Search

Serial hackers: Grey's Anatomy

In season 14, the doctors of Grey’s Anatomy face a ransomware attack. A situation not so far from reality…

Seattle Grace Hospital was the victim of a cyber attack

Broadcasted for the first time in 2005, Grey’s Anatomy is about to embark on its 19th season. The plot takes place at the Seattle Grace Hospital, where, episode after episode, viewers are invited to follow the professional and romantic lives of surgical interns.

In the eighth episode of season fourteen, the heart monitors and then the doctors’ tablets show the first signs of dysfunction. Soon, all the hospital’s screens display a ransom demand: “Currently we control your hospital. We own your servers. We own your systems. We own your patient’s medical records. To regain access to your medical records, you need an encryption key, which only we have.” 

Unsurprisingly, the doctors panick. They realize that they are not prepared for this kind of situation.

Cyberattack: preparing as best as possible to react properly

During a cyber crisis, it is almost impossible to rely on the usual computer tools or means of communication because they are out of order or potentially compromised. The first step to take in the event of an attack such as the one experienced by the Seattle Grace doctors is to isolate the compromised machines from the network, while leaving them turned on. This allows response teams to analyze the situation and then, once the crisis is over, to conduct further investigation to identify the vulnerability that allowed the attack to occur.

This is the protocol that the characters in the series will follow. The FBI, present to help them, will ask them to turn off electronic devices or at least to isolate them from the network.

Once this first step has been completed, it is necessary to work in degraded mode. In the case of a health care institution, this is all the more crucial as patient care can become a matter of life and death. In the series, more experienced doctors, having studied when the Internet and connected objects did not yet exist, teach more traditional techniques to young doctors, so that they can continue to take care of their patients.

And as is often the case, reality is close to fiction. The same thing happened to the doctors at the Rouen University Hospital in 2019 (in France), when their establishment was hit by ransomware. “In order to prevent the virus from spreading, all computers were quickly shut down. The hospital then goes into degraded mode,“ explains Le Monde, before quoting Rémi Heym, the hospital’s communications director: “Shutting down the entire system is not insignificant for a hospital where everything is computerized: admissions, prescriptions, analyses, reports…”.

And the article goes on to say: “For medical staff, forced to return to ‘the good old paper and pencil method’, the weekend has taken a leap into the past, into the pre-computer age. With no email, the phone that keeps ringing between departments and caregivers running from unit to unit to transmit test results. In practical terms, emergency room nurses, who could no longer access patients’ medical records, wrote down all the entries on a magnetic board. The small, self-adhesive labels, which normally contained the patient’s name and which allowed them to track the patient’s progress and tests, were reduced to a single number. They had to be completed by hand, one by one."

Ransomware attack: should you pay the ransom?

Back to fiction: Miranda Bailey, chief of surgery, wants to pay the ransom. The FBI, which has, as we have seen, been called in as backup, strongly advises against it, while conceding that another hospital, also victim of this same type of attack, has recovered its data after paying the sum requested by the criminals. So, what to do in this kind of situation?

While not all cybersecurity companies have the same opinion on this particular point, Orange Cyberdefense’s position is clear: we do not recommend giving in to blackmail. The hacker will be encouraged to continue his misdeeds and will target other establishments. In addition, there are no guarantees regarding the potential recovery of the data. And nothing prevents the cybercriminal from having made a copy of the data for resale… whether he has returned it or not. According to Vincent Trély, president of the board of directors of the Apssis, questioned in February 2019 by Korii, a media company of the Slate group, “the data are resold between 30 and 200 bitcoins, so in all between 30,000 and one million euros”. By data, the professional refers to consultation reports, prescriptions and the number of consultations of a patient.

Also, in the face of a cyber crisis of this magnitude, it is better to get help. Orange Cyberdefense, like other companies specializing in cybersecurity, is qualified to respond to security incidents. What is an overwhelming event for a company will be a working day like any other for an expert in the field, who will have faced a multitude of similar situations. In the series, the doctors are assisted by the FBI, which remains, admittedly, rather unrealistic. Anyway, they are not alone.

Cyber crisis: what to do after the attack?

In Grey’s Anatomy, it is finally with the help of a former hacker who became a doctor, that the Seattle Grace manages to counter the attackers. Because it is a show, all’s well that ends well.

In reality, happy endings do happen, and more often than one might think. According to a study conducted by Sophos in 2020: “94% of companies whose data has been encrypted have retrieved it. Twice as many people have recovered it via backups (56%) rather than paying a ransom (26%).

Once the crisis is over, it is important to understand how the attacker was able to penetrate the network and implement corrective but also preventive measures: staff training, regular crisis management exercises, etc.

Simon Deterre, a cyber security consultant, advises to “conduct a post-mortem analysis of how the crisis was handled. You have to record everything, write down exactly what happened, what actions were taken, by whom and when. This documentation becomes a kind of black box and allows a cold analysis of what was done well while identifying the bad decisions that were made. The idea is obviously to improve”.

Have you experienced a cybersecurity incident that you require immediate assistance on?

Get support by calling your local hotlines

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.

CSIRT