Documented Death from a Ransomware Attack

A Düsseldorf woman died when a ransomware attack against a hospital forced her to be taken to a different hospital in another city.

I think this is the first documented case of a cyberattack causing a fatality. UK hospitals had to redirect patients during the 2017 WannaCry ransomware attack, but there were no documented fatalities from that event.

The police are treating this as a homicide.

Posted on September 23, 2020 at 6:03 AM • 21 Comments

Comments

Andrew September 23, 2020 7:48 AM

Frightening and abhorrent as that is, and much as I agree with treating the hacking as a homicide, I also find it more than a little disturbing that a computer outage can cause a patient in a life-threatening condition to be diverted to another hospital, causing an hour’s delay in treatment. Are we now that reliant on our computers, and should we really be?

metaschima September 23, 2020 8:10 AM

A very unfortunate incident, but I believe the death is actually due to poor or non-existent fallback procedures at many hospitals. Every hospital experiences an outage of some kind in their power supply or IT services, but how they handle this depends on fallback procedures, basically having alternative paper and pencil stuff to handle incoming patients. As for medical records that are inaccessible, well, you just have to do without them although they may be important. IMO it’s the hospital’s fault the patient died. They were improperly prepared for an outa

Clive Robinson September 23, 2020 10:08 AM

@ Bruce Schneier,

UK hospitals had to redirect patients during the 2017 WannaCry ransomware attack, but there were no documented fatalities from that event.

It was not just hospitals but ambulances as well.

Whilst “officially” there were no deaths that were treated as “homicides” or other crime, it might be worth taking a look at the “excess deaths” trend for the month following when compared to the previous five years for the same period.

I know from people inside the NHS that even emergency operations and procedures were cancelled, and likewise cancer (oncology) and other treatments.

I find it hard to believe there were not untimely deaths that followed Wannacry.

I suspect the reason it got toned down at the time, and the reason Marcus Hutchins got lauded as much as he did when Wannacry grabbed the NHS the way it did, was the Minister of State for Health at the time. He, knowing full well that the NHS was going to be vulnerable if the “Microsoft XP Ransom” was not paid, decided the money should not be spent.

Wannacry happened despite warnings and not just the NHS but other Government organisations and major corporates got plunged into a world of IT hurt…

Microsoft, by the way, had already patched XP etc. against Wannacry, as the code region in MS OSs that was vulnerable was virtually the same, and Microsoft did have some people paying for extended XP support.

So yes, I realistically think there were untimely deaths and,

1, The Minister of State tried to blame others.

2, Microsoft initially tried to blame the victims of its support policies.

However they both hid behind a “feel good story” of a “Jack and the Giant” fairy tale style. As for the avoidable death figures, the PR position was,

“They were tragic and not our fault, (but the less said, the less likely lawsuits would be)”.

If people doubt the UK MSM and World MSM would fall into line with this, take a look at what is currently happening to Julian Assange… but oh wait, you can’t. Because the MSM is not reporting it just as they did not report the WannaCry human casualties…

Peter A. September 23, 2020 10:25 AM

What did the attack affect? Some ER equipment, like monitors or respirators? Some diagnostic equipment like X-ray machines, USG etc.? Or just front desk computers? The article isn’t clear, but I’d rather assume the latter. It is therefore the doctors’ fault – they valued paperwork above the patient’s life. Which is kinda common today, almost everywhere.

Tatütata September 23, 2020 10:27 AM

The AP report seems to be a straight condensation and paraphrasing of mainstream German media outlets. Most don’t name the software in question (from the description I thought it was Flash), except the ever well-informed Heise, which mentions “Citrix”, and the vulnerability CVE-2019-19781. Merely applying the patches from last January wouldn’t have sufficed, as many systems had already been back-doored.

The question of responsibility would therefore be a contest between the software supplier, the user organisation and its sysadmins, and the hackers…

I wonder whether software EULAs typically have clauses excluding life-support critical systems, like electronic component datasheets with their usage prohibition for certain applications. I’ll confess I never read one to the end. I guess I didn’t really need these kidneys after all.

