Cyberpocalypse: Inside the Digital Assault on Healthcare
By Matthew J. Surburg and Wendy Dunning
About this ebook
Pay up or shut down. You choose.
Cybercrime is on the rise and hackers have moved on from targeting individuals to targeting corporations both large and small. In recen
Matthew J. Surburg
Matthew Surburg grew up in southern Indiana. He and his wife have 5 children and live on a small farm in central Indiana. After earning his undergraduate degree from Purdue University, Dr. Surburg attended the Indiana University School of Medicine, graduating in 1999. He completed his residency at Union Hospital in Terre Haute in 2002. He is board certified in Family Practice. Dr. Surburg's experiences in practice have varied widely through the past 19 years, including delivering babies for his first 8 years in practice, occupational health, nursing home directorship, and serving as medical director for a program for at-risk youth. He spent 10 years working as the Physician Champion for Hancock Health's electronic health system, developing a deep interest in medical informatics. Outside of work, he enjoys playing cooperative board games, reading about history, playing trumpet in his church and community, and spending time with his children.
Cyberpocalypse
Inside the Digital Assault on Healthcare
Matthew J. Surburg, M.D.
Blue River Publishing
Morristown, Indiana
Cyberpocalypse: Inside the Digital Assault on Healthcare
By Matthew Surburg, MD
Published by Blue River Publishing, Morristown, Indiana
Copyright © 2021 Matthew Surburg, MD
All rights reserved.
This publication is protected under the U.S. Copyright Act of 1976 and all other applicable international, federal, state, and local laws, and all rights are reserved, including resale rights: you are not allowed to reproduce, transmit, or sell this book in part or in full without the written permission of the publisher.
For permission requests, write to the publisher, addressed Attention: Blue River Publishing, c/o Matthew Surburg, MD, 7192 E 600 S, Morristown, IN 46161.
FRONT COVER DESIGN: Wendy Dunning, wendydunning.com
INTERIOR DESIGN: Wendy Dunning, wendydunning.com
BOOK CONSULTANTS: Peter Wietmarschen and Colleen Wietmarschen, YourLiteraryProse.com
ISBN: 978-1-7375222-0-1 (Paperback)
ISBN: 978-1-7375222-1-8 (eBook)
Library of Congress Control Number 2021918991
Printed in the United States of America
First Edition
Dedication
To my Amata.
She is far more precious than jewels.
—Proverbs 31:10
Contents
Foreword
Introduction
Part I: Cybersecurity History and Landscape
Part II: January 2018 Hancock Cyberattack
Part III: Healthcare IT Cybersecurity Lessons Learned
Appendix: Hancock Regional Health: a Brief Historical Portrait
Bibliography
Acknowledgments
Foreword
Hancock Health suffered a cyberattack on the evening of January 11, 2018. After a short, but grueling, recovery period and the longer, but no less grueling aftermath, we experienced a curious phenomenon, a steady stream of requests for advice and information and it has not abated more than two years later. Members of the recovery team have given literally dozens of presentations to regional and national organizations inside and outside the healthcare industry. Our hospital was even included in a segment highlighting organizational experiences with cyberattacks on the CBS television news show, 60 Minutes.
Given this, I was not overly surprised that someone would want to write a book on the experience. What did surprise me was the author of the book you are holding in your hands. Dr. Matthew Surburg is a bright, young, exceptionally accomplished family physician at Hancock Physician Network, our affiliated medical group. In addition to his very busy medical practice and other duties within our organization, Dr. Surburg is an amazing father of five, is actively involved in the farm-to-market industry with his wife and is an active member of the community. I could not imagine how he might find the time to do this project, and I was even more intrigued when he showed interest.
As Dr. Surburg expressed his interest in moving forward with this commitment it dawned on me, at his core, Dr. Surburg is a scientist with a deep interest in information technology. His undergraduate training in biology gives him an innate understanding of complex systems and he sits on the IT advisory group for Hancock Health where he has been a key leader in the evolution of our electronic medical record system over the last ten years.
Even with this in mind, I was still not prepared for the extent of his vision for this book. In addition to peering behind the scenes of our story, he also dives headlong into the nexus of cybersecurity and healthcare, providing an extraordinary overview of the vulnerabilities of healthcare organizations and methods that can be taken to harden their defenses.
I am thankful for the time and effort Dr. Surburg invested in the production of this remarkable work and believe you will find it enlightening, encouraging, and even entertaining. Enjoy!
Steve Long, MHA, MBA, FACHE
President & CEO
Hancock Health
Introduction
At 10 p.m. on Thursday, January 11, 2018, Hancock Regional Hospital was the victim of a ransomware attack. This attack locked up all computers which were on the hospital’s network. The ransom message gave the leadership seven days to pay 4 Bitcoin, which at the time was about $50,000. The leadership decided to pay the ransom, the attackers provided the means to unlock the computers, and by the 25th the last of the electronic functions was back online. For everyone associated with Hancock, it was two weeks they will never forget.
At the end of January, the CEO of Hancock, Steve Long, was speaking at a meeting of Hancock Physician Network, and he described the events as they unfolded. As he explained the sequence of events, I thought, This would make a really interesting book.
It made for a compelling story: the process of obtaining and paying the Bitcoin, the problems which came up along the way, the challenges of providing patient care when one of the most heavily relied upon tools in modern medicine’s arsenal, the electronic health record, was suddenly just not there. I felt that telling Hancock’s story would be useful to others as a glimpse into what it feels like when a crisis of this nature strikes and provide a review of the lessons we learned the hard way. Making the information into a book would also enhance its accessibility to healthcare executives, patient care professionals, and interested members of the general public.
