No one was particularly impressed a year ago when I predicted on Facebook that if we got involved in Ukraine, we could expect Russian hackers to attack American medical facilities, with worrisome consequences. Big deal, I was told. Ukraine must be defended, and if so, such costs must be discounted.
Fair enough. I just want to point out that I’m impressed with myself: it’s taken a year, but my prediction has been vindicated. Russian hackers have now attacked one medical facility in each of the 50 states of the United States. The attacks have mostly gone unnoticed, unless, I suppose, you’re a patient or provider affected by a particular attack. None of our “leaders” has said a word about them that I’ve heard. Is it that they prefer to avoid panic, or prefer to induce ignorance? Your pick. Meanwhile, the hackers, and the people behind them, are trying to show us that they can attack critical infrastructure at will. And they can. Hate to say this, but I told you so. Now, so have they.
I’m not suggesting that we should give in to their blackmail, but here’s a defeatist observation for you: we now know how our involvement in Ukraine has put us at greater risk than we faced before it. What’s less clear is how it’s made us safer, or how it ever will. Naive, I suppose, to think that safety was ever among the aims of our national security establishment. But I’d like to think that it’s among ours.
(The views I express in this post and elsewhere on this blog and website are strictly my own, written in my capacity as a private individual, and are not intended to reflect the views of my employer, CorroHealth. None of the claims I make here or elsewhere are proprietary.)
A PS on my post: I haven’t gone through the full list of 50 medical facilities on the Killnet list, so I can’t confirm that Killnet has hit all 50. That said, mainstream reporting on this topic has been woefully inadequate and incomplete. Most reporting I’ve seen reports the number of facilities hit on a specific date, January 30, 2023, listing that as about 14. But the relevant issue is not how many facilities were hit on a specific date, but how many were hit in total.
I happen to know that Hudson Regional Hospital (Secaucus, New Jersey), a target on the Killnet list but not reported in the media, was hit by a cyberattack. The attack has caused at least a week of disruption at the hospital, and is still not resolved.
I would also view with skepticism hospitals’ claims that these attacks are mere nuisances that do no substantive harm, and don’t affect clinical practice. The first claim is extremely vague and unclear. What counts as substantive harm? Most press coverage and hospital PR, after all, doesn’t clearly or exhaustively identify what data was lost or what damage was done. The second is highly misleading. For one thing, it’s not clear what would count as evidence of clinical harm caused by a cyberattack; for another, it’s not clear what evidence is being invoked when the harm is pre-emptively minimized by hospital spokespersons.
To cite one recent example (not clear whether it’s of Russian origin or not): Centra-State Hospital in Freehold, New Jersey was hit by a cyberattack in late December, which was not formally reported to patients until February; 617,000 accounts were compromised, including Social Security numbers, and the hospital halted admissions for a while. A data breach of that nature strikes me as ipso facto a substantive harm; indeed, some patients agree, as the hospital is under a class action suit for the breach. To say, as Centra-State did, that “Critical patient care has not been adversely affected” is not the same as saying that clinical practice wasn’t adversely affected. It seems obvious enough that a halt in admissions is at least implicitly the confession of an adverse effect on clinical practice.
Given the thin nature of the reporting on this issue, these events typically go under the radar screen. If there is a Russian connection, it’s rarely made explicit. If there is substantive damage, it’s mostly covered up or concealed. Most of the stories themselves, sketchy to begin with, disappear within a day or so. There’s little public appreciation of the frequency of such attacks, or their gravity.
There’s something obscene about the fact that the United States government is so keen to ban TikTok, a purely hypothetical threat, when there is a direct, obvious, documented threat to the entire health care system from Russian (and likely Chinese) hackers, largely attributable in the Russian case to retaliation for US involvement in the Ukraine war. The burden of responding to these threats–including professionalized, weaponized threats from the Russian security services–has fallen directly on private actors (hospitals, payers, and vendors) that lack both the practical incentive and the technical capacities to pre-empt them. Such institutions are about “business as usual,” and are supremely confident that hacks are a mere “nuisance” they can handle on a piecemeal basis. That, of course, is how they dealt with the prospect of a pandemic before 2020, with unexpectedly devastating consequences.
So expect more “disruptions,” and worse.
(The views I express here are strictly my own, and are not intended to reflect the views or position of my employer, CorroHealth.)