Patient Dies After Hospital Hit By Ransomware Attack (securityweek.com)
wiredmikey writes: A patient died after a German hospital was hit by a ransomware attack, when hackers thought they were targeting a university. German authorities said that what appears to have been a misdirected hacker attack impacted systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment. Duesseldorf police established contact and told the attacker that the hospital, and not the university, had been affected, endangering patients. The attacker then withdrew the extortion attempt and provided a digital key to decrypt the data.
Wow (Score:4, Insightful)
Re: (Score:3)
That is not how things work in Germany.
Re:Wow (Score:5, Informative)
The patient never even showed up at this hospital. They were referred to the other hospital before they ever left home because this hospital was not admitting patients.
Re: (Score:3)
Lots of American doctors do it because they care. They are caught up in a system that they can't control. If you want to practice medicine in the US, for whatever reason, you will most likely deal with insurance issues and other things like corporate and payroll taxes. Instead of practicing medicine you spend your time being a business person, fighting with insurance, dealing with accountants, dealing with lawyers - and at the end you have a giant bill and you say 'fuck, I need to charge more if I'm goi
Re:Wow (Score:5, Insightful)
However did we manage to treat patients 40 years ago without computers...
I would imagine we have computer technology that allows us to keep someone alive that we didn't have in the past. In the past, that person would have simply died sooner.
Re: (Score:2)
Badly. Two of my family members were saved last year and two years ago from things that were lethal in the 80s. A failure of this kind is not a reason to abandon the technology, but to improve it.
And a major step would be to finally introduce product liability for software bugs that create this kind of situation, which will change the tradeoff between that shiny new half-assed feature and security towards a more sane proportion.
Re:Wow (Score:5, Informative)
Many of these patients died 40 years ago.
40 years ago without these advanced computers and communication many of these procedures would have been extremely risky to perform.
Also a lot of time was wasted in moving of paperwork and a lot of useful information wasn't available.
They didn't manage to treat these patients 40 years ago. They often died in the attempt, or it was decided that they would not get treated, and they were allowed to get worse without an attempt to fix the problem.
Re:Wow (Score:5, Insightful)
Compared to modern electronic records, the paper records were much less detailed. A doctor, if requesting the medical records, will take the top few pages, while an ill patient could have a large stack of pages of useful details, as well as drug-to-drug interactions, allergies...
Now hospitals should have proper downtime procedures in place. This doesn't sound like they really didn't have that in place.
Re: (Score:2)
However did we manage to treat patients 40 years ago without computers...
Inefficiently, and with a vastly higher rate of injury and death due to "medical accidents" (e.g. administering the wrong medicine)
Re: (Score:3)
Often we didn't. People died at a much higher rate at hospitals in the past than they do today.
Re: (Score:2)
Billing may have killed him. If the hospital couldn't admit him as a patient and track treatment for the purpose of creating a bill, the hospital may have decided it was better to send him on his way rather than take the unacceptable risk of not being able to fully bill for his treatment.
Re: (Score:2)
In Germany?
Re: (Score:2)
However did we manage to treat patients 40 years ago without computers...
Yeah and a fuckton more died back then than do now.
Extortion Upgraded to Murder (Score:5, Insightful)
Re:Extortion Upgraded to Murder (Score:5, Insightful)
I'd be amazed if this was the first time this has happened, the other hospitals probably just covered it up to avoid any potential liability.
Re: (Score:2)
I'd be amazed if this was the first time this has happened, the other hospitals probably just covered it up to avoid any potential liability.
That's actually a good point. I don't think I've seen a study on how ransomware has affected patient outcomes. There were waves of hospitals being hit with ransomware not too long ago.
Re: (Score:2)
From what I have seen of the abysmal state of IT security in some really large hospitals, I completely agree.
Re: (Score:3)
At the very least it's a manslaughter charge. Accidental death caused by a crime. Yeah, that's some hard prison time.
At least a few US states will even upgrade that to a full-blown capital murder case, and that's a very very very unhappy life outcome for the bad dude.
