[Moderator] Today our keynote speaker is Christian Dameff. He is an Assistant Professor of Emergency Medicine and Biomedical Informatics and Computer Science at UC San Diego. He's also got the title of Medical Director of Cybersecurity, correct? Wonderful, and he says hacker as well on his CV. He earned his MD at the University of Arizona, and then did his residency at Maricopa Medical Center, and then did his informatics fellowship at UC San Diego. And he is going to speak with us today about cybersecurity, and I think you can tell from the last few minutes, he's an expert in the field, and we're really lucky to have him, and I'm really looking forward to this, so thank you so much. You have your doctor's clicker. I don't think you need to speak into the mic as long as this is here.
[Christian] Perfect, can everyone hear me okay? All right, I am thankful for this opportunity again. I really appreciate it, ACEP's my home. I served on the EMRA board with Zach, and it's great to be back here at ACEP in person with the rest of my college, and this opportunity to speak to you about something I am pretty passionate about is a true honor. We're gonna go ahead and say a few things right off the bat. How many people here in this room think cyber security is not, let me rephrase that, shouldn't be your job, shouldn't be any part of your job? Raise your hand, it's okay, this is a safe environment. You're doctors, you take care of patients. When you're putting in a chest tube, you don't have to worry about multifactor authentication. Why should you have to worry about hackers attacking your network? And then how many people here think it should be part of their job? How many people want it to be part of their job? All right, how many people think it's going to become increasingly a part of their job? Great, and that's the reality. What you'll see at the end of this presentation, and this is not a new thing, this has been going on for decades. It's now becoming more and more reported in the news and as hospitals have been increasingly targeted, it's now come to the attention of our college, of our colleagues, of our clinical practice, our patients, et cetera, and that's not going away. It's only gonna get worse. And unfortunately, we're gonna talk about some really unfortunate things that both provide us some glimpse into a terrifying future and present, but also opportunities for us to lead in this space. We'll talk a little bit more about that. A brief little bit of an agenda, and if anything out of this talk, what you need to understand is that cyber attacks are like disasters. We in the emergency department take care of little disasters every single day we've been working. What's going on in triage, the traumas, the STEMIs, the chaos, that is the emergency department, and sometimes we deal with real big disasters like COVID or earthquakes or hurricanes. We are uniquely poised as emergency physicians to lead in this space because we live chaos every day and we are the specialty under the house of medicine that is best prepared for disasters, cyber attacks are disasters. Let me convince you why that's the case. Thank you for the introduction, I really appreciate that. So I get this question all the time from my clinical colleagues, what does a hacker look like? A hacker is amongst us, this is a picture of an actual hacker. We caught a picture of this person, it's exactly how they look. So if you see anyone like that, let me know, we'll call the FBI or maybe, ah, that's maybe a little bit old. Maybe you think this is what a hacker looks like. I will admit, I do own one black hoodie. I don't own any guy fox masks, if you will. But I mean, I could, it's Halloween almost, really hackers just look like regular people. I'm gonna say a potentially controversial thing right now. There are hackers in the room right now, you may not even know. Does anyone actually identify as a hacker or grew up in the hacker space or understands anything about hackers and hacker culture? Okay, how many people here like puzzles? Yeah, how many here like thinking about complex systems and how to creatively problem solve? Is that not one of the crucial skill sets of a clinical inflammation? Guess what? You're a hacker, the same exact mindset and skill set of creative problem solving and also using technical tools to achieve those are hacker traits. It's funny, there was a very famous informatician that I invited to a hacker conference and he showed up for whatever reason. I couldn't believe he actually did, I showed him around. And after the end of the conference, he comes to me, I'm not kidding, he comes to me and says, "My whole life I didn't know where I fit, I didn't fit with the jocks, I didn't fit with the geeks necessarily, I fit with this weird group of people like a lock pick and talk about social engineering and I just realize now I was a hacker." You guys, I guarantee it, deploy a lot of the same critical thinking processes and creative problem solving the hackers do, what you need to do is actually embrace that 'cause I do. Hackers do not, whether you're a hacker or not, does not define whether not you are a good or bad person. It's just what you do with that knowledge. In fact, a vast majority of the research that we're gonna talk about comes from good hackers and is the only reason we know that many medical devices are vulnerable to cyber attacks, all because good hackers took time out of their day to find vulnerabilities in systems and let us know about them so we could patch them and fix them before bad hackers or bad cyber adversaries attack. This is a common thing that you will look up on the internet, why do people do this? Don't they know we take care of sick children in our hospitals? Why would someone be so evil as to ransom a hospital? When you look up hacker motivations, you might get a silly picture like this and they tend to group hackers or some people do into these different black hats are the bad ones, white hats are the good ones, some blend of them to try to define their motivations, it's quite silly, they're just people. Really what we should be talking about is what are the core motivations for individual hackers. And really there are five, some wanna protect, we're gonna talk about, again, as I mentioned some research on medical devices that is quite frightening, that was all done by good people who want to protect patients, they want to protect their sisters, their brothers and mothers from an attack on healthcare and that's why they did it. Some want prestige, you can get on the news if you hack a medical device, that's very common. Some do it for protests, these are called hacktivists or patriotism, we'll talk about an example in 2014 of anonymous attacking Boston Children's Hospital, where the sole motivation was that of a political or a ideological purpose. Nowadays, increasingly over the last seven years or so, ransomware has proliferated across hospitals and they can make multimillion dollar ransoms paid to them in Bitcoin and has been an increasing driver. As mentioned previously, this thing called ransomware as a service where a bunch of malicious cyber attackers will band together utilizing their best skill sets to attack an institution and extract as much money from them as possible because they know that a hospital can only be down for so long before people won't tolerate it because people will die. And so these type of critical services, gas lines, hospitals, other critical infrastructure, means that they can draw profits from this. And then lastly, I mentioned who here likes puzzles. Some hackers just like to explore. In fact, the early roots of hackers was all in exploring telephone networks. Does anyone remember Mobel, the phone freakers back in the day, people who explored the early