Information Warfare: Decrypting the Cyber Threat for EMS Part 2
This is part two of a three-part series on cyber threats in EMS. In part one of the series, key terms relating to cyber threats were defined, and the motives behind a cyber attack were discussed. Also covered were the different types of cyber terrorism. In part two, we take a look at the possible scope of an attack on an EMS system, and what the attackers could do if they gain access to an EMS agency’s cyber network. You can find part one of the series here.
Sadly, it would be impossible to list all the ways in which EMS would be vulnerable to cyber crime. Given the speed with which technology is changing how we do business, new vulnerabilities seem to be emerging constantly. So for the purposes of this article, I’ll discuss a few prime examples of vulnerabilities, both within the EMS system and in systems which EMS may be dependent upon.
Personal data acquisition – The most obvious way in which EMS could be targeted is for the acquisition of personal protected data. Think about how many times in one day you have asked a complete stranger for their name, date of birth, home address and social security number. When I first started in EMS, I was shocked by how easily people gave this information to medical providers. We store that information on computers and we transfer that information to a third-party billing company (well, most of us do anyway). There could be holes anywhere along those lines by which criminals could access and acquire that personal information.
Medical record acquisition or change – Another use of cyber intrusion could be to acquire information about particular individuals. There could be any number of motivating factors for accessing someone’s personal medical information. These range from companies using this information for the purpose of targeted advertising, to selling medical information about a celebrity, to changing the dosages of medications patients are receiving. In 1994, a nurse in the UK hacked into his hospital’s computer system and changed the prescriptions of two patients, almost killing them.[1] There is also a currently unsubstantiated tale on the internet of an Italian mob boss who was shot. While recovering in a hospital, rivals hacked into the hospital’s computer systems, changed his dosages, then changed them back after he died so it looked like the attending nurse made the mistake. It does seem like one of the great urban legends; however, it certainly is a possibility.
Medical device tampering – How often do we have to connect important medical equipment like heart monitors and pumps to computers and run manufacturer-recommended updates? Have you ever given thought to the possibility of viruses or other bugs being loaded into the computers within those pieces of equipment? This could leave equipment open to malicious code that could facilitate denial of service attacks or remote access Trojans. Consider the chaos that could be created by a remote access Trojan implanted in a particular batch of insulin pumps, giving the attacker control over dosages. This very scenario was demonstrated at a recent conference on cyber terrorism. Many have deemed it an impractical tool of mass destruction, but the possibility was successfully demonstrated.
Public safety communications – My head begins to swirl when I think about all the possibilities associated with 9-1-1 dispatching and communications. By definition, Enhanced 911 uses computer-aided dispatch and other technology to improve emergency response. How reliant are we upon the proper functioning of our dispatch centers? Consider what would happen if your trunked radio system was remotely turned off. Not exactly an earth-shattering, apocalyptic scenario…unless of course you don’t have a backup. But even a minor inconvenience could put a damper on your response. Are your ambulances tracked by GPS? What would happen if those units weren’t appearing on the screens of the dispatchers tracking you? I’ve worked with paramedics who would consider this a blessing, but again, it would be a nuisance that could create delays in your response to people in need. Now consider if something were to happen to cause 9-1-1 calls from the public to not reach the dispatch centers. That suddenly becomes more than a nuisance or an inconvenience. The good news is most 9-1-1 systems nowadays are closed systems, meaning someone from the outside would have an extremely difficult time hacking into the system, but closed systems can be undone with a thumb drive and a disgruntled employee; just ask the Pentagon. And while the 9-1-1 communications center may be a closed system, it relies upon the major telecommunications carriers to relay the calls, leaving a larger vulnerability.
Agency website defacement – A common weapon of social hacktivists or disgruntled employees would be to log onto your agency’s website and post negative, malicious or misleading information. This information could be directly derogatory about your agency, or written in such a way as to cause public panic. During a recent cyber exercise, the U.S. Virgin Islands tested the response of its agencies to a cyber hacktivist group posting tsunami warnings on various government websites. Consider the public panic that could be created if such information were posted on your agency’s website (Okay, so maybe if you live in some place like Oklahoma, you may want to replace ‘tsunami’ with ‘tornado’ to get the full effect of that statement, but you see where I’m coming from). Even after the message or defacement is removed, you will still have to deal with the fallout from people who read the message and now have lost confidence in your ability to protect them.
This doesn’t even begin to touch upon all the many ways in which society in general could be impacted by cyber attacks that create mass casualties. Tampering with industrial controls at chemical plants resulting in hazardous materials releases, altering the system controls at water pump stations resulting in loss of water pressure and allowing fires to spread unchecked, altering traffic light patterns to create major traffic accidents…the tragic possibilities are endless.
References
1. Brenner, Susan, “(Attempted) Computer Murder,” Cybercrime.
Devin Kerins is the regional exercise officer for FEMA Region II. In this role, he has helped develop and conduct cyber-terrorism exercises in New York, New Jersey, Puerto Rico and the U.S. Virgin Islands, as well as assisting in the development of cyber exercises nationwide. He is a part-time paramedic with Holy Name Hospital in Teaneck, NJ. Devin is also the author of several books, including the “EMS: The Job of Your Life” series.