Re: (Score:2)
I'm pretty sure we don't have anything like that here in Germany. Wikipedia suggests that it is something more or less limited to Anglo-Saxon countries.
Re:Extortion Upgraded to Murder (Score:5, Interesting)
In the USA, we have the "felony murder rule", which says that if you kill someone during a felony, it's a murder ...
Not just if one of the perps does it, too. If anybody involved dies. For instance, if the police at a bank robbery shoot one of the perps and he dies, the other perps are up for a count of murder one.
Not just the US either. It comes from English common law and predates the US revolution by about half a century, and variations of it are current in the UK, Australia, Canada, ...
In the US, because it's criminal law, it's a state matter and varies somewhat by state rather than being uniform.
In most jurisdictions, to qualify as an underlying offense for a felony murder charge, the underlying offense must present a foreseeable danger to life, and the link between the offense and the death must not be too remote. For example, if the recipient of a forged check has a fatal allergic reaction to the ink, most courts will not hold the forger guilty of murder, as the cause of death is too remote from the criminal act
In the US a ransomware ought to qualify just fine, even if the perp didn't realize his attack happened to include computers at a hospital. Some computers do life-critical stuff, so taking computers down and demanding a ransom to let them be recovered is right up there with firebombing a store in an extortion racket.
Re: (Score:2)
That is pretty much a complete perversion of the idea of right and wrong. Not that I am surprised.
Re: (Score:2)
How so? If someone dies because of a crime you committed then you should be responsible for it. Don't commit the crime if you aren't willing to do the time.
Re: (Score:3)
You really have no idea about fundamental legal principles. One is that you are only responsible for aspects you control. Another one is that punishment has to be in proportion to the crime.
Re: (Score:2)
Clearly I do since this is one that is commonly applied here. Perhaps we just have different legal codes that disagree on the matter. There is no ultimate truth in the universe. Therefore, each is equally valid. I suggest you act like an adult and realize that different societies do things differently and have different perspectives. What works for you does not work for me.
Re: (Score:2)
There is another aspect which says if you do X but also should have known Y could result from doing X, you are held accountable for Y as well as X. For example, if you set fire to a building with the intent of burning it down, but someone dies as a result of that arson (a firefighter trying to put out the fire), even though you only intended to burn down the building, you are held liable for that death because you should have known there was a
Re:Extortion Upgraded to Murder (Score:5, Informative)
You really have no idea about fundamental legal principles.
No, YOU have no idea about fundamental legal principles, since this IS one. This goes back at least to the 18th century, around the time of William Blackstone, when legal philosophy was being developed and criticized and formalized. It has stood over 200 years of criticism and analysis. I'd wager that you just found out about this about an hour ago when you read that post, and instantly decided that two and a half centuries of philosophy that you have never heard of must be wrong.
Re: (Score:2)
You think the US "justice" system is aware of fundamental legal principles? Also, I suggest you realize that this crime took part in Germany.
Re: (Score:2)
Don't be absurd, of course the US Justice system has fundamental legal principles. It's based upon common law, tempered with the US constitution. This makes its legal system and underlying assumptions and principles very similar to every other nation that sprang from the British empire. Major differences arise where the US constitution breaks with older convention but that's a discussion for another day.
Just because you don't like it or agree with it does not make it any less valid.
Also, I suggest you realize that this crime took part in Germany.
Oh I realize that. But this
Re: (Score:2)
Nobody questions there should be responsibility for the killing, but if there was no intent to kill, it should not be charged as first-degree murder. There is a reason second-degree murder and manslaughter charges exist too and that's what the felony-charge rule circumvents.
Re: (Score:3)
Does this apply to white-collar financial felonies?
Re: (Score:2)
If I recall it doesn't even have to be you that snuffs someone. If your accomplice gets shot by whoever you're robbing or falls down a staircase and breaks his neck that's still a murder charge against you.
Re: (Score:2)
In the USA,
No, in some US states there is a "felony murder rule". As murder is generally a state crime, the details vary from state to state.
Disclaimer: I am not a lawyer.
Re: (Score:2)
Germany has a sane legal system that requires intent for murder. Quite unlike the revenge- and hate-based system the US has.
