In the winter finale of the popular television show “Grey’s Anatomy,” there was an unexpected guest star: ransomware.
After years of dealing with natural disasters, surgical regulations, human error, lawsuits and medical accidents, the staff at Grey Sloan Memorial Hospital was forced to confront one of today’s most prominent and worrying threats to the health care industry. In the episode, the hospital’s electronic equipment fizzled out, causing life-saving patient information and diagnostic tools to stop working while the hospital’s staff was dealing with a slew of patients.
Doctors received a message on their monitors — “We own your servers. We own your systems. We own your patients’ medical records.” — demanding 4,932 bitcoin (worth $20 million when the episode taped, around $40 million as of this article’s publish date) if they wished to have their systems restored to normal.
While computers sputtering and loudly shutting off isn’t necessarily a true depiction of a ransomware incident, the ABC show sought to demonstrate the human effect of an attack by highlighting how it would cripple the hospital’s ability to care for its patients.
“Think of the implications if every person with a certain type of pacemaker suddenly had their embedded pacemaker — a device they rely on to live — suddenly ‘bricked,’” said Jennifer McArdle, Assistant Professor of Cyber Defense at Salve Regina University, and a co-creator of the school’s graduate program in cybersecurity and health care.
Prior to this episode, the hospital had been portrayed as an exceedingly modern environment, further showing how even the most progressive institutions can be successfully targeted by, as one of the characters put it, “a cheeto-stained pirate nerd.”
CyberScoop previously reported on a type of malware called Defray, which was specially tailored to target hospitals and doctors’ offices and spread through networks via a simple phishing campaign.
Matt McMahon, a security expert who focuses on healthcare, told CyberScoop that the medical devices industry is inundated with 25-year-old unpatched Windows machines with outdated operating systems, giving ransomware the chance to easily proliferate.
“The medical device industry could accurately be called the ‘Internet of XPed things,’” McMahon said. In some cases, it’s unclear exactly what kind of software a device might be running.
McMahon added that hospital networks are notoriously flat – as opposed to segmented – which allows ransomware to “spread like the bubonic plague.”
Additionally, the episode included scenes of medical devices rendered useless, such as CT scanners and blood type registries.
McMahon said these types of medical devices represent very real vulnerabilities for hospitals.
“The biggest hurdle with medical devices is effectively patching systems in a timely manner,” he said. “WannaCry took out numerous medical devices across vendors that simply weren’t patched.”
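Two of McMahon’s points above, that flat networks let ransomware spread freely and that unpatched devices are the hosts it lands on, can be made concrete with a small blast-radius simulation. The following is an added example written for this page, not code from the article, CyberScoop or any hospital; the host inventory, segment names and allow-list are hypothetical, and the worm is modeled simply as “can reach tcp/445 on a vulnerable host.”

```python
"""Blast-radius simulation: a worm that spreads over SMB (tcp/445) across a
flat hospital network versus the same hosts split into segments with an
explicit allow-list between them.

All hosts, segments and rules below are constructed for this example.
"""
from collections import deque

# Constructed inventory: host -> (segment, still vulnerable to the worm).
# A "vulnerable" host stands in for an unpatched machine (e.g. an embedded
# Windows XP imaging system that the vendor will not let the hospital patch).
HOSTS = {
    "nurse-ws-01": ("clinical", True),
    "nurse-ws-02": ("clinical", True),
    "ehr-app-01": ("clinical", False),      # patched
    "ct-scanner-01": ("imaging", True),     # embedded XP, cannot be patched
    "mri-01": ("imaging", True),
    "pacs-srv-01": ("imaging", False),      # patched
    "blood-bank-db": ("lab", True),
    "lab-analyzer-01": ("lab", True),
    "billing-01": ("admin", True),
    "reception-01": ("admin", True),
}

WORM_PORT = 445  # SMB, the port WannaCry-style worms propagate over


def flat_policy(src_seg, dst_seg, port):
    """Flat network: every host can reach every other host on every port."""
    return True


# Segmented network: intra-segment traffic is allowed; between segments only
# the flows the business actually needs, each pinned to its port.
# (Hypothetical allow-list; ports are the usual DICOM/HL7/HTTPS ports.)
ALLOW = {
    ("clinical", "imaging", 104),   # workstations send DICOM to PACS
    ("clinical", "lab", 2575),      # workstations exchange HL7 with the lab
    ("admin", "clinical", 443),     # billing pulls encounters from EHR over TLS
}


def segmented_policy(src_seg, dst_seg, port):
    if src_seg == dst_seg:
        return True
    return (src_seg, dst_seg, port) in ALLOW


def flow_allowed(policy, src, dst, port):
    """Does the policy let `src` talk to `dst` on `port`?"""
    return policy(HOSTS[src][0], HOSTS[dst][0], port)


def simulate(policy, patient_zero):
    """Breadth-first worm propagation.

    Starting from the host compromised by phishing, each infected host tries
    every other host on WORM_PORT; the target is infected if the policy
    permits the flow and the target is still vulnerable.  Returns the set of
    infected hosts (the blast radius).
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        src_seg = HOSTS[src][0]
        for dst, (dst_seg, vulnerable) in HOSTS.items():
            if dst in infected or not vulnerable:
                continue
            if policy(src_seg, dst_seg, WORM_PORT):
                infected.add(dst)
                queue.append(dst)
    return infected


if __name__ == "__main__":
    # Patient zero: a receptionist opens a phishing attachment.
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        hit = simulate(policy, "reception-01")
        print(f"{name:9s}: {len(hit)}/{len(HOSTS)} hosts infected -> {sorted(hit)}")
    # The clinical workflow still works after segmentation...
    print("DICOM nurse->PACS allowed:",
          flow_allowed(segmented_policy, "nurse-ws-01", "pacs-srv-01", 104))
    # ...but the worm's port does not cross segments.
    print("SMB nurse->CT allowed:   ",
          flow_allowed(segmented_policy, "nurse-ws-01", "ct-scanner-01", 445))
```

On the flat network every unpatched host, including the CT scanner and the blood bank database, is reached from a single phished front-desk PC; with segmentation the same phish is contained to the admin segment while the DICOM and HL7 flows the clinicians depend on keep working. The model also shows the caveat: hosts inside a segment still infect each other, so segmentation shrinks the blast radius but does not replace patching the devices that can be patched.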
While private companies — like the company that runs the hospital in the show — could certainly pay ransomware demands, the FBI agents in the show warned the hospital against paying.
According to McArdle, as recently as 2016 the FBI strongly advised health care organizations against paying ransoms, since paying does not guarantee the return of their data.
“However, more recently, it appears the FBI is only encouraging health care organizations to pay a ransom unless all other options have been exhausted,” said McArdle.
Although the show positioned the hacker as purely motivated by money — the attack occurred after it was publicized that an anonymous donor was funding a special contest at the hospital — actors employing ransomware often have other political, business or personal reasons for targeting a specific institution.
The episode closed on a cliffhanger — a main character pledged to find the anonymous donor in order to pay the ransom — so there may be time to intervene before the staff at Grey Sloan runs afoul of real-life FBI advice.