phone systems to find out where numbers went, mythical stories of trying to find out White House numbers to try to call the president and hackers pranking people, that's the heart in essence of a lot of hacking, which is sincerely curiosity and problem solving. Okay, so we know what hackers look like, we know why they do that, and that's tongue in cheek of course, but how do they do this? So everyone if you just pull up a Google search bar and you just look for, what you need is black background and green terminal text, and if it scrolls fast, that's what you need. And then just start furiously typing on your keyboard and you'll hack things. You'll be able to say the classic phrase after that, I'm in. I'm gonna try demystify this process a lot 'cause a lot of this is caught up in popular culture and media, for example, to not really be representative of some pretty simple fundamental elements of what hacking is. And what I'll do is I'll try to show you another one of my passions, which is actually stand up arcade cabinets. Does anyone like stand up arcade cabinets, old video games? We can raise our hands, it's okay, this is a friendly group. The football team's not here. I gotta admit I'm a big fan of these. What does this have to do with hacking? Well, if you remember, when you were younger, you went to the arcade, you only had so many quarters and probably the quickest way to harsh your mellow as a teenager in an arcade was to run out of money. Well, if you think about it, if you wanna play video games, but you don't have any money, you have to be creative about how you're gonna get that next Pac-Man game. And your gaze might look downwards towards the coin slot of an arcade cabinet. It's a mechanism where you can put a coin in some currency and the mechanism is designed to identify what that is by its diameter, by its thickness, et cetera, and identify whether or not it meets a threshold for the appropriate amount of payments to be able to play a credit on a cabinet. Well, you can imagine early coin slots were really unsophisticated and you can imagine making a coin that or making a little piece of metal that looks like a coin that really isn't a quarter, would that trigger it, et cetera, to exploit a vulnerability in the design of the coin slot is essentially what hacking is. Now I have an example of a hacker deploying a very similar, let's see if that works, Donald you hacker, it's the same thing. The mechanism itself didn't block the coin after it passed a certain position. So if you put a little string on it, you could pull it back and then recycle it and recycle it. That's a vulnerability in the design of the coin slot. It's the same thing with hacking software or hacking hardware for that reason, there is a vulnerability, a flaw in the design of a system, whether or not it be something like an SQL injection or a buffer overflow or some unintended consequence of interacting with a digital system that wasn't intended that then can be exploited and then something happens, typically in hacking, they call it a payload, they'll deliver something. Once they exploit a vulnerability, they'll deliver some type of payload, they get something back after that, after they've exploited that weakness and in the case of our arcade cabinets, you get a free game of Pac-Man. But in hacking after exploiting that weakness in the software, which can be something as simple as there's web application, it asks you what your name and your birth date is, but they didn't when they designed the web application confine the input for your name, they said, why would anyone put 2,000 numbers in there? They should just put their name. They didn't anticipate that someone would do that. But perhaps if you put 2,001 characters into the name field of a web application, it crashes, it no longer works, that is a vulnerability, the exploitation is putting 2,001 characters into that input field. And then the crash afterwards is the result. Maybe it doesn't crash, maybe it will allow you to override data or in some certain cases get privileged access to systems you wouldn't otherwise have, that's how hackers hack, they identify vulnerabilities, they craft exploits, then after exploiting it, they get some type of payoff. In this case, it might be fun, exploration, it might be data like PHI, it might be money, after they deployed ransomware or maybe it's famous. One of the big drivers of early hacker culture was can you get on the news? Can you get on the radio? Can you take over a television station and play some weird video? That was one of the big motivations back in the day. All right, so everyone can perk up 'cause now I have a really boring slide, but I promise it's important, this is a CIA triad, no, it's not CIA like the intelligence organization, instead, it's this concept of confidentiality, integrity and availability, this is a common way to talk about cybersecurity and where things can go wrong. With the C in the CIA triad, being confidentiality, we talk about things like preventing data from unauthorized access, you don't want random people looking at your patient's records. That's an issue of confidentiality. And for the longest time, this was the paradigm in healthcare cyber security, why should you protect your system against hackers? Because you don't want to HIPAA breach, because you don't want a big HIPAA fine. You don't wanna go on the wall of shame. Think about things like patient data breaches, email phishing, social engineering, trying to get access to data that is protected. The other issue is one of integrity, one that was raised earlier, protect data from unauthorized manipulation. A classic horror story is changing all the allergies and electronic health record to someone who will then eventually get some penicillin and anaphtic allergic too and they'll die. But it can be more subtle than that. You can modify drug doses, you can erase data, that counts as integrity issues. I did a project where we hacked a blood gas analyzer, and we made a patient look like they were in diabetic ketoacidosis when they weren't. And that was quite trivial to do, because of this integrity issue we don't check if data's been changed, we don't have good processes in place. We worry about protecting the confidentiality of data, not the integrity of it. And we were able to show patient otherwise had a normal blood gas looks like they're in diabetic ketoacidosis, us as ED physicians, we're gonna start that patient on a insulin drip while they're not hyperglycemic, they're not in diabetic ketoacidosis. Instead they have their normal glycemic and hypoglycemia coma, seizure, death. Why would I do such a thing? Well, this was research and it was to show that this issue of integrity is underappreciated. And one that directly impacts us as clinicians because it is bad when patient's data is breached. Yes, it's bad when you get a HIPPA fine, but what we don't want are people dying. The last one is also in the same vein and it's an issue of availability, so confidentiality, integrity, the A in the CIA triad is availability, this is ransomware. These are things like denial service attacks, where in critical resources and access to data and systems is interrupted. If you can't get a CT scan on your stroke code because the CT scanner has been ransomed, that is an issue of availability. That critical resource is no longer there, inject any other clinical application or clinical system in that issue of availability and what you have is a really frightening situation where we as clinicians understand the bottlenecks of clinical care, what's most important in a stroke, it's a CT scan, is this a hemorrhagic or an ischemic stroke? Does this matter in the time course of things? This issue of availability has become increasingly important, but