Death by malware

Years ago cyber security experts have expected that in coming years malware can start to kill people. If hackers attack your organization and you’re in an industry such as financial services, engineering, or manufacturing your risks are mostly monetary. But when it comes to healthcare cybersecurity, not only is there significant financial jeopardy, people’s health and wellbeing are also at risk. “Nation states and organized crime — real threat actors — are causing harm, damaging the safety and effectiveness of medical devices,” Fu warned.

Nowadays the situation is such that Someone died because of ransomware: Time to give hospitals emergency security care. Bad security in hospital systems combined with ransomware spreading criminals is a combination that seems to have contributed to deaths already. Those tragic sequence of events have drew the attention of cybercrime officials. Ransomware attacks put availability of medical devices at risk because “You can’t have a safe and effective medical device if it’s unavailable” due to ransomware. Not playing down, but likely there have been multiple cases because of services being bought to its its knees equating to time delays for critical care and resulting in death. Some incidents have already been on news:

In 2020 Cyber Attack Suspected in German Woman’s Death. German prosecutors tried to prove that a ransomware attack on a hospital was to blame for someone losing their life. On the night of September 11, paramedics in Düsseldorf, Germany, were alerted to the deteriorating condition of a 78-year-old woman suffering from an aortic aneurysm. The accident and emergency department was closed in nearest hospital due malware and the ambulance was directed to Helios University Hospital in Wuppertal, 32 kilometres away, which delayed the patient’s treatment by an hour. Following the attack, it was suggested that this may have been the first instance of death by ransomware. The ransomware attack was first spotted in the early hours of September 10, but it could have started much earlier. German police launched a negligent-homicide investigation and said they might hold the attackers responsible. But it turned out that Ransomware did not kill a German hospital patient in this case. It would have been the first time that law enforcement had considered a cyberattack to be directly responsible for a death, but it was subsequently determined that the patient died of other causes (likely would have died anyway).

The first death by malware as it could have happened already in 2019. Hackers Attacked a Hospital and Allegedly Killed a Newborn Baby and The mother is suing over what seems to be the first death caused by ransomware. “A ransomware attack against an Alabama hospital may have led to a baby’s death in 2019, one of the first known cases where a cyberattack had life-or-death consequences. … “ Wall Street Journal reported the first alleged death in a hospital attributed to ransomware happened in USA already in 2019. A 2019 cyberattack on an Alabama medical center allegedly impacted the normal operation of a fetal heartbeat monitor and a nurses’ station. Those monitors should have informed the staff of what was a life-threatening situation, alleges a medical malpractice lawsuit that Kidd has filed in the Circuit Court of Mobile County. The parents of a baby born with the umbilical cord wrapped around their neck who died nine months later following severe brain damage, are suing the hospital, which denies the allegations. This isn’t the first time that ransomware-related homicide charges have been brought, but it will be the first time that a case makes it to court.

Those are sad and worrying news. But unfortunately not unexpected. Some cyber security experts have been telling for years that it is just matter of time when malware has deadly consequences. Hospital environments is not the only case where people can be in danger if they are hit by malware gangs or cyber terrorists. Nowadays computers are everywhere, and attacks to cars, planes, trains, logistics and infrastructure (water,heating,electricity) can have deadly consequences.

Information links:

https://consoltech.com/blog/what-happens-if-your-computer-is-infected-by-malware/

Ransomware attacks put availability of medical devices at risk: FDA cyber chief
https://www.medtechdive.com/news/cyber-attacks-security-medical-devices-kevin-fu-advamed/607483/

Cyber Attack Suspected in German Woman’s Death
Prosecutors believe the woman died from delayed treatment after hackers attacked a hospital’s computers. It could be the first fatality from a ransomware attack.
https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html

Hackers Attacked a Hospital and Allegedly Killed a Newborn Baby
The mother is suing over what seems to be the first death caused by ransomware.
https://futurism.com/neoscope/hackers-hospital-allegedly-killed-newborn-baby

The untold story of a cyberattack, a hospital and a dying woman
German prosecutors tried to prove that a ransomware attack on a hospital was to blame for someone losing their life. Their story is a warning
https://www.wired.co.uk/article/ransomware-hospital-death-germany

