The Code Dark, to limit hacks to hospitals: what it is and how it works

The Code Dark is a monitoring system implemented by the Children’s National Hospital of Washington DC to prevent a cyber attack and mitigate its consequences by signaling when to unplug or turn off devices connected to the Internet to prevent the spread of the infection. Here’s how it works

It is called Code Dark and is the new monitoring and alarm system adopted in an American hospital to counter the significant increase in cyber attacks that have hit healthcare facilities in recent months.

It is, therefore, an extra effort to limit hacks to hospitals and breaches of health data.

Cyber attacks on hospitals: the numbers

The Code Dark fits into a context in which the complex of medical devices, systems and applications present in a healthcare organization is incredibly vast and heterogeneous: there are desktops, servers, computer terminals, diagnostic imaging devices, self-service kiosks, implantable medical devices, electronic health record (EHR) systems, management software, image storage and transmission systems (PACS), medical billing systems, patient portals and public clouds; and to these are often added several other dated systems.

This vast array of machinery and applications, which clinicians increasingly rely on to do their jobs, represents an ever-growing attack surface for the various hacker and Advanced Persistent Threat (APT) groups.

According to a report from cybersecurity firm Sophos, the number of cyber attacks on US healthcare organizations increased by 94% from 2021 to 2022. The study says more than two-thirds of healthcare organizations in the US reported having suffered a cyber attack in 2021, up from 34% in 2020.

Research by International Business Machines Corp. also found that the healthcare sector, for the twelfth consecutive year, accounted for the highest average cost of a breach in the country, at more than $10 million per breach.

The frequency of the damage caused by cyber criminals to this type of infrastructure has alarmed several health institutions, which have taken various measures in response.

The Code Dark: how it works

The system implemented by the Children’s National Hospital of Washington DC is particularly interesting. The hospital’s IT staff has instituted a new type of code that alerts healthcare professionals to an ongoing IT problem. Just as a code blue indicates a medical emergency and a code red indicates a fire, the “Code Dark” warns of a hack affecting the medical devices in use.

Healthcare professionals have been trained to recognize cyber threats and have a protocol reminder at their disposal. They are obliged to notify security in the event of failures or suspicious behaviour on IT devices; when this happens, the security personnel activate the Code Dark.

Activating the code raises an alarm for all employees, who must turn off and disconnect the hospital IT devices to secure the infrastructure network: this prevents the infection from spreading and makes the healthcare staff the first responders in the computer rescue.

Phil Englert, director of medical device security at the Health Information Sharing and Analysis Center, a nonprofit that coordinates security between healthcare organizations, said hospitals should develop comprehensive plans that primarily address the isolation and restoration of individual medical devices, since these are easy entry points into hospital networks for cybercriminals.

The Board of Directors of the Children’s National Hospital in Washington DC therefore asked the IT security staff to find ways to mitigate the long-term effects of cyber attacks: recovery normally takes weeks or months, and the goal was to limit it to a few weeks. This is why the Code Dark is fundamental: it warns employees of the ongoing threat early, reducing the number of compromised devices, the downtime and the recovery time.

Code Dark: strengthening the cyber perimeter of healthcare facilities

The introduction of the Code Dark represents an important step forward in strengthening the security perimeter of healthcare infrastructures. The attacks carried out in recent years have made it increasingly urgent to raise the level of preparedness of personnel in the face of these threats.

The priorities that hospitals must address, in addition to safeguarding patient information, concern increasing the protection of medical equipment, the ability of operators to access data remotely, the training and constant updating of healthcare personnel on cybersecurity, and the replacement of obsolete equipment.

If even one of these conditions is missing, there is a risk that a malicious action paralyzes a facility in a significant way.

Particularly exposed are medical devices, especially those that operate through the Internet of Things (IoT). In addition to their design weaknesses, many of these devices are provided by third parties, which exposes them to supply chain vulnerabilities, putting a wide range of patient personal data at risk.

The growth of connected devices in hospitals and the convergence of IT and operational technology (OT) domains has made the problem even more pressing.

The challenge from a cybersecurity perspective is that, unlike corporate systems, hospital networks are designed to facilitate access from different networks. In an IT environment, a cybersecurity strategy aims to protect the confidentiality, integrity and availability (CIA) of information systems.

IT / OT convergences in hospitals: the issues

In hospitals, the convergence of IT and OT technologies also places an emphasis on protecting a range of different traffic types, from critical patient data, which requires immediate delivery and response, to general administrative information.

Like other critical infrastructures, hospitals place an emphasis on network availability. For IT organizations, one of the first lines of defense is shutting down the entire system.

In hospitals, however, life-saving medical devices must be able to function continuously to ensure patient safety. In addition, these devices must be able to communicate freely throughout the facility. The same goes for other essential services, such as pharmacies and care stations. Shutting down is therefore not a viable option.

However, the emphasis on maintaining an open network, with the ability to quickly respond to patients’ medical needs, makes hospitals relatively easy targets for cybercriminals.

The risks are twofold: at worst, attacks could prevent critical medical devices from functioning properly; in addition, a hacked medical device could provide access to the hospital network for stealing sensitive data.

In the event that an attack does occur, security fixes on embedded devices typically require a full firmware update from the vendor, which is then manually installed on the device.

This process can greatly increase patch delays due to the time it takes for vendors to prepare and test new firmware that does not interfere with the operation of the medical device.

Also, in many cases, devices may not receive updates at all, because their operating system is no longer supported and memory, storage and processing limits could prevent the devices from working effectively with newer software.

A similar situation occurred in 2017, when the WannaCry ransomware attack compromised some radiological examination tools, as well as causing some surgeries to be canceled.

To avoid such scenarios, it is, therefore, necessary to monitor the supply chain of hospital equipment to ensure that patches are continuously updated.
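The containment logic described in the Code Dark section above (power off and unplug ordinary IT devices; keep life-saving devices running and isolate them at the network layer instead) and the patching problem discussed in the last few paragraphs (devices whose vendor no longer ships firmware) can be captured in a small triage script. The following is an added illustration, not the hospital's own tooling or any tool named in the article; the device inventory, segment names, the 180-day patch-lag threshold and the action names are all constructed assumptions.

```python
"""Code Dark containment triage (added example, not the hospital's own tooling).

Given a device inventory and the network segments where Code Dark was called,
produce an ordered action plan:
  * non-critical devices in affected segments: power off and physically unplug;
  * life-critical devices in affected segments: keep running, quarantine on the
    network (the article notes shutdown is not viable for life-saving devices);
  * everything else: monitor only.
Devices that cannot be patched (vendor no longer supported, or firmware older
than a threshold) are flagged so they are not reconnected without compensating
controls. All device data below is constructed sample input.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Action(Enum):
    POWER_OFF_AND_UNPLUG = "power off and physically disconnect"
    NETWORK_QUARANTINE = "keep running; move to quarantine VLAN, block lateral traffic"
    NO_ACTION = "outside affected segment; monitor"


@dataclass(frozen=True)
class Device:
    name: str
    segment: str            # assumed network segment / VLAN name
    life_critical: bool     # True if stopping it endangers a patient
    vendor_supported: bool  # vendor still ships firmware updates
    last_firmware: date     # date of the last firmware update applied


def code_dark_action(device: Device, affected_segments: set) -> Action:
    """Choose the containment action for a single device."""
    if device.segment not in affected_segments:
        return Action.NO_ACTION
    if device.life_critical:
        # Life-saving devices must keep functioning: isolate, do not power off.
        return Action.NETWORK_QUARANTINE
    return Action.POWER_OFF_AND_UNPLUG


def patch_lag_days(device: Device, today: date) -> int:
    """Days since the device last received firmware."""
    return (today - device.last_firmware).days


def build_plan(inventory, affected_segments, today, max_lag_days=180):
    """Return [(name, Action, [flags])], power-offs first (they stop the spread
    immediately; quarantines need the network team)."""
    plan = []
    for dev in inventory:
        action = code_dark_action(dev, affected_segments)
        flags = []
        if not dev.vendor_supported:
            flags.append("unsupported: needs compensating controls before reconnect")
        elif patch_lag_days(dev, today) > max_lag_days:
            flags.append("firmware older than %d days: patch before reconnect" % max_lag_days)
        plan.append((dev.name, action, flags))
    order = {Action.POWER_OFF_AND_UNPLUG: 0, Action.NETWORK_QUARANTINE: 1, Action.NO_ACTION: 2}
    plan.sort(key=lambda row: order[row[1]])  # stable sort keeps inventory order within a group
    return plan


# Constructed sample inventory (names, segments and dates are invented).
SAMPLE_INVENTORY = [
    Device("nurse-station-pc-3", "ward-b", False, True, date(2022, 3, 1)),
    Device("infusion-pump-12", "ward-b", True, True, date(2021, 11, 10)),
    Device("ct-scanner-1", "radiology", False, False, date(2016, 5, 20)),
    Device("pacs-server", "datacenter", False, True, date(2022, 6, 1)),
    Device("ventilator-4", "icu", True, True, date(2022, 5, 2)),
]
TODAY = date(2022, 7, 1)  # constructed "current" date for reproducible output


def sample_plan():
    """Code Dark called for ward-b and radiology on the sample inventory."""
    return build_plan(SAMPLE_INVENTORY, {"ward-b", "radiology"}, TODAY)


if __name__ == "__main__":
    for name, action, flags in sample_plan():
        print("%-20s %-65s %s" % (name, action.value, "; ".join(flags)))
```

Running the script prints the plan in execution order: the two non-critical ward-b and radiology devices are unplugged first, the infusion pump stays on but is quarantined (and is flagged for a firmware update before reconnection), and the unsupported CT scanner is flagged so it is not simply plugged back in once the alarm ends.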

In addition to this, investment in the IT security of hospitals and the dissemination of best practices among staff, such as the use of strong passwords and regular backups of the data on devices, play a central role.
