EPISODE 151
Does Ransomware Kill Sick People?


About this episode

February 13, 2024

Is there any reliable evidence that sick people die at a higher rate when their hospital is disabled by ransomware? Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

“Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients”
University of Minnesota – Twin Cities – School of Public Health
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4579292

“Killware” — https://www.cr-map.com/97

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them @CR-MAP.com and KLgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 151 of the Cyber Risk Management podcast?

Kip Boyle: Well, this is a really useful topic, I think. But to your earlier point when we were doing show prep, some people might think this is a little bit of a downer, but what we're going to try to do today is we're going to try to answer this question, does ransomware kill sick people?

Jake Bernstein: Wow, that is definitely a downer of a topic. Now, I want to remind folks who may not remember because it was so far back in the time of the pandemic, but we did an episode, I believe it was episode 97 and we titled it Killware. And this is kind of a follow-up, but also it stands on its own of course.

Kip Boyle: Right. You don't have to have listened to the Killware episode.

Jake Bernstein: No, you don't have to have listened. If anything it's-

Kip Boyle: But if you like this, if this is your cup of tea, go back and listen to episode 97.

Jake Bernstein: Well, I think episode 97's Killware discussion was ahead of its time. It was things that we were concerned about things might happen. But I'm guessing that you're not going to ask this question unless we're going to be able to at least answer it to some degree, which means you have to have an ace up your sleeve of some kind. And I'm guessing that that ace consists of data. So I don't know what else it would consist of, but what do you say to that?

Kip Boyle: Yeah. Okay, so it is the thing that we do on this podcast whenever we can, is to bring data into the conversation because there's no lack of opinions. And a lot of people's opinions about cybersecurity is that's theoretical, it'll never happen. And I've heard that rubbed in my face so much over the course of my career that it is now just a natural reflex that when I see something that I think is very important and deserves to be discussed, I just say, "Well, let me go find the data so that I can neutralize that old hackneyed rebuttal that I often get." So yes, we are going to look at the data behind this question. And this is good data, I think because it comes from research that was published by the University of Minnesota and specifically their School of Public Health. And if anybody's been listening to our podcast for any length of time now, you know that we make a point of examining the DBIR every year that it comes out. I know you love the DBIR, Jake, so I figured you'd go for this.

Jake Bernstein: I do. We should at least tell people what that means in case they forget. That's the Verizon Data Breach Investigations Report. It is grounded in reams and reams of real world data and solid research techniques. I think that the University of Minnesota School of Public Health is going to have excellent data-driven research and let's dive into it.

Kip Boyle: Great. So I want to just let everybody know how this thing kicked off for me. So over the recent holidays... We're recording this in early January 2024, so just a couple of weeks ago for me, I read a report about a cyber attack on Christmas Eve that knocked out the electronic health records at a hospital located-

Jake Bernstein: They're electric too.

Kip Boyle: They are electric.

Jake Bernstein: Technically,

Kip Boyle: But they're not displayed in neon. So I'm just like,

Jake Bernstein: No, they're not. Yeah, I got you.

Kip Boyle: But at a hospital, this is about 35 miles north of Boston, Massachusetts. And I'm going to try to say the name of this hospital. I think it's the Anna Jaques Hospital. I don't know French, J-A-Q-U-E-S.

Jake Bernstein: It looks right to me.

Kip Boyle: So I'm going to say that's what it is. If anybody else knows exactly how to pronounce this, please send me a note. And because their electronic health records were offline, they turned away ambulances that were trying to bring sick people to their hospital on Christmas Day. And immediately I went, wait a minute, this is not the first time that I've read about an incident like this. And I thought to myself, I know we've talked about this before and now it's starting to seem like a trend. And you know what I'm talking about, right?

Jake Bernstein: I do. I think that we talked about this several times, some of which was in that Killware episode. But there were a couple incidents that I remember, there was this one in Germany in 2020 where a patient died during a diversion to another hospital because the first destination, the University Hospital of Düsseldorf, was disabled due to ransomware. Now Kip, I think we've already answered the question for this entire episode, does ransomware kill sick people? Yes, at least one person has died. But I don't think that's all we want to talk about.