still is underappreciated because a vast majority of the people trying to solve this problem don't understand your clinical workflow, they're technologists, they're developers, they're network engineers, they're people on your security team and they don't know which systems are the most important to keep up. Well, how are we gonna fix that? That's getting people like you involved in security and preparation for cyber disasters. I grew up in Tucson, Arizona in a rough part of the town. And as a consequence of my upbringing and my general love of video games that preoccupied most of my time, I never really appreciated art. So when I say the following sentence, I want you to understand that when I say that this is my favorite painting, I'm not trying to be pretentious I'm trying to say this is the only painting I know the name of and this is called The Doctor. And if we can just take a minute, why did I pick this slide when I'm talking about cybersecurity? Because it reminds me of why I went into medicine and why I chose emergency medicine, we can all relate this painting. On the top right if you look, there's a woman with her face down on the table weeping, there's a man with his hand on her shoulder, I suspect these are the parents. Although this painting is called The Doctor, the doctor's not in the middle of the painting, the patient is. And that is what reminds me every day and motivates me to do what I do is that's because we are there for the patient. Now your eyes have inevitably gone to the title of the painting, which is The Doctor and we have all been that physician, have we not? I know exactly what that physician's thinking. I've tried everything I know, I don't know if this kid's gonna die. This is healthcare in 1891, this is healthcare now. And it's interesting because you all know this. And when I give this talk to nonclinical audiences, there are audible gasps, when I show them this slide, why? Because they don't often get to see ICU level of care, especially on a child this sick, but furthermore their eyes go from the middle, the patient to the periphery and all that digital connected technology that supports that patient's life. The gigabytes of data that are whizzing around this patient, invisible to our eye, wherein if any of those systems were interrupted, if any of those 10 drips didn't work, if any of that network connected vent was interrupted, the clinical care of this patient would suffer, this is the reality of us today and guess what? We helped build this, I am not without blame, this is not an issue, I'm not a lud eye, I'm not saying let's go back to pen and paper and non-connected systems, no, these systems save lives. What I'm trying to get at is that we built this, we researched this, we support this, but we didn't give an eye to cyber security. And what if we have as a consequence of that? Well, we have a terrifying dystopian future, and it starts in 2008, I mean, it starts earlier, but the big shot over the bow starts in 2008. So my favorite papers, so I said, that's one of my favorite paintings of all time, this is one of my favorite papers of all time, and actually did not get published in the medical literature, got published in the computer science literature. Group of PhDs, and one doctor, I think out of Mass Gen, Brigham Williams, or sorry, Harvard got together and they hacked implantable cardiac defibrillators. They bought a bunch of them off of eBay, they built some radios and tried to talk to these devices because they wily transmit data, and they have some cool features where in those wireless connectivity allows them to do some cool clinical things like program the pacemaker, or deliver telemetry, alert clinicians when there's a dysrhythmia and so they can have better interventions, et cetera. Well, they found that the security of these devices were essentially nonexistent. And as a consequence, not only could they extract PHI, but they could interface with the device, they could program it to do whatever they want, including removing any sensing. Okay, pacemaker AAC, it no longer senses, that's bad. Maybe they go into VTAC or something, and that would be bad. Okay, they push it further. Not only could they remove the sensing, they can pace them at 250 beats per minute, they could defibrillate a patient regardless of the underlying rhythm with a single keyboard command. 2011, we get insulin pump research. Now the researcher that did this, his name is J. Ratcliffe, he's a good friend of mine and he's a type 1 diabetic. He lived his whole life injecting insulin in himself and I asked him at a bar one day in Vegas. I said, what prompted you to do this research? And he said, "I get paid to hack banks and I'm a pretty good hacker. And one day this light bulb goes over my head and says, this device, this insulin pump that is attached to my side keeps me alive, and it connects to Bluetooth. And I, as a hacker, never realized what potential vulnerabilities they may have." So six months later he starts his research, six months later he finds some very shocking similar vulnerabilities wherein basically the manual has the admin password to it that you can easily Google. He crafted some scary software that he could inject as much insulin as he wanted by interfacing to this pump. And again, we know the consequences of too much insulin in an otherwise normal glycemic patient. I alluded to this earlier, in 2014 we get this very famous example of a hacktivist attack. This is the hacker group known as Anonymous, still active today, all over the globe, which banded together to attack Boston Children's Hospital in Boston, how timely it is, attacked Boston Children's Hospital for about three days, they launched a pretty devastating denial of service attack, and basically took this hospital off the internet for about three days. Now anecdotes of this attack were shocking, but what it came down to is that not all hackers share similar motivations, and they were trying to do this, not to get money or Bitcoins or whatever from the hospital, because they believed a patient who was on a cycle that this hospital was being held against her will and that that was an injustice to this patient. And thus they were going to hack the hospital and teach them a lesson because this adolescent was on a cycle. Luckily, some people in Anonymous said, "What are you doing? We shouldn't be attacking children's hospitals" and reason prevailed, the attack fell off, but not without a lot of collateral damage. 2015, we get some, again, shocking research into infusion pumps. And if all of you have interface with biomed, you know that there are a lot. I mean, we all we're clinicians. These are the things that beep incessantly that we go and hit silence because we don't know how to actually fix the problem and nurses fix it eventually for us. But these are all over our hospital. If you didn't know, these are also connected to the network. These Aspera pumps in 2015 were again, found to have trivial exploits that could remotely be exploited. So the hacker didn't have to be next to the device, they could attack it over a network and they could infuse as much medication from the pump as they wanted, or as little medication from the pump as they wanted. In fact, they could display on the screen that they were giving a dose when in actuality the dose being delivered to the patient was different, kind of scary. This led to the first FDA recall of a medical device for a cybersecurity reason, a huge deal. This tens of millions of dollars that Aspera had to pay out because these devices lacked basic cybersecurity principles. And this is not a one off case, there's a lot of technology, especially at critical access and rural hospitals that deploy these same pumps still. Okay, 2016, we get the Canary in the