Ransomware did not kill a German hospital patient
Still, police warn that it’s only a matter of time before hacking hospitals leads to tragic results.
https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/

Not playing down, but likely there have been multiple cases because of services being bought to its its knees equating to time delays for critical care and resulting in death. Imo nothing new/been an issue for a a while. Also likely magnified with the covid bs and lack of overall care resources, not to mention how bad cyber^IT systems (underfunded or lack of skills) are in places that run critical infra/services

“A ransomware attack against an Alabama hospital may have led to a baby’s death in 2019, one of the first known cases where a cyberattack had life-or-death consequences. … ”
https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/

Ransomware attack might have caused another death
https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/

HACKERS ATTACKED A HOSPITAL AND ALLEGEDLY KILLED A NEWBORN BABY
THE MOTHER IS SUING OVER WHAT SEEMS TO BE THE FIRST DEATH CAUSED BY RANSOMWARE.
https://futurism.com/neoscope/hackers-hospital-allegedly-killed-newborn-baby

Baby’s Death Alleged to Be Linked to Ransomware
https://threatpost.com/babys-death-linked-ransomware/175232/

https://hitconsultant.net/2021/01/05/death-by-ransomware-healthcare-cybersecurity/#.YViSBH2U9hE

https://thehill.com/opinion/cybersecurity/519267-someone-died-because-of-ransomware-hospitals-emergency-security

https://www.theverge.com/2021/9/27/22696097/hospital-ransomware-cyberattack-death-rates-patients

https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/

https://www.independent.co.uk/news/world/americas/hospital-ransomware-baby-death-lawsuit-b1930179.html

https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/

13 Comments

  1. Tomi Engdahl says:

    Vaarantavatko puutteet tietojärjestelmissä potilasturvallisuuden?
    Tuore tutkimus paljastaa merkittäviä ongelmia, jotka ovat ratkottavissa https://www.tivi.fi/kumppanisisallot/intersystems/vaarantavatko-puutteet-tietojarjestelmissa-potilasturvallisuuden-tuore-tutkimus-paljastaa-merkittavia-ongelmia-jotka-ovat-ratkottavissa/
    Potilasturvallisuus voi olla yllättävän usein koetuksella terveydenhoidon it-järjestelmissä, kertoo InterSystemsin teettämä hätkähdyttävä tutkimus. It-järjestelmillä on valtava potentiaali parantaa hoitoa, mutta ensin täytyy ratkaista joitain merkittäviä haasteita. Apotin, Duodecimin ja InterSystemsin johtajat kertovat, mitkä ovat kriittisimmät haasteet ja miten tilannetta voidaan korjata.

    Reply
  2. Tomi Engdahl says:

    A Death Due to Ransomware
    https://www.schneier.com/blog/archives/2021/10/a-death-due-to-ransomware.html
    The Wall Street Journal is reporting on a baby’s death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing. What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.

    Reply
  3. Tomi Engdahl says:

    Why the cybersecurity industry should treat civil society as critical infrastructure https://therecord.media/why-the-cybersecurity-industry-should-treat-civil-society-as-critical-infrastructure/
    Cybersecurity risks now affect everyone, but those risks aren’t the same everywhere. The Record spoke with Access Now’s Asia Policy Director and Senior International Counsel Raman Jit Singh Chima about how the human rights organization helps secure activists and journalists around the world. Chima, who also serves as the organization’s global security lead, shared details about risks facing human rights defenders in the Asia-Pacific regionfrom spyware and social media monitoring to disrupting access to certain apps or the entire Internet. Protecting civil society from these threats must be a key part of cybersecurity policy discussions, Chima told The Record, much like we think about how we need to protect power grids and other utilities that keep society functioning.

    Reply
  4. Tomi Engdahl says:

    Suit Blames Baby’s Death on Cyberattack at Alabama Hospital
    https://www.securityweek.com/suit-blames-babys-death-cyberattack-alabama-hospital

    An Alabama woman whose 9-month-old daughter died has filed suit against the hospital where she was born claiming it did not disclose that its computer systems had been crippled by a cyberattack, which resulted in diminished care that resulted in the baby’s death.

