Why you should worry about cybercriminals
… Cybercriminals hit a hospital in Düsseldorf, Germany with so-called ransomware, in which hackers encrypt data and hold it hostage until the victim pays a ransom. Ransomware invaded 30 servers at Düsseldorf University Hospital [Sept 10, 2019], crashing systems and forcing the hospital to refuse emergency patients. As a result, German authorities said, a woman in a life-threatening condition was sent to a hospital 20 miles from Wuppertal and died of delays in treatment.
Cybercrime can also put an end to healthcare. The San Diego Union-Tribune journalists Greg Moran and Paul Sisson wrote2:
A ransomware attack on the Scripps Health computer network on the [first May 2021] weekend significantly disrupted care, forcing the giant healthcare provider to … postpone appointments set for Monday and divert some intensive care patients to other hospitals … Electronic medical records are said to be down, forcing medical staff to use paper records … also affecting “telemetry at most” site(s). … The incident was serious enough to put the four Scripps hospitals in Encinitas, La Jolla, San Diego and Chula Vista on emergency bypass surgery for stroke and heart attack patients, … The hospitals have become permanent targets of these high-tech heists.
Even before the pandemic, a record 764 U.S. healthcare providers were affected by ransomware.1 Clinicians may wonder how they could be complicit in such catastrophes. The answer is by clicking on a link. Yes, just clicking on a link in an email or web page, which seems like a trivial thing to do, can do some damage. It’s the Internet equivalent of leaving the keys in your car with the engine running.
Clicking on web links was never meant to be dangerous, but technology has changed over time while our way of thinking has not. Here are some of the twists and turns of a long, unforeseen journey.
The Road to Cyber Mortality
In July 1945, The Atlantic Monthly published “As We May Think” by Vannevar Bush, PhD.3 World War II was drawing to a close and Bush was dean of engineering at the Massachusetts Institute of Technology. During the war he was director of the US Bureau of Scientific Research and Development. By the summer of 1945, Bush already had a good idea of the end of the war. However, he was thinking beyond VJ Day to come up with a new line of research that would advance progress itself. He supervised a scientific staff who were “stunned by the discoveries and conclusions of thousands of other workers – conclusions which [they] do not find the time to grasp, let alone remember, as they appear.”3
Bush proposed to develop a private mechanized file and library, or “a Memex… a device in which an individual stores all [their] books, records and communications, and which is mechanized so that it can be accessed with excessive speed and flexibility. It is an intimate complement extended to [their] memory … Books of all kinds, pictures, current periodicals, newspapers, are thus obtained and deposited in place.”3 Bush wanted all information to be instantly accessible with a few keystrokes or the push of a lever.
Years later, in March 1989, Tim Berners-Lee4 at the European Council for Nuclear Research (CERN) made very similar observations.5 CERN researchers struggled with so many equipment manuals and physics articles that they needed Bush’s Memex. Fortunately, in the decades that followed, computer and semiconductor engineering bypassed all of Bush’s photographic and mechanical hurdles. Computer keyboards were plentiful, links on a screen eliminated levers, and global internet connections enabled this version of Memex to span the earth as a World Wide Web.
Keep in mind that Bush’s little levers, now on-screen links, were only meant to clear a path from one piece of information to another. Unfortunately, in 1993, an early web browser changed all that.
The Mosaic browser (now Firefox) aimed to allow computer terminals to display graphics and images, not just text.6 Window-based operating systems were becoming popular (e.g. Mac and Windows), so Mosaic’s ability to display images would make it a huge hit. Mosaic succeeded in part by activating helper application programs. This allowed for an intelligent division of labor: the work of retrieving and linking information could be separated from the work of presenting or interacting with the information. Helper programs would end up playing music recordings and showing cat videos.
Thanks to Mosaic’s behind-the-scenes activation of helper applications, new types of information could be added to the web. Interested users just needed to find suitable helper apps. Note that it was important for users to choose their helper programs carefully, and not everyone got the memo. Inevitably, malicious applications found their way to the World Wide Web and were activated.
