The Surgical Hack

Stealing patient data, changing medication dosages or bugging surgical robots—there’s a whole lot of damage cybercriminals can do to hospitals

Shiv sat across from me in my office, a pleasant man in his mid-forties with a neatly mowed salt-and-pepper lawn atop his head. “I took your appointment to ask about my mother’s spine. I’ve been told she needs an operation, and I wanted a second opinion,” he added, pulling out his phone from a purple and silver striped suit pocket to show me some reports. “She’s back home in Delhi and has severe lower back pain going down both calves. She’s 70 and can’t walk for more than 10 minutes. There are pins and needles in the feet, the legs feel heavy,” he described all the typical symptoms of lumbar stenosis – nerve compression in the lower spine.

I began to type notes on my desktop. "Wait! Before I trust you with her life, are you still running Windows XP?" he interjected. I didn’t know what the hell he was talking about. “What’s that got to do with your mother’s spine?” I asked, a little perturbed. “I can hack into your system and gain access to all your hospital data, meddle with patient records, and tamper with billing,” he confessed. “Why would you do that?” I asked, a little testily. “Not me,” he smiled, easing me up a little. “I’m a cyber security expert and my job is to catch the guys who do it,” he told me. “Cybercriminals aren’t just locking up files for ransom anymore; they are shutting down life-saving medical devices, altering patient prescriptions, and even targeting hospitals for sabotage.”

He asked me if I wanted to hear a shocking story. I nodded. He told me it was about two rival hospitals in Mumbai. I asked him for names. He refused. A suspected cyberattack, possibly orchestrated by one hospital against the other, changed the medication dosage in the system from 50 mg to 500 mg. Nurses, following protocols, unknowingly gave patients incorrect medication. Within hours, four patients had died, and the hospital was thrown into chaos. “The news wasn’t allowed to come into the media,” Shiv said grimly.

He continued. “You won’t believe me, but a cyber security colleague of mine is admitted in another city hospital as we speak, and she wanted to know why her surgery was getting delayed. She gained access of the entire operation theatre on her phone, found out which patient was undergoing what procedure, what stage each operation was on, and how much longer it would be for her turn. “What!” I exclaimed. “In my hospital, with me being inside the operation theatre, I don’t have all this information!” I joked. He pulled out screenshots on his phone sent by his friend to show me.

“I believe, purely on humanitarian grounds, just as the Geneva Conventions protect medical personnel and facilities in times of war, the cybercriminal world should exempt health care from their attacks. There should be some value for the lives we’re struggling to save. Regular medical complications hurt patients (and doctors) anyway, and now we’re adding cyberattacks to the mix,” I lamented.

Shiv went on to narrate how in 2020, somewhere in Germany, a cyberattack crippled a hospital’s systems, forcing emergency patients to be rerouted to another facility 32 km away, which resulted in one patient dying. Recently, a major laboratory services provider for NHS hospitals in London was hacked, leading to mass cancellations of surgeries and blood tests and jeopardizing thousands of lives.

“You have a robot in your hospital?” he asked. I acknowledged. “I could gain access to it from my phone and make it cut 2 cm deeper than what you programmed it to,” he told me. I suggested in jest that perhaps he should perform his mother’s operation himself.

“Did you know that Putin won’t take a dump in a foreign hotel?” he continued, as I stared at him aghast. “Instead, his bodily waste is collected and transported back to Russia to prevent medical details from being analysed by hostile intelligence agencies.” This extreme level of precaution underscores how medical data is a goldmine for adversaries, containing insights into a person’s health, genetic vulnerabilities, psychological state, and even undisclosed conditions that could be used for manipulation. I wish my shit was that valuable.

“Listen, can I have your number? I feel I might need your help before you need mine!” I told Shiv. “Of course, happy to help,” he responded, as we fixed a date for his mom’s procedure.

I picked up my phone to save his number and entered my password to unlock my phone. “Is 123456 really your password?” he asked with his mouth open. I looked at him in sheer embarrassment. He took my phone to start changing it. & “Don’t worry, he said. “I won’t use your date of birth either!”