Wonderful. Yes, first of all, I wanted to discuss something that I call the “ransomware from hell”. It's a scenario that I made and that I think needs to be aired here.
Let's say you're a hospital administrator. You get an email and it says, “One of your employees just clicked on that phishing email from a Saudi prince and now we're inside your system, but we are not going to hold your data for ransom or erase it.” They say they have a much better idea: that they've traversed your network and they know that you have 75 Picker X-ray units, four Siemens MRIs and 2,000 BD infusion pumps. They're all there and they all have vulnerabilities.
There are zero-day vulnerabilities in many technologies that the manufacturers don't know about.
They say they're for sale on the dark web. They say they bought them on the dark web and they need to get their money back, so you have to pay them $10 million in Bitcoin by tomorrow, and, if you don't, they're not going to encrypt your data—that's so old school—they're just going to kill a patient every day.
I did look up an article from Israel on “Seven Ways to Kill a Patient with a Picker X-Ray Unit”: from hitting them physically with it to giving them too much radiation.
The reality is that I took this to a bunch of hospital administrators in the U.S., and they said that either they would pay the ransom—and I said, “Okay, great, then they'll be back for $20 million tomorrow”—or they'd ignore it. I said, “Well, then, you'll be on the front page of the New York Times under 'Hospital Kills Grandma by Refusing to Pay Ransom'.”
They also said they'd try to air gap it. This is where we get technical. They'd say that they will separate all the different hospital systems so that they can't do this. My medical colleagues says that's nonsense because that Picker X-ray unit has to talk to the doctor, the lab computer and the intraoperative MRI. My point is that it's a tightly connected network.
The answer is—and I've taken this to everybody I know who's smart—that there is no answer.