Terrorism’s New Targets: The Health Industry
28/12/2014 | by ICT Staff  

The main point of this workshop is that the health industry can be and in some cases already is a target for terrorist organizations. Awareness of this subject has to be raised because very few security measures exist to face this threat. The terrorist threat to the health industry is very broad; it can target health facilities, drugs, medical devices, etc. There are also various kinds of attacks that can be launched; there could be attacks against an individual target through the retrieval of medical information or the hijacking of medical devices, but also against mass targets, if a facility is attacked or drugs are counterfeited. Because the health industry is essential and developing, the potential for terrorist attacks is growing. Regulators and governments should create security guidance for health industries and facilities. It’s essential to educate medical staff and health workers about this threat in order to close this security gap before terrorists can massively swoop in.

Co-Chair: Dr. Boaz Ganor
Founder & Executive Director, International Institute for Counter-Terrorism (ICT), Ronald Lauder Chair for Counter-Terrorism & Dean of the Lauder School of Government, Diplomacy & Strategy, IDC Herzliya, Israel

Co-Chair: Dr. Miriam Halperin Wernli
Vice President, Deputy Head Global Clinical Development, Head of Global Business and Science Affairs, Actelion Pharmaceuticals Ltd, Switzerland

Mr. Mickey Arieli
Director, Division of Enforcement and Inspection, Ministry of Health, Israel

Prof. Benoît Morel
Associate Teaching Professor of Engineering and Public Policy, and Physics, Emeritus, Carnegie Mellon University, United States of America

Mr. Joram Rubinstein
Director of Security and Protection Division, Ministry of Health, Israel

Prof. Shmuel Shapira
Director General, Israel Institute for Biological Research (IIBR), Israel

Dr. Boaz Ganor

The threat of terrorism to the health industry may not be obvious, but for Dr. Ganor, the security gaps and the fragile security systems of the health industry are a real concern. For example, after more in-depth research on this subject, he was able to find strong evidence that Hezbollah is very involved in the health industry. However, he explained that today, it is still hard to raise awareness about this threat, as its nature and goals are not easily understandable. For Dr. Ganor, the most efficient way to understand the reality and the magnitude of the threat to the health industry is to see a video clip of an attack by Al-Qaeda in the Arabian Peninsula (AQAP) on a hospital in Yemen. In this surveillance video, AQAP detonates a bomb behind the main entrance of the hospital, and then brutally assassinates all the staff and patients. For Dr. Ganor, this is proof that hospitals should be concerned by terrorist threats, even though they must treat terrorists like any other patient. Dr. Ganor also underlines the existence of various other kinds of threats like cyber threats, which can lead to a very kinetic outcome. In general, the lack of awareness of the public and of the health industry creates a gap for terrorism to exploit. Dr. Ganor argues that terrorists are in many cases innovative and try to appropriate new scientific knowledge and capabilities. For this reason, we need to think ahead and try to understand how terrorists might use our day-to-day technology. He explains that classical terrorism was individual terrorism, focused on a specific target. The health industry is an opportunity for this through poisoning or disruption of medical treatment. For Dr. Ganor, the most important issue today is to raise the awareness of security personnel to this specific threat.

Dr. Miriam Halperin Wernli
Dr. Halperin Wernli argued that we should be concerned about the security of medical devices. Indeed, medical devices rely heavily on software for connectivity and communication. She underlines the difference between peripheral medical devices that need to be connected to a “traditional computer system,” which cannot be controlled by the vendor of the device, and independent medical devices, which are embedded in our bodies. She explains that these devices, by their nature, need a lot of wireless options and thus offer the largest surface for attack. Dr. Halperin Wernli wants to focus on implantable medical devices (IMDs), such as pacemakers, ICDs, and drug pumps. There are two categories of risks: unintentional and intentional malfunctions. An example of an unintentional malfunction would be the incident in 2010 when McAfee paralyzed computers in a hospital because the software update went wrong. Dr. Halperin Wernli believes that an intentional attack could focus on three areas of vulnerability: an insider attack (linked to the programmer), a passive outside attack (eavesdropping on private information), or an active outside attack (affecting patients’ physiology). She explains that today there is no mention of security in approval processes for medical devices, and for this reason the medical industry should itself take care of this security breach. She gives possible ideas for securing medical devices, such as adding security services, patient notification, or a key to access the system. Dr. Halperin Wernli argues that as the medical devices industry is growing, it’s going to expand the number of devices, and create more computerization and longer range communication. There will be bidirectional use of the Internet, and even cooperation among devices inside the body of a patient. This evolution will lead to more and more security and privacy issues. If risks today are mainly related to unintentional malfunctions, terrorists will soon be able to change this and take advantage of the security issues.

