A patient at Düsseldorf University Hospital died after a ransomware attack took the hospital's systems offline, in what is reportedly the first death directly linked to a cyber attack.
Because the hospital could no longer accept emergency patients, the woman, who needed urgent treatment for a life-threatening condition, was diverted to a hospital about 20 miles away, the Associated Press reported.
German prosecutors have since opened a homicide investigation into the incident, and the country's cyber security agency, the Federal Office for Information Security (BSI), was brought in to help get the hospital fully operational again.
Bad luck or a ticking timebomb?
An already tragic story was made more so by a report from the German news outlet RTL, which claimed that the attack was never intended for the hospital.
The ransom note was addressed to a nearby university, which suggests that the attackers did not realise they had infected one of the largest hospitals in western Germany.
The criminals withdrew their demand once they learned that the attack had shut down the hospital, but by then the damage had been done.
It would be easy to chalk this up to bad luck, but it is just as accurate to say that it was only a matter of time before something like this happened.
Arne Schönbohm, president of the BSI, confirmed that the attackers got in through a vulnerability in a Citrix VPN system; the flaw had been publicly known, and known to the hospital, since December 2019, leaving a window of many months between the warning and the attack in which an internet-facing gateway remained unpatched.
“I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately,” said Schönbohm. “This incident shows once again how seriously this danger must be taken.”
Same old story
The healthcare sector has been a lucrative target for cyber criminals for years, because of its apparent reluctance to invest in better defences and, in particular, its widespread reliance on legacy systems.
The UK saw the damage that dependence on legacy systems can cause during the WannaCry attack in 2017.
Many NHS organisations were still running Windows XP, which Microsoft had stopped supporting in 2014, alongside newer Windows machines that had not been patched; the worm spread through a Windows SMB vulnerability that Microsoft had fixed for supported systems two months earlier, and it disrupted 80 NHS trusts at an estimated cost of £92 million.
Plenty of think pieces were written at the time about how hospitals needed to do a better job of preventing attacks, because a future attack might result in deaths.
Yet, as of last year, more than 2,300 NHS PCs were still running Windows XP, despite a £150 million deal the government had signed with Microsoft to move its devices to Windows 10.
Given the spate of attacks on hospitals during the coronavirus pandemic, in the UK and around the world, it was only a matter of time before the conversation moved beyond the financial and logistical damage of cyber attacks to their human cost.
Hopefully this incident will serve as a wake-up call for hospitals, which urgently need to prioritise their security strategies and recognise that a cyber attack can be just as damaging as a physical one.