Re: Extortion Upgraded to Murder (Score:2)
"Intent" in German law doesn't mean what you think it means.
Affirmatively accepting death is enough to qualify as intent (i.e. knowing that someone might very well die as a result, and knowingly take that chance).
Re: (Score:2)
And who did do the "billigende Inkaufnahme" here? Right. Nobody.
Re: (Score:2)
Not accidental at all. This should be prosecuted as one count of murder, and as many counts of attempted murder as there are patients in the hospital the perp attacked.
-jcr
Murder implies an intent to cause physical harm leading to death. If he had intentionally targeted a hospital then yes, murder is correct. But this squarely falls into manslaughter, and maybe aggravated assault for any other patients that may have been impacted.
Re: (Score:3)
Murder implies an intent to cause physical harm leading to death. If he had intentionally targeted a hospital then yes, murder is correct. But this squarely falls into manslaughter, and maybe aggravated assault for any other patients that may have been impacted.
Nope, not even then. "Murder" in any sane legal system, requires specific intent to kill. This falls under "accidental unintended killing". Incidentally, the police is not even investigating for that, because it is unclear whether the attacker would even be the guilty party. They are investigating because of the IT attack.
Re: (Score:2)
I'd see it as involuntary manslaughter too. Plus maybe a hundred assault charges for everyone else whose medical care was compromised during the event.
It's a ten year sentence for the manslaughter charge, that will keep him/her/it out of trouble for awhile. Assuming the police can catch the perpetrator.
Re:Extortion Upgraded to Murder (Score:5, Interesting)
That is not how the legal system works in Germany. There was no intent to kill, hence this cannot be murder. This is a legal system still aimed at reforming criminals, so it tries to be fair. The US system just tries to destroy those heretics that dared to violate the state-given quasi-divine order, hence it heaps any and all conceivable charges on the accused.
Re: (Score:2)
Indeed. And that is why there currently is _not_ an investigation because of the death. That is just somebody's imagination running wild. The original report just got corrected 20 minutes ago.
Re: (Score:2)
Mod parent up to FP. Short, but very much to the point. Two additional points could have been included.
(1) Murder in the commission of another crime is often regarded as a more serious crime.
(2) Many nations depend on computers. A lot. As in vulnerable to cyber-warfare. As in America really is #1 in being vulnerable. (Don't worry. The Chinese hordes can't attack us as long as they are still hoping to collect their money.)
Why'd they have to take the patient elsewhere? (Score:5, Insightful)
Ok, so the patient needed to be admitted urgently, what about this would need them to take the patient to another hospital if they were in that much distress.
It takes a computer to treat patients?
Re: (Score:2)
This is what you get when you let bean counters run an organisation - no usable backups , they cost money.
Re: (Score:2)
Could be that they couldn't access the medical records of the patient, and needed to move her to a location where they could. If someone comes in with an emergency problem that is related to a disease, you really need to know what that disease is if you wish to provide the correct response. When you have less than 20 minutes to fix the problem or lose the patient you can't start running tests.
Re: (Score:2)
When you have less than 20 minutes to fix the problem or lose the patient you can't start running tests.
From the article:
Doctors weren’t able to start treating her for an hour and she died.
However, it looks like she was transported directly from home. She was not actually waiting at the hospital to be admitted. She was sent directly to the other facility.
Re: (Score:2)
Could be that they couldn't access the medical records of the patient, and needed to move her to a location where they could.
Nope. Emergency care does not rely on the availability of records.
Re:Why'd they have to take the patient elsewhere? (Score:5, Interesting)
Strongly disagree. Consider e.g. treating a stroke patient.* There are two main kinds of strokes, with similar presentations, yet more or less opposite causes. Hemorrhagic strokes, which result from bleeding inside the brain, and ischemic strokes, which result from blood vessels that are obstructed, typically due to plaques or clots. Both kinds are common; the treatment for either type of stroke will badly worsen the other, and you may not have time to do scans to determine which type you're dealing with. Compounding the matter is that the patient may already be on clotting factors, blood thinners, or other drugs that may interact with the ones you need to push immediately, or else the outcome is likely to be bad. You have to know all this and you have to know it now. Either electronic or paper records would contain this information. But you need those records NOW. If you can't get them instantly, you may worsen the patient's condition, or kill the patient outright.