coal mine. This is Hollywood Presbyterian in Los Angeles. This is a SamSam ransomware, this was the one of the first wipey reported hospitals to get hit with ransomware. And why do I bring this up? SamSam's the name of the particular virus or ransomware itself? It did not mean to infect this hospital. The hackers that made SamSam did not know it was going to hit this hospital, spreads across the internet like a plague, and just so happened to hit this hospital because they hadn't deployed some basic security patches. Well, once it gets into your network it spreads like wildfire and all of the works stations and some of the other critical services hospital were inoperable for multiple days. Anecdotally reported to me, they were so worried about the patients in the ICU at this hospital, they considered transferring them to adjacent Los Angeles hospitals in rush hour traffic, patients on vents and multiple drips. You can imagine you have to transfer out your whole ICU because of a cyber attack, that's not good. They did not actually end up transferring their patients, but they considered it. Can't have a conversation about healthcare cybersecurity without talking about the big one, which is the 2017 attack WannaCry. Is anyone else more interested in this topic since stuff started talking? Yeah, do yourself a favor, there's a podcast called Dark Net Diaries, I have no disclosure, I don't have any stock in Dark Net Diaries podcast, but there's a podcast on the WannaCry attack. This attack is wild. I'm gonna give you the quick too long didn't read. The NSA lost a bunch of their fanciest cyber weapons, that got leaked to Russian hackers. These Russian hackers gave it to the Russian government, the Russian government released it on the internet pretending to be hackers to embarrass the US government, North Korean hackers got those cyber weapons and made WannaCry, I can't make this stuff up, okay? It's like a soap opera. This WannaCry ransomware spread across the globe, hit the National Health Service of the United Kingdom and impacted four weeks of variable degrees, over 30% of the entire capacity of the national health system, let me just reframe that, can you imagine if one out of three hospitals in the United States got hit with ransomware? What would our conversation be today in the United States? It blows my mind how pervasive this was and why was this possible? Well, because of something mentioned earlier, as hospital systems have consolidated, there are less of them, and as regulatory demands have pushed them to more technology solutions for things like electronic health records and because of the desire to reduce costs, they've consolidated not only into less and less health systems, but onto more and more concentrated network infrastructure, wherein a single health center will deploy all of their tools on a single, all their solutions on a single platform. It's great, and that's probably the way we should be doing it. However, you have a significant vulnerability at that time wherein it only takes one of your systems to be compromised for it to spread laterally to a bunch of other hospitals. Which is what happened in 2020 with the UHS attack, 400 facilities across the United States, these were various psych hospitals, clinics, hospitals, including George Washington University in DC, the level one trauma center that Ronald Reagan went to when he got shot. We're talking small places, large places got hit with UHS', this was Ryuk, a Russian cyber gang made a ransomware called Ryuk and it hit these 400 facilities, again, because they were on a shared network that was able to spread. Why didn't you hear about this? 400 facilities went down? Well, it was just right before the election and there was a lot of stuff going on in the news. So we didn't get a lot of attention on what otherwise would've been multi-day news cycle. My neck of the woods, so my research is in cyber security and healthcare, I'm trying to measure the impacts of cyber attacks on patient care, things like severe sepsis, what's your timely antibiotics if your hospital's been hit with ransomware, what's happening to your strokes, what's happening to your STEMIs because I care about the clinical outcomes of cyber attacks and an awful thing happened right in my neck of the woods. Scripps got hacked, so Scripps delivers about 40 to 50% of the care of San Diego County. They had five hospitals get hit with Conti ransomware. And why am I bringing this up? I mean, we're talking a lot about ransomware. This was five hospitals in a relatively small geographic area. The UHS attack was 400 facilities across the country, the effects get diluted. This is five hospitals basically within San Diego. That takes care of almost a majority of the entire patients in San Diego. What did we see? I'll tell you this happened on a Saturday night at 4:00 p.m. I get a call, our security team goes wild, we don't wanna get hit with this, I don't work at Scripps, I work at UCSD, an adjacent system, but I'll tell you that Sunday and that Monday after the absolute worst days I've worked in the emergency department, why? We got huge spillover effects from this ransomware attack, our ambulance traffic for the first week of their cyber attack doubled. Can you imagine like that, your ambulance census, your ambulance rivals doubles. They had three stroke centers and one trauma center, went on diversion because of this ransomware attack. Our trauma center basically said, you have to go off a diversion, we are getting hammered with so many traumas, we can't handle this. They had to transfer semis to us. This is the reality of hyper connected vulnerable healthcare, and this awful thing that happened just to me shows how vulnerable we are and how you don't even have to prepare just for the cybersecurity incidences at your particular institutions. But you as frontline ED providers are gonna deal with the spillover effects of an adjacent system's cybersecurity disaster. And that we work in an ecosystem of care. We're clinical informaticians and we're ER docs. We facilitate and accelerate hyper connected technology dependent healthcare. I've been accused of being a Luddite, I promise you, I am not, but I will just say with great power comes great responsibility. And we did a lot to connect these systems mostly because of regulatory pressures. And we did not pay the commensutory respect to the technologies vulnerabilities. We have also not invested enough in cybersecurity, and we're seeing the consequences of that now. And it would've been nice to do that before. So I promise not all my lectures are this much of a downer and most of the time I pepper more jokes into my presentation, so we're just gonna take a breath for a minute and say, it's okay. I'm not trying to paint this giant doomsday picture of healthcare cybersecurity, although it is bleak, because, and I promise this is sincere, I look in the audience of people who are engaged and I realize now that you may be more aware of the risks, you're gonna be advocates for your patients and that because of your positions, your expertise and your knowledge, you are a uniquely positioned to make the problem better. You are a bridge, I said this earlier, you bridge the clinical workflows, the clinical systems, the patient care, the sick child in the painting. You bridge that with the technology that supports that care, and only you can talk to people about what's important, what to bring up first, what to prioritize, how we should prepare and plan and to highlight, if this system goes down someone's gonna die. You have a role in delivering that expertise now in a preparatory manner, but you also will offer tremendous strategic advice and be a part of the incident response. I asked earlier how many people thought this shouldn't be