Dr. Benoit Morel
According to Dr. Benoit Morel, terrorists exploit the fact that democratic society is open and free. Medical devices are a very new phenomenon, and they can be a point of entry to cyber terrorism. Our society is generating vulnerabilities because when we modernize airplanes, computers, and cars, we expose our society to more cyber attacks. Today, most systems, including in the health industry, use a password, but it’s getting easier to crack passwords. Dr. Morel explains that there is no such thing as a safe password, which means that potentially you can program a medical device from anywhere in the world. For him, even systems that are certified can actually be used against the patients, as there is not yet a good way to control medical devices before commercialization. Dr. Morel argues that hackers are the ones driving cyber security. However, producers of medical devices do not give them to hackers for testing because producers are reluctant to check security breaches. Another problem is that medical devices have a life cycle of fifteen years, and they are not updated with new software. For example, today in hospitals and most medical devices, Windows XP is still in use. New functionalities are added to an old system, but the software is still the same. The challenge is therefore that medical devices are not cutting edge high tech. For Dr. Morel, there is no easy strategy as damages are difficult to appreciate fully and there are also commercial interests at stake.

Mr. Mickey Arieli
Mr. Mickey Arieli underlines the threat of pharmaceutical crime. This is mainly cyber crime involving counterfeit and stolen drugs, which are sold on the Internet. Counterfeit drugs are mostly produced with stocks of drugs that were meant to be destroyed, and instead were repacked. Today, two million counterfeit insulator pumps have infiltrated the U.S. market. For Mr. Arieli, the problem is that the distribution chain of counterfeit drugs is very long, and most of the raw material suppliers are in China. However, the distributors are mainly in Israel and in Europe. In Israel, for example, we have found counterfeit materials sold in pharmacies. He explains that 70% of counterfeit drugs come in from the Middle East, and terrorist organizations work closely with organized pharmaceutical crime groups to finance their activity. The modus operandi is very similar to arms or drug smuggling. We know that terrorist groups are involved in producing and trafficking counterfeit drugs. As the supply line is very long, it’s hard to trace all the brokers and wholesaler retailers. For this reason, counterfeit drugs are found all over the world: in the United States, Germany, the United Kingdom, and Italy, just to mention the most recent cases. Mr. Arieli emphasizes that the most efficient way to fight this threat is to secure the supply line by tracking the product’s journey.

Prof. Shmuel Shapira
For Prof. Shmuel Shapira, the connection between terrorism and medicine became evident in 1975 when he was working at Magen David Adom in Jerusalem. He assesses that hospitals play a central role in responding to terrorism. However, the level of security in hospitals is very low. It’s a place of mass traffic; in Israel for example, there are about 20,000 people coming every day into hospitals, and the entrances and exits are not watched. Moreover, when staff is recruited there is no security background check. He gives another example of low security measures: medical confidentiality is not very protected, as most computers are unlocked. Prof. Shapira also explains that in hospital energy centers, medical gas storage or piping systems are not protected, and hospitals can also be resources for toxic materials. Unfortunately, security is not a core issue of the health system, and is hardly taken into account. For Prof. Shapira, hospital organizations should be more aware of security threats, and should perform regular risk assessments. It’s also important to educate the staff about security and potential threats. He argues that easy steps could already have been taken to improve security in health facilities, such as fences, security cameras, controlled entries, ID cards for staff, etc.

Dr. Joram Rubinstein
For Dr. Joram Rubinstein, it might be obvious why some places like planes or banks need security, but it’s not for hospitals because people don’t think about terror there. For our western minds, attacking a hospital is against the basic laws of war. But to face terror, we need to raise awareness that terror can see hospitals as targets. Hospitals are very difficult to protect, and thus make easy targets. Dr. Rubinstein argues that in fact, because they are easy targets, hospitals are indeed more attractive to terror. In hospitals, access must be easy and fast, and it would be very expensive to add technology that could check IDs and bags fast enough. He explains that as security is not the “core business” of hospitals, the budget is very limited for it. In order to get more resources, awareness needs to be raised, and we should prove that security is needed. According to Dr. Rubinstein, the basic ways to improve health facilities’ security are: the use of various security layers, the combination of human resources and technology, the use of behavioral pattern recognition, and the improvement of security awareness. He emphasizes that the security approach should be active and not passive; we should not wait for the first attack to react.