Cyberpocalypse: Inside the Digital Assault on Healthcare

By Matthew J. Surburg and Wendy Dunning

Pay up or shut down. You choose. 

Cybercrime is on the rise and hackers have moved on from targeting individuals to targeting corporations both large and small. In recen

• Language: English
• Publisher: Blue River Publishing
• Release date: Dec 27, 2021
• ISBN: 9781737522218

Matthew J. Surburg

Matthew Surburg grew up in southern Indiana. He and his wife have 5 children and live on a small farm in central Indiana. After earning his undergraduate degree from Purdue University, Dr. Surburg attended the Indiana University School of Medicine, graduating in 1999. He completed his residency at Union Hospital in Terre Haute in 2002. He is board certified in Family Practice. Dr. Surburg's experiences in practice have varied widely through the past 19 years, including delivering babies for his first 8 years in practice, occupational health, nursing home directorship, and serving as medical director for a program for at-risk youth. He spent 10 years working at the Physician Champion for Hancock Health's electronic health system, developing a deep interest in medical informatics. Outside of work, he enjoys playing cooperative board games, reading about history, playing trumpet in his church and community, and spending time with his children.

Book preview

CYBERPOCALYPSE

Cyberpocalypse

Inside the Digital Assault on Healthcare

Matthew J. Surburg, M.D.

Blue River Publishing

Morristown, Indiana

Cyberpocalypse: Inside the Digital Assault on Healthcare

By Matthew Surburg, MD

Published by Blue River Publishing, Morristown, Indiana

Copyright © 2021 Matthew Surburg, MD

All rights reserved.

This publication is protected under the U.S. Copyright Act of 1976 and all other applicable international, federal, state, and local laws, and all rights are reserved, including resale rights: you are not allowed to reproduce, transmit, or sell this book in part or in full without the written permission of the publisher.

For permission requests, write to the publisher, addressed Attention: Blue River Publishing, c/o Matthew Surburg, MD, 7192 E 600 S, Morristown, IN 46161.

FRONT COVER DESIGN: Wendy Dunning, wendydunning.com

INTERIOR DESIGN: Wendy Dunning, wendydunning.com

BOOK CONSULTANTS: Peter Wietmarschen and Colleen Wietmarschen, YourLiteraryProse.com

ISBN: 978-1-7375222-0-1 (Paperback)

ISBN: 978-1-7375222-1-8 (eBook)

Library of Congress Control Number 2021918991

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

First Edition

Dedication

To my Amata.

She is far more precious than jewels.

—Proverbs 31:10

Contents

Foreword 9

Introduction 11

part I

Cybersecurity History and Landscape

14

Part II

January 2018 Hancock Cyberattack

81

Part III

Healthcare IT Cybersecurity Lessons Learned

157

APPENDIX: Hancock Regional Health: a Brief Historical Portrait 170

Bibliography 179

Acknowledgments 184

Foreword

Hancock Health suffered a cyberattack on the evening of January 11, 2018. After a short, but grueling, recovery period and the longer, but no less grueling aftermath, we experienced a curious phenomenon, a steady stream of requests for advice and information and it has not abated more than two years later. Members of the recovery team have given literally dozens of presentations to regional and national organizations inside and outside the healthcare industry. Our hospital was even included in a segment highlighting organizational experiences with cyberattacks on the CBS television news show, 60 Minutes.

Given this, I was not overly surprised that someone would want to write a book on the experience. What did surprise me was the author of the book you are holding in your hands. Dr. Matthew Surburg is a bright, young, exceptionally accomplished family physician at Hancock Physician Network, our affiliated medical group. In addition to his very busy medical practice and other duties within our organization, Dr. Surburg is an amazing father of five, is actively involved in the farm-to-market industry with his wife and is an active member of the community. I could not imagine how he might find the time to do this project, and I was even more intrigued when he showed interest.

As Dr. Surburg expressed his interest in moving forward with this commitment it dawned on me, at his core, Dr. Surburg is a scientist with a deep interest in information technology. His undergraduate training in biology gives him an innate understanding of complex systems and he sits on the IT advisory group for Hancock Health where he has been a key leader in the evolution of our electronic medical record system over the last ten years.

Even with this in mind, I was still not prepared for the extent of his vision for this book. In addition to peering behind the scenes of our story, he also dives headlong into the nexus of cybersecurity and healthcare, providing an extraordinary overview of the vulnerabilities of healthcare organizations and methods that can be taken to harden their defenses.

I am thankful for the time and effort Dr. Surburg invested in the production of this remarkable work and believe you will find it enlightening, encouraging, and even entertaining. Enjoy!

Steve Long, MHA, MBA, FACHE

President & CEO

Hancock Health

Introduction

At 10 p.m. on Thursday, January 11, 2018, Hancock Regional Hospital was the victim of a ransomware attack. This attack locked up all computers which were on the hospital’s network. The ransom message gave the leadership seven days to pay 4 Bitcoin, which at the time was about $50,000. The leadership decided to pay the ransom, the attackers provided the means to unlock the computers, and by the 25th the last of the electronic functions was back online. For everyone associated with Hancock, it was two weeks they will never forget.

At the end of January, the CEO of Hancock, Steve Long, was speaking at a meeting of Hancock Physician Network, and he described the events as they unfolded. As he explained the sequence of events, I thought, This would make a really interesting book. It made for a compelling story: the process of obtaining and paying the Bitcoin, the problems which came up along the way, the challenges of providing patient care when one of the most heavily relied upon tools in modern medicine’s arsenal, the electronic health record, was suddenly just not there. I felt that telling Hancock’s story would be useful to others as a glimpse into what it feels like when a crisis of this nature strikes and provide a review of the lessons we learned the hard way. Making the information into a book would also enhance its accessibility to healthcare executives, patient care professionals, and interested members of the general public.