their job, or it won't be their job, et cetera. I'm gonna say if your hospital gets hacked and there's a decent chance, it will, you will probably be brought into this conversation, whether you like it or not because of your position and the importance of what you do and the knowledge you possess. So probably best to start working on it now. There is a person probably at your institution, and I know all hospital systems, not all hospital systems have chief information security officers. That's a person that's non-clinical usually, whose role it is to help secure the health enterprise. Have a conversation with your CISO, I'll tell you what? I've met a lot of CISOs before in my life, and I guarantee you there's probably one or two that would not appreciate a conversation with you. The vast majority of them would say, "I can't believe a cool ED doc is in my office and wants to talk to me about cyber disaster preparedness." Why? Because they recognize that they don't have that important knowledge that you possess, that even discussion to start off an initiative to prepare your department for cyber attacks will mean a lot. Talk to your chief information security officer, see where their pain points are, lend your experience when you can and then take that momentum forward to back to your department's leadership to then start forming a plan. I'm increasingly convinced that you cannot rely on the disaster plans of your hospital. The broad non-specific ones that are in some cupboard somewhere collecting dust, that they made because they had some joint commission site visit two years ago and had to show something that they're prepared for cyber disasters. That plan's gonna mean nothing to your department. If you didn't have a hand in actually crafting it, I don't think it's gonna help much at all. I'm increasingly convinced that what we should be working towards is every department coming up with an individual plan, because I'll tell you what, I don't know what's important to interventional radiology. I'm a clinician, I understand some of the cases they're gonna go through, but if their institution, or sorry, if we get hit with ransomware, I have no idea what patients are gonna make them sweat and which ones are gonna keep them up at night. Until the Scripps attack, I didn't even think about a scenario wherein their dialysis machines don't work and the thought of, oh, wow, what are we gonna do with our hundreds of dialysis patients that are not gonna get dialyzed in the next week. Talking in nephrology, they'll understand that. You can catalyze that discussion and maybe you're only responsible for your own individual little system, but I will say this, you have to start somewhere and you can start in your own department and talk to everyone if our electronic health record goes down, if our packs goes down, what are we gonna do in our department? How are we gonna triage the patients in the waiting room and communicate when patients are really sick or when they're deteriorating? Because what happens in every single one of these attacks is your waiting room explodes, and the time to actually get care increases. I mentioned this earlier, we under the house of medicine are the specialty best poised to prepare for cyber disasters because we get training in disaster medicine. It's part of the ACGME residency requirements. And there is a subspecialization in emergency medicine called disaster medicine. We have sections at ACEP, we should treat these like disasters because their impacts are analogous, except I'm gonna say there are two important distinctions. Yes, it can be as impactful as an earthquake or a power outage or a flood. But here's the thing, with normal disasters you can prepare for them because disasters tend to have a geographic predilection. If you are in tornado alley, if your hospitals in tornado alley, you have a disaster plan that's pretty good for tornadoes. I'm in California, we have a decent wildfire disaster response, as well as an earthquake one. Cyber disasters know no geographic predilection. They can strike anywhere that there's internet connectivity, the ability, so you don't get any storm announcement before, you don't know something's coming like a hurricane and they can spread quicker than maybe any other natural disaster. Hackers get in your system. Sorry, not all hackers, malicious hackers, bad hackers, cyber attackers, get into your network stealthily, they take a look around at what they have and they laterally move and all the meanwhile preparing for them to drop the hammer. Especially the sophisticated ransomware gangs that are hitting hospitals, they know your network pretty darn good before they deploy the malware. And then when it happens, five hospitals within minutes, that's very different. So let's put that uniqueness that I think we need to start taking the reins of this and leading the house of medicine and with your help, I'm hopeful that we can have a better national defense posture. This is not just me speaking, this is grabbing the attention of Congress, it's grabbing the attention of regulatory bodies, like the Joint Commission and I'm excited to hear that, I think our college is getting more and more interested in this particular topic because it's important, our patients deserve it and we can lead in it. Just a little time check. Okay, so let's apply some of the science and knowledge of disaster medicine preparedness to this. You remember this from residency or perhaps you're an expert in this, emergency management has stages, preparedness, response, recovery, mitigation, these are all commonalities between disasters that apply in cyber disasters. In fact, I'm sorry you won't be able to see a lot of this, but it's in the paper that I had a screenshot of earlier, and it's actually at the end in the references. If you wanna look at this a little bit deeper, but there are gonna be things like, sorry, preparing, you need an all hazard cyber risk assessment, you need to do cyber drills and you need to talk about incorporation of cyber into the emergency operations plan, you need to be doing drills. Under the response, you're gotta be talking about containing the actual attack, be talking about manually handling critical processes. What are we doing with our troponins in our patients? What do we do about our EKGs and chest pain? These are the types of things we need to be talking about before, but when you're actually responding to them, if you don't have a plan that works, you need to be figuring that out sooner rather than later, prioritizing the patients. In my opinion, that have the highest risk of morbidity or mortality. And I won't belabor this anymore. These steps of applying disaster medicine principles of cyber attack is unique. We need to develop an evidence base for this and become more familiar with this in crafting our individual departmental plans. I alluded to this, if you get anything from my talk, is that not all hackers are bad and this isn't going away and that you should do a drill. You don't have to lead the drill. You don't have to know anything about cybersecurity, but you need to whip up the people at your institution that know about emergency management and say, "Hey, let's have a drill." And they'll say, "I don't know how to craft a drill." That's okay, there are templates online. I put a reference at the end of these slides on where you can get some of these tabletop simulations that are already written for you. But the point of this is once you do this drill, there's a light bulb moment for everyone at that drill. How many times you've been to a meeting where someone knows everything that's gonna happen and knows what's going on, they're just going through the motions, that doesn't happen at a cyber drill like this because you're gonna