The 2 takeaways I see:
1. Interfering with hospital networks and systems can be deadly, not just for emergency care but especially for emergency care. It should be deterred, prevented, mitigated, and if all else fails, punished severely enough to motivate others not to do so.
2. Since it might happen in spite of your best efforts, hospitals and similar institutions should have emergency plans in place for this sort of event. One thought might be to print paper records summarizing what one might need to know if treating the patient in question for any sort of common medical emergency. Not as good as a complete chart, but still way better than nothing, as well as more practical than printing every page of every chart every time something in it changes.
* Yeah, I'm oversimplifying. Blockages, dissections, traumas, and other things can cause a person to have both at the same time. It still makes my point.
** No, I'm not a doctor or other medical professional, nor do I play one on TV; this isn't medical advice, even if I were a doctor I'm not *your* doctor, yadda yadda etc.
Re:Why'd they have to take the patient elsewhere? (Score:5, Interesting)
Almost everything in today's hospitals is a computer. Our ultrasound machines run on anything from DOS to Windows 7, so do MRI's, CT's, many x-ray machines and other diagnostic devices. Even those that run other embedded systems are commonly operated from a Windows computer. And ever more of those devices are plugged into the hospital network. Images, lab results etc. feed into digital databases, often without any paper backup. Our cath lab is inoperable without computers, so are several vital pieces of gear in our OR's.
The news reports released so far are light on details, but if the patient had suffered from anything that needed imaging or a lab to diagnose and subsequently treat, then yes, it may well have taken a computer to treat her. This could have been a condition as ordinary as a heart attack or stroke.
Many hospitals – and far too many companies in general – still treat IT as "the people who fix printers" instead of the mission-critical backbone of their whole enterprise. Sometimes this comes at the cost of human life.
Re: (Score:2)
Ok, so the patient needed to be admitted urgently, what about this would need them to take the patient to another hospital if they were in that much distress.
It takes a computer to treat patients?
It is pretty clear something else went badly wrong here. Apparently, this person had to make an additional 1h journey in the ambulance. That is not how the German medical system is supposed to work.
Patients die all the time (Score:2, Insightful)
In fact, ransomwares caused the least patients to die in the history of modern medicine. Think of Tesla and road accidents. It's only news because it's Tesla.
Re: (Score:2)
It's only news because it's Tesla.
No it's news when a computer is at the wheel. No one cares if you crash your Tesla due to your own stupidity.
Just because patients die all the time doesn't mean it's not worthy to note that they were killed by a common (previously considered harmless to health) scam.
Re: (Score:3)
"If we are not extremely careful, we come to believe that the unusual is usual: that this is what the world looks like." -Hans Rosling [ucf.edu]
I highly recommend his book.
Murder anyone? (Score:2)
The attacker should be prosecuted for murder. After all, he deliberately went out of his way to perform a crime. Someone died of that crime, he should be prosecuted and put in prison for a looooong time.
On the other hand: this is also gross negligence by the hospital. They should have had their security in order, apparently they had not. The hospital should be ordered to pay the relatives of the victim a substantial amount of money for their negligence.
Re: (Score:2)
The attacker should be prosecuted for murder. After all, he deliberately went out of his way to perform a crime. Someone died of that crime, he should be prosecuted and put in prison for a looooong time.
Manslaughter, not murder. The intended target was a university, not a hospital. By targeting a university there is no reasonable expectation that bodily harm could be done to someone. If he intentionally targeted the hospital then there is a reasonable expectation that someone could be injured worse or killed and a murder charge would be warranted. But still yes, lock him up.
Re: (Score:2)
Not currently applicable in Germany, nor generally outside of common-law jurisdictions, as noted by others above. But maybe it should be. It evolved in our legal system many centuries ago, as an added layer of deterrent against participating in a dangerous felony. And this is a pretty good example of why it is necessary.