This is that book.

In trying to organize my thoughts and figure out how to present the story, it became clear to me that the scope of healthcare cybersecurity is not immediately clear to people who are not involved in it every day. It also involves a lot of industry jargon – virus, firewall, ransomware, VPN – which is commonly used but not always well defined. My first task then was to provide some background into healthcare cybersecurity. In the first section, this book studies the nature of the problem, such as types of threats, who the attackers are, and exactly how ransomware works. This also involved exploring exactly how the Internet works. The goal is for my readers to have a common basic fund of knowledge about cybersecurity for understanding the events of the attack.

Healthcare is about people. A statement so self-evident may risk being a cliché, but this event, which at first glance seemed to be about machines, really brought the people into focus. The theme of the second section then is people. Naturally, this encompasses the patient as a person and the challenge of providing patient care through a difficult situation. However, it’s also about the providers as people, adjusting to changing circumstances, managing information, meeting needs, keeping up with developments, wondering what’s going on, wearing out and keeping going, caring for patients but not neglecting care for themselves. Behind the providers, though, there are other layers of people: pharmacy, dietary, custodial, administrative, clerical, chaplaincy. For each of these, while their functions didn’t change, the way they fulfilled them did. The people had to keep the wheels turning when it felt like they just might fall off. My privilege was to talk with them, learn their stories, and tell how Hancock’s people met the challenge of the cyberattack.

The third section is a summary of lessons learned. These fall roughly into three categories: communication, IT-related, and administrative. Because people are so central to healthcare, maintaining communication between them – at every level – is key to surviving an event like this one. IT-related considerations may be very familiar to IT staff, but a basic understanding of some technical considerations should be helpful for laity in the field. Finally, administrative lessons include such big-picture concerns as vendor management and pedestrian needs such as printing checks and meeting payroll.

Originally, I had wondered why a reader would care about a medium-sized regional hospital in Central Indiana, and I thought to answer this by a short discussion of the history of Hancock County, in general, and Hancock Regional, in particular. Eventually, I realized the problem of cybersecurity is sufficiently universal for the discussion to stand on its own. However, the history was so much fun to write that I included it as an Appendix. I invite the reader to enjoy it as a brief glimpse of a place where, and the people among whom, it has been my privilege for the past 19 years to practice medicine.

part I

Cybersecurity History and Landscape

The world is a dangerous place.

From a tender age, parents drill into the minds of young children the basic rules of safety: Don’t talk to strangers. Look both ways before crossing the street. When going out in public, stay with a buddy. As children grow, the rules don’t change, but they develop more nuance: Don’t answer the door if you don’t know who rang the doorbell. Don’t answer the phone if you don’t recognize the number. Don’t talk to strangers. Adolescence and adulthood bring still more factors: Call to check in when you arrive at a destination. Don’t drink to excess. Meeting new people has its time and place, but if you find yourself in a dark alley, don’t talk to strangers.

The Internet’s novelty means many real world assumptions have yet to translate into online etiquette. What exactly does a friend on social media mean? Does removing someone from a friends list after two people have drifted apart constitute a grave offense, or is it simply an acknowledgement their lives have moved on in different directions? What limits apply when engaged in a debate, especially with a stranger who shares a common acquaintance? Debates can, and frequently do, meander onto intensely personal topics – most notably politics and religion – often leading to hurt feelings. How far is too far? These rules of conduct developed over millennia, and while the basic outlines of decent manners can transfer from the real world, some situations have no precise comparison.

The same holds true for safety practices. Although general principles will apply, the advent of the Internet has produced situations full of dangers unimagined before the widespread use of interconnected computers. Improper use of computers can lead to self-inflicted damage and expose incautious users to external attacks in ways they might not imagine. Indeed, the potency of many criminals’ attack avenues lies in the imaginative malice they employ.

Healthcare has always interacted with people experiencing life at its worst. While one might consider such an industry especially responsive to the changes brought about by the information age, the truth is the opposite has occurred. Healthcare has lagged behind other industries when it comes to its record of incorporating security awareness and best practices.¹ Unfortunately, compared with other areas such as finance, healthcare organizations have a lot of work to do in order to move forward and keep the information entrusted to them safe.

Medical Errors: A Crisis Met

Some of this may sound familiar to longtime medical professionals. In November 1999, the U.S. Institute of Medicine (IOM) issued a report entitled, To Err Is Human: Building a Safer Health System. This scathing report documented in excruciating detail the industry’s failure, broadly speaking, to put proper safety practices into place, which led to inadvertent – and unnecessary – patient harm. Some hospital errors – wrong patient operated upon, wrong limb amputated, etc., – received public notice. But the IOM report highlighted the widespread nature of errors largely hidden from public view, the overall burden of injury these errors represented, and the fact that most of these injuries were utterly preventable.

An alarmed healthcare industry conducted a thorough, deliberate, and broad-based effort to reform its approach to patient safety. Aviation, an industry with a high risk of disastrous failure, put safety practices into place and made them mandatory. Using the airline industry as a model, healthcare developed a series of best practices to reduce the rate of preventable errors. For instance, hospitals included simple practices such as timeouts before every surgical procedure, from transplants all the way down to circumcisions, to confirm the team had the right patient, the right procedure, and the right site.

A culture change occurred within a few years. Instead of expecting people to try harder, providers and executives realized a horrific bad outcome represented the final result of many mistakes. In a failure, no one person could be blamed and punished. Systems and processes needed to change so the errors themselves became harder to commit and performing a task the correct way became easier than doing it the wrong way. As one example, hospitals color- and size-coded medications in a crash cart to minimize the likelihood