A postmortem of the Grey’s Anatomy ransomware episode: Accurate or Hollywood hyperbole?

Medical drama Grey's Anatomy has killed off a lot of characters in its 14-year run. But in the Nov. 16 mid-season finale, titled “Out of Nowhere,” Grey-Sloan Memorial Hospital itself was on life support after its network became infected with ransomware, causing machines all over the facility to malfunction. The storyline was no doubt a timely one, following a string of real-life ransomware attacks on hospitals and health-care facilities over the past two years. But how accurate was it in terms of portraying what an actual ransomware attack looks like? SC Media consulted with three leading health care cybersecurity experts to find out what was realistic and what was dramatic license. (Sadly, however, we could not persuade them to weigh in on the McDreamy vs. McSteamy debate.) Our experts:

Taylor Lehmann, CISO at Wellforce health system and Tufts Medical Center in Boston, Mass.
Elie Nasrallah, director of cybersecurity strategy at HITRUST, the Health Information Trust Alliance
Clyde Hewitt, VP of security strategy at health care IT consulting firm CynergisTek

In the first major sign of tech trouble, patients' monitoring systems all begin to flatline at once, even though there is no medical emergency. One doctor even mistakenly shocks a sleeping man with a defibrillator because it falsely appeared as if his heart stopped. Taylor Lehman (TL): While not impossible, doing this would be counter to the attacker's purpose, which was clearly to make money via ransomware… Learning how to make that software exhibit those behaviors would take more time than what would typically be expected by someone who is motivated for financial returns exclusively. Elie Nasrallah (EN): Yes, it is possible they could all flatline, but, as Taylor suggests, not likely in the case of a financially motivated threat actor… [If attackers] get control of a computer, they can show what they choose, but more likely in real life, they will show a ransom note screenshot instead. So there may be some artistic license here. Clyde Hewitt (CH): I think that's dramatic effect... In many instances, the staff would not know there's a ransomware attack underway until the IT department told them… IT's going to notice it first when network traffic goes crazy, CPUs start [malfunctioning] – there are a whole lot of flags on the back end before those [patient] monitors go down. But it's not just the monitoring systems that are disabled. So, too, are any devices connected to the network, including VOIP phones, CT scanners and scope monitors. According to our experts, it's not unusual to see all of this equipment networked together. TL: Many organizations rely on openly networked equipment to provide unfettered access to patient information... In many cases, these networks are “flat” or unsegmented and not protected by internal firewalls. It's plausible that compromising one device could impact all other devices on the same network. EN: We live in a connected world. Many organizations have a simplistic network connected to single switches, but many have network segmentation. CH: In my experience, it is one big flat happy family. There are hospitals that are progressive that are starting to isolate these things, but eventually they come back together – and the reason for that is the data in a lot of these medical devices get fed back into the EHR (Electronic Health Record system). Some hospitals are starting to put biomedical equipment on a separate wireless network... [Other exceptions include] certain modalities or certain systems in an operating room – they have a different router, because everything that's physically inside the operating room is on this little microenvironment, and there's a router or a gateway that then connects that to the main hospital environment. So that's going to act like a firewall potentially. However, one issue that Grey's Anatomy failed to consider, or chose to ignore, is that many of these networked machines run on disparate software and operating systems (or versions of the same OS). This is especially true, noted Hewitt, because device manufacturers often stipulate in their terms of service that users cannot apply updates or patches. CH: I would anticipate that the average life expectancy of a piece of biomedical equipment in a hospital is probably 15 years. And as a result of that, the underlying operating systems for these things may be Windows 2007, but more than likely Windows XP or Windows 95, maybe Windows 2003 or Windows 2000, or maybe some old Linux or Unix. There's going to be a hodgepodge of stuff out there. And not every piece of equipment has all of its services running, It's overhead, it's not needed. So therefore, vulnerabilities [related to these services can't be exploited]. If an attacker does get in, they're not going to be successful at everything. It will be sporadic. So maybe it's a piece of a piece of lab equipment, maybe it's a heart monitor, maybe it's an EKG machine, maybe it's an IV pump. but it's not going to be everything, more than likely, because if a hacker gets in, they're going to get in with one, maybe two, vulnerabilities… It appeared in the TV show that [almost] everything was compromised. And while we can say the possibility of that happening is greater than zero, the probability of everything in the hospital being compromised is very remote. TL: Of course, differences in software could make it hard for the same attack to work exactly the same on two machines running different software. But that's not how this stuff works: most bad software isn't written so that it works across multiple devices; [rather,] it looks for and finds ways to exploit common vulnerabilities. These vulnerabilities may be present in lots of different types of software. In many cases, these vulnerabilities exist and can be exploited in new software as well as software from 10-15 years ago. During the episode, the doctors are unable to look up their patients' medical charts. In