Here is a brief overview [justia.com]. This Wikipedia article [wikipedia.org] goes into a little more detail.
Re: (Score:2)
My local university has both a teaching hospital and nuke reactor on campus.
Re:Murder anyone? (Score:5, Insightful)
So American. Always trying to fix things by putting people in jail forever and draining resources from the places most in need.
The perpetrator did not intend to kill someone. It was an accident. That is involuntary manslaughter, not murder. The attacker can almost certainly be rehabilitated. Punish appropriately.
The hospital did not intend to get hit by ransomware. The hospital should be forced to undergo security compliance audits. It should not be made to pay huge fines. That just drives up cost for society while not actually encouraging improved behaviour.
Re: (Score:2)
When rule of law doesn't work, e.g., when it fails to adequately punish the perpetrators of serious crimes, you end up with endless cycles of revenge and retribution instead. Ultimately, it's in everyone's interest to make sure that the law is sufficient to adequately punish any serious crime, and thereby deter others from committing a similar one.
As to the tendency of U.S. states to imprison people at far higher rates than any other developed nation, I'm very much opposed to that, but, generally, it is no
Re: (Score:2)
If the attacker did not give the decryption key after being told this was a hospital then any other patient who would die due to the attack would most likely be considered murder. Now he'll probably get manslaughter, extortion and whatever hacking is called in the law. If he's in a Western country, he's probably washing his pants and deleting all possible evidence from his equipment.
broken hospital system (Score:2)
If patients are dying because the computer is down then the system is broken. Fix the system, have backup processes, save people. No one needed to die.
Re:broken hospital system (Score:5, Insightful)
> If patients are dying because the computer is down then the system is broken. Fix the system, have backup processes, save people. No one needed to die.
Can confirm. Was involved in hospital disaster recovery in a former life. The bastard in charge would, once a year, go into the data center and cut power. That's why he was the bastard in charge - no bullshit survived, no feelings kept the computer systems running.
Despite all the speculation on IT, this seems like it was a triage problem. She was misdiagnosed before being sent elsewhere, I'm sure. Either that or somebody is criminally negligent in this.
Modern people hate that things like triage have an error rate. Even Starfleet Sick Bay had a death rate because not everybody can be saved. And our science is orangs-going-spearfishing compared to a medical tricorder.
"Dialysis? My god, what is this, the Dark Ages?"
It's true, tho.
In other news: IT department still unharmed (Score:2)
First of all, any kind of ransomware attack is a sign that the IT department must have messed up badly. Backups and network segmentation are cheap and IT security has lots of parallels to hygiene, something that healthcare professionals understand well.
The current technical rumours were that it was the Citrix bug from half a year ago. Apparently the IT department still hasn't managed to update their servers.
The problem with many system designers (Score:2)
tltl (Score:2)
Sorry, but that's not good enough.
The hackers are just trying to save face at the moment. Their gesture would have meant something but it's too late now, they already have blood on their hands.
Before, it was extortion.
Now, it's murder.
Some possible ways to prevent this (Score:2)
Re: (Score:3)
After that they should be hanged publicly.
Re: (Score:2)
Spoken like a true cave-man.
Re: (Score:2)
Put the guns away -- these aren't armed criminals in a hostage situation. Arrest them calmly, then hold a trial to make sure you actually arrested the right suspects (because mistakes happen all the time). Remember: Innocent until proven guilty.
Re: (Score:2)
If however it's a criminal gang then they might well be armed and dangerous.
Re: (Score:2)
Might be. There's still ways to arrest them from street corners, etc, without going in guns blazing.
Re: (Score:2)
Germany is not a country of vicious barbarians, so no. At the very max, involuntary manslaughter, but even that charge is currently not on the table.
Re: (Score:2)
Or the Jews.
Re: (Score:3)
You are wrong. They did exactly what they should have done: prioritised the patients that they had and redirect incoming cases to other hospitals that were operating at full efficiency. They may still have been investigating the full extent of the hack, so if there was a possibility that other systems would start going down, it would be unethical to put more patients in danger. We don't have enough information yet to start judging.
Besides, it is not the only hospital in Düsseldorf that has an emergency