recognize, well, how do we deal with a cyber attack? Oh, we put a ticket into ServiceNow, ServiceNow doesn't work, it's been ransomed, we'd use Slack. You're gonna deploy Slack with 500 employees, what are you gonna use with their logins? Nurse 1234, no. So every one of these drills I've been to, regardless of people have been in drills 100 times before they learn something, because we don't have visibility in the entirety of our health enterprise and every time you do this, you're recognizing that there's another thing that someone forgot or an important piece that needs to be secured and prepared for. I'm sorry to say, that's quite daunting and it's not to dissuade you from doing a drill, but it's to say, you're only gonna get to recognizing those threats when you do these, these are great exercises, bring people to the table like your security team, your emergency managers, leadership in your department, and slowly build out to other adjacents. We need to do this tabletop with radiology because we're a stroke center, we gotta do the trauma, et cetera. I have nightmares about the head trauma surgeon at UCSD during a cyber attack and me being in that bay. I don't wanna do it, I don't wanna have that conversation. I wanna have that conversation before, it supposed to get chuckled. No one else scared the trauma surgeons? Residual residency baggage, I guess. I don't think this tweet's real but I still include it. This is a probably a fake tweet from the government of the Ukraine. Some of our government agencies, private firms were hit by a virus, no need to panic. We're putting utmost efforts to tackle this issue. And if you know that meme, it's like, everything's on fire, but everything's okay. When something happens to your institution, this might be the sentiment that is being communicated to your employees or the media. And you're the 6:00 a.m doc below and with the fire around you, why do I bring up this? It's chaotic no matter how much you prepare for it, I've given you a couple anecdotes. You can talk to anyone who's been hit with a cyber attack, it's a nightmare to work clinically in that type of environment. However, people push through and with many of the cyber attacks I had mentioned, there is a step wide restoration of clinical systems. There are in some more prepared institutions, decent downtime procedures. I will say this though, as mentioned previously, cyber attack down times are only increasing in length. So the SamSam ransomware that hit Hollywood Presbyterian maybe a week at the most to get full clinical system restoration, the Scripps ransomware attack was a month long. Why is it getting longer? It's because the adversaries are more intelligent and they're not just willy nilly infecting a couple systems you can contain again, they're hacking the whole enterprise, much harder to restore those systems, that's not going away. If you think you can get hit with ransomware and you can be up the next day, I don't know who's telling you that, that's just not possible. One of your important roles is gonna be table topping, it's going to be handling the actual incident response to the best your ability, communicating to your C-Suite, your other clinical leaders about what the emergency department needs, because we get hit the most during a cyber attack is cancel clinic visits, is cancel elective cases. We don't cancel the emergency department. I've only heard of one example of a hospital got hit with a ransomware attack where they literally had to close their emergency department, but it was very small. We have EMTALA requirements, et cetera. And we have an expectation due to our patients, so you you're gonna be dealing with this. You can also be a communication vehicle between critical information from the IT informatic side to your colleagues and communicating that in disaster response is really important. Please don't go outside your approved communication channels, I've seen this happen before, people reporting, oh, it's just gonna take a couple days as mentioned previously or saying things that's not true. So make sure you get approval, but you're going to be the person. Who here gets random text messages from their colleagues. You're the geeky doc, can you fix my computer for me? Yeah, you're gonna be getting like, we got hit with ransomware, who in our department knows anything about computers? They're gonna be bombarding you, so be prepared to take some of that communication and help alleviate some of those concerns. But then also just being an advocate to prepare for cyber disasters now that we've talked a little bit about what the implications truly are. I don't have any disclosures, I don't make any money, I don't own any cyber companies. So I can say this, everyone here needs to go and talk to their leadership about how we should invest more, either in personnel, or money, or both in the cyber security. It's not going away, this will only getting worse. Here's some references, the first one's the public private governmental healthcare sector coordinating council for cyber. They have a lot of really great resources for your individual institution about how to do cyber drills, how to communicate with clinicians. There's even a lot of great technical documents in there to give to your security teams. I have a scary statistic, in 2017 a Congressional task force issued a report on healthcare cyber security. I know most of the people on that and one of the biggest things they highlighted was that they did a survey, the methodology isn't the best, but they estimated that 70% of hospitals in the United States lack a single full-time security professional on their staff. Let me repeat that, in 2017, 70% of hospitals in the United States lacked a single full-time security professional on their staff. I don't know how much better that is because cyber talent is expensive and there's not a lot of it. So I'm gonna venture to say, it's probably not much better than 70. So if your hospital doesn't even have security-minded individuals on staff trying to fix a lot of these vulnerabilities, patching these systems, making your hospital actually defensible from even run in the mill cyber attacks, let alone sophisticated ones, they're gonna need all the help they can, there's a lot of documents in that first link. Same thing with ASPR Tracie, if you're familiar with the disaster response from the federal government and healthcare, they've done a lot of COVID response. That's the ASPR and Tracie, they have a whole section of their website dedicated to healthcare cybersecurity. That third link is a link to a paper describing cyber disasters as, sorry, cyber attacks as disasters if you wanna learn more about that. And the last one is even HIMSS is getting more and more into this. In fact, if you've been into HIMSS the last five years, there's a growing vendor space of security vendors. And I think that speaks more to HIMSS and other large organizations getting more and more into cybersecurity. And so with this, I'm sorry, I think I have five minutes for questions, is that reasonable? You can ask me any question you want, I might not answer it, but you can ask me any question you want. That's my Twitter handle, that's my email. If you want me to come and give a virtual grand rounds at your institution or whatever, you just let me know. Or if you wanna collaborate with me on research, I always need data. So if you have some cyber disaster research, please let me know, we'll get published in a big journal. That's my hope, that's my dream.
[Man 1] It's a two part question because I've heard several answers to one part of it, but what is your recommendation for, I'm working and I click on a link and all of a sudden I go, oh, I've been hacked, what do I do next? And how much time do I have to do it?
