After conducting cyber incident exercises in a hospital this week, Charlie is sharing his key takeaways and research, looking specifically at healthcare organisations.
Earlier this week at PlanB Consulting, my colleagues and I wrote and then delivered two exercises for a hospital in the UK. The first exercise, for the Gold Team, was delivered in the morning, and the second, for the Silver and Bronze Teams, was completed later. We started out with a presentation on the incident management landscape and essential cyber knowledge, followed by a desktop exercise. In this bulletin, I want to share the learning points taken from these exercises, as well as the research I conducted before the exercise into attacks on health organisations.
Healthcare has a mixed experience with cyber incidents. Whenever ‘WannaCry’ is mentioned, the NHS is referred to as the example of a victim. It is important to note that this was an untargeted attack: the NHS was not specifically the target, it was collateral damage. Some ransomware gangs will not attack healthcare services, while others think they are fair game. Wizard Spider is alleged to have attacked the Health Service Executive (HSE) of Ireland, but in the face of widespread revulsion after the attack, they supplied the decryption keys for free. Attacks on the NHS are very unlikely to elicit a ransom, as NHS bodies are government organisations, whereas American healthcare organisations and hospitals may be considered “fair game” because they are private or corporate organisations. Perhaps the attack on NHS provider Advanced last month was due to ransomware gangs doing their research and attacking a private company, which might be more likely to pay than a government one.
So, if there is a double extortion ransomware attack on a hospital, involving a lockout of all systems (possibly including telephony) together with data exfiltration, what are the possible impacts?
Hospital Staff Working Blind
Although many medical procedures are delivered physically, such as surgery, bed care, and administration of medicine, almost all the information about the patients is held on computers, and without that information the staff are blind. Which medicines patients get, their diagnoses, and their notes are all held electronically. There was a sharp intake of breath from all teams, especially the Bronze Team, which consisted of the matrons who work directly with the patients, when they were informed that they might lose access to all their systems for weeks, if not months, during a cyber attack. They knew that they had failover servers and had assumed that during a cyber attack they would get access back within 15 minutes. I recently read a case study of a cyber attack that happened last month on South Francilien Hospital Centre in France. One of the impacts of the attack was that every day they had to write out by hand the drugs they needed to give to patients. They also had no access to patient scans and x-ray images.
During the exercise, the Bronze Team also pointed out that without the records, all patients would need to be re-examined and re-diagnosed, which would be extremely time-consuming. With no access to systems, each patient would also have to be risk assessed, and the Bronze Team would have to decide whether it was safer to transfer them to another hospital or safer to keep them where they were. There was some debate about whether there would be sufficient capacity in other hospitals if large numbers of patients had to be moved. For the patients who remained, everything would take much longer to do manually, and additional staff would have to be brought in to cope. This would add cost and complexity on top of the existing systems.
Hospitals are often part of major incident plans, so they take incident logging very seriously and have staff trained in the loggist role. There was some discussion about the difficulty of finding staff to be on call who would be willing to come in at short notice and out of hours. One of the issues we discussed was recording decisions at the Gold level. Decisions made by the Gold Team could have an impact on patient safety, so they should be recorded: if there were later an inquiry, each decision could then be reviewed in light of the information available at the time, who made it, and why it was made.
Part 2 of this bulletin will be delivered next week.