The danger of clicking on links
Clinicians never intentionally activate malicious computer applications, nor do they hide dirty coffee cups in sterile supply cabinets. So how was ransomware activated in major medical centers? The answer is a mix of human psychology and computer links: clinicians who click on links don’t think about computer applications and application activation; they plan to press a digital lever to pave the way for more information, just as Vannevar Bush dreamed.
This conceptual gap is an unlocked door, an opportunity to hijack a hospital information system. Clinical staff consider clicking on links to be quite different from starting an application program. Staff generally describe starting a program as double-clicking an icon on the computer desktop. Unfortunately, clicking on links can start applications, creating a kind of Trojan horse.
Should hospital and software safety depend on a clear understanding of web browsers by clinicians? The short answer is yes. Thoughtless behavior, even with simple technology, can be disastrous. Take car keys, for example. WTNH staff Emma Rybacki, Ken Houston and Sabina Kuriakose reported7:
[Luckily, a] mother is now reunited with her 5-year-old daughter after someone stole her car with the child still inside … she feared for her daughter’s life. She says she made a mistake leaving the car running [just outside a store] but … her son suffered from [a] sports injury and she was [running in] to get him Tylenol. She told us: ‘… any single mom has ever done this … I just didn’t think I was [just] try [get] Tylenol.’
Although most clinicians drive safely and lock their cars without incident, any conceptual breakdown (for example, the idea that performing a task is harmless) can have dire consequences.
Why don’t Apple, Microsoft and Linux contributors and their colleagues build more secure computer systems? The short answer is that they do, but consumers find that some programs will not work properly on secure versions. People like to download and run software that they think meets their needs, even if a particular application opens the door – the Trojan remains irresistible.
We need to think before we click, download, and buy software. Who is the source? Who verified it? Is it behaving correctly? The effort is boring, but so are locking cars and reading product reviews. Additional layers of software protection are available for link monitoring, antivirus and training: these software guardians automatically examine links before our browsers actually access content, inspect programs if we download them, and test us personally with suspicious email mockups.8-10 It is clear that the lives of our patients depend on our vigilance on the Internet, at least until hospital systems are significantly safer than cars.
Dr Powsner is Professor of Psychiatry and Emergency Medicine at Yale University School of Medicine and a member of the Yale Center for Medical Informatics.
1. Eddy M, Perlroth N. Suspected cyberattack in death of German woman. The New York Times. September 18, 2020. Accessed June 22, 2021. https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html
2. Moran G, Sisson P. Scripps Health targeted by cyber attack. The San Diego Union-Tribune. May 2, 2021. Accessed June 22, 2021. https://www.sandiegouniontribune.com/breaking/story/2021-05-02/scripps-hospitals-it-by-it-security-incident-but-patient-care – go
3. Bush V. As We May Think. The Atlantic. July 1945. Accessed June 22, 2021. https://www.theatlantic.com/magazine/archive/1945/07/as-we-may-think/303881/
4. Berners-Lee T. Information Management: A Proposal. May 1989. Accessed June 22, 2021. https://www.w3.org/History/1989/proposal.html
5. European Council for Nuclear Research. About CERN. Accessed June 22, 2021. https://home.cern/about
6. Mosaic Browser: History of the NCSA Mosaic Internet browser. History computer. Accessed June 22, 2021. https://history-computer.com/mosaic-browser-history-of-the-ncsa-mosaic-internet-web-browser/
7. Rybacki E, Houston K, Kuriakose S. Wolcott PD look for carjacking suspects after 5 year old kidnapped; child found safe and sound. WTNH. May 3, 2021. Accessed June 22, 2021. https://www.wtnh.com/news/connecticut/new-haven/wolcott-pd-searching-for-carjacking-suspects-following-kidnapping-of-5-year – old-foundling-safe /
8. Protection of traffic light browser (url). BitDefender website. Accessed June 22, 2021. https://www.bitdefender.com/solutions/trafficlight.html
9. Secure Links in Microsoft Defender for Office 365. Accessed June 22, 2021. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view = o365-global
10. Proofpoint Security Awareness Training. Accessed June 22, 2021. https://www.proofpoint.com/us/products/security-awareness-training