[Christian] Great question, so the question was, say you think you've made a mistake, you're on a workstation at your hospital, or you're on your computer and you happen to be on the VPN, you're finishing notes at your home, you make a browser, you open up a browser, you go to some scary website and all of a sudden things are looking bad. Remove yourself from the network as quick as possible. Now malware, so the common thing is like if we were getting hit with ransomware and I knew it was ransomware, I would go to the network switch and try to pull us all off the internet as quick as possible. It takes some time to propagate, depending on the malware, really sophisticated fancy malware, that's optimized, it spreads like wildfire in a matter of seconds. And it also depends on the vulnerability and a few other things, but some malware can spread slower. So we would be trying to take off every end point workstation we could, and as well as trying to isolate certain very important sections of our network in real time, the long story short, it's probably not gonna do much, to tell the truth, especially with some of these big game hunting type of ransomware attacks with these ransomware gangs, they're already everywhere on your network. They're able to deploy them malware very quickly. And so it's not gonna matter in that situation. Now, what do you mean like if you click a link and you're like, oh, no, something bad happened? Often what is the case now is ransomware is a service, There's really good hackers that are really good malicious hackers at getting into systems, but they don't wanna be the ones that do the ransoms, so once they get into a system, they sell access to another gang who then goes in and deploys their particular brand of ransomware. What does that mean? If you think you click a bad link and nothing obvious is happening, report to your security team, share the link with your security team. Say, is there something bad here? They may tip them off and they can investigate that particular link to see if any malware has been deployed. You may have time then to give a heads up to people on their network, to look for what are called indications of compromise or IOC, evidence that the hackers have been there and shut them down before they pull the trigger.
[Man 1] This all more personal level. So I probably get 10 to 15 phishing event a day.
[Christian] They really want you.
[Man 2] And it's across five different. There are some just likes unsolicitation that says at the bottom, click here to unsubscribe. And when you click on it, usually it takes two things. You put your email address in there, and then you push the button and you assume that that's taken, then you get additional solicitations. So did I just verify my email address again or is that actually legitimate thing to do?
[Christian] Great question, so phishing is a type of social engineering attack. Malicious hackers have been using social engineering attacks since the dawn of hacking, calling pretending to be someone, calling you pretending to be your boss, whatever it's gonna be, one of the most common ones now because it's very low effort is to do phishing. So for those of you not familiar with phishing, these are typically emails or other types of communications. I've seen phishing done by text message. Well, they'll communicate to you and they'll deploy the same tactics. They'll pretend to be your boss, and they'll say, "Hey, I need you to buy these gift cards for a speaker that's coming into town, please go here and do this and send me the links to the gift cards when you're done." Or they potentially tried to trick you into giving them your credentials. Click this link, the link takes you to a webpage, it looks just like Google's Gmail or your work email portal. And you don't know the difference, 'cause it looks the same. You put in your username and password and all of a sudden now the bad people have your credentials. To answer your question about the situation wherein you get an unsolicited email, you click on a link to unsubscribe, and then you put your email address in that. It's hard to tell whether or not that's actually a phishing attempt or not. When people send emails, especially with phishing emails, they'll try to enumerate email addresses, they'll try to figure out whose email address works and whose is whose. They can often go to your website to figure that out. They often don't need to verify your email address, but maybe they're trying to figure out if your accounts active or whatever. Maybe they'll do something like that. But more and more increasingly, they're gonna be making sophisticated emails to try to get your credentials. They want your username and your password because you have the keys to the kingdom. They wanna get on the VPN and deploy malware. That's why multifactor authentication, and please raise your hand, we're not taking any recordings of this, I'm just curious, how many people have multifactor authentication at duo, some other type of thing where they have to log in their VPN and sends them a message in their text message or in their email, whatever it is. Good, so that would prevent something like a phishing attack from happening. So even if you give them your credentials, you get tricked, when they try to go log in, they don't have access to your cell phone. So they don't get that little message. So even if they have their username and password, they don't have your multifactor, they don't have your other way of proving that you are who you are because you possess some privileged device. That's why those things are really effective, not perfect, but really effective at just run of the mills phishing attacks. Now, there are something called spear phishing, and this is people, these are hackers that are trying to get your CEO or your CISO or someone really important, and they're gonna craft a really convincing message. They're gonna dedicate more resources. So they're gonna get your credentials, they're gonna try to log in. And then when you're multifactor authentication dings, they're gonna call you and pretend to be the IT team and saying, "Hey, there's an unusual activity on your account. Did you just get a ding for your duo or your multifactor application?" Yeah, I did, that's really concerning. Oh yeah, we agree, someone's trying to hack you, please read us at digits. Oh, it's 64321, and they just got your account. So they're tricky, these are not hurricanes, mindless earthquakes or tornadoes. These are intelligent adversaries whose jobs and livelihood depend on tricking you and thinking up the latest and greatest new way to hack your hospital. That's human nature, that's not going away. We're not fixing the problem of cyber security ever, in my opinion, it's just a byproduct of the technology we use. And even when we have artificial intelligence and Skynet, there's still gonna be cyber security vulnerabilities.
[Man 3] So it was in the news recently, the Blake Media of the first lawsuit regarding hospitals being with ransomware, how is that going to affect the future of healthcare and cybersecurity?
[Christian] Great question, so there's a question about legal liability and patient harm coming from cyber attacks. Now I get asked this question a lot, show me someone who's died from a ransomware attack and I will believe you. It's quite frustrating to tell you the truth, one, because I think we lack speaking the telemetry and sophistication to measure the impacts of cyber attacks, but there have been two well reported examples of patients being impacted by cyber attacks and potentially killing them. The first was reported in Germany. An academic medical center got attacked with ransomware and the system went down. There was an ambulance transfer, sorry, there was a patient with an aortic dissection that was going to this academic medical center to get treatment. And they had to divert the ambulance because they got ransom and they had to go an extra 30 minutes to another hospital to receive care for their dissection, that patient expired. The reports initially were that that diversion caused the patient to die. Now I don't know the case, and I'm not a vascular surgeon to say if that 30 minutes or so was a difference between, well, not that dissection lived or died, but what the real consequence was is that there's a demonstrable impact on patient transfer, an additional 20 or 30 minutes required directly resulted from that cyber attack. So that was the first one. And then most recently the Wall Street Journal reported a horrible case, I believe in Alabama, of a mother in labor who had a very concerning strip indicating fetal distress. The hospital was under active ransomware attack. And the fetal monitoring was not being shunted to central monitoring where the nurses and OB could see all the strips. As a consequence, it's reported that the nurses did not notice the fetal distress and reported to the clinician until the emergency C-section, the baby subsequently died, had severe anoxic brain injury and died. There are some damning text messages from the obstetrician to the charge nurse, basically they'll be saying, "Why didn't you let me know about this strip? Had I known about this strip I would've sectioned earlier, this was preventable" and the cyber attack is responsible for it essentially. That's getting litigated, I imagine this will usher a whole new concerning era of litigation where when hospitals get ransom it's no longer patient suing about the breach of their protected health information, which goes hand in hand with ransomware, they'll ransom your system, they'll do what's called double extortion, they'll take all your patient data and then ransom it and they'll say, if you don't pay the ransom, we'll release all your PHI. So not only now are ransomware attacks publicly being reported to be a HIPAA concern, but more and more patient safety concerns. I imagine we'll see a lot of litigation, bad outcomes associated. And as this becomes more and more public, I think we're gonna have more reported patient harm, stuff that happened for the last five or seven years that just never got publicly reported. That was the side effects of ransomware attacks. Again, I promise not all my talks are this much of a downer, I stick more with our arcade cabinets, I think next time.
