected medical implants, that could be a lucrative route going forward. Of course this is not as lucrative as having a hospital pay a ransom.
Risks to Data
What does not often come to mind is the data risk related to internet-connected medical devices. Data can be as potentially deadly a risk as any device. An insulin pump that receives the wrong information can potentially kill someone with diabetes. A number of events can cause errors, everything from human error to machine flaws. This too deserves a much deeper dive, as data is far more interconnected than at any point in history, and that interconnection is only going to accelerate with the advent of new internet-connected medical devices.
Some risks are due to existing flaws in medical devices combined with the desire for people to have a better quality of life. For example, diabetics have hacked their own pumps to achieve innovation the manufacturers have not. While many of the devices have been recalled, people have been hurt by insulin overdoses as a result of hacking their own devices.11 Keep in mind that this was with commercial-grade systems that were attacked. These are not systems purchased off the black market.
Not everyone opts for commercially viable solutions. The cost associated with some of these solutions is too high for many to afford. As a result, they go through alternative sources that may not have the strict quality control that the commercial world has. In some cases, unknowingly, people will work with devices that are actually from the black market, such as insulin pumps that may be even less secure because they are not subject to the stronger regulation that exists today.12
While ransomware is taking the spotlight as of late, a host of other attacks are...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.