The theoretical has now become real. As connected devices cropped up throughout hospitals over the past years, experts worried about the possibility of a cyberattack on a hospital network harming patients. That has now happened. A German patient died after being re-routed from a hospital in Duesseldorf that couldn’t provide services following a ransomware attack on its network on Sept. 10. The patient, who needed urgent medical care, was sent to a hospital nearly 20 miles away in a different town, where she died.
This is reported to be the first death linked to a cyberattack, and it’s just one of many ransomware attacks that target hospitals every day. In fact, earlier this week Universal Health Services was hit with what appears to be one of the largest cyberattacks ever on a medical provider in the United States. As a result, hospitals had to switch to pen and paper to log patient information and label medications. And a medical center in Ohio got hit with a ransomware attack on Monday that led them to postpone surgeries.
Ransomware attacks against hospitals have been ramping up in recent years, including attacks that impacted more than 700 healthcare providers in 2019 alone, according to one report. Hospitals are attractive targets because they can’t afford downtime and are therefore more likely to pay. The most notorious ransomware attack was WannaCry, which hit tens of thousands of hospitals around the world in 2017, crippling hospitals and prompting them to turn patients away.
The death in Germany is particularly tragic because it appears that the ransomware attack may have been intended for a different target; the ransomware note was addressed to a university that was affiliated with the hospital. After learning that a hospital had been hit instead, the attackers reportedly halted the attack and sent the key to decrypt the data held hostage — an unprecedented move. German authorities are investigating the case as a negligent homicide.
Even if the ransomware attack was a misfire, someone died.
This event should serve as a wake-up call for the healthcare industry and the U.S. government to take immediate action to address this serious problem. Here are some actions that I recommend.
Sanctions
The U.S. government should consider imposing sanctions on governments that don’t enforce international computer crime laws. While many ransomware gangs act with impunity within their own country — and some even operate on behalf of their government — others are left alone out of convenience and lack of resources.
Many governments don’t have incentive to go after criminals if their own businesses aren’t the victims. But now that it’s clear that ransomware attacks can lead to patient deaths, U.S. officials should pressure foreign governments to enforce laws just like they do in other circumstances when U.S. lives are lost.
Funding
There have been calls for the federal government to provide more support to industries that are under constant cyberattack. If ever there was a need for it, this is it. Federal law enforcement officials need to prioritize ransomware as a serious threat to critical infrastructure that puts public health at risk.
The federal government has provided funding to state election agencies to help them improve the security of their systems ahead of elections. Today, cash-strapped hospitals that also are under attack from cyber criminals should have similar aid from the government. Research published last year suggests that cyberattacks have led to deaths already. Analysis of the U.S. Department of Health and Human Services involving 3,000 hospitals between 2012 and 2016 found an increase in deaths at hospitals following ransomware attacks and data breaches.
The funding could be designated specifically to help hospitals avoid getting compromised and to ensure they have adequate backup systems.
Supply chain
One of the biggest problems in the tech industry overall, and particularly with connected devices in hospitals, is the lack of integrity in the supply chain. An overwhelming number of devices are shipped with little to no security by default. Many devices can’t easily be updated when vulnerabilities are found. Under-resourced hospitals don’t have the ability to adequately vet devices for misconfigurations, weak security settings and updates. We can’t have vulnerable devices in hospitals where patients’ lives depend on them.
Solving these challenges will require not only regulatory requirements around minimum device security features and capabilities, but also re-considering the collaborative design of standardized patching and recertification requirements by governing bodies. In many cases, healthcare service providers refrain from updating devices not only due to the technical effort involved, but the time and effort required to have each updated device re-certified.
A true solution to this challenge requires that all parties come to the table on the modern technical and procedural requirements and corresponding regulations required to enforce these requirements.
None of this will change the fact that someone appears to have died because attackers disabled a hospital’s network with malware for payment. If we don’t treat this as the serious warning that it is, it won’t be the last needless death we see.
Curtis Simpson is the chief information security officer at Armis Security, an IoT security company. He previously served as vice president and global chief information security officer at Sysco, a Fortune 54 corporation.