Previously on Grey's Anatomy… Grey Sloan Memorial Hospital's network was taken over by a hacker who demanded millions in Bitcoin, in what was essentially a ransomware attack.
After a two-month hiatus – during which time Bitcoin plummeted in value (sorry, extortionist) – the ABC drama resolved the cliffhanger in its Jan. 18 midseason premier.
To gauge the accuracy of the episode, SC Media invited back the same three health care cyber experts who analyzed “part one” back in November:
- Taylor Lehmann, CISO at Wellforce health system and Tufts Medical Center in Boston, Mass.
- Elie Nasrallah, director of cybersecurity strategy at HITRUST, the Health Information Trust Alliance
- Clyde Hewitt, VP of security strategy at health care IT consulting firm CynergisTek
The follow is a summary of the hacker plot, replete with expert commentary:
If locking doctors out of their patients' electronic records and sealing the blood bank doors weren't evil enough, the hacker continued torturing the hospital's inhabitants by cranking up the thermostat, forcing everyone to sweat it out.
CH: Larger buildings' HVAC, power, and utility distribution systems are many times managed with Supervisory Control and Data Acquisition (SCADA) networked components. This system can monitor and control everything from the HVAC system, to the lights and power. Not only is it possible to adjust thermostats, but hackers can also disrupt the primary coolers and humidity controls. The temperature change would be gradual; however, data centers could see a rapid rise in temperature.
TL: Many modern thermostats, including common ones used in homes (e.g., NEST), can be controlled over a network. In fact, many attacks are focused on compromising these types of devices. In addition to cranking up or down the heat, they could shut down the HVAC system entirely. Imagine: shutting down the heating system in a hospital in the middle of winter could create a truly life threatening scenario for thousands of people – by just compromising one system!
Surprisingly, the show resisted the temptation to use the rising temperature as an excuse for the doctors to remove their clothing. However, we do learn later that the machines used to dispense fresh medical scrubs are also affected by the hack, forcing Drs. Jackson Avery (Jesse Williams) and Maggie Pierce (Kelly McCreary) to sit around in nothing but towels in the co-ed locker room. Our experts said it is realistic that these machines would be connected to the network.
EN: The electronic scrub-dispensing machines are digitally connected and will utilize PINs as well as hospital ID badges for tracking whereby, making those digitized records vulnerable to attack.
TL: These devices, like thermostats, cameras, and other common control devices, are network-enabled and permit remote control of almost all of their functions. Instructing a machine to simply empty its contents or deny access could shut down and deny a hospital from administering care.
In the midst of this chaos, a hero emerges in the form of Dr. Casey Parker (Alex Blue Davis), a new intern who rather conveniently happens to possess a background in cyber. Yet he is reluctant to use his particular set of skills because he is a former hacker who is no longer allowed to practice his craft, by a judge's order. (Fortunately, his crime was a victimless one, as he merely hacked into the DMV, which – let's face it – rates well below cybercriminals in terms of overall likability.
The resourceful doc manages to MacGyver open the sealed blood bank doors by hooking up a defibrillator to the vault's security keypad and delivering an electric charge that overrides the security system… somehow.
TL: Unless that defibrillator came loaded with Kali Linux or some type of capability to exploit the blood banks system, this is a very low likelihood scenario.
CH: Hollywood has to make it interesting and needed a quick solution to the blood bank door problem. I'm not one for testing this theory, as the high-voltage shock has a higher potential for more damage to other components connected to the facilities' networks, acting just like a small lightning bolt. Ethernet and power cables in the door controller were never designed for that amount of voltage.
Impressed with the intern's ingenuity, Chief of Surgery Miranda Bailey (Chandra Wilson) asks Casey for additional help. He advises her to ask the FBI agents investigating the incident if they scanned the hospital's log dumps for unwanted guest Wi-Fi traffic. The agent in charge says yes, they have, which is how they found the hacker's IP address. This implies not only that the hacker somehow leveraged the hospital's Wi-Fi network in order to take control of the central servers and systems – but also that the hacker was doing all this locally, within Wi-Fi range.
TL: Wi-Fi systems, in general, can be very poorly implemented and hard to fix. Most concerning about this scenario is that the guest Wi-Fi network appears to allow anyone, including any other guest, to directly access the hospital's critical systems. Typically, a network used by guests would have a firewall between it and the networks these critical systems can be accessed from. Also, if the attacker has clear line of sight to the hospital, he/she could simply use a directional antennae… and connect to the guest Wi-Fi network from up to 3,000-5,000 feet away – that's almost a mile!
EN: Wi-Fi systems are typically open within hospital networks that provide Internet access. Depending upon network architecture and design security, paths technically could exist into production networks should basic security principles be ignored and not implemented.
CH: This scenario was designed to quickly wrap up the ransomware event… The writers… needed a quick way to wrap up the ransomware attack introduced in the season finale. The timeline in the January 18, 2018 episode accomplished their goal, but they had to take greater liberties with reality.
Knowing now that the hacker's IP address has been exposed, Casey suggests that the hospital “hack back” the hackers — a suggestion that hits upon an interesting ethical and legal dilemma in the infosec community. But the FBI agent in charge dismisses this tactic because it would tip off the hacker before his physical location could be determined, allowing him to pull up stakes and flee. Miranda pointedly asks if the FBI cares more about catching the hacker than saving her patients.
TL: Sophisticated attackers use appropriate means to disguise their physical location – trying to locate an attacker's true source is often impossible. That said, "hacking back" in this scenario might be used to disrupt the attackers current campaign, but it wouldn't necessarily reveal his identity… It's certainly an ethical dilemma. Currently, most forms of hacking back are considered highly illegal and can get one into big trouble.
EN: Tipping off the hacker is a real-life scenario whereby sandboxing technology can mask the detection of attacks.
Fed up, Miranda permits Casey to secretly do his hacker thing and take back the hospital, using her own laptop (which for some reason remained somewhat usable – perhaps it had not yet been connected to the network). It's not entirely clear what Casey does, but he makes the lights flicker to confirm that he's gained back control. Moments later, he brings the systems back up and running, much to the relief of the staff. But the question remains: how could Casey have accomplished this?
TL: Depends on the attack, but most common “responses" include finding and shutting down the processes that are allowing the attacker to remotely control the systems, changing administrative passwords on all compromised computers, and beginning to “hunt" for what's left. Responding to these types of incidents is a tricky affair, as sophisticated attackers often plant various methods to return to a network and continue an attack during the original attack. Being able to “persist" in the network helps make sure the attacker can take his/her time planning their attack over days/weeks/months. Finding how an attack is persisting, figuring out the tools they are using against you, and then addressing them methodically to cleanse the network can take a long time.
CH: The thought that an individual could stop and reverse the impacts of a ransomware is unrealistic, except for one scenario. In the first ransomware attacks, the hacker reused the same key, so the decryption method was known. The unlock keys for the first generation of ransomware have been published. Subsequent attackers have not made that mistake. Even if an organization obtains a key to unlock their data (by paying, or through other means) still must remove the malware that caused the infection in the first place. The hacker can just as easily re-encrypt the data with a different key and demand a second (or third) ransom. Disinfecting the thousands of workstations, servers, medical devices, and other IoT devices will take weeks. [With that said, it seems this may have been more of a complete systems takeover than an actual malware infection, per se.]
Another crisis averted at Grey Sloan Memorial. And amazingly, nobody died. Well, technically, Dr. Jo' Wilson's abusive husband Paul was hit by a car, ultimately leading to his death in the following episode. But unless the car was hacked, that doesn't count.