In a world-first, a cyberattack on a hospital has resulted in the death of a patient. Experts, however, are not surprised.
For the first time ever, a cyberattack has been ruled as the cause of death of a patient after cybercriminals hit a hospital in Düsseldorf, Germany. Police have launched a “negligent homicide” investigation after ransomware disrupted emergency care at the hospital.
The female patient from Düsseldorf was scheduled to undergo critical care at the hospital when the attack disabled systems on September 9. She was transferred 30 kilometres away to another hospital for treatment but died as a result of the delay. According to the BBC, the hackers could be held responsible as a result.
“If confirmed, this tragedy would be the first known case of a death directly linked to a cyberattack,” Ciaran Martin, formerly the chief executive of the UK’s National Cyber Security Centre, said in a speech at the Royal United Services Institute. “Although the purpose of ransomware is to make money, it stops systems working. So if you attack a hospital, then things like this are likely to happen. There were a few near misses across Europe earlier in the year, and this looks, sadly, like the worst might have come to pass.”
Ransomware is malicious software that encrypts the victim’s data, holding it hostage until a ransom is paid. This extortion method is a billion-dollar criminal industry that typically preys on cashed-up businesses (e.g. Tesla and Garmin), though hospitals have seen themselves targeted more and more in recent years. As hospitals urgently need to access health records and computer systems to care for patients, the likelihood that the extortionist will be paid is increased. With the rise in hospital attacks, it was widely feared that a patient death was only a matter of time.
“Hospitals can’t afford downtime, which means they may be more likely to pay — and quickly with minimal negotiation — to restore their services,” Brett Callow, a threat analyst at Emsisoft, the New Zealand security firm, said Friday. “That makes them a prime target.”
The bridge between cyber-crime and human morality has been erected. Such a threat is no longer theoretical, which should hopefully give urgency to fixing fundamental problems. German authorities claim that the hackers took advantage of a vulnerability in Citrix virtual private network software that had been officially known since January but that the hospital had failed to address.
While the hackers may be blamed for the death and could face manslaughter charges, it is unlikely they will be arrested—most ransomware outfits are based in Russia, where authorities have protected hackers from extradition. To date, Russian hackers have only been arrested while travelling abroad.