Don’t Let Cyber Life Imitate Art
by Suzie Dodds, CIC
If you watched the “Paid in Full” episode of the NBC medical drama New Amsterdam this week, you watched a frightening scenario unfold: cyber ransomware meets hospital computer network. And it wasn’t limited to email and billing, even though it started with an infected email opened by the hospital’s outgoing medical director. As an insurance agent, why should you care? Keep reading to find out…
An ER department head initiates a typical remote diagnostic process in a pacemaker implanted in a New York horse carriage driver. Surgeons begin a delicate robot-assisted surgery. The behavioral health wing begins normal daily operations with their inpatients. Oncologists begin a fairly routine drip chemo treatment into a burr-hole drilled into the head of a young mother with cancer who didn’t respond to more traditional chemotherapy. The procedures all begin uneventfully. There is other storyline drama between the good-hearted, patient-focused outgoing medical director and the ruthless, fiscally-focused incoming medical director who wants him to co-sign a balanced budget that would eliminate many beloved department heads and valuable programs. The outgoing director opens an email about compassion and empathy in the workplace so that he can facetiously forward it to the incoming director. Suddenly, a deranged-looking rabbit graphic appears on computer screens with a demand for $10 million in cryptocurrency, or the hospital system will be shut down. According to the serious-looking FBI official who later stands in the directors’ office, the demand comes from a Russian-backed cyber cell that has successfully attacked over 250 healthcare facilities.
All those uneventful procedures? Catastrophes… and the ER can’t accept new patients.
The carriage driver’s pacemaker begins shocking his heart repeatedly. The pacemaker has to be removed in the ER, and a non-networked mechanical CPR machine is brought in to keep him alive, because all the other equipment they would normally use is connected to the infected network and they don’t have the staff to manually perform CPR until the crisis passes.
The surgical robot begins uncontrollable movements, tearing into the patient and causing internal bleeding that the surgeons have to manually and urgently repair.
The behavioral health wing loses all their session schedules, session notes, and patient medication records, and has to reconstruct them through immediate phone calls to patients’ families, prior physicians, and patient interviews that rely on the patients’ recollections of their conditions, and the quantities, size, shape, and color of their pills, before they can administer any meds for the day. One patient provides false info in an attempt to commit suicide.
The chemo machine releases all the chemo medication into the young mother’s brain at once, giving her an immediate dose 5 times the maximum. She begins to go into shock and has to be treated in the ER without assistive equipment, using a procedure the oncology department head has only read about.
The department heads who are on the chopping block all come up with solutions to the individual medical problems, but none of that solves the ransomware issue. The outgoing director wants to pay the ransom, but the hospital would risk being sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for transacting with the ransomware attackers. The incoming director says they are a public hospital and don’t have $10 million lying around, doesn’t want to pay the ransom, and wants to rely on the FBI cybersecurity unit to just reconstruct their records, department by department, which could take weeks or months, and would likely only be partially successful.
As the crisis unfolds, the incoming director finally agrees to use her fiscally-responsible reputation (unlike the outgoing director’s fiscally irresponsible one) to get the $10 million in cryptocurrency from the HCC (the Health Care Commission), which in real life is the HHC (Health and Hospital Commission), an arm of the City of New York. They are also able to secure a compliance waiver from the OFAC to pay the ransom without sanctions. But the incoming director’s help comes at the cost of the outgoing director’s signature on the budget he hates, and staff cuts are made. He manages to save the department heads who got them through the day’s medical crises, but even that comes at the cost of dozens of furloughed lower-level employees.
Why you should care, both as a patient and as an insurance agent
Ransomware is no joke, and no one is immune. https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
It’s not even a new problem. This 2012 article highlights cyber vulnerabilities in medical and hospital systems. https://www.technologyreview.com/2012/10/17/183245/computer-viruses-are-rampant-on-medical-devices-in-hospitals/
Even though we know about these vulnerabilities, very little has been done to eliminate them. This 2021 article explains why. https://www.brookings.edu/blog/techtank/2021/08/09/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/
The OFAC sanctions are real. https://www.fenwick.com/insights/publications/ofac-helps-those-who-help-themselves-how-a-ransomware-response-plan-can-help-avoid-sanctions-enforcement-for-ransom-payments
Not to oversimplify, but Cyber Liability insurance would have been helpful in this episode scenario. With the cyber liability carriers and response teams available through the markets of AJ Wayne, the hospital could have called their cyber carrier to report the incident, and the carrier’s partnered cybersecurity experts would have responded immediately, engaging remotely and sending experts to the hospital site to begin re-establishing control of the system and the stolen/lost records, assist existing IT staff, trace the attackers, work with law enforcement, and assist with securing ransom funding per the policy terms. The damage to hospital systems could have been minimized and access restored without the need for taxpayer assistance, and without the severe budget restrictions that resulted in furloughed workers and understaffed healthcare facilities. Once the crisis was past, those same experts could provide recommendations for preventative measures such as anti-virus software, encryption, staff education and procedures, critical system isolation, system updates and patching, off-site data backups, etc. Had the hospital undergone a cybersecurity audit when they purchased cyber insurance, the entire attack could possibly have been prevented, or at least minimized.
Can you or your clients afford to turn away new clients, lose all or part of any records for existing clients, be offline for weeks or months, withstand the backlash of financial or physical/property damage to those clients, come up with potentially millions of dollars in ransom funding, and know where to begin to avoid fines, penalties, and sanctions for trying to get their business-critical data back? If you don’t know the answer already, you need to ask. And if the answer is No, they need Cyber Liability. If they don’t have it, we can help you get it for them at a reasonable cost. The coverage is cheaper than any loss they could suffer at the hands of a cyber attacker.
Reach out to one of our brokers today to put our expertise to work for your agency and your clients!