First ransomware-related death reported in Germany

From the ER to the Executive Suite, Hospitals Tighten Up

September 21, 2020

The Duesseldorf University Clinic in Germany was hit by a ransomware attack last week that forced staffers to direct emergency patients elsewhere. The cyberattack “crippled the entire IT network of the hospital." As a result, a woman seeking emergency treatment for a life-threatening condition died after she had to be taken to another city for treatment, according to several outlets.

Though the attack occurred earlier during the week and the phone systems was brought back online, other systems remained down.The hospital, however, said that that “there was no concrete ransom demand,” and no clear indications that data is irretrievably lost and that its IT systems are being gradually restarted, according to AP News.

According to report from North Rhine-Westphalia state’s justice minister, 30 servers at the hospital were encrypted last week and an extortion note left on one of the servers, news agency dpa reported, says AP News. The note called on the addressees to get in touch, but didn’t name any sum and was addressed to the Heinrich Heine University, to which the Duesseldorf hospital is affiliated, and not to the hospital itself.

Duesseldorf police then established contact and told the perpetrators that the hospital, and not the university, had been affected, endangering patients. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data, AP News reports.

Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, a San Francisco, Calif.-based provider of cutting-edge Data Store and Object Security (DSOS), notes that hospitals have a particularly challenging setting as they have to prioritize fighting healthcare-related fires all the time and have to work with software (and hardware) that takes years to certify for safety.

"This means the compute infrastructure lags behind due to both business (lower priority expense) and technical (expensive and risky to upgrade) reasons," Tiwari explains. "Perhaps the shift in mindset that hospital executives have to get to is that compute infrastructure in hospitals is key to healthcare, and computing failures are healthcare failures. Further, computing flaws are highly correlated and can spread quickly -- ransomware or breach of large data stores or compromise of medical equipment on a network. These systemic failures look a lot different than safety faults in a machine that would be triggered in specific conditions, and computing failures will soon get a lot harder to get insurance for. With the right investments, there is recent technology that can lift and shift certified workloads into safer virtual machines and put defenses around it, and better identity and authorization methods that prevent small errors from scaling out organization wide.”

Terence Jackson, Chief Information Security Officer at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, notes, “The outcome of this event is tragic. I offer condolences to the family of the patient. Yet, this highlights that the consequences of a ransomware attack can be deadly. As details are still emerging, it is thought that the ransomware exploited a vulnerability that a patch had been released to remediate."

According to a recent Check Point report, 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier – and more than 20 percent of the attacks used vulnerabilities that are at least seven years old. Jackson adds, "Patch management is a critical component to network security.”

Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says that, "In the early days of COVID-19, we saw actors stating that they wouldn't target healthcare, so at least some criminal element is publicly against these sorts of attacks. Opportunistic ransomware actors who cast a wide net may not realize that many university systems have significant healthcare components that conduct research and treat patients. Law enforcement agencies are already highly focused on ransomware operators. Still, any attacks that result in the loss of life will only increase the criminals' risk of indictments and arrests. It will be interesting to see how targeting evolves in the future due to this tragic event, but I wouldn't place bets on all criminals avoiding healthcare institutions. There is no honor among thieves.”

Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of IT security and compliance software, warns this incident won’t be the last time that cybersecurity has such a direct impact on human lives. "As the indiscriminate distribution of ransomware hits more IT systems and operational technology underpinning critical infrastructure, like hospitals, energy, and rail and traffic management, we will all be affected more by hacker-instigated disruption," Kedgley says. "As with WannaCry, it seems likely that the vulnerability exploited here was months old, so in theory there was time to mitigate the threat in theory, but it illustrates the importance of running vulnerability scans and acting on findings at least every 30 days if not more frequently. This becomes more difficult in a 24/7 operation like a hospital or power station, where resolving the conflict between the demand for continuous uptime, and maintaining cybersecurity, gets really tough.”

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.