- [Man 4] So much of work of informaticist is trying to improve efficiency and usability, which is also efficiency maybe can be measured, well, usability sometimes not, but how do you weigh that against risk, which can also be hard to measure?
[Christian] Great question, and I think emergency medicine is one of those clear examples of, I don't wanna have to wait for my multifactor authentication before I pull out some cardamine for a dissection or whatever, right? I get it, and I'm not a cyber security at the expense of patient care type of person. What I think we should be doing is, where are the crown jewels? Where are the worst vulnerabilities on the network wherein if they're hacked or attacked, we would suffer severe patient consequences? Let's put appropriate and potentially a little bit more restrictive cybersecurity controls around those. But for things in critical time sensitive conditions, the trauma bay, other types of things, let's design more intelligent workflows that take into consideration effortless cyber security. There are ways that we can build workflows to be far more secure than they currently are with little to no impact on the actual workflow. These require a lot of frankly money and intelligence and workflow understanding that you all possess. So that's the other side of this. If we go crazy and lock everything down, I think one of the best examples of this is I used to moonlight the VA when I was in fellowship, oh God, I have nightmares about how long it took me to log into their five different systems to take care of a sick patient. And a lot of times those type of archaic poorly designed security controls were hindrances to timely care. It's just, unfortunately, it's a hard problem and where that balance is, I don't think anyone's figured that out perfectly, which speaks to the lot of work we have. And of all you out here to help me figure this out, help everyone else figuring out, and my solution to my shop is not gonna work for your shop. That's why this is everyone's job now, you can have more and more cyber security responsibilities in my opinion moving forward, especially as there's more and more litigation, there's more and more liability. A lot of hospitals said we solved the cyber security problem because we had cyber insurance. You can actually buy cyber insurance as a hospital. When you get hacked, you get a payout. Those are going away because adversaries, well, not going away, they're becoming so expensive that a lot of hospitals can't afford them anymore because the adversaries are winning and they're getting the ransoming. And in fact, this has not been verified but there was a ransomware gang that claims to have hacked a cybersecurity insurance broker, got the list of all their clients so they knew who had cyber insurance and used that to triage who they would attack because they would know they would get a payout, 'cause in their insurance contract it said, if you get hit with ransom, we'll pay up to $5 million. So they knew which ones had cyber insurance and which ones they could target, and which ones could pay. What has that meant? Is that I don't think cyber insurance is gonna be affordable for many institutions, and that's not the solution just to buy insurance for it anymore. Weird world, I didn't know if you guys say this is weird stuff.
[Man 5] You made comment on the other pattern we've seen, which is when organization gets hit, they go quiet 'cause they don't wanna alert everybody that, "Hey, come hit us while we're down."
[Christian] Huge problem, I'm sorry, I just have to say this. I went in front of Congress, in front of Energy and Commerce and that was one of my biggest points to them was just listen, we have a data void. I don't know which hospitals got hit with ransom or they won't even report it, primarily because the posture right after you get hit with ransomwares, your legal team, your PR teams all say shut your mouth, don't even tell people you got hacked, don't tell your patients, don't tell your employees. Scripps, their entire payroll system went out. So for weeks their employees didn't get paid. The institution wouldn't even confirm to their own employees that they got hit with ransomware. This is a problem, there is no reason for them, there's no incentive for them to report it because all it does is increase liability. If they publicly report we got hit with ransomware, this is the issue, lawyers line up to sue them, sue the hospital and now they have a problem, not only did they breach a bunch of information, they're gonna get the HIPAA fine, but now they're gonna get these lawsuits saying, why didn't you invest in cybersecurity so that your hospital didn't get hacked, for example? So you're right, there's no incentive for hospitals to publicly report or communicate when they've been hit with an attack. It's a huge problem because we can't get accurate numbers. I went to the federal government and I said, "Give me a number of which hospitals have actually been hit with ransomware." They said, "We don't even have it." The only way they know if a hospital's been hit is if they report it in their OCR report, when they have their breach. There are people that have successfully argued that they can't prove they had data exfiltrated. So they were hit with ransomware. They say, "Hey, we can't prove that there was data exfiltrated, we don't think there was." So we never find out about this because there is no OCR, HIPAA report, this is the problem. And I think that Congress is fed up with it and I hope in the future we're gonna have laws about mandatory reporting, I'm hoping to add to those laws. I've been trying to lobby Congress to say, when you required to report ransomware attacks, you also have to report adverse patient outcomes. That would be a dream of mine and we should develop something like a, I've been calling it the national cyber harm registry, not just in healthcare, but what if your pipelines go down? Remember when the pipeline got ransomed, everyone remember that? What if that was in the winter and people freeze to death and that cyber attack on that pipeline resulted in not just patient harm, but people harm in their own homes 'cause they couldn't heat their homes, or water or whatever it may be. We need to have a registry about cyber attacks harming people, not just in healthcare, but all over the place. I'm over, I'm sorry.
[Moderator] Don't be, that was absolutely incredible. Thank you very, very much.
[Christian] Appreciate it.
[Moderator] Thank you so much. I mean, that was just superb, really was.