In 2006 an ice sheet on a steep slope put me in a French hospital for surgery. I will spare you the details; just google “Tibial Plateau Fracture” if you’re interested in those things. Later, I was repatriated to the Netherlands by airplane (the Dutch call them “plaster cast flights”). When I entered the hospital there, for some reason the personnel missed that I had come from France, and I didn’t realize it was important. I vividly remember the young doctor turning pale when I casually mentioned my plaster cast flight from Chambery. Many things happened at once.
I turned out to be at an elevated risk for MRSA, a flesh-eating, antibiotic-resistant, contagious bacterium, capable of wreaking havoc in hospitals. Again, google it. The hospital wasn’t taking any risks and activated multiple emergency procedures. The entire hospital wing was put on lockdown, with quarantine controls and cleaners in hazmat suits methodically cleaning the wing, and every patient and employee was tested for MRSA. I later learned I didn’t have MRSA and didn’t infect anyone either.
Reflecting on this, having seen first-hand the mindset of hospitals when fighting threats like these, it struck me as very interesting that everyone assumes hospitals have a heightened vulnerability to cyber-attacks.
Infections need vulnerabilities. In this case, antibiotics are used in abundance in hospitals, and MRSA is resistant to the majority of them. French hospitals were at an elevated risk, and patients transferring from French hospitals to the Netherlands were supposed to be treated in quarantine. When the protocol wasn’t followed, the hospital assumed an outbreak, and contained, investigated, rescheduled and cleaned for days until they could be sure the situation was under control.
If you read all of this, you would think hospitals are prime examples of organizations well equipped and trained to deal with a crisis, whether it’s an MRSA or a WannaCry outbreak. Keeping the threat out is one thing, but if that fails, how you respond is equally important. Keep it contained, use compartmentalization to isolate more vulnerable processes, build a quarantine process in your network, build detection to spot the outbreak as early as possible and then run emergency responses. Treat the infections, normalize the situation, and lift the quarantines.
To me it seems hospitals have the right people and mindset to do all of this, as long as they have access to knowledge about processes and technology to support them. ICT and healthcare might be more similar than we think, as long as we can spot the process parallels and realize that MRSA and ransomware are not that different.
By the way, I am fine now, thanks for asking.