What If Local Hospitals Were Hit With Ransomware?
Remember the Wannacry attack that basically took down the UK healthcare system and which CBS says will cost about $4 billion to mitigate?
Well, a few medical experts with a bent towards hacking presented the results of a simulation they conducted regarding what would happen if local hospitals were hit by a coordinated malware attack.
They claim that the average connected device had about 1,000 exploitable CVEs( vulnerabilities). The speakers said that 85 percent of US hospitals do not have any IT security staff. Those are scary thoughts.
The speakers, Joshua Corman, founder of I am the Cavalry , Beau Woods, Dr. Christian Dameff and Dr. Jeff Tully, painted a pretty bleak picture.
Along with authorities in Phoenix, they ran a simulation for three days that started with one hospital being infected by destructive malware, followed by digital assaults on other hospitals in the city on day 2 and finally a physical attack like the Boston Marathon attack on day 3.
To their surprise, the simulations calculated deaths would occur almost immediately on day one. With elevators and HVAC systems out, and no refrigeration for medicines, patients had to be shuttled to other medical facilities and some were not making it there alive.
By day two, doctors switched from standard to disaster triage due to the sheer volume of patients not being treated. Typically, people are triaged so that the sickest or most seriously injured get treated first, but instead doctors had to switch to prioritizing those they could realistically save and left the more seriously sick to die.
All of the deaths in the simulation were caused by the hacking.
You may remember the case of the St. Jude pacemaker. A security researcher told the government of the flaw and for a year, the government hemmed and hawed and didn’t do anything. Eventually the feds blinked and issued a warning and St. Jude patched it. Most flaws do not get patched at all.
Even if the hospitals have an infinite pot of money, it takes years to get new devices approved.
What needs to happen is for the government and medical device makers to improve their security processes and for hospitals and doctors to fully engage. We are never going to have bug free software, but right now, many devices are never patched because the approval process to apply the patches (from the government) is basically unworkable. The public needs to demand it – minus that, the problem will never get fixed and people will likely die needlessly.
In the case of hospitals affected by Wannacry, the researchers are confident that the result was people dying.
Source: The Register.