    Springhill Medical Center was deep in the midst of a ransomware attack when Nicko Silar was born July 17, 2019, and the resulting failure of electronic devices meant a doctor could not properly monitor the child’s condition during delivery, according to the lawsuit by Teiranni Kidd, the child’s mother.

    Left with severe brain injuries and other problems, the baby died last year after months of intensive care at another hospital.

    The lawsuit, initially filed in Mobile County in 2019 while Nicko was still alive, was first reported by The Wall Street Journal on Thursday.

    Reply
  5. Tomi Engdahl says:

    https://www.schneier.com/blog/archives/2021/10/a-death-due-to-ransomware.html

    What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.

    Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russianbased Ryuk gang, which was singling out hospitals at the time.

    They’re certainly never going to be held accountable.

    Reply
  6. Tomi Engdahl says:

    Is this the first ransomware death in the USA?
    https://www.pandasecurity.com/en/mediacenter/security/first-ransomware-death/
    A baby born in Alabama might be the first-ever death in the USA caused by a ransomware attack. According to a lawsuit filed in Alabama, a newborn baby ended up with severe brain injury because an expecting mother did not receive all necessary tests when admitted to a hospital to deliver her baby. The lawsuit alleges that if the hospital was functioning correctly, the tests she missed because of an ongoing cyber-attack would have shown that the babys umbilical cord was wrapped around the fetus neck that eventually caused brain damages.
    The baby died nine months later.

    Reply
  7. Tomi Engdahl says:

    The next big cyberthreat isn’t ransomware. It’s killware. And it’s just as bad as it sounds.
    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.usatoday.com%2Fstory%2Fnews%2Fpolitics%2F2021%2F10%2F12%2Fcybersecurity-experts-warn-killware-attacks-rival-ransomware%2F6042745001%2F&h=AT0424mINaKA5rhQye0p_Dxf_210ZoV6Ntq8_FWJDsWeHJ_a2hhbVKaHn32HrKhdSRTwjn98YR6Ifjm5qKY6VmagyEe9TgjkQjfhVYXoTw8bZQFy0YLqb_qj5sRyzfMxZA

    Hackers increasingly target infrastructure – from hospitals and water supplies to banks and transit – in ways that could injure or kill.

    As most Americans are still learning about the hacking-for-cash crime of ransomware, the nation’s top homeland security official is worried about an even more dire digital danger: killware, or cyberattacks that can literally end lives.

    But “there was a cyber incident that very fortunately did not succeed,” he added. “And that is an attempted hack of a water treatment facility in Florida, and the fact that that attack was not for financial gain but rather purely to do harm.”

    That attack on the Oldsmar, Florida, water system in February was intended to  distribute contaminated water to residents, “and that should have gripped our entire country,” Mayorkas said. 

    Mayorkas and cybersecurity experts said the Oldsmar intrusion was one of many indications that malicious hackers increasingly are targeting critical parts of the nation’s infrastructure – everything from hospitals and water supplies to banks, police departments and transportation – in ways that could injure or even kill people.

    “The attempted hack of this water treatment facility in February 2021 demonstrated the grave risks that malicious cyber activity poses to public health and safety,” Mayorkas told USA TODAY in a follow-up exchange. “The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us.”

    Like Mayorkas, private-sector computer security experts warn that so-called cyber-physical security incidents involving a wide range of critical national infrastructure targets could lead to loss of life. Those include oil and gas manufacturing and other elements of the energy sector, as well as water and chemical systems, transportation and aviation and dams.

    The rise of consumer-based products such as smart thermostats and autonomous vehicles means Americans live in a “ubiquitous cyber-physical systems world” that has become a potential minefield of threats, said Wam Voster, senior research director at the security firm Gartner.

    “The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” Voster wrote in an accompanying article.     

    In a report July 21, Gartner said there is enough evidence of increasingly debilitating and dangerous attacks to expect that by 2025, “cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.”

    Another example, Voster wrote, was the Triton malware that was first identified in December 2017 on the operational technology systems of a petrochemical facility. It was designed to disable the safety systems put in place to shut down the plant in case of a hazardous event.

    “If the malware had been effective, then loss of life was highly likely,” Voster wrote. “It is not unreasonable to assume that this was an intended result. Hence ‘malware’ has now entered the realm of ‘killware.’”

