Whether they realize it or not, hospitals and health care companies exist in an electronic arena in which nation-states are actively engaged in cyberwar. They would do well to protect themselves. Wired magazine recently published an in-depth account of 2017’s “NotPetya” internet worm attack that concluded, “The release of NotPetya was an act of cyberwar by almost any definition.” The attack, which the magazine said began as a Russian cyberattack on assets in Ukraine, quickly spread online into a global emergency that crippled ports, utilities and banks, along with hospitals in Pennsylvania and elsewhere. A software patch that could have prevented NotPetya infections was already released by the time the worm hit, but NotPetya was designed to move from computer to computer behind a firewall if it found one unpatched entry point into the system. Those dynamics help explain why the Twin Cities’ boutique device and drug law firm DuVal & Associates has a software and design consultant on call — Greg Spar — solely to provide advice and services for cybersecurity and related regulatory needs. What follows is an edited transcript of a conversation with Spar.
Q: U.S. hospitals have been hit with malware attacks, but I’ve heard that there’s never been a successful malicious attack on a medical device that was designed to physically harm a patient. Is that right?
A: I’m not aware of it having happened. Probably the biggest reason for that is, somebody that is going to spend a lot of time and effort to create an attack and engineer what it takes to accomplish that would want a bigger gain. Possibly a high-level political figure might be a high enough gain factor for somebody to architect an attack. But for the common person, it would be more a matter of terror — if someone was trying to exercise terrorism, then they might focus on individual nondescript persons.
Q: For hospitals, how much of the work in med-tech cybersecurity boils down to making sure every machine is up to date with its software patches?
A: That presents the largest challenge to an institution like a hospital. They have such a huge variety of equipment, and the equipment is widely distributed and a lot of it is mobile. It is constantly moved from place to place. So the logistics of managing that is a real challenge. Also, hospitals in general are running on tight budgets and in a lot of cases are undermanned for staff to keep up with this stuff. That makes it difficult to make sure that everything is always kept up to date.
Q: It’s striking to me that when NotPetya was released, the software patch to prevent infection was also already available — it just hadn’t been installed.
A: I don’t think that’s going to be an uncommon problem. A lot of places are not going to do what needs to be done until they’re kind of pushed. It’s just kind of human nature, and unfortunately, business often models that.
Q: What are the best ways for health care organizations to protect themselves when it comes to cybersecurity?
A: First and foremost, they need to take the topic seriously. It is real, it is not going away. And there are several tiers that you need to attack this at.
For individuals the best tools are common sense and some simple training. Don’t click on suspicious e-mails, don’t reveal personal information, make sure you are using anti-virus on your computer and your devices. For organizations, they need to be proactive and not wait for something to happen before they respond. There is some excellent information out there. I recommend the Framework for Improving Critical Infrastructure Cybersecurity, published by the National Institute of Standards and Technology. That document teaches kind of a five-step process for protection: identify, protect, detect, respond and recover. They want an institution as a whole to be kind of built with this concept in mind. I think that’s probably the most broad scope of any document I’ve seen, and I think that their steps, if they’re actually implemented, will employ a reasonable and secure environment.
Q: So individuals need to take common-sense steps to protect their computers and themselves, and companies need to take proactive steps for detection?
A: First of all, provide proper training to employees. Giving them training on the topics I mentioned, watching out for e-mails, don’t bring your thumb drive from home and plug it into your business computer — the common methods of spreading ailments. The proactive one is also to start looking right at the top level, right from the CEO down, and have a dedication to looking at the big picture and making sure your organization is built around providing securities that are needed.