Kip Boyle: Well, and I think that that particular case really, I don't think settled the question because the prosecutors actually considered a charge of negligent homicide. And I don't know exactly what determines the level of a charge that a prosecutor would levy, but they ultimately weren't able to pursue it because they had a lack of compelling evidence. And there was an alternate narrative that said that this patient was probably going to die anyway. So it's like-

Jake Bernstein: Okay, so it's not a fair, so that does not answer the question.

Kip Boyle: No, I don't think so.

Jake Bernstein: And here's another one that I know we talked about, and this is that Springhill Medical Center in 2019. There was a newborn baby tragically who died, it has been alleged because the remote monitors at the nurse's station were disabled due to a ransomware attack. That case is still pending. And that's also very... I don't think that answers the question either, honestly. There's too much going on there. There's too much like, why wasn't someone standing there? I mean, there's just so many different-

Kip Boyle: We don't have very many facts, do we?

Jake Bernstein: We don't have good facts, and we just don't. But what I'm guessing is that this University of Minnesota School of Public Health research report goes far more in depth. These are literally two anecdotes, three, if you count the one that you just... We don't actually know if anyone died from the Anna Jaques Hospital incident, but at best we've got these three little anecdotes and that's just not enough data. So what did you find?

Kip Boyle: But it is a trend.

Jake Bernstein: It's a trend and these are horrible, tragic examples. But the reason, Kip, that I think it's worth answering this question and I don't know if we're going to get into this more later on, is that I think that if the answer to this question is answerable in the affirmative with data support, that it's going to allow security practitioners to maybe be heard even more in healthcare settings. And it's not... Think of it like this, we know that security can be expensive and it takes resources, it takes people. We know there are problems staffing a strong security department, and security is never going to be the raison d'être... There's some more French for you, of a hospital. Their job is to treat sick people and help them. And I think that there still can be an attitude that even with HIPAA and the regulation of protected health information, PHI... I was going a different direction then I switched, there's not necessarily a complete buy-in across the board. And I'm not saying that healthcare security people aren't bought in, no, don't get me wrong.

I'm just saying that ownership and leaders and non-IT people, the people that we generally have to convince may still not be fully bought in. But I think answering this type of question with data, it has to be data, could have a really strong effect to move the needle here on public health. It kind of makes ransomware into a public health issue.

Kip Boyle: Oh, yes. And you know that that's something that I think it should be, I think it should be managed as a public health issue. And so this is exciting for me in the sense that I see that it could move the needle, it could move the ball forward on this whole thing. But I can't help but to just tell you that as a person who has watched a lot of old school Star Trek, as you were talking I could hear Bones banging his fist on the table going, "Damn it, Jim, I'm a doctor, not a cyber risk manager."

Jake Bernstein: Oh, that's good, Kip. That's good. That's excellent.

Kip Boyle: But that's really what's going on is I've heard-

Jake Bernstein: That is excellent for so many reasons, but one is that I think it really helps encapsulate the problem. Is really, damn it, I'm a doctor not a cyber risk manager. So okay, let's dive into it. What evidence did you find? I know you went looking.

Kip Boyle: I did. Okay, and I have this research. So research reports can be difficult for normies to understand. There's a lot of statistics and blah blah blah. So we're not going to bring any of that up. I'm just going to try to skim through it and pull out the high points. Now, if you're listening to this episode and you do feel like, "Hey, I want to really get into this research paper and I really want to see what's going on." Great. I'm going to put the URL to it in the show notes and I invite you to go and completely read through it line by line. And if you want to send me your thoughts, I would love to hear from you. So this was published online very recently, October 2023. And first of all, let me tell you what they did. So these are self-described healthcare economists. That's what they said they were.

There's three of them. I'm not going to read their names because I'm probably going to butcher them and it'll be awful. They took a database of ransomware attacks on hospitals, that's where they started. And I'm sure that took a bit of effort to pull together because I've tried to casually search databases of cybersecurity incidents, and there is no master database anywhere. And the databases that I do find are incomplete and somewhat random, so that was a big challenge. But they did that. The next thing they did is they linked up that database of ransomware attacks with Medicare claims data. And I'm just going to let you think about that for a second. So I know all the hospitals that had ransomware attacks. I know the dates. I know when those attacks started and when they ended. And now I'm lining that up with all the Medicare claims data for those hospitals and any other hospitals in the vicinity.

