Forget airplanes flying into buildings. The next major terrorist attack on US soil could be coming to a hospital near you. All it takes is a couple of cyber-terrorists hijacking a hospital’s computer network with a few bits of code and taking the entire power grid – including the generator – offline; or changing the radiation settings in a CT scanner; or messing with the oxygen mix rates and cutting off a patient’s breathing; or instructing the prescription ordering system to automatically change milligrams to kilograms.
This was just one of the terrifying scenarios that cyber-security expert John Gomez painted during the first day of his three-day workshop, Hacking Healthcare, held here in Long Branch, NJ.
Gomez, who founded and runs the cyber-security firm Sensato, a partner of Divurgent healthcare consulting, stressed over and over again that today’s cyber-security threats no longer come from geeky hackers high on Cheetos and Sprite who break into your system just because they can. Today, such threats come from cyber-terrorists, cyber-criminals, and cyber-spies intent on wreaking as much harm to your organization as they can – and not always just for profit.
Cyber-spies, for instance, are employed by nation states and are highly trained, with access to many of the same resources as the National Security Agency (NSA). Cyber-criminals access your system and then wait for customers – those would be the bad guys who are looking for exactly the data you have to offer. And cyber-terrorists – the worst of the three – are motivated by ideology and allegiance to a cause.
Be afraid of all three, came the message from Gomez, but be terrified by the latter.
Be particularly terrified because few healthcare organizations have even thought about the havoc these people can wreak, let alone implemented the kind of proactive cyber-security protocols required to thwart them.
Just consider the terrorist network ISIS. “They have a cyber-attack squad that we think is trained by North Korea or Iran,” Gomez said. “And one of the fastest ways to replicate 9-11 is to go after people in the hospital.”
Perhaps the scariest thing about the vision Gomez painted is how easy it is to implement. He held up a tiny electronic gizmo not much bigger than a quarter: an Intel Edison, which is essentially a computer with 1 GB of RAM, 4 GB of onboard storage, Wi-Fi, GPS, and a Linux operating system. You can drop it anywhere (think on the floor of the bathroom in a major hospital system) and have it act as a “middle man” to intercept computer transmissions. Oh, and the cost? About $44.
And let’s not even talk about the tiny, motion-activated camera Gomez showed us that can be hidden inside a stuffed animal. Just consider: Your CIO is promoted and someone sends her a congratulatory basket of flowers with a small stuffed bear attached. Only the bear has a motion-activated sensor that then records all conversations and actions within that office – including the entering of passcodes – for the next two weeks.
The thing that scares me most? This was just the first day. What will tomorrow bring?