one case, Dr. Alex Karev (Justin Chambers) doesn't know whether or not to administer the blood-thinner Heparin to Frankie, a seven-year-old blood disorder patient, because he can't determine whether a staff nurse already gave him vitamin K, which would cause a fatal drug interaction. This suggests that the doctors at Grey-Sloan Memorial don't keep paper backups in the event of technological difficulties. CH: I think that that is probably one of the more accurate depictions in the show. As hospitals move more and more into full electronics, paper's going away. So that is what keeps security professionals up at night: Not being able to get into the chart, not being able to find the history. That is a scary thought. Now, some organizations are looking to keep… an offline copy of the electronic charts, so that they can access it. TL: Many organizations plan for scenarios just like this and do have procedures to print information on patients under their care as a way of providing backup in case systems go down. Most organizations drill on these procedures regularly to be ready for this. In addition, most in-patient areas are staffed on 12-hour shifts, allowing the nurses and caretakers to establish an understanding of the treatment history during their time. While not a replacement for a medical record, the continuity in nursing staff provides a frame of reference when dealing with specific patients. The hacker demands a 4,932 bitcoin ransom, which in this episode equates to $20 million – although in real life, it's actually worth closer to $51.2 million as of Nov. 28. Granted, the hacker chose this figure presumably because the hospital had announced a multimillion-dollar contest, but the experts still found this plot point a little hard to digest. TL: Bitcoin recently experienced a surge in value, making it very, very, very expensive to trade in. This seems like a demand that has not been seen elsewhere. If it were to be presented in this day and age, it would likely signal the attacker doesn't actually want to be paid – why demand an amount no one can afford? – and has alternative motives (e.g., destruction, extortion, access to specific records, etc.). EN: Hollywood Presbyterian paid $17,000 in ransom – at today's value that would be only two bitcoins. However, the outage and recovery costs can be in the hundreds of thousands of dollars. Later, a splenectomy surgery requiring a blood transfusion is endangered when an intern is unable to open a door to the blood bank, because the electronic keypad lock is affected by the attack. To make matters worse, the hospital's power starts fading in and out. CH: Not a high probability, because the SCADA systems that control the facility power and the access control systems may or may not be connected [to the network]. Now generally, for the physical access control system, there's a central server that downloads the access control codes to the individual doors. If the server goes down… the keypad doesn't need access to the server because it [the code] is stored locally. Normally, if a hacker's going to come in, they're going to go for the high-impact systems, like trying to take down the EHR or breaking into the EHR and taking medical records or doing ransomware across all of the desktops and mobile computers because that's going to have the most impact. Within hours of the ransomware attack (perhaps even under an hour), the FBI swoops into the hospital, ordering the staff to turn off their computers and even their mobile Wi-Fi connectivity. TL: Not realistic. The FBI's response would be far more measured and would avoid any kneejerk reactions, like shutting systems down. Instead, the FBI and IT would be advised to do the basics to prevent proliferation of bad software, but would implement steps and measures to ensure they can figure out who did what, how they're doing it, and what's next. You can't do that if you shut the computer systems down as the FBI indicated they should. EN: The FBI showing up in minutes only works in Hollywood. In most cases they are there to identify the threat actor and only act in an advisory capacity. CH: In reality if you call them, they're going to leave you alone for days until they call back. I found that to be highly Hollywood. The doctors and FBI engage in a feisty ethical debate over whether or not to pay off the hacker – at act that will spare the hospital and its patients, but could encourage similar attacks in the future. Ultimately, Chief of Surgery Miranda Bailey (Chandra Wilson) resolves to pay the ransom (although this would normally be the decision of an administrator, notes Hewitt). TL: Every attack is different. Some are destructive, some are looking for financial gain, while others are looking for payback. These conclusions matter to determine the right response; attribution is important. At this point, many hospitals are maturing their cyber programs to address the technical gaps in controls that could create those ethical dilemmas. In many cases, organizations should NOT pay and instead ensure they have appropriate backups of their data and ability to restore easily. EN: This depends on the organization, since every situation might be handled differently. However, many hospitals have been forced to pay due to lack of good, clean backups and a timely process method to restore. This episode showed how quickly they needed the issue to stop, how they were scrambling under pressure to retain patient safety, and how little the doctors understood the magnitude of the attack. Ultimately, paying doesn't guarantee the systems will be restored. CH: They… made the decision to go ahead and pay the ransom, whereas that discussion generally doesn't even come up until it's days into the incident recovery process. Number one, they're going to say, ‘How good are our backups? Can we recover? What's the timeline? And even then the FBI says – and we echo that – don't pay. You're dealing with criminals. You can't trust them. Who's to say they're not going to come back for more money?