And I know the dates and I know what the outcomes were for the patients. So I'm merging these two data sets. And because they did that, it allowed them to look in a way more detailed way at what happened at the hospitals during the ransomware attack and what happened to the patients. And then now this is where the statistics come in, trying to quantify how harmful these ransomware attacks have been to both the hospitals as well as the patients. And that's what they did. Before I start digging into what they found, I'll just take a sip of water and ask you what you think, Jake.

Jake Bernstein: I think that that is hopefully peer reviewed because I don't have the personal expertise to understand if this methodology is statistically sound. I'm assuming that it is, but I don't know. I'm not a statistician, but I think this is what you have to do.

Kip Boyle: I do too.

Jake Bernstein: I think that what they did was hard. I'm sure that they were always worried that it was imperfect because it always will be.

Kip Boyle: But that's what the statistics are for, is to find-

Jake Bernstein: But that's what the statistics are for and I think this is exactly what you have to do. And I'm really curious to dig through what they found and have the rest of the discussion here and share that with our audience.

Kip Boyle: Now, there is a limitation that I just want to make sure people understand as we go into what they found. This is just Medicare related hospital data.

Jake Bernstein: Activity, right.

Kip Boyle: So we don't know because they were not able to pull in data for non-Medicare patients. So there could be other factors at work here, we don't know. But I think this is a wonderful first start. So here's what they found. So first of all, during the first week of a ransomware attack, they found that the volume of patients falls roughly 20%.

Jake Bernstein: Right, that's a huge number.

Kip Boyle: That's a huge number. And correspondingly revenue for the hospital decreases by that much or more. And in the emergency room setting, there's a 40% drop in revenue during the first week of a ransomware attack. So not only are patients affected, but hospital health, financial health is affected. And I think nobody will be surprised that this is happening because hospitals are forced to treat fewer patients during a ransomware attack. And in the anecdotal scenarios that we talked about at the top of the podcast, I think that connection is pretty obvious.

Jake Bernstein: That makes logical sense. If your systems are down, and it says here that they provide less care, particularly imaging and testing services which makes sense, it makes perfect sense, those are the systems that are most vulnerable to an attack. I can always drive to a hospital and a doctor can always listen to my lungs with an old-fashioned stethoscope. They don't have their electronic health records to write anything down necessarily, but I can at least be looked at. But if you want anything more sophisticated than tapping on your knee with that little reflex hammer or looking in your mouth and things like that, you're probably SOL because-

Kip Boyle: You can't even do an x-ray.

Jake Bernstein: Nope, they're all computers. Everything is computer. It's all offline.

Kip Boyle: There's no film anymore. There's no fallback.

Jake Bernstein: No, I know.

Kip Boyle: It just doesn't exist, right?

Jake Bernstein: Yeah, nope.

Kip Boyle: And so this was seen across multiple hospital care settings. So it didn't matter if it was emergency room, although that's where it was most acute, inpatient, outpatient, everything was affected in the first week of the ransomware attack but it was just most acute in the emergency room. Now, without access to the electronic health records, what they also found is that a care team in the hospital might not know what medications a patient is on, and they might not know what they're allergic to because-

Jake Bernstein: You wouldn't know unless the patient was conscious and able to tell you.

Kip Boyle: That's right. And with no imaging, the clinicians are kind of as you said, limited in their ability to make accurate diagnosis because they just have old school implements that they're limited.

Jake Bernstein: Now, do we know... So I've been watching way too much Grey's Anatomy because it's on Netflix and I'd never actually watched it. And maybe this is beyond the scope of the data or even what we can talk about here, but there's a lot of... An ultrasound machine is kind of self-contained. I totally understand that you're not going to be able to do all the fancy saving images and linking them to a patient record and all that stuff. But surely, I'm guessing that a ransomware attack maybe doesn't impact those standalone machines.

Kip Boyle: But to the extent that you have standalone machines, that's probably true. But let me ask you this, what modern medical center in 2024 has older equipment like that? I would think-

Jake Bernstein: I don't know. My honest answer is I don't know. I'm just-

Kip Boyle: So nine years ago when my wife was pregnant with the twins, that's a whole other story, when we went in for the first checkup, I vividly remember going into the examination room and they had an old school machine there to do the sonograph. And it was just a CRT plugged into the wall, and it had no network connectivity. And the reason for that was because it was just a noncritical appointment. There was no reason to believe that they needed an advanced piece of equipment in order to do this very routine appointment. But that was nine years ago. And even then, it's looked like a really old piece of gear that had been fully depreciated for a long, long time. So I am just not sure that that exists anymore.

