Ransomware Attack at Hospital Leads to Patient's DeathAttack Reportedly Was Intended to Hit University
A ransomware attack that reportedly was directed at a German university but shut down emergency services at an affiliated hospital likely contributed to the death of a patient who needed urgent treatment but instead had to be transported to another hospital, delaying care, according to a news report.
The Associated Press on Thursday reported that German authorities say a "misdirected" ransomware attack meant for Heinrich Heine University caused the failure of IT systems at the affiliated University Hospital Düsseldorf last week.
The shutdown resulted in the death of a woman who needed urgent treatment on Sept. 11 for a life-threatening condition but was taken to another facility about 20 miles away, postponing critical treatment by about an hour, the AP reports. German prosecutors have launched an investigation.
In a statement issued on Sept. 10 about the cyber incident, University Hospital Düsseldorf said that due to "far-reaching IT outages" it had "opted out" of emergency care and postponed some treatments.
The justice minister in Germany's North Rhine-Westphalia state reports that 30 servers at the hospital were encrypted last week, and an extortion note that was left on one of the servers was addressed to Heinrich Heine University, the AP reports. The note did not specify a ransom amount.
Düsseldorf police contacted the attackers to tell them the hospital, and not the university, had been affected, endangering patients, according to the news report. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data.
"This is the tragic scenario that the healthcare community is working so hard to guard against."
—Greg Garcia, Healthcare and Public Health Sector Coordinating Council
Neither the hospital nor the state justice minister in North Rhine-Westphalia immediately responded to Information Security Media Group's requests for more information.
The AP reports that investigators have found that the attack exploited a vulnerability in "widely used commercial add-on software."
"While we are not aware of ransomware incidents in the U.S. that have directly resulted in patient death, this is the tragic scenario that the healthcare community is working so hard to guard against," says Greg Garcia, executive director of cybersecurity at the Healthcare and Public Health Sector Coordinating Council.
"There may be cases of inadvertent impact on hospital systems connected to targeted academic centers, but it is widely known that hackers do deliberately target hospitals because they are betting that the imperative for patient care will force healthcare providers to pay the ransom to protect patients and provider operations. But that imperative for patient care extends to the imperative for strong cybersecurity care."
An attack that apparently targeted a university, but instead crippled an affiliated hospital, "shows a lack of depth and sophistication by the threat actors who did not understand the scope or area of effect of their attack and its ultimate consequences," says forensics expert and retired FBI agent Jason G. Weiss, an attorney with the law firm Faegre Drinker Biddle & Reath LLP.
"It appears in this case the threat actors did not understand the implications or depth of the ransomware attack they launched, which is, sadly, very common," he says
Weiss says it appears that, in this incident, "the threat actors did not understand the 'operational technology' networks used by the university and the effect their attack would have on the university and the hospital."
Brett Callow, a threat analyst at security vendor Emisoft, notes that some ransomware groups claim to avoid attacking hospitals and state that, should they attack one unintentionally, they will provide a decryption key at no cost.
"It should also be noted that, even if the actors do supply a decryption key, these incidents can still cause significant disruption - and put patients' lives at risk - as restoring the impacted systems is not a speedy process," he adds.
Weiss says healthcare facilities are becoming more vulnerable "as resources become more strained by the COVID-19 pandemic. It puts more resource pressures on the healthcare providers and makes them far more susceptible to these types of attacks, since their IT departments are already stretched to capacity by the pandemic."
"It is a perfect storm for threat actors looking to financially exploit healthcare providers in this turbulent period."
Steps to Take
Weiss says hospitals and other healthcare provider organizations can take steps to mitigate the risks posed by ransomware attacks.
"There are two important things that all healthcare providers can do to being preparing for future disruptionware outbreaks - especially if they come in the form of malicious ransomware attacks," he says.
"Begin scanning your IT and OT networks for potential vulnerabilities and begin hardening these networks against obvious attacks and vulnerabilities scans. Provide the IT personnel with the resources they need to protect the network from attack. Institute password changes, add multifactor authentication and close accounts that are no longer active on the network as necessary."
Weiss also advises organizations to "build a cyber defense wall around the network using good cyber hygiene techniques that will encourage a threat actor to go somewhere else when attempting a cyberattack."