    A frightening target: Hospitals

    However, U.S. officials are concerned about the rash of ransomware attacks on hospitals, which have had to divert patients and cancel or defer critical surgeries, tests and other medical procedures, as was the case in a nationwide cyberattack on Universal Health Services, one of the largest U.S. health care providers, in September 2020.

    In hospital hacks, patients could die or suffer life-threatening complications, but it would be nearly impossible to find out unless medical centers offered that information, said a senior Department of Homeland Security official speaking on the condition of anonymity because he was not authorized to discuss security concerns.

    A year ago, the FBI, DHS and the Department of Health and Human Services issued a warning about attacks on hospitals, describing the tactics, techniques and procedures used by cybercriminals to infect systems with ransomware for financial gain.

    In Alabama, a woman sued a hospital this year, alleging that its failure to disclose a cyberattack on its systems resulted in diminished care that caused her baby’s death.

    Last year, a hacker attack caused the failure of information technology systems at a major hospital in Germany. That forced a woman who needed urgent admission to be taken to another city for treatment, where she died.

    Reply
  8. Tomi Engdahl says:

    Cybersecurity experts warn government and corporate leaders that they could be held financially or legally liable if breaches of computerized systems they oversee are found to have had a human impact.

     The firm estimated that the financial impact of cyber-physical security attacks resulting in fatalities will surpass $50 billion within a few years.

    “Even without taking the actual value of a human life into the equation,” Gartner concluded, “the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.”

    While ransomware attacks dominate the headlines, Mayorkas has begun sounding the alarm about cyber intrusions such as the one in Florida in which money wasn’t the primary motive.

    Several nations, including Iran, Russia and China, have penetrated elements of critical U.S. infrastructure, but there have been few instances of them taking any action.

    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.usatoday.com%2Fstory%2Fnews%2Fpolitics%2F2021%2F10%2F12%2Fcybersecurity-experts-warn-killware-attacks-rival-ransomware%2F6042745001%2F&h=AT0424mINaKA5rhQye0p_Dxf_210ZoV6Ntq8_FWJDsWeHJ_a2hhbVKaHn32HrKhdSRTwjn98YR6Ifjm5qKY6VmagyEe9TgjkQjfhVYXoTw8bZQFy0YLqb_qj5sRyzfMxZA

    Reply
  9. Tomi Engdahl says:

    The core problem is this belief that you can secure a computer to make it impenetrable. The only computer that is hack-proof, these days, is one with no power.

    We need to recognize that operational sides of these facilities need to be cut off from remote access. China and Russia, for the most part, have declared open season on infrastructure in the West.

    Reply
  10. Tomi Engdahl says:

    Did a hospital ransomware attack cause a baby’s death?
    https://www.advisory.com/daily-briefing/2021/10/12/ransomware

    In May, the Federal Bureau of Investigation warned ongoing ransomware attacks on medical providers and first responders could endanger the public and risk medical care delays. In addition, Joshua Corman, a senior advisor at the Cybersecurity and Infrastructure Security Agency, said ransomware can lead to dire consequences for hospitals and patients.

    “We can see that a cyberattack can strain [hospitals] enough to contribute to excess deaths,” Corman said.

    Under attack, an Alabama hospital struggled to monitor patients
    On July 8, 2019, Springhill Medical Center was hit by a ransomware attack—likely orchestrated by the hacking group Ryuk, the Journal reports. According to a hospital spokesperson, the hospital refused to pay the ransom, instead shutting down its network for at least three weeks before systems returned to normal.

    During the network outage, nursing staff and doctors struggled to perform routine tasks, like accessing medical records and monitoring patients’ vital signs. In the labor and delivery unit, staff were unable use a central monitoring system at the nurses’ station, which showed real-time vital signs of patients in 12 delivery rooms.

    Nurses were instructed to stay in or near their patients’ rooms, and they routinely checked a paper readout from the fetal heart monitors.

    Teiranni Kidd was one of the patients in the hospital’s labor and delivery unit during the outag

    According to nurses specializing in obstetrics and newborns, an abnormal increase in heart rate can mean that an entangled umbilical cord has cut off blood and oxygen to the fetus. Doctors commonly choose to deliver a baby by C-section in these cases due to the potential for brain injuries.