Jake Bernstein: I know. We don't know. And certainly look if the operating system, and one thing I know for sure is that all modern equipment like that is going to hook up to some kind of computer, obviously. And if it's a network computer, it's potentially attackable by ransomware. So it might be that the ultrasound itself works just fine, except that you can't actually do anything with it because its control computer is hosed. I don't know, that's a good question.

Kip Boyle: Well, if anybody's listening to this and you do know, drop us a note and we'd love to hear from you because obviously we don't work in the healthcare setting. But I am a patient.

Jake Bernstein: Yeah, not like that.

Kip Boyle: I am a patient and I don't want to be seen at a hospital with a ransomware attack going on. I can tell you that. Okay, so now in-

Jake Bernstein: Hold on, this next bullet point is great because again, watching way too much Grey's Anatomy, when lab results have to be hand-delivered instead of uploaded to a patient's chart, treatment is delayed. Absolutely, the problem is that you get used to the modern technology really fast. And I think that that kind of stuff is a big difference.

Kip Boyle: Yeah, and then the next thing that they found kind of goes with the story that we told at the top of the show about the infant who died due to complications. And the allegation is a lack of monitoring from the central nursing station. But they call that out here, is that the nursing staff might not be able to monitor a patient's condition without physically being in the room. And I don't know the last time you were in a hospital, Jake, but the last time I was in one, not as a patient but just visiting somebody was only a few months ago, and the nurse's station is just brimming with monitors because then they can see a patient's status without having to visit each room in turn, and they can do other things. And that might mean the hospital doesn't need as many nurses.

Jake Bernstein: And look, even so Kip, even back in the day, you still didn't have one nurse per room. You just never did ever. So it's not like-

Kip Boyle: Right. And so that's why doctors do rounds and nurses do rounds.

Jake Bernstein: Yeah, and that's why... You just didn't, so this is just-

Kip Boyle: But then you staff for the fact that you've got all these systems doing the heavy lifting, but then when those systems drop down you don't just automatically unpack a new nurse.

Jake Bernstein: And just to remind listeners and I guess myself, we're reporting findings. These last few things that we've been saying, for example, without imaging clinicians fly blind as they make [inaudible], we're not making that up. This is what the data showed in this report.

Kip Boyle: Yeah, I'm just pulling out the readable, understandable bits from the report. If you go to the report, you can see everything behind this. Okay, now, if an emergency room has activated their ambulance diversion protocols because they do have them, then what the research found is that patients are going to spend precious time traveling to an alternate facility before they can receive care.

Jake Bernstein: And that's obvious.

Kip Boyle: Yeah, but here's the kicker, is that some people who are being transported to healthcare have time-sensitive conditions. Heart attack and stroke, we know it's been well-documented that time to treat those particular conditions is crucial. The longer you wait, the more likely it is that the patient's going to die or suffer from a life changing implication.

Jake Bernstein: Yes, outcome is what they say in the-

Kip Boyle: Well, you watch Grey's Anatomy, I don't.

Jake Bernstein: Yeah. Well, you used that term previously, patient outcomes. But no, I think this one is kind of the like, oh yeah, everyone should be able to quickly understand this particular issue. And then there's other reasons that ERs may have to activate ambulance diversion protocols, a big accident, a multi-car pile-up that just simply overflows their capacity.

Kip Boyle: That's right. An airplane crash, power outage.

Jake Bernstein: There's all kinds of things, power outage.

Kip Boyle: There's all kinds of things.

Jake Bernstein: A lot of that is... But I think losing the ER to a ransomware attack is a little harder to handle than losing it to overflow because something else happened. There are very different reasons.

Kip Boyle: So I would even go so far as to say that a ransomware attack is distinctively different because it's manmade. It's entirely manmade, whereas all these other reasons are as a result of accidents and mishaps, and acts of God, and hurricanes, and earthquakes or whatever.

Jake Bernstein: Yeah, that's true.

Kip Boyle: And so that's why this one really bothers me so much is because this is people being awful to other people. And I think it just takes on a special sort of crappy connotation.

Jake Bernstein: It does.