<pedantic>BTW, it’s Düsseldorf.</pedantic>

Steve September 23, 2020 10:27 AM

We trust a hospital with our lives and assume that its management follows best practice to keep us safe. Whether it’s sanitizing its equipment from known germs, placing a security guard in the lobby to fend off known criminals, or patching a vulnerability that’s been known since January.

Mr. H September 23, 2020 10:37 AM

Ladies and Gents,
The LawMakers (DC based politicians) are CLUELESS (most of them anyway).
The year is 2020 and they (most politicians in DC and The WH) are technologically speaking ILLITERATE. Again, credit where it’s due, with a VERY FEW exceptions like say this guy who’s “up to date” https://en.wikipedia.org/wiki/Will_Hurd
It’s not that every politician should know how to circumvent IPS/IDS, hack a WAN Router and tamper with BGRP or know ins and outs of PCI DSS, blah blah blah…
But they should at least know enough of the “what if” scenarios to take this “Internets” thingy a bit more seriously, as our lives, jobs, safety, etc. depend on it each day more than the day before. There must be TERM LIMITS so that we no longer have Dodos and Dinosaurs in Congress and other important institutions who got their degrees shortly after WW2 and have NO CLUE about technology. There have to be LAWS on the books for how to make companies PAY for making stupid mistakes of not properly securing PII of their employees/clients/customers but instead opting to make investments/improvements in other areas/departments. Cutting the IT Department’s budget/allowance does NOT cut it anymore.
It’s ALWAYS about the trade-off. Make it so that NOT securing your data will cost you MORE in penalties than the other way around. Do not slap corporations on their wrists and let them get away and let them operate continuously AFTER being breached/compromised many times. It will keep happening until we start making them pay for their choices of improving WRONG departments.

Al September 23, 2020 12:55 PM

I had to wonder why they needed the computer to admit someone requiring emergency care. There may have been relevant medical history that could have been brought up, but then again, maybe not.
But, it seems a poor call was made, that time was not of the essence, when it was.

David Rudling September 23, 2020 1:02 PM

The problem with the police treating it as homicide is that it may deflect from the charges of criminal negligence that might otherwise be brought against those whose systems were wholly inadequate to prevent this.

Marcel September 23, 2020 1:19 PM

Well – from the German newspapers I rather understand that it is under investigation whether to treat the case as negligent homicide at this moment. At least in German this makes a big difference. Not sure how this is understood in English though.

Tatütata September 23, 2020 1:20 PM

The cause of the death was somewhat indirect, if one believes the account of Die Zeit.

The Düsseldorf hospital had to de-register from the emergency care network because of the general failure of most systems, including phones, and was therefore unavailable to welcome any new admissions. An ambulance was instructed to take the patient to the next available facility in Wuppertal, about 30 km east. The 78-year-old woman had suffered an aortic dissection, according to the ZDF video report. The prognosis is nowadays incomparably better than a few decades ago, but every single second counts. With the added travel time, the patient landed in an ER about one hour later.

So it wasn’t as if someone had mounted a scratch monkey in the Citrix machine.

metaschima September 23, 2020 6:43 PM

@Tatütata
Thank you for the extra information. It’s pretty clear from this that the hospital is at fault for diverting the patient. It was a ransomware attack apparently mistakenly launched against the hospital, and somehow the perpetrators gave up the encryption key to the police. I’m assuming that although they had the key, decryption would take a while. The phone systems in hospitals tend to use VoIP, at least in the US, so it’s possible the phone systems depended on some of the encrypted data? Either way, that is no reason to shut the hospital down completely. I worked at a hospital for years and they had total IT shutdowns many times, including phone systems, but this never caused a full shutdown of services because appropriate fallback procedures were in place. Admittedly they were very tedious, but things still got done. Then again, the patient could still have died at this hospital, but we cannot know that with 100% certainty.

