In January I carried out an investigation for a British newspaper that exposed the extent to which “smart” healthcare systems were becoming vulnerable to hackers.
The report, published in the Daily Mail, revealed that in the previous year alone, at least 28 hospital trusts in the United Kingdom had been hit by so-called “ransomware”, a form of computer virus that first encrypts every file on a server, and then demands payment, usually via bitcoin, to free them. Most often it finds its way on to servers when computer users in an organisation carelessly click on a link in an email.
But even more disturbing to read was the growing evidence that many of the smart medical devices – ranging from automated pumps administering drugs to patients in hospitals to pacemakers designed to transmit information to and from remotely located doctors via broadband – were shockingly vulnerable to being hacked.
An independent report by a software security company in the United States had found that one widely used home bedside monitoring system could be used “to reprogram and issue ... commands to pacemakers and implantable cardioverter defibrillators, to drain batteries, turn devices off, or even deliver a heart-stopping fatal T-wave shock”. Even a moderately talented hacker, concluded the report, could easily “convert the devices into weapons”.
To those in the know, none of this is particularly new. In 2013, former US vice president Dick Cheney’s cardiologist revealed that he had had the wireless function of his patient’s pacemaker disabled because “a sophisticated attacker might wirelessly access the device, reprogram it, and … kill the vice president”.
None of this seemed to bother the UK’s National Health Service when I approached officials for comment. Ransomware? Storm in a teacup. As for the potential for remote assassination via embedded smart medical device, the Medicines and Healthcare Products Regulatory Agency said that, while it was “aware of the potential for cybersecurity attacks”, there had been “no UK reports of any incidents”.
Now comes the news that on Friday 48 NHS organisations have again been hit by ransomware, in an attack that disrupted blood supplies and surgery schedules, locked patient notes, interfered with electronic prescription systems and caused prime minister Theresa May to convene a meeting of Cobra, the government’s national emergency committee.
The NHS was not alone. Security experts say 45,000 organisations in countries around the world were hit in the same, randomly targeted attack.
This episode should, but almost certainly won’t, give us pause for thought. Stampeded by technology and telecoms industries that have been wildly successful in convincing us that access to high-speed internet is nothing short of a human right, we are rushing headlong into an era of unprecedented interconnectivity, without any real grasp of the possible consequences.
Connectivity sounds like a good thing. How convenient to be able to switch on the lights or air-conditioning in our homes via an app on our smartphone or to be able to store our digital photographs and sensitive documents on devices thousands of kilometres away. But how much of this “progress” is actually necessary, or even desirable?
Superficially, it is possible to make a more convincing case for connected medical devices. Manufacturers conjure visions of a world in which devices installed in your home can make a diagnosis at a distance, saving time and money at every step in the care chain.
But for whom? The benefits for the corporations developing the devices, and for the healthcare organisations hoping to cut their costs by deploying them, are obvious, but for the individual they are illusory.
We are in the grip of a fast-moving technological revolution, driven by economic rather than social imperatives. The primary driver of the growth of the so-called internet of things, according to an industry-angled paper by the International Institute for Analytics, is “the broader adoption and deployment of sensors and smart devices [which are now] smaller, cheaper and require less power … they are literally everywhere, from the traffic signal helping to optimise traffic flow to the watch that is monitoring your vital signs”.
But this revolution is also evolutionary in effect, and therein lies the ultimate danger of surrendering ourselves to a wired, interconnected and interdependent existence.
A recent study of students at a university in the US found that those who relied upon the internet for information could not recall the facts they found, but could remember where to go to find those facts again. In short, their brains had become subservient hard drives, devoid of the capacity to store real data.
If we become utterly reliant on the internet of things for every aspect of our existence, how will that existence fare if, one day, the Wi-Fi fails or one of the major corporations controlling all our data goes bust?
Last year, after millions of connected devices around the world were hijacked to effect a denial-of-service attack that took sites such as Twitter, Reddit and Netflix temporarily offline, a computer security expert writing in New York magazine warned that “we are building a world-size robot, and we don’t even realise it”. While that robot was not yet too smart, “it’ll get smarter [and] more powerful and more capable through all the interconnections we’re building. It’ll also get much more dangerous.”
Consider that the next time you’re tempted to buy a product packaged with the prefix “smart”, or when your heart surgeon offers to fit you with the very latest in “smart” pacemakers. Taking the smart option could be the dumbest thing you, and the human race, ever did.
Jonathan Gornall is a frequent contributor to The National