Kip Boyle: Yeah. Now, here's where the research really gets down to it. It really, really answers our question, does ransomware kill sick people? So the research showed that ransomware attacks do increase in hospital mortality for patients who are admitted to attacked hospitals. So check this out. In normal times, roughly three out of every 100 hospitalized Medicare patients will die in the hospital. So that's the baseline. But during a ransomware attack, that number goes up to four out of 100. And from 2016 to 2021 which was the dates of the data that they had assembled, they estimated that ransomware attacks killed between 42 and 67 Medicare patients across the entire dataset.

Jake Bernstein: Wow. And if you're thinking to yourself, oh, that's only one in 100 people. Look, if COVID had killed one in 100 people, it would've been even scarier than it was.

Kip Boyle: Right. And now there's other ways that you really need to look at this as well. But let's just also put another caveat on this, which is we're just talking about Medicare patients. So you have to think that the true number of deaths caused by ransomware is likely even larger if you were able to add patients with other types of health insurance coverage into the dataset, which they don't have that. And so we'd have to go into the research report, and I didn't pull this out but we'd have to find out is there an estimate for, okay, of Medicare patients in the dataset, what percentage of all patients would that represent? And to begin to understand just how many more deaths might be attributable to ransomware because we don't have a full dataset. But I think what we've discovered so far is pretty shocking. Now, one thing that the research does not attack, which is the morbidity effects of ransomware, which is to say, how are delays in care making existing conditions worse?

So people aren't dying, but maybe they're recovering longer. Maybe they're recovering in a more poor way so that they're not making full recoveries. Maybe partial recoveries, and we just don't know what the morbidity effects are. But I think it's reasonable to assume that that should be studied because there probably is effects.

Jake Bernstein: I'm sure there is. And I think we tend as a society to focus on the number of people who die of something, and we don't spend enough time talking about the people who are dramatically impacted but don't die. And I think we fail to understand in some ways, and not to be utilitarian about it, but the suffering is probably higher of people who survive with debilitating physical or mental conditions compared to the people who do actually die. And so I think my point is just that the morbidity effects of a ransomware attack should be just as concerning as deaths.

Kip Boyle: Right, because not only do you get... And again, utilitarian caveat sustained here, but not only do you get more human suffering but you probably end up with more costs.

Jake Bernstein: Oh, for sure.

Kip Boyle: So the insurance companies are going to have to pay more for somebody who has lost some kind of mobility. Let's say because of the ransomware attack, now they have this permanent condition where they need assistance with basic tasks like toileting or whatever.

Jake Bernstein: Yeah. No, it's absolutely the case. I think, and this is a broader issue of just the way that we talk about just the use of statistics in general in the healthcare or even just casualty, whether it's a mass shooting or an accident or any terrible event, the media will always report deaths and injuries. And the problem is that the injuries could be worse in a lot of ways for an ongoing to deal with them and live with them. So again, I think that studying that is worthwhile.

Kip Boyle: Yep, definitely.

Jake Bernstein: So okay, did they say anything else worth sharing? I want to know.

Kip Boyle: Yeah, there were a couple of other things that I think we should mention. And one thing just kind of leads naturally from what we were just talking about, which is impact. So what they say in there is that the data set of ransomware attacks shows that less than 5% of US hospitals have experienced a ransomware attack between 2016 and 2021. And you might say, "Oh, well, that's not so bad."

Jake Bernstein: Honestly, that's still a lot.

Kip Boyle: Yeah, I think it is.

Jake Bernstein: That's still a lot of hospitals.

Kip Boyle: It is, but actually the problem is understated. So what the researchers said is that a better way to capture the true impact is to realize that approximately 25% of all-

Jake Bernstein: That's a quarter.

Kip Boyle: Yeah, of all hospital markets, not hospitals but hospital markets, experienced a ransomware attack in its spillover effects because-

Jake Bernstein: That's big.

Kip Boyle: You know why?

Jake Bernstein: Because all the hospitals in any given area are necessarily a system. And if one hospital gets shut down because they can't take people, then that puts the burden on all the other hospitals in the area. And their staff gets overworked and/or something's going to get missed. Unless the hospital that gets hit is a rural hospital out in the middle of nowhere literally, in which case it's just really, really bad. Even in a city where you can go to other hospitals, this still has a major effect.

