RUTHFULLY YOURS

T he American health-care system is under siege. Not only by a deadly novel coronavirus, unleashed by the evil and inept Chinese Communist Party, but also by cyberterrorists whose acts of aggression are just as condemnable and deadly as those of a suicide bomber or hijacker.

On October 28, the University of Vermont (UV) Health Center in Burlington was crippled by an attack on its systems. At the time, the nation’s eyes were set — solely and squarely — on the upcoming election. Thankfully, Ellen Barry and Nicole Perlroth at the New York Times have done yeoman’s work reporting on the attack and its aftermath. So now that the election is behind us, we can identify, name, and address this new kind of national-security threat.

“We expect panic,” declared one hacker in the run-up to the attack. To be sure, for staff working the day the attack came, panic set in when workstations were suddenly rendered inoperable, as were the backup computers. So were the pneumatic tubes used for transporting blood samples and test results, and — worst of all — the electronic medical-record system, which was only restored on November 22, nearly a month after the attack.

The attack on the UV Health Center is not the first act of cyber terror on U.S. health-care infrastructure. The Russian group believed to be responsible for the Burlington attack has, per the FBI, made somewhere around $61 million in ransoms over a 21-month period in 2018 and 2019. In early October, eResearchTechnology, a Philadelphia firm that sells software used in clinical trials — including for certain coronavirus vaccines — was locked out of its data by ransomware — a kind of malware that remains in place until the hackers who have sicced it on you are paid. Hospitals in California, Oregon, Montana, Tennessee, and upstate New York have been similarly afflicted by hackers, who have even gone so far as to release patient data — Social Security numbers, dates of birth, ages, hiring dates, and contact details — on the dark web.

To focus on Barry and Perlroth’s account of what’s happening in Vermont is not to downplay these other cases. But the Vermont case is especially affecting, and helps clarify what these hacks are: not nuisances, not crimes, but acts of terror committed on American soil, targeting our most vulnerable populations.

Cancer patients have been the chief victims of the events in Burlington. Hundreds have been turned away from the hospital as the loss of the electronic medical record set the department back “months and months and months,” according to one nurse. Staff have worked feverishly to triage their patients and reconstruct patient histories and treatment protocols from memory without any of the medical systems that they’re used to leaning on. Even with their prodigious efforts, the Center has been able to operate at only 25 percent of its typical capacity. The three-quarters of patients seeking care at Burlington who have been turned away have been forced to find it elsewhere, with some making a three-and-a-half-hour trek to Boston.Other services have been limited as well. Cancer screenings for survivors and at-risk groups have been delayed. Patients with previously scheduled appointments with the cardiology department have been forced to endure cancellations. In the chaos, they are still waiting to be contacted about rescheduling these vital visits.

Attacks such as the one on the University of Vermont Health Center lack the drama and, for lack of a better word, “excitement” of typical terror attacks. There’s no explosion, no immediate casualties to report, no tearful interviews with family members, no group immediately recognizable to American ears like al-Qaeda or ISIS taking credit. But a nurse working in the UV cancer center nonetheless compares the feeling of helplessness at the hospital to that which she felt treating burn victims after the 2013 Boston Marathon bombing.

There are unlikely to be any deaths officially attributed to the cyberattacks on American health infrastructure — no crawl on Fox or CNN listing the names of victims. Nevertheless, innocent Americans will doubtlessly perish or see their long-term health otherwise harmed or jeopardized because of the hundreds or perhaps even thousands of treatment sessions, screenings, and other appointments missed as a result of these attacks.

What, then, can we do? First, we can recognize the groups responsible for these attacks as foreign terror organizations. That the consequences of their actions are less immediately apparent and that the actions themselves are less noticeably destructive than those of the groups we traditionally associate with terrorism are beside the point. Under Executive Order 13224, signed by then-President George W. Bush to allow the secretaries of State and Treasury to designate entities as foreign terrorist organizations, terrorism is defined as “activity that” both “involves a violent act or an act dangerous to human life, property, or infrastructure” and “appears to be intended to intimidate or coerce a civilian population; to influence the policy of a government by intimidation or coercion; or to affect the conduct of a government by mass destruction, assassination, kidnapping, or hostage-taking.”

The attacks plainly meet the first requirement. The second is somewhat trickier, as many hackers are chiefly motivated by the financial rewards they can reap by way of ransoms. However, some attacks, including the one on the University of Vermont, are not followed by any ransom demands, leading experts to believe that they’re not about money, but about sending a message. Moreover, some experts have speculated that the latest wave of attacks is meant as retribution for the U.S.’s successful effort ahead of the 2020 election to cripple TrickBot, “a vast network of infected computers used for cyberattacks.” This would clearly constitute an attempt at influencing government policy through an act “dangerous to human life, property or infrastructure.”

It’s also imperative that the U.S. draw a line in the sand to dissuade its enemies from funding or carrying out attacks like this moving forward. If hostile foreign governments and radical groups seeking to do the U.S. harm aren’t already supporting some of these attacks, how long will it be until they are? The U.S.’s vulnerability to attacks on its health-care system represents a significant threat to the country’s national security.

Designating hospital hackers as terrorists will not only put financial pressure on them, but also raise awareness of their misdeeds and the threat they pose, putting political pressure on our own leaders to address this pressing but oft-forgotten issue by working more closely with hospital administrators to prevent and to respond to these attacks.

Cybercrime has become a topic of increasing interest in recent years, particularly in the contexts of Russian meddling in the 2016 presidential election and Chinese intellectual-property theft. Though public awareness of these issues is improving, devastating acts of terror on vulnerable U.S. populations and medical infrastructure continue to fly under the radar, even as a pandemic that has robbed us of a quarter-million of our fellow Americans rages on. To combat this new, insidious threat, we need not just technical skill, but also moral clarity.