    However, only one person was monitoring Kidd’s vital signs at the time, the Journal reports, and it’s unclear whether the attending nurse noticed the rising heart rate or how it was interpreted.

    “If that nurse didn’t recognize it, it would have gone unnoticed,”

    Later that day, Kidd’s baby, Nicko, was born unresponsive with her umbilical cord wrapped around her neck. Nicko was soon transferred to the neonatal ICU at a nearby hospital and later diagnosed with significant brain damage.

    A day after Kidd’s delivery, the nurse manager examined Kidd’s heart monitor printout for “what [they] missed or if [they] could have called [the attending doctor] sooner.” After reviewing the printout on her own, Katelyn Parnell, the attending obstetrician, said she would have performed a C-section if she had been notified of the change in heart rate sooner, the Journal reports.

    “I need [you] to help me understand why I was not notified,” Parnell wrote in a text to the nurse manager. In another text she wrote, “[T]his was preventable.”

    The first alleged ransomware death
    According to Kidd, she was not aware of the ransomware attack when she was admitted to the hospital. In January 2020, she filed a medical malpractice lawsuit against Springhill in the Circuit Court of Mobile County, later amending it when her daughter died in April 2020.

    In her lawsuit, Kidd alleges information about her baby’s condition never reached Parnell because the attack removed the extra scrutiny the heart rate monitor would have received at the nurses’ station, the Journal reports. If Kidd’s allegations are proven in court, the case will be the first confirmed death from a ransomware attack.

    In response to the lawsuit, Springhill has denied any wrongdoing. Jeffrey St. Clair, Springhill’s CEO, said the hospital handled the ransomware attack appropriately.

    Advisory Board’s take
    3 steps to protect against (and prepare for) health care cybersecurity attacks

    So how should health care organizations prepare for this new reality of a technology driven health care world? I’ve detailed three crucial steps to consider.

    1. Regularly revisit back-up processes to ensure staff are prepared
    One of the first steps any provider organization is going to take after an attack is to shut off all systems to prevent further infection or data breaches. This often means physicians and staff will have to turn to manual processes

    2. Move cybersecurity up your organizational priority list and provide funding to match
    Every health care organization provides some standard defense measures and employee training. But too many organizations stop here and allow security awareness to become a temporary or annual campaign with limited funding. Instead, organizations need to embed security into their organizational culture.

    3. As you expand your digital ecosystem, be prepared for the new entry points it creates
    As adoption of telehealth, connected health devices, and the internet of things continues to expand, so too does the risk for hacking with new devices and applications. Increasingly, this risk lives outside the four walls of provider organizations and instead resides with patients and third parties with network access. When it comes to third-party technology vendors and service providers, it is important to both establish risk management standards at the contracting stage and regularly assess how those standards are being met. As telehealth usage has increased, we have also seen an increase in attacks directed at telehealth systems. Furthermore, patient connected health devices can place patient data and safety at risk while leaving providers with less control over the management of these devices.

    As health care providers continue to invest in new technologies to further care delivery and connect with patients, they must also proactively consider how to prevent these investments from weakening their overall security.

    Reply
  11. Tomi Engdahl says:

    “Killware”: Is it just as bad as it sounds?
    https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad-as-it-sounds/
    On October 12, after interviewing US Secretary of Homeland Security Alejandro Mayorkas, USA TODAY’s editorial board warned its readers about a dangerous new form of cyberattack under this eye-catching
    headline: “The next big cyberthreat isn’t ransomware. It’s killware.
    And it’s just as bad as it sounds.”

    Reply
  12. Tomi Engdahl says:

    What is killware?
    https://www.pandasecurity.com/en/mediacenter/security/what-is-killware/
    Killware is a type of malware that is being deployed with the sole intention of causing physical harm, even death. Cyber psychopaths deploying such malicious code have one goal to case pure real-life destruction.

    “Killware”: Is it just as bad as it sounds?
    https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad-as-it-sounds/
    On October 12, after interviewing US Secretary of Homeland Security Alejandro Mayorkas, USA TODAY’s editorial board warned its readers about a dangerous new form of cyberattack under this eye-catching
    headline: “The next big cyberthreat isn’t ransomware. It’s killware.
    And it’s just as bad as it sounds.”

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*