Kip Boyle: It does because they're going to see higher patient volumes during this situation, and it's going to overwork people. And I agree with you, it increases the probability that mistakes are going to be made, and sometimes those could be really awful life impacting mistakes for people. So I just-

Jake Bernstein: Capacity is capacity. You can only operate at more than 100% capacity for so long before bad things happen.

Kip Boyle: Right. So anyway, so I just wanted to mention that kind of as a wraparound thing that they said to sort of tamp down the naysayers again, who might say, "Well, this is very interesting data but we're talking about less than 5% of the hospitals, so how bad could it possibly be?" And I think I really appreciate that the researchers went this extra distance to say, "Don't trivialize this, everybody."

Jake Bernstein: No, it should not be trivial. First of all, I think 5% is a lot right there. Okay, so what's being done about this Kip? I think, has anyone come up with anything specific? Obviously we can sit here and say, "Harden your systems, manage your cyber risk." All the things-

Kip Boyle: Things we always say.

Jake Bernstein: Things we always say. Is there anything specific though that is being looked at for this type of thing?

Kip Boyle: Well, there is, and I do want to unpack that a little bit before we wrap up the episode. But I just want to caveat it by saying I feel mixed about this because on the one hand, I think that what they're doing is something that I would tell any organization to do to become more cyber resilient. But on the other side, we're talking about safety of life. We're not talking about, "Hey, can I get enough bottles of juice through the production lines so that I can ship all the orders." I can fulfill all the orders that we have and have economic consequences, which are bad. But this to me takes on an extra dimension of difficulty because we are talking about people's lives and we're talking about the quality of their lives.

And so what's happening is that several hospitals are designing specific incident response protocols in an attempt to boost patient safety when they are in a cyber crisis. And so if anybody does not know this and I'm not an expert, but what the research said is that in healthcare they have different codes to signify emergency situations throughout the hospital. And maybe you've been in a healthcare center where you've heard somebody come on the public address system and said, "Code blue, code blue." And then a whole bunch of other jargon-

Jake Bernstein: And then people start running all over the place and things happen. Oh, here's a Grey's Anatomy piece of trivia, code pink at least hypothetically could mean a missing child.

Kip Boyle: Okay, yeah. So there's a lot of codes. So there's code blue that means an emergency with an adult patient, probably somebody is like cardiac arrest or something, I don't know. A code red fire, that kind of makes sense. Code pink, there's a whole list of them. Well, at the Children's National Hospital in Washington, DC, and I'm pulling them out specifically because I did a little bit of research and I found this out, they have another code in their facility and I got to assume this is being adopted in other places, and it's called code dark when there is a cyber attack.

Jake Bernstein: Interesting.

Kip Boyle: Yeah. And so on one hand I think, well, this is good because they're becoming more resilient. But on the other hand I'm like, oh my gosh, what does it say about the state of affairs where people say, "Well, can't stop the cyber attacks and can't stop people from getting hurt?"

Jake Bernstein: I'm going to argue a little, I'm going to argue with you a little bit-

Kip Boyle: I guess we better just normalize it.

Jake Bernstein: Yeah, I'll argue with you a little bit here. Look, take code red for fire. Obviously we're doing everything we can to prevent fire but fire might still happen. I'm not going to fault anyone for planning for the bad situations. I think having a code dark which by the way, I'm going to steal your thunder, it's an acronym which I kind of love, but I have problems with it. So what it means is disconnect, await, report and know. And what it means is disconnect your workstation and internet connected devices, await instructions from your IT department before reconnecting computers, report to your managers for department specific downtime actions and know and follow your department's emergency policies and procedures. So my problem with this is how many devices are wireless and how are you going to disconnect that easily? It's a little too cute almost.

Kip Boyle: Yeah, a little too theatrical.

Jake Bernstein: I don't know. A little too... Well, I don't know. It's-

Kip Boyle: If you can't do it then it's theater, right?

Jake Bernstein: It's theater, yeah. Yeah. I will say this, for security reasons and operational reasons, I think a lot of things are wired to an ethernet port in a hospital.

Kip Boyle: But not everything, like infusion pumps for example, are wireless now.

Jake Bernstein: No, for sure not everything. Oh God, infusion pumps I... We don't think about how many things in a hospital are computer controlled. That's actually really scary now that you mention it.

