That link in the email could be a Trojan horse.
Cyber-crime can kill. New York Times reporters Melissa Eddy and Nicole Perlroth wrote1:
…cyber criminals hit a hospital in Düsseldorf, Germany, with so-called ransomware, in which hackers encrypt data and hold it hostage until the victim pays a ransom. The ransomware invaded 30 servers at University Hospital Düsseldorf [Sept 10, 2019], crashing systems and forcing the hospital to turn away emergency patients. As a result, German authorities said, a woman in a life-threatening condition was sent to a hospital 20 miles away in Wuppertal and died from treatment delays.
Cyber-crime can also halt health care. The San Diego Union-Tribune reporters Greg Moran and Paul Sisson wrote2:
A ransomware attack on Scripps Health’s computer network over the [first May 2021] weekend significantly disrupted care, forcing the giant healthcare provider to… postpone appointments set for Monday and divert some critical care patients to other hospitals… Electronic medical records were said to be down, forcing medical personnel to use paper records… also affecting ‘telemetry at most sites.’… The incident was serious enough to put all four Scripps hospitals in Encinitas, La Jolla, San Diego and Chula Vista on emergency bypass for stroke and heart attack patients, … Hospitals have become perennial targets of such high-tech heists.
Even before the pandemic, a record 764 American health care providers were hit by ransomware.1 Clinicians may wonder how they could possibly be accomplices to such disasters. The answer is clicking a link. Yes, just clicking a link in an email or a web page, which seems like an innocuous thing to do, can do damage. It is the internet equivalent of leaving the keys in your car with the engine running.
Clicking web links was never meant to be dangerous, but over time the technology changed while our thinking did not. Here are some of the twists and turns on a long, unplanned trip.
The Road to Cyber Mortality
Back in July 1945, The Atlantic Monthly published “As We May Think” by Vannevar Bush, PhD.3 World War II was ending, and Bush was Dean of Engineering at the Massachusetts Institute of Technology. During the war, he served as Director of the US Office of Scientific Research and Development. By summer 1945, Bush already had a good idea how the war would end. However, he was thinking beyond V-J Day to propose a new line of research that would advance the progress of progress itself. He had been overseeing scientific staff that was “staggered by the findings and conclusions of thousands of other workers—conclusions which [they] cannot find time to grasp, much less to remember, as they appear.”3
Bush proposed developing a mechanized private file and library, or “a Memex… a device in which an individual stores all [their] books, records, and communications, and which is mechanized so that it may be consulted with exceeding speed and flexibility. It is an enlarged intimate supplement to [their] memory... Books of all sorts, pictures, current periodicals, newspapers, are thus obtained and dropped into place.”3 Bush wanted all information to be instantly accessible by tapping a few keys or pushing a lever.
Years later in March 1989, Tim Berners-Lee4 at Conseil Européen pour la Recherche Nucléaire (CERN) made very similar observations.5 CERN researchers were struggling with so many equipment manuals and physics articles that they needed Bush’s Memex. Luckily, during the intervening decades, computer and semiconductor engineering bypassed all the photographic and mechanical obstacles stymieing Bush. Computer keyboards were plentiful, links on a screen eliminated the levers, and global Internet connections allowed this version of Memex to circle our earth—a World Wide Web.
Keep in mind that Bush’s little levers, now screen links, were just meant to open a path from one piece of information to another. Unfortunately, in 1993 an early web browser changed all that.
The Mosaic browser (now Firefox) aimed to let computer terminals show graphs and pictures, not just text.6 Window-based operating systems were becoming popular (eg, Mac and Windows), so Mosaic’s ability to show pictures would make it a huge success. Mosaic succeeded in part by activating helper application programs. This allowed a clever division of labor: the work of retrieving and linking information could be separated from the work of presenting or interacting with information. Helper programs would eventually play music recordings and show cat videos.
Thanks to Mosaic’s behind-the-scenes activation of helper applications, new types of information could be added to the Web. Interested users just needed to find appropriate helper applications. Mind you, it was important for users to choose their helper programs carefully—not everyone read that memo. Inevitably, rogue applications found their way to the World Wide Web and were activated.
The Danger of Clicking Links
Clinicians never intentionally activate rogue computer applications, any more than they stash dirty coffee cups in sterile supply cabinets. So how was ransomware activated in major medical centers? The answer is a mash-up of human psychology and computer links: Clinicians who click links are not thinking about computer applications and application activation; they are thinking about tapping a digital lever to open a path to more information, exactly as Vannevar Bush dreamed.
This conceptual gap is an unlocked door, an opportunity to hijack a hospital information system. Clinical staff conceptualize clicking links as quite different from starting an application program. Staff usually describe starting a program as double-clicking an icon on the computer’s desktop. Unfortunately, clicking links can start applications, creating a sort of Trojan horse.
Must hospital and software security depend on clinicians understanding and speaking clearly about web browsers? The short answer is yes. Unthinking behavior, even with simple technology, can be disastrous. Take car keys, for example. WTNH staff Emma Rybacki, Ken Houston, and Sabina Kuriakose reported7:
[luckily, a] mother is now reunited with her 5-year-old daughter after someone stole her car with the child still inside... she feared for her daughter’s life. She says she made a mistake leaving the car running [just outside a store] but... her son was in pain from [a] sports injury and she was [running in] to get him Tylenol. She told us, ‘... any single mom has done that before... I just didn’t think, I was [just] trying to [get] Tylenol.’
Though most clinicians drive safely and lock their cars without incident, any one conceptual breakdown (eg, the idea that carrying out a task is harmless) can lead to terrible consequences.
Why don't Apple, Microsoft, and Linux contributors and their colleagues build more secure computer systems? The short answer is they do, but consumers discover some programs will not run smoothly on secure versions. Individuals like to download and run software that they feel meets their needs, even if a particular application opens the front door—the Trojan horse remains irresistible.
We must think before we click, download, and buy software. Who is the source? Who vetted it? Does it behave appropriately? The effort is an annoyance, but so is locking cars and reading product reviews. Added layers of software protection are available for link surveillance, antivirus, and training: these software guardians automatically examine links before our browsers actually access content, inspect programs if we download them, and test us personally with mock-ups of suspicious emails.8-10 It is clear our patients’ lives depend on Internet vigilance, at least until hospital systems are significantly safer than cars.
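To make the idea of a software guardian concrete, here is a small Python sketch, added for illustration and not part of the original article or of any product it cites. It reads the links in an email before anyone clicks them and flags the cases described above: a link that starts a helper application instead of opening a page, a link whose target is a program, and a link whose visible text names one site while it leads to another. The extension list, the host names, and the `customviewer` scheme are assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative policy values assumed for this example, not taken from any product.
WEB_SCHEMES = {"http", "https"}
PROGRAM_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm")
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_link(href, text):
    """Return the reasons a link deserves a second look before it is clicked."""
    reasons = []
    url = urlsplit(href.strip())
    if url.scheme.lower() not in WEB_SCHEMES:
        reasons.append("opens a helper application (scheme: %s)" % (url.scheme or "none"))
    if url.path.lower().endswith(PROGRAM_EXTENSIONS):
        reasons.append("target is a program or script, not a page")
    host, shown = (url.hostname or "").lower(), HOST_IN_TEXT.search(text)
    if host and shown:
        named = shown.group(1).lower()
        if host != named and not host.endswith("." + named):
            reasons.append("text names %s but link goes to %s" % (named, host))
    return reasons

def triage_email(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    return {href: triage_link(href, text) for href, text in collector.links}

# Constructed sample message; all hosts and the custom scheme are made up.
SAMPLE = """<a href="https://intranet.hospital.example/schedule">View schedule</a>
<a href="http://files.unknown.example/payroll_update.exe">portal.hospital.example</a>
<a href="customviewer://open?file=report">Open report</a>"""
```

Calling `triage_email(SAMPLE)` returns no warnings for the first link, two for the second, and one for the third.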
Dr Powsner is professor of Psychiatry & Emergency Medicine at Yale University School of Medicine and a member of the Yale Center for Medical Informatics.
1. Eddy M, Perlroth N. Cyber attack suspected in German woman’s death. The New York Times. September 18, 2020. Accessed June 22, 2021. https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html
2. Moran G, Sisson P. Scripps Health targeted by cyberattack. The San Diego Union-Tribune. May 2, 2021. Accessed June 22, 2021. https://www.sandiegouniontribune.com/breaking/story/2021-05-02/scripps-hospitals-it-by-it-security-incident-but-patient-care-go
3. Bush V. As we may think. The Atlantic. July 1945. Accessed June 22, 2021. https://www.theatlantic.com/magazine/archive/1945/07/as-we-may-think/303881/
4. Berners-Lee T. Information management: a proposal. May 1989. Accessed June 22, 2021. https://www.w3.org/History/1989/proposal.html
5. Conseil Européen pour la Recherche Nucléaire. About CERN. Accessed June 22, 2021. https://home.cern/about
6. Mosaic browser—history of the NCSA Mosaic internet browser. History Computer. Accessed June 22, 2021. https://history-computer.com/mosaic-browser-history-of-the-ncsa-mosaic-internet-web-browser/
7. Rybacki E, Houston K, Kuriakose S. Wolcott PD search for carjacking suspects following kidnapping of 5-year-old; child found safe. WTNH. May 3, 2021. Accessed June 22, 2021. https://www.wtnh.com/news/connecticut/new-haven/wolcott-pd-searching-for-carjacking-suspects-following-kidnapping-of-5-year-old-child-found-safe/
8. Traffic Light Browser (url) Protection. BitDefender website. Accessed June 22, 2021. https://www.bitdefender.com/solutions/trafficlight.html
9. Safe Links in Microsoft Defender for Office 365. Accessed June 22, 2021. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide
10. Proofpoint Security Awareness Training. Accessed June 22, 2021. https://www.proofpoint.com/us/products/security-awareness-training