The hackers holding hospitals to ransom
BMJ 2017; 357 doi: https://doi.org/10.1136/bmj.j2214 (Published 10 May 2017) Cite this as: BMJ 2017;357:j2214
Whilst many practices that experienced the impact of the cyber attack struggled to signpost patients to services or update them on the impact on practice IT systems, across North Staffordshire practices have developed a clever workaround.
Of the 82 practices across Stoke-on-Trent and North Staffordshire, 62 regularly use social media to engage with patients. This infrastructure came into its own on the afternoon of the attack. Not only were they able to send out valuable information to their patient populations, they were also able to alert patients to the problems being experienced at Royal Stoke Hospital. Insight data shows engagement levels were significant and patient reach for the average practice was over 2,500 people. On the same weekend, practices were also able to use heightened interest in their social media Facebook pages to promote other services - a drop-in heart screening session, for instance, reached over 40,000 people over the weekend, with sessions booked up immediately.
The impact of the cyber attack clearly showed those practices that have embedded social media into their communication mix now have a valuable tool sitting outside of the network to get information out to their patients quickly and effectively.
Competing interests: No competing interests
Although we had thought it ‘behind the times’ that the computers controlling our anaesthetic machines were not wifi enabled or network connected - and so would not allow remote upgrading of operating software - following the ‘Wannacry’ ransomware cyber-attack we were relieved and reassured to know that our stand-alone, life-critical systems were safe from harm and safe to use. We now wonder if with anaesthetic machines, it’s best that contact with the ether be restricted to filling of the vaporisers.
Competing interests: No competing interests
This is regarding a possible suggestion for a future direction the NHS could take regarding its databases, information security, etc., to not only potentially improve efficiency but also address security and privacy concerns. This is adapted from a short article I wrote on Blockchain technology for the JIPMER (Jawaharlal Institute of Postgraduate Medical Education and Research in India) 2017 alumni reunion in the UK (the author's mother being an alumna of JIPMER).
** Main Body of Article/Response begins here **
This is aimed at those of you who are either decision-makers, in the position to influence them, or who are looking to advocate solutions for healthcare reform either within your own trusts or across the NHS more broadly. Essentially, NHS databases and data-sharing arrangements are generally inefficient, impede effective service delivery, and prevent optimal utilisation of data. Some of you may or may not have heard of Blockchain technology, and this might be something worth exploring.
Applications of Blockchain technology are not just limited to crypto-currencies and the financial services industry. A Blockchain is a database that maintains a continuously growing set of records. It is a distributed database, which means there is no central authority that holds the entire ‘chain’. Instead, each participating ‘node’ has a copy of the ‘chain’. It’s also ever-growing – data records are only added to the chain (so the records cannot be tampered with or modified – thereby ensuring their integrity). Fundamentally:
1. Transactions are the actions created by the participants in the system.
2. Blocks record these transactions and make sure they are in the correct sequence and have not been tampered with. Blocks also record a time stamp when the transactions were added.
Blockchain technology can, therefore, be used in tracking billions of connected devices, patient records and information, etc.; it can enable the processing of transactions and ensure the integrity of data (so that it is verifiable), whilst the cryptographic algorithms ensure people’s privacy. In this sense, it is secure, efficiently accessible, and enables privacy (so much so that many people use Bitcoin – which uses Blockchain technology – to illegally buy drugs, weapons, and so on, because they are confident of their anonymity being preserved).
Recently, the US Department of Health and Human Services (a Federal Government agency) sponsored a blockchain research contest (the ‘Blockchain Challenge’) and the Chamber of Digital Commerce (a leading trade association representing the digital asset and blockchain industry) provided an executive overview of “over 70 white papers from industry and academics” within its report: ‘Blockchain Healthcare & Policy Synopsis’. Amongst “the main areas for the application of blockchain in healthcare were thought to be: real item verification of doctor’s license status, drug delivery supply chain auditability, insurance claim fraud detection, continuing education validation, and digital wallets could be used to store a set of medical records, allowing the patient to have their records in digital form, giving them control of who sees their medical information.”
There is also the potential to ensure that the Blockchain can help secure the Internet of Things (IoT) as it pertains to healthcare because, according to an article entitled “Inside Risks: The Future of the Internet of Things” by Ulf Lindqvist and Peter Neumann, healthcare establishments already use devices that are remotely-controlled and accessible; this includes patient monitors, body scanners, pacemakers, defibrillators, infusion pumps, main and auxiliary power, lighting, and air conditioning. If compromised, people could literally be killed through malicious software and actors remotely – Blockchain technology can, therefore, help ensure security, integrity, human safety and health.
Ideas can be spread through both top-down and bottom-up approaches – indeed, an idea often only materialises effectively in large organisations when a combination of both is used (at least to some degree). If you think this is something your practice, your trust, or the NHS could benefit from more broadly, it is worth investigating and speaking to others, raising it in various fora and seeing whether the idea gains traction. I don’t proclaim to have significant expertise but there is a lot of research going into Blockchain technology – Guardtime is the world’s largest Blockchain company by revenue (and they have implemented Blockchain solutions in many contexts) whilst, in the UK, University College London hosts the UCL Research Centre for Blockchain.
As doctors, you have the opportunity to make recommendations about improving healthcare services that are taken more seriously by service-users than those of your ordinary policymakers and NHS management. Data-sharing and NHS databases are a source of major inefficiency throughout our healthcare system – it can be dealt with. Now, the need for improving the NHS cyber security apparatus presents a potential opportunity to kill two birds with one stone.
Competing interests: No competing interests
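As an added illustration of the append-only, hash-linked structure the response above describes (blocks recording transactions in sequence, with a time stamp, such that earlier records cannot be altered unnoticed), here is a constructed example; it is not code from the response or from any named project, and the patient-record entries, timestamps and the all-zero genesis link are assumptions made for the demonstration:

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple

GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash by convention (assumption)

@dataclass
class Block:
    index: int                 # position in the chain; enforces the sequence
    timestamp: str             # when the transactions were added (ISO 8601, constructed values)
    transactions: List[dict]   # the actions recorded in this block
    previous_hash: str         # hash of the preceding block; this link is the "chain"
    hash: str = ""             # hash over all fields above, filled in by append_block

def compute_hash(block: Block) -> str:
    """SHA-256 over every field except the hash itself, serialised deterministically."""
    payload = {k: v for k, v in asdict(block).items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def append_block(chain: List[Block], transactions: List[dict], timestamp: str) -> Block:
    """Records are only ever appended: a new block links to the current last block."""
    prev = chain[-1].hash if chain else GENESIS_PREV
    block = Block(len(chain), timestamp, transactions, prev)
    block.hash = compute_hash(block)
    chain.append(block)
    return block

def verify_chain(chain: List[Block]) -> Tuple[bool, int]:
    """Return (True, -1) if every block is intact and correctly linked,
    otherwise (False, index of the first block that fails the check)."""
    expected_prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b.index != i or b.previous_hash != expected_prev or b.hash != compute_hash(b):
            return False, i
        expected_prev = b.hash
    return True, -1

def build_demo_chain() -> List[Block]:
    """Constructed sample: two record events for a fictitious patient."""
    chain: List[Block] = []
    append_block(chain, [], "2017-05-12T00:00:00Z")  # empty genesis block
    append_block(chain, [{"record": "patient-001", "event": "note added", "by": "clinician-a"}],
                 "2017-05-12T09:15:00Z")
    append_block(chain, [{"record": "patient-001", "event": "prescription issued", "by": "clinician-b"}],
                 "2017-05-12T10:40:00Z")
    return chain

if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain))                       # (True, -1)
    chain[1].transactions[0]["by"] = "someone-else"  # silently edit an old record
    print(verify_chain(chain))                       # (False, 1): the edited block no longer matches its hash
```

Recomputing the edited block's hash does not help a tamperer either, because the next block still carries the old link and the check then fails there instead; what the hashing alone cannot stop is a single holder rewriting every block and every hash, which is why the response stresses that each node keeps its own copy of the chain.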
Dr Chinthapalli is obviously a visionary clinician in that his observation article about Trusts needing to prepare proactively to ensure that their IT systems are protected from viruses such as 'ransomware' was published on the very day that 40 or so Trusts in England were so infected. Similarly, I, as the clinical lead for our STP's digital workstream for adoption of Technology Enabled Care Services (TECS), updated the county-wide code of practice for TECS for all Trusts/CCGs and Local Authorities across Staffordshire in March '17 (http://www.digitalhealthsot.nhs.uk/index.php/clinicians-learning-centre/...) to include the element 'to improve and sustain cyber security', in line with the National Data Guardian for Health and Care's Review of data security, consent and opt-outs in 2016 (https://www.gov.uk/government/publications/review-of-data-security-conse....). Clinical leaders are great at spotting blips in the system and raising concerns - so NHS managers, please listen to us and we can rapidly sort clinically driven organisational solutions together.
Competing interests: Clinical lead for technology enabled care services for Staffordshire STP digital workstream
Post-OS-update malaise is a problem familiar to anyone who owns a computer. No wonder that NHS institutions, with hundreds of terminals needing attention and thousands of users to support, stuck with a tried and tested operating system.
Even if members of staff aren’t covertly checking Facebook, realistically malware is going to get in somewhere, sometime.
Why aren’t patients holding their own medical records on a smart card? Patient-held records wouldn’t have prevented all the problems caused by last week’s attack, but at least an independent copy of each patient’s record would exist. Patients would have turned up to their appointment with their medical histories, and even without the hospital’s records a functional appointment would be possible, if not an operation. Sure, some patients would forget or lose their records, but hospitals do that all the time, and as we now know they can be totally disrupted by cyberattacks.
Competing interests: No competing interests
In “The hackers holding hospitals to ransom” Dr. Chinthapalli makes a strong case that hospitals need to be better prepared for ransomware attacks. This is a good start but we need to go further [1]. In a recent publication we outlined a multifaceted, sociotechnical approach that both hospital-based information technology professionals and users of these computer systems need to adopt to make them more impenetrable [2]. Over centuries, we have learned how to protect ourselves from various types of physical criminal activities by taking established security precautions. We lock entrances to our homes or businesses with high-quality locks, check identities of those attempting to enter, become aware of our surroundings, report unusual activities to a trusted source, keep our valuables in a safe place, be cautious of strangers who appear excessively friendly, and know how to call for help. We need to build a similar culture and social environment of safety to implement basic security techniques when working with computers.
These basic computer-based security techniques often have direct analogs in the physical world. For example, a network-attached computer (whether by physical wires or a wireless mechanism) has many "ports" or entry points. Those that are not required for routine work should be closed and locked. Those that are needed (e.g., to access the internet) should be closely guarded and only allow access to known and trusted associates. If one does not know how to close and lock these ports, one needs to ask for help from trusted associates.
In more social terms, we now know that the overly-friendly "Nigerian prince" of internet fame does not have 25 million pounds that he wants to deposit directly into our accounts [3]. Similarly, unsolicited requests for passwords from unknown people, whether via telephone or email, should not be honored. Finally, we need to keep an up-to-date copy of our important data in a safe, secure, non-network-attached location, similar to the valuables we keep in a safe deposit box at our local bank.
The most important lesson to learn from these recent attacks is that they can be mitigated and even prevented. The answer to these events is not to permanently turn off all computers or stop sharing information, rather it is to learn from our mistakes and begin implementing the appropriate information technology-related security measures. Currently, there is a lack of consistent implementation of best practices for information technology security across healthcare organizations. Recently, we developed guides to promote the implementation of safety-related practices in electronic health record-based environments, including security and ransomware related practices [4]. Following these basic sociotechnical physical and virtual security processes will ensure that our valuables, including electronic data, are safe from nefarious agents.
References
1. Chinthapalli K. The hackers holding hospitals to ransom. BMJ 2017;357:j2214 (Published 10 May 2017)
2. Sittig DF, Singh H. A Socio-Technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks. Appl Clin Inform. 2016 Jun 29;7(2):624-32. doi: 10.4338/ACI-2016-04-SOA-0064. Available at: https://www.schattauer.de/index.php?id=5236&mid=26013&L=1
3. Herley C. Why Do Nigerian Scammers Say They are From Nigeria? WEIS, June 1, 2012. Available at: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/Pers...
4. Office of the National Coordinator for Health Information Technology. Contingency Planning SAFER Guide. April 2017. Available at: https://www.healthit.gov/safer/
Competing interests: No competing interests
How extraordinary that this piece should appear on the same day as some 40 hospitals and GP practices lost access to their data following a major hack. There are several levels of defence:
1. Up-to-date software: Windows XP is no longer supported by Microsoft, and is thus highly vulnerable.
2. Separation of internal and external systems. Most malware is downloaded from malicious emails that are opened by mistake, because they appear to be genuine or important. If data systems were isolated from the Internet, most problems would vanish.
3. Use of malware detection programs. The fact that so many institutions have been affected is pretty clear evidence that such programs are simply not installed.
4. Backup to a server run at least every six hours. This won't eliminate problems but will minimise data loss.
The potential for trouble in the NHS IT systems has been highlighted by IT specialists for years, yet not enough has been done, and here is the result. It is time to sort the problem out. If all patients carried their own USB stick then much of the problem of data loss would be mitigated. What price security of data over patient safety? An individual who loses their credit card is probably at greater risk than one who loses their data stick.
Competing interests: No competing interests
This article was published on the 10th of May?!
Competing interests: No competing interests
'Spookily prescient' for this to be published 10 May in view of the events of 12 May.
Competing interests: No competing interests
Re: The hackers holding hospitals to ransom? No, you the computerisers are at fault
Please ladies and gentlemen!
Don't forget that many and increasing numbers of Brits are either incapable of finger tapping or hate the social media. They do not use Facebook or Twitter.
Talking of the number of practices using these toys, games, is irrelevant. Tell us how many of your patients, percentage-wise, are using these "media".
Every single computer is imported from the Far East. You are giving yourselves and us as hostages. Most of our software is under foreign control. Right?
Has our Parliament yet investigated the possible sources of illegal practices in the computer world?
Competing interests: No competing interests