Kip Boyle: Right. Imagine hijacking an infusion pump and just, I'm going to double the dosage of this medicine. I don't know what's going to happen, let's find out. It's awful.

Jake Bernstein: Or you stop the medicine.

Kip Boyle: Or you stop it, absolutely.

Jake Bernstein: Yeah. No, there's that. Now you've scared me even more. Anyway, I think the code dark is coming from the right place of let's increase our cyber resilience. If this does happen, I think it's absolutely worth having a plan. I think what you are trying to say, Kip, and I am deliberately putting words in your mouth in an attempt to give that initial opinion the benefit of the doubt is that, this cannot be a replacement for anything. You add a concept like code dark at the very end of your cyber risk management process. It's not like if anyone were to say to me, "Well, we are using code dark and we decided not to go with a backup system just because it's easier and cheaper." I'd be like, slap them upside the head like, no, wrong move. Code dark is good, but you still better have done everything you reasonably could have done to prevent the ransomware attack in the first place.

Kip Boyle: Yeah, and I agree with that. And I don't want to disparage the people who've created code dark because I agree with you, it's a reasonable thing to do given the state of affairs. Now, having said that, I think the state of affairs is awful, horrible. And again, I'll go back to my point which is fires, people getting into cardiac arrest, those are not man-made problems from somebody in a facility 4,000 miles away from me and across an ocean. That's the part of this that I really cannot let go of yet, is the idea that this is completely man-made. And as I've said before, our governance functions, our law enforcement, our military, our legislative, all this judiciary is pretty impotent when it comes to dealing with this. And that's the part that really makes it dark for me.

Jake Bernstein: It does. And I think Kip, maybe what we're saying is that we want to see the ransomware protocols more resemble active shooter protocols than fire protocols.

Kip Boyle: Well, I'm just hoping for the day where the risk of a fire is really low, and anybody who's read my book or listened to this podcast for any length of time knows that I like to use fire as an example of a static risk that humanity has controlled, sufficiently to where we don't really worry about fire anymore.

Jake Bernstein: No, because fire, Kip, doesn't innovate.

Kip Boyle: That's right. So thank you for the segue. I long for the day and I don't know if I'll ever see it, where we have a cyber attack protocol but we barely ever use it because it barely ever happens like a fire protocol.

Jake Bernstein: Kip, I'm not sure that that is even theoretically possible because why? Because humans do innovate. That's what we do. What you're basically saying is maybe someday if we had world peace where everybody got along perfectly and nobody was greedy enough to ever want, that's honestly what you're saying.

Kip Boyle: I'm idealistic. I admit it.

Jake Bernstein: You are. No, no, no, I-

Kip Boyle: I'm completely idealistic in this.

Jake Bernstein: But except that the point is actually super important, which is that we can quote unquote "control fire" because it doesn't change. We know exactly what causes it. You need oxygen and fuel and a spark and heat, blah, blah, blah. Cyber attacks are just different, and it's just always, always worth repeating that these are adversaries. And honestly, even the active shooter thing isn't as helpful as it might seem. Active shooters oftentimes... Think of it this way, and this is a terrible thing to even have to think about but it has happened in the world, this isn't like a typical active shooter. This is more like a coordinated attack. And we've seen those.

Kip Boyle: Oh, yeah. It's not just one person who has gone mental or whatever. This is cold, calculated, deliberate action for money.

Jake Bernstein: And that's what makes it even... It's just-

Kip Boyle: It's just money. It's a money grab.

Jake Bernstein: Ransomware honestly it's awful everywhere you go, but in the context of hospitals it honestly makes me sick to my stomach to think about it.

Kip Boyle: And that is exactly what I'm trying to say. I really appreciate you giving me a chance to find better words for this feeling that I have. And so thank you. Anyway, so there you go, everybody. That's the research that I wanted to share with you. And again, I'll have the URL to the research in the show notes. If you have any feedback for us on it, I would love to hear from you so that we can get smarter. Anything else, Jake, that you wanted to mention?

Jake Bernstein: No, let's wrap up this episode. And hopefully next time won't be quite as, well, dark.

Kip Boyle: Okay, so that wraps up this dark episode of the Cyber Risk Management podcast. And today we tried to answer the question, does ransomware kill sick people? I think based on the research, it appears that it does which is truly awful. But we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at CR-MAP.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.