Peter A. September 24, 2020 2:01 AM

@Tatütata: thanks for info.

It looks then like a systemic problem with emergency response/dispatch which happens to rely on unreliable comms with inadequate backup links/procedures. VoIP phones? Fine, but what’s the backup if the network or the VoIP switch fails? Couldn’t they call staff mobile phones? I am sure every doctor and manager in the hospital has one; it’s just a matter of giving the numbers to the dispatch unit, so they know who to call if the usual numbers don’t work. Doesn’t the emergency unit have trunking radio? etc.

It could have also been an inadequate/unfortunate dispatch decision – these guys have problems, let’s not cause them more trouble, we have another unit over there, send the ambulance there, patient should be fine – but then not.

The homicide charge is mostly a cover-up for a government/healthcare system failure.

Clive Robinson September 24, 2020 5:59 AM

@ Peter A., ALL,

It looks then like a systemic problem…

One of the reasons we have “systemic problems” is reliability.

The more reliable a system is the more of a problem it creates when it goes down.

In part this is due to humans, when things go wrong regularly we develop not just “work arounds” but we keep them “fresh in memory” or if not simple “to hand” in well thumbed ring binders etc.

When things very, very occasionally go wrong, it’s unexpected, and not only is there no “muscle memory” for buttons and keys to press, there is little conscious memory of what to do, and in most cases “where is the bl@@dy folder?” arises as the second oath said after “Oh 5h1t”.

Training is meant to prevent these problems; it’s why there is a requirement for “Emergency Evacuation drills”[1] encoded into law.

Which brings up the question of “Why do drills have to be by law?”… The answer is that employers do not trust their employees, and further they see no profit in drills. It’s why we also have in some places legislation to stop employers locking emergency exits and even toilets… Because employers have, and in some places still do, and when there has been a fire, there are lots of completely avoidable deaths, and the employer lawyers up or disappears over the border.

I suspect that there might be an element of this in the action the authorities are taking.

Unfortunately it’s likely in this case that the finger pointing game will start with management pointing at the system suppliers; they will then point at management, the alleged hackers and anyone else. In the end it boils down to who can get the best lawyers to absolve them of any moral, ethical, regulatory or legal responsibility. I’ve been part of that sort of game more often than I’m personally comfortable with (in fact my flesh crawls). The only one I talk about is Piper Alpha, because the company I worked for at the time were entirely blameless, but you still have to go through the process because somebody will, if they can, point the finger at you. It is after all what the shareholders etc. demand…

[1] They used to be called “fire drills” but then people started bombing places and even flying aircraft into buildings. In other places they were part of “earthquake drills” but with sufficient exceptions that it was felt better to keep them separate in people’s minds. Because rational thinking is something very, very few people can do in an emergency, most just stand there, hence “drills” to make the responses automatic.

default October 15, 2020 12:57 PM

Not surprising, cyber security is not high on the priority list of hospitals.

I’ve worked with various hospitals as a vendor and now work at a university hospital. Generally my impression always was that the cyber security in hospitals is even lower than in most companies.

For example it is not uncommon that user accounts are used by multiple persons (all over the hospital). User accounts are not properly disabled when the medical staff no longer works in the hospital. Users can install their own custom software, from the internet.
Doctors use software like MS Teams and Dropbox to communicate patient data (sometimes with persons who shouldn’t even have access to the data), which is definitely against German and European laws regarding patient data privacy, but since they are Doctors the hospital management is generally ignoring the issue. They even managed to provide additional training regarding the use of MS Teams in the hospital.
Hell, not even the ERP and hospital information system are designed as high availability systems (not even for regular maintenance), and emergency cases can’t always be processed properly.
New systems are introduced even though they are not supporting secure authentication, access and proper data privacy.