This is that book.
In trying to organize my thoughts and figure out how to present the story, it became clear to me that the scope of healthcare cybersecurity is not immediately clear to people who are not involved in it every day. It also involves a lot of industry jargon – virus, firewall, ransomware, VPN – which is commonly used but not always well defined. My first task then was to provide some background into healthcare cybersecurity. In the first section, this book studies the nature of the problem, such as types of threats, who the attackers are, and exactly how ransomware works. This also involved exploring exactly how the Internet works. The goal is for my readers to have a common basic fund of knowledge about cybersecurity for understanding the events of the attack.
Healthcare is about people. A statement so self-evident may risk being a cliché, but this event, which at first glance seemed to be about machines, really brought the people into focus. The theme of the second section then is people. Naturally, this encompasses the patient as a person and the challenge of providing patient care through a difficult situation. However, it’s also about the providers as people, adjusting to changing circumstances, managing information, meeting needs, keeping up with developments, wondering what’s going on, wearing out and keeping going, caring for patients but not neglecting care for themselves. Behind the providers, though, there are other layers of people: pharmacy, dietary, custodial, administrative, clerical, chaplaincy. For each of these, while their functions didn’t change, the way they fulfilled them did. The people had to keep the wheels turning when it felt like they just might fall off. My privilege was to talk with them, learn their stories, and tell how Hancock’s people met the challenge of the cyberattack.
The third section is a summary of lessons learned. These fall roughly into three categories: communication, IT-related, and administrative. Because people are so central to healthcare, maintaining communication between them – at every level – is key to surviving an event like this one. IT-related considerations may be very familiar to IT staff, but a basic understanding of some technical considerations should be helpful for laity in the field. Finally, administrative lessons include such big-picture concerns as vendor management and pedestrian needs such as printing checks and meeting payroll.
Originally, I had wondered why a reader would care about a medium-sized regional hospital in Central Indiana, and I thought to answer this by a short discussion of the history of Hancock County, in general, and Hancock Regional, in particular. Eventually, I realized the problem of cybersecurity is sufficiently universal for the discussion to stand on its own. However, the history was so much fun to write that I included it as an Appendix. I invite the reader to enjoy it as a brief glimpse of a place where, and the people among whom, it has been my privilege for the past 19 years to practice medicine.
Part I
Cybersecurity History and Landscape
The world is a dangerous place.
From a tender age, parents drill into the minds of young children the basic rules of safety: Don’t talk to strangers. Look both ways before crossing the street. When going out in public, stay with a buddy. As children grow, the rules don’t change, but they develop more nuance: Don’t answer the door if you don’t know who rang the doorbell. Don’t answer the phone if you don’t recognize the number. Don’t talk to strangers. Adolescence and adulthood bring still more factors: Call to check in when you arrive at a destination. Don’t drink to excess. Meeting new people has its time and place, but if you find yourself in a dark alley, don’t talk to strangers.
The Internet’s novelty means many “real world” assumptions have yet to translate into online etiquette. What exactly does a “friend” on social media mean? Does removing someone from a “friends” list after two people have drifted apart constitute a grave offense, or is it simply an acknowledgement their lives have moved on in different directions? What limits apply when engaged in a debate, especially with a stranger who shares a common acquaintance? Debates can, and frequently do, meander onto intensely personal topics – most notably politics and religion – often leading to hurt feelings. How far is too far? These rules of conduct developed over millennia, and while the basic outlines of decent manners can transfer from the real world, some situations have no precise comparison.
The same holds true for safety practices. Although general principles will apply, the advent of the Internet has produced situations full of dangers unimagined before the widespread use of interconnected computers. Improper use of computers can lead to self-inflicted damage and expose incautious users to external attacks in ways they might not imagine. Indeed, the potency of many criminals’ attack avenues lies in the imaginative malice they employ.
Healthcare has always interacted with people experiencing life at its worst. While one might consider such an industry especially responsive to the changes brought about by the information age, the truth is the opposite has occurred. Healthcare has lagged behind other industries when it comes to its record of incorporating security awareness and best practices.¹ Unfortunately, compared with other areas such as finance, healthcare organizations have a lot of work to do in order to move forward and keep the information entrusted to them safe.
Medical Errors: A Crisis Met
Some of this may sound familiar to longtime medical professionals. In November 1999, the U.S. Institute of Medicine (IOM) issued a report entitled To Err Is Human: Building a Safer Health System. This scathing report documented in excruciating detail the industry’s failure, broadly speaking, to put proper safety practices into place, which led to inadvertent – and unnecessary – patient harm. Some hospital errors – wrong patient operated upon, wrong limb amputated, etc. – received public notice. But the IOM report highlighted the widespread nature of errors largely hidden from public view, the overall burden of injury these errors represented, and the fact that most of these injuries were utterly preventable.
An alarmed healthcare industry conducted a thorough, deliberate, and broad-based effort to reform its approach to patient safety. Aviation, an industry with a high risk of disastrous failure, put safety practices into place and made them mandatory. Using the airline industry as a model, healthcare developed a series of best practices to reduce the rate of preventable errors. For instance, hospitals included simple practices such as timeouts before every surgical procedure, from transplants all the way down to circumcisions, to confirm the team had the right patient, the right procedure, and the right site.
A culture change occurred within a few years. Instead of expecting people to try harder, providers and executives realized a horrific bad outcome represented the final result of many mistakes. In a failure, no one person could be blamed and punished. Systems and processes needed to change so the errors themselves became harder to commit and performing a task the correct way became easier than doing it the wrong way. As one example, hospitals color- and size-coded medications in a crash cart to minimize the likelihood