Deadly malware and other software

Ransomware has become deadly!
It no longer kills just company profits; it has started to kill people.

Ransomware attack at German hospital leads to death of patient
https://www.bleepingcomputer.com/news/security/ransomware-attack-at-german-hospital-leads-to-death-of-patient/
“A person in a life-threatening condition passed away after being
forced to go to a more distant hospital due to a ransomware attack.”

German Hospital Hacked, Patient Taken to Another City Dies
https://www.securityweek.com/german-hospital-hacked-patient-taken-another-city-dies

“German authorities said Thursday that what appears to have been a misdirected hacker attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.”

It feels now that if this does not spring up an international manhunt, nothing will. It is one thing to ransom a hospital and an entirely different thing to kill someone while doing it.

Maybe there should also be a liability investigation inside the hospital if the death was at least partly caused by plain negligence on the part of some information security boss or other responsible manager. And why the hell do these sorts of critical systems not update themselves when updates are available?

“In this context, the BSI emphasizes that a vulnerability (CVE-2019-19781) in Citrix VPN products, known since January 2020, is being exploited for cyber-attacks,” the BSI revealed in a statement.
Patches for the Citrix ADC vulnerability, an unauthenticated path-traversal flaw in Citrix ADC and Gateway that allows remote code execution, have been available since January 2020.
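As an added illustration (this is not code from the original post or from any of the sources it cites), here is a small Python check over web server access logs that flags the request shape that public incident reports associate with exploitation of CVE-2019-19781: a path that only reaches the /vpns/ script directory by traversing out of the public /vpn/ prefix with "..", in plain or percent-encoded form. The log lines are constructed, and the traversal pattern and the two file names are taken from public write-ups on the CVE rather than from this page; both are assumptions for the example.

```python
"""Flag CVE-2019-19781-style traversal requests in web server access logs.

Added example (not from the original post or its sources). Assumptions:
the log lines are constructed, and the '/vpn/../vpns/' traversal shape plus
the two file names come from public incident write-ups on this CVE.
"""
import posixpath
import re
from urllib.parse import unquote

# Apache/Citrix-style access log: client, two ident fields, [timestamp],
# "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Script and config paths that exploitation attempts requested (assumption,
# see module docstring).
SENSITIVE_SUFFIXES = ("/vpns/cfg/smb.conf", "/vpns/portal/scripts/newbm.pl")


def decode(path: str) -> str:
    """Drop the query string and percent-decode twice to catch double encoding."""
    return unquote(unquote(path.split("?", 1)[0]))


def normalize(path: str) -> str:
    """Decoded path with '.' and '..' segments collapsed, as a server would resolve it."""
    return posixpath.normpath(decode(path))


def classify(path: str):
    """Return a reason string if the request looks suspicious, otherwise None."""
    decoded = decode(path)
    norm = normalize(path)
    # Traversal: a '..' segment was needed to land inside /vpns/ (the script
    # directory that should not be reachable via the public /vpn/ prefix).
    if norm.startswith("/vpns/") and ".." in decoded.split("/"):
        return f"traversal into /vpns/ (raw={path!r}, resolved={norm!r})"
    if norm.endswith(SENSITIVE_SUFFIXES):
        return f"direct request for sensitive path {norm!r}"
    return None


def scan(lines):
    """Return (client, timestamp, method, reason) for each suspicious, parseable line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        reason = classify(m.group("path"))
        if reason:
            hits.append((m.group("client"), m.group("ts"), m.group("method"), reason))
    return hits


# Constructed sample traffic: three exploitation-shaped requests from one
# client, two benign portal requests from another.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Sep/2020:02:13:44 +0200] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512
203.0.113.7 - - [11/Sep/2020:02:13:45 +0200] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
203.0.113.7 - - [11/Sep/2020:02:13:46 +0200] "GET /vpn/%2e%2e/vpns/portal/backdoor.xml HTTP/1.1" 200 77
198.51.100.4 - - [11/Sep/2020:02:14:01 +0200] "GET /vpn/index.html HTTP/1.1" 200 2048
198.51.100.4 - - [11/Sep/2020:02:14:02 +0200] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for client, ts, method, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} {method}: {reason}")
```

To use it on a real log, pass the file's lines to scan(). The check compares the resolved path rather than the raw string, so it catches percent-encoded and double-encoded forms of the same traversal that a plain substring match for "/vpn/../vpns/" would miss; a benign request that is already under /vpn/ without any ".." segment is not flagged.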

That is terrifying. But if you think this might be the first case of a computer program killing someone, you would be wrong.

This might not even be the first death caused by malware. WannaCry was also complicit in NHS medical complications in 2017 (it is hard to say how many lives it affected).
https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin

Several earlier documented deaths caused by computer software are listed at

https://www.quora.com/What-computer-programs-have-accidentally-killed-someone

Therac-25 was probably the first widely reported case of a software bug in a medical device killing patients; the root causes were a race condition between operator input and the machine's setup routine, combined with the removal of the hardware interlocks that earlier models had relied on.

https://hackaday.com/2015/10/26/killed-by-a-machine-the-therac-25/
“For six unfortunate patients in 1986 and 1987, the Therac-25 did the unthinkable: it exposed them to massive overdoses of radiation, killing four and leaving two others with lifelong injuries.”
https://en.wikipedia.org/wiki/Therac-25
https://www.bugsnag.com/blog/bug-day-race-condition-therac-25

Then there are also cases of a program, functioning as intended, being the direct cause of someone's death; here I am just thinking of all the software inside missiles and armed military drones. There have also been some autonomous vehicle accidents that caused deaths where it was hard to say whether a software bug or a design flaw caused the accident.

In the malware case in Germany it was not the program directly, but a human decision forced by the damage the program had done.

23 Comments

  1. Tomi Engdahl says:

    A woman in Germany died during a ransomware attack on the Duesseldorf University Hospital, in what may be the first death directly linked to a cyberattack on a hospital. The hospital couldn’t accept emergency patients because of the attack, and the woman was sent to a health care facility around 20 miles away, the Associated Press reported.

    The cyberattack was not intended for the hospital, according to a report from the German news outlet RTL. The ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital.
    https://www.theverge.com/2020/9/17/21443851/death-ransomware-attack-hospital-germany-cybersecurity

  2. Tomi Engdahl says:

    It was never a matter of *if* this would happen, it was only a matter of *when* this would happen:

    A Patient Dies After a Ransomware Attack Hits a Hospital

    https://www.wired.com/story/a-patient-dies-after-a-ransomware-attack-hits-a-hospital/

  3. Tomi Engdahl says:

    In addition to the criminals being liable, I think the hospital management should answer the question of why their organization is in such a state that they cannot do any life-saving treatments when their PCs are down, and why they have not treated their IT as a mission-critical system, meaning that they would have taken care of things like security updates and backup systems for the most critical parts.

    Maybe some journalist should start asking those hard questions of the responsible people in hospital management?

  4. Tomi Engdahl says:

    First ransomware-related death reported in Germany
    https://www.securitymagazine.com/articles/93409-first-ransomware-related-death-reported-in-germany

    The Duesseldorf University Clinic in Germany was hit by a ransomware attack last week that forced staffers to direct emergency patients elsewhere. The cyberattack “crippled the entire IT network of the hospital.” As a result, a woman seeking emergency treatment for a life-threatening condition died after she had to be taken to another city for treatment, according to several outlets.

    Though the attack occurred earlier during the week and the phone system was brought back online, other systems remained down. The hospital, however, said that “there was no concrete ransom demand,” and no clear indications that data is irretrievably lost and that its IT systems are being gradually restarted, according to AP News.

    According to a report from North Rhine-Westphalia state’s justice minister, 30 servers at the hospital were encrypted last week and an extortion note was left on one of the servers.

    Hospitals have a particularly challenging setting as they have to prioritize fighting healthcare-related fires all the time and have to work with software (and hardware) that takes years to certify for safety.

    “This means the compute infrastructure lags behind due to both business (lower priority expense) and technical (expensive and risky to upgrade) reasons,” Tiwari explains. “Perhaps the shift in mindset that hospital executives have to get to is that compute infrastructure in hospitals is key to healthcare, and computing failures are healthcare failures. Further, computing flaws are highly correlated and can spread quickly — ransomware or breach of large data stores or compromise of medical equipment on a network. These systemic failures look a lot different than safety faults in a machine that would be triggered in specific conditions, and computing failures will soon get a lot harder to get insurance for. With the right investments, there is recent technology that can lift and shift certified workloads into safer virtual machines and put defenses around it, and better identity and authorization methods that prevent small errors from scaling out organization wide.”

    According to a recent Check Point report, 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier – and more than 20 percent of the attacks used vulnerabilities that are at least seven years old. Jackson adds, “Patch management is a critical component to network security.”

    Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of IT security and compliance software, warns this incident won’t be the last time that cybersecurity has such a direct impact on human lives.

    “As the indiscriminate distribution of ransomware hits more IT systems and operational technology underpinning critical infrastructure, like hospitals, energy, and rail and traffic management, we will all be affected more by hacker-instigated disruption.”

  5. Tomi Engdahl says:

    Earlier case in UK:
    WannaCry also was complicit with many NHS medical complications.

    https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin

  6. Tomi Engdahl says:

    Cyber Attack Suspected in German Woman’s Death
    https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html

    Prosecutors believe the woman died from delayed treatment after hackers attacked a hospital’s computers. It could be the first fatality from a ransomware attack.

  7. Tomi Engdahl says:

    A patient has died after ransomware hackers hit a German hospital
    This is the first ever case of a fatality being linked to a cyberattack.
    https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/

  8. Tomi Engdahl says:

    Police launch homicide inquiry after German hospital hack
    https://www.bbc.com/news/technology-54204356

    Prosecutors open homicide case after cyber-attack on German hospital
    Incident in Düsseldorf could be first death caused by a cyber-attack, says UK’s former head of cybersecurity
    https://www.theguardian.com/technology/2020/sep/18/prosecutors-open-homicide-case-after-cyber-attack-on-german-hospital

  9. Tomi Engdahl says:

    https://www.iflscience.com/technology/critical-patient-dies-after-cyber-attack-disables-hospital-computers/

    A woman has died following a serious cyber attack on Düsseldorf University Hospital that disabled computer systems, marking what could be the first death directly caused by hackers.

    The patient, who was due to be moved to Düsseldorf University Hospital for critical care on September 11, instead had to be transferred to a hospital much further away. The lengthy transfer potentially denied the woman the care she needed, and she passed away in a hospital in Wuppertal, 30 kilometers (19 miles) away.

  10. Tomi Engdahl says:

    https://www.iflscience.com/technology/critical-patient-dies-after-cyber-attack-disables-hospital-computers/

    “If confirmed, this tragedy would be the first known case of a death directly linked to a cyber-attack. It is not surprising that the cause of this is a ransomware attack by criminals rather than an attack by a nation state or terrorists,” said Ciaran Martin, former chief executive of the UK’s National Cyber Security Centre, in a statement.

  11. Tomi Engdahl says:

    From discussion at https://m.facebook.com/groups/2344226875800424?view=permalink&id=2836379343251839

    “Tomi Engdahl, hospitals should just not be targeted, it is very low ethics; they spend money to buy materiel to save lives, why would they waste millions on IT security when they could open more beds with that money?”

    My comments:

    Yves Prignon I can agree that hospitals should just not be targeted, but thinking like that does not help in securing hospitals. Saying that attacking hospitals is wrong and will be punished strongly might reduce some targeted attacks, but does practically nothing to solve the problem of those non-targeted attacks against pretty random targets that are not protected. If they do not protect themselves, their systems will be encrypted automatically before the attacker has done any research into what their automated system is attacking. In this case that seems to be what happened, and when the attackers finally learned that the target was indeed a hospital they let them go without needing to pay. So there are often no ethics in the attacking, but there can be some ethical thinking at the time of payment (some who they think were wrongfully attacked can get a free pass out).

    They spend money to buy materiel to save lives, then they waste millions on IT systems and do not seem to be willing to pay some more money to keep them reasonably safe. For example, in Finland the new healthcare IT system being built is expected to cost over 600 million euros! Hundreds of dollars per patient!

    The hospital needs to either secure their IT or design their processes so that they will be able to work without IT one day, or when someone leaks out the sensitive info. That’s the world the hospitals need to adapt to work in. They have to invest something in security if they want to be networked, they need to invest in physical security to keep everybody safe, and they need to invest in doctors and nurses and beds, medical devices and medicine and building maintenance.

    If they just open more beds with all the money, and do not spend on other necessities, sooner or later they hit a disaster situation. That’s the cold reality.

    Yves Prignon
    “Perhaps the shift in mindset that hospital executives have to get to is that compute infrastructure in hospitals is key to healthcare, and computing failures are healthcare failures. Further, computing flaws are highly correlated and can spread quickly”
    “As the indiscriminate distribution of ransomware hits more IT systems and operational technology underpinning critical infrastructure, like hospitals, energy, and rail and traffic management, we will all be affected more by hacker-instigated disruption,”
    Source: https://www.securitymagazine.com/articles/93409-first-ransomware-related-death-reported-in-germany

  12. Tomi Engdahl says:

    A Brief History of: The killer Therac-25 Radiotherapy machine (Short Documentary)
    https://www.youtube.com/watch?v=-7gVqBY52MY

    Today we are looking at the Therac-25 Radiotherapy unit and its victims; however, unlike other radiotherapy units on this channel, the death toll was attributed to a fault in the unit’s software giving dangerous doses of radiation.

  13. Tomi Engdahl says:

    Why is your personal health information worth 350 dollars on the black market?
    https://cybernews.com/editorial/why-is-your-personal-health-information-worth-350-dollars-on-the-black-market/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=health_information_350_dollars

    A woman who died in Duesseldorf University Hospital during a ransomware attack might be the first victim linked to a cyberattack on a hospital. Bentsi Ben-Atar, a prominent cybersecurity expert, and chief marketing officer at Sepio Systems, says that it “only takes a number of highly publicized attacks” to drive significant budget increases in cybersecurity. At the moment, the healthcare system worldwide doesn’t invest enough to shield themselves from cyberattacks.

  14. Tomi Engdahl says:

    Major hospital system hit with cyberattack, potentially largest in U.S. history
    https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm

    Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend.

    A major hospital chain has been hit by what appears to be one of the largest medical cyberattacks in United States history.

    Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.

  15. Tomi Engdahl says:

    UHS hospitals hit by reported country-wide Ryuk ransomware attack
    https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
    Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems at healthcare facilities around the US after a cyber-attack that hit its network during early Sunday morning. UHS operates over 400 healthcare facilities in the US and the UK, has more than 90,000 employees and provides healthcare services to approximately 3.5 million patients each year.

  16. Tomi Engdahl says:

    UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware
    https://www.theregister.com/2020/09/28/united_health_services_ransomware/
    We’ve switched to back-up offline procedures, says Universal Health Services. Universal Health Services, which operates over 400 hospitals and healthcare facilities in the US, Puerto Rico, and the UK, said on Monday that its IT network was offline due to an unspecified cybersecurity issue.

  17. Tomi Engdahl says:

    UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware
    We’ve switched to back-up offline procedures, says Universal Health Services
    https://www.theregister.com/2020/09/28/united_health_services_ransomware/

  18. Tomi Engdahl says:

    Other hospitals get attacked:

    Hacked Hospital Chain Says All 250 US Facilities Affected
    https://www.securityweek.com/hacked-hospital-chain-says-all-250-us-facilities-affected

    The hospital chain Universal Health Services said Thursday that computer services at all 250 of its U.S. facilities were hobbled in last weekend’s malware attack and efforts to restore hospital networks were continuing.

    Doctors and nurses at affected hospitals and clinics, many already burdened with coronavirus care, have had to rely on manual record-keeping, with lab work slowed. Employees have described chaotic conditions impeding patient care.

    The chain has not commented on reports it was hit by ransomware, though its description of the attack in a statement Thursday was consistent with malware variety that encrypts data into gibberish that can only be restored with software keys after ransoms are paid.

    King of Prussia, Pennsylvania-based UHS said its “systems were quickly disconnected and the network was shut down in order to prevent further propagation.”

    The company, with 90,000 employees, said electronic medical records systems were not impacted by the attack and it was making steady progress restoring and reconnecting systems.

    UHS Shuts Down Systems in U.S. Hospitals Following Cyberattack
    https://www.securityweek.com/uhs-shuts-down-systems-us-hospitals-following-cyberattack

    Universal Health Services (UHS) over the weekend shut down the IT networks at multiple hospitals in the United States, after being hit with a cyberattack.

    A Fortune 500 company operating more than 400 facilities in the United States, Puerto Rico, and the United Kingdom, the healthcare services provider has approximately 90,000 employees and claimed an annual revenue of $11.4 billion for 2019.

  19. Tomi Engdahl says:

    Eastern European criminals are going after hospitals with ransomware – “could lead to patient deaths”
    https://www.tivi.fi/uutiset/tv/24196353-70a1-4a02-be4e-6e09c8b0fea9

  20. Tomi Engdahl says:

    Gartner predicts privacy law changes, consolidation of cybersecurity services and ransomware laws for next 4 years
    Gartner analysts also think weaponized operational technology will result in human casualties by 2025.
    https://www.zdnet.com/article/gartner-predicts-privacy-law-changes-consolidation-of-cybersecurity-services-and-ransomware-laws-for-next-4-years/

    The predictions ranged from potential legislation to how the market for certain technologies will change from now until 2025. Gartner analysts predicted weaponized OT environments will result in human casualties by 2025 due to malware that they believe will spread at “wirespeeds.” The analysts say by that time, cybercriminals will shift from business disruption to physical harm, leading to regulations placing liability on CEOs.

    For 2023, Gartner expects 75% of the world to be covered under some kind of privacy law with built-in subject rights requests and consent. The key, they said, will be whether privacy management programs can be automated.