Honestly I’m far more surprised that this isn’t happening more often.

xcv October 15, 2020 1:29 PM

@default

Not surprising, cyber security is not high on the priority list of hospitals.

People get hurt out in the country or on the farm, and they’re taken against their will to an inner-city urban hospital, where the Docs always revoke their gun rights if they haven’t done so already.

Mob Doctors and Nurses are sniffing crocodile years in brightly colored snot rags — “We’re gonna have to cripple you guys somehow to keep you safe if you can’t stop fighting and hurting and killing yourselves out there on your own.”

default October 17, 2020 12:23 AM

@xcv I’m not sure how this is related to cyber security, maybe something was lost in translation (especially the stuff with the crocodile years and snot rags wasn’t clear).
And I’m not in the position to comment on gun rights, since I’m living in a city in Germany, which means the only guns I’ve ever seen in real life were either airguns on a fair or were carried by police/military (though even this is still strange to me; when I was young police didn’t carry a gun on a regular basis).

Clive Robinson November 15, 2020 7:38 AM

@ Rémy Günter,

no more treated as homicide by law enforcement in Germany.

I’m not really surprised.

The key sentence in the article is,

“The standard of proof in Germany would require prosecutors to show that the attack played a “decisive role” in the death”

It’s effectively a balance of probability test, one that just recently many have come face to face with over COVID-19 and lack of hospital resources. In the case of hospitals they apply a process of triage to decide not just on whether a patient will survive or not but their quality of life if they do survive. This gives a qualitative score which is used to make choices.

Sad as it might appear, the chance of anyone surviving the condition the patient had was very low (you can look the figures up), thus there was at best a quite slim chance the patient would survive, and if so may well be in a very low quality of life (possibly on significant support).

But aortic aneurysm figures show your likelihood of surviving an emergency is to a certain extent tied to the weekday/weekend issue. That is, there is a marked increase in mortality at the weekend compared to weekdays. A hospital that has dropped to half of its emergency capacity intake is going to have a way, way worse increased mortality risk than weekends, so they were correct to bounce the patient to another hospital where the patient’s mortality risk would have been markedly less.

So it falls to who to blame for the malware that was used to get the ransomware into the hospital’s many, many systems.

From the article, the hospital claim it patched as soon as it had the patches available. However there was a largish window of opportunity between the vulnerability being known and the software supplier in which the vulnerability was found making a patch available.

As I’ve noted before, mitigation these days has to be proactive not reactive. Patching is at best a very slow form of reactive security that can be months or years after a vulnerability has started being used.

Thus reactive mitigation by patching is bound to fail not just occasionally but frequently. In fact we know this because often new attack vectors have been used to attack systems and the signs of them can be found in AV company upload databases from long before the vector becomes known to the companies. With care an attacker can use a vulnerability for months or more, which gets us into APT territory. So the chances were that AV software at the hospital perimeter did not pick up the malware either.

This is because AV matching software in the traditional sense, is as bad a reactive mitigation as patching is.

Which brings up the question of what a proactive mitigation might be. Perhaps the strongest is “total isolation”: if your systems do not connect to any kind of communications they cannot be attacked by an outsider. Whilst this reduces the external attack surface significantly, it does not stop either insider attacks or attacks from those who get in by visiting the site physically and effectively becoming an insider. Hospitals almost by definition of what they do are very open to visiting criminals, as the number of petty thefts they suffer show. Thus someone playing for much bigger returns such as Ransomware users would not be very much encumbered by visiting the site.

Whilst there are some proactive mitigations to insider / on site attacks, they tend to be resource intensive as well as placing significant constraint on usability.

Thus the best proactive mitigation would be by the software systems developing organisations. But then people have been saying this in at least every one of the past four decades to my certain knowledge, and there are papers showing some systems design for security back in the 1950’s… So not exactly a new problem, yet the system suppliers have effectively ignored it for entire lifetimes…

Thus I know on balance of probability about the ransomware where the blame originates, and that is back in those corporate HQs.
