When online criminals started shifting focus to patient care facilities in recent years as a target of opportunity, there was some concern that an ill-timed ransomware attack might lead directly to deaths due to lack of ability to perform needed procedures. That nightmare scenario appears to have manifested at a German hospital, where the death of a woman who needed urgent care is being blamed on equipment being unavailable due to such an attack.
Hit by ransomware, German hospital forced to turn emergency patients away
For patient privacy reasons, few details are known about the unfortunate woman who passed away as a result of the ransomware attack. It is known that she had some sort of a life-threatening condition and sought emergency treatment at the Duesseldorf University Clinic, which had been hit days earlier by a ransomware attack that was gradually knocking systems offline. The woman had to be turned away and taken to a different hospital about 20 miles away, delaying the start of her treatment by an hour. This long delay proved to be a fatal one.
The German hospital was first hit on September 10, with the attackers gaining access via some sort of “widely used” add-on software that investigators declined to publicly name. This began a cascade of systems and patient records being taken offline, and by the time the woman arrived for treatment patients seeking emergency care were being redirected to other facilities.
The ransomware attack encrypted 30 servers in total and was accompanied by a note that did not specify an amount of money but did provide contact information and ask the German hospital to get in touch. The note seemed to indicate that the attack was meant to hit Heinrich Heine University; the German hospital is located near the university and affiliated with it but is a separate facility. When Duesseldorf police contacted the attackers and informed them that a hospital had been hit, the attackers provided the decryption key and ceased communications.
Prosecutors have launched an initial investigation into a negligent manslaughter charge against the perpetrators.
Hospitals regularly targeted by ransomware attacks, but are often not prepared
Threat actors, particularly those that deal in ransomware attacks, turned their attention to patient care facilities because they cannot afford to be offline for very long. However, these are also not always the most lucrative or well-funded targets. As the case with this German hospital demonstrates, there is also the potential to catch more serious charges if patient care is disrupted.
In addition to the expected administrative functions and patient records, numerous types of hospital equipment are connected to the internet. Ransomware attacks can potentially take out x-ray and radiology machines, physiological monitors, and test equipment used in labs among other types of connected devices. It is unclear what equipment was disabled at the German hospital to force emergency patients to be diverted, but a fair guess is that the department lost the ability to monitor vital signs effectively or take blood samples.
Hospitals sometimes simply have a lack of resources with which to maintain an adequate level of full-time cybersecurity staffing. The wide range of patient care devices that now have internet connective capabilities also presents a unique challenge in terms of keeping up with patches and vulnerabilities. In some cases, very expensive pieces of equipment may not be patchable but are also too critical to be taken out of service until the hospital can source a replacement.
The trend of ransomware attacks on hospitals really took off in 2019, headlined by a string of incidents in the United States and Australia that forced some facilities to pay the ransom in a bid to quickly restore service.
Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of IT security and compliance software, expanded on the challenges that are specific to health care facilities: “As with WannaCry, it seems likely that the vulnerability exploited here was months old, so there was time to mitigate the threat in theory, but it illustrates the importance of running vulnerability scans and acting on findings at least every 30 days if not more frequently. This becomes more difficult in a 24/7 operation like a hospital or power station, where resolving the conflict between the demand for continuous uptime, and maintaining cyber security, gets really tough.”
One vector by which hospitals are exploited is one that is common to every type of business: email phishing. And as with any other type of organization, the primary defense is in raising awareness at the individual employee level via regular notices and training. Strong password policies and the implementation of multi-factor authentication help in this area.
The other major vector has been created by the push to have connected and “smart” devices distributed throughout hospitals in recent years, each of which creates a new potential point of attack for intruders looking to penetrate the network. Even an attack that aims to use a particular subset of equipment for a botnet attack or as a cryptocurrency miner could have devastating effects similar to the tragedy seen at the German hospital if the equipment slows down or crashes at the wrong moment.
Given the increased attention from cyber criminals and the potentially life-threatening stakes, the American Health Association (AHA) is recommending that cybersecurity be incorporated as a key element of governance and risk management considerations in hospitals. It is possible that governments may take a more active assistance role in terms of funding and even hands-on assistance with defense measures, given that these facilities are critical infrastructure and a potential vector of direct attack on people.