Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security IT Technology

Patient Dies After Hospital Hit By Ransomware Attack (securityweek.com) 167

wiredmikey writes: A patient died after a German hospital was hit by ransomware attack, when hackers thought they were targeting a university. German authorities said that what appears to have been a misdirected hacker attack impacted systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment. Duesseldorf police established contact and told the attacker that the hospital, and not the university, had been affected, endangering patients. The attacker then withdrew the extortion attempt and provided a digital key to decrypt the data.
This discussion has been archived. No new comments can be posted.

Patient Dies After Hospital Hit By Ransomware Attack

Comments Filter:
  • Wow (Score:4, Insightful)

    by Anonymous Coward on Thursday September 17, 2020 @09:06AM (#60515262)
    However did we manage to treat patients 40 years ago without computers...
    • Re: (Score:3, Insightful)

      by photonrider ( 571060 )
      The number one takeaway from this event should be that hospitals are too dependent on technology. They should have been able to admit and begin treatment.
    • Re:Wow (Score:5, Insightful)

      by shadowrat ( 1069614 ) on Thursday September 17, 2020 @09:58AM (#60515488)

      However did we manage to treat patients 40 years ago without computers...

      I would imagine we have computer technology that allows us to keep someone alive that we didn't have in the past. In the past, that person would have simply died sooner.

    • Badly. Two of my family members were saved last year and two years ago from things that were lethal in the 80s. A failure of this kind is not a reason to abandon the technology, but to improve it.

      And a major step would be to finally introduce product liability for software bugs that create this kind of situation, which will change the tradeoff between that shiny new half-assed feature and security towards a more sane proportion.

    • Re:Wow (Score:5, Informative)

      by jellomizer ( 103300 ) on Thursday September 17, 2020 @10:03AM (#60515516)

      Many of these patients died 40 years ago.

      40 years ago without these advanced computers and communication many of these procedures would have been extremely risky to perform.
      Also a lot of time was wasted in moving of paperwork and a lot of useful information wasn't available.

      They didn't manage to treat these patents 40 years ago. They often died in the attempt, or were decided to be not get treated, and allowed to get worse without an attempt to fix the problem.
       

    • by ljw1004 ( 764174 )

      However did we manage to treat patients 40 years ago without computers...

      Inefficiently, and with a vastly higher rate of injury and death due to "medical accidents" (e.g. administering the wrong medicine)

    • Often we didn't. People died at a much higher rate at hospitals in the past than they do today.

    • by ebonum ( 830686 )

      Billing may have killed him. If the hospital couldn't admitted him as a patient and track treatment for the purpose of creating a bill, the hospital may have decided it was better to send him on his way rather than take the unacceptable risk of not being able to fully bill for his treatment.

    • However did we manage to treat patients 40 years ago without computers...

      Yeah and a fuckton more died back then than do now.

  • by Koreantoast ( 527520 ) on Thursday September 17, 2020 @09:09AM (#60515274)
    If the hacker is within the Western world, they've got to be feeling some heat since they've just gone from "simple" extortion to murder.
    • by AmiMoJo ( 196126 ) on Thursday September 17, 2020 @09:16AM (#60515308) Homepage Journal

      I'd be amazed if this was the first time this has happened, the other hospitals probably just covered it up to avoid any potential liability.

      • I'd be amazed if this was the first time this has happened, the other hospitals probably just covered it up to avoid any potential liability.

        That's actually a good point. I don't think I've seen a study on how ransomware has affected patient outcomes. There were waves of hospitals being hit with ransomware not too long ago.

      • by gweihir ( 88907 )

        From what I have seen of the abysmal state of IT security in some really large hospitals, I completely agree.

    • At the very least its a manslaughter charge. Accidental death caused by a crime. Yeah, thats some hard prison time.

      At least a few US states will even upgade that to a full blown capital murder case, and thats a very very very unhappy life outcome for the bad dude

    • by Dunbal ( 464142 ) *
      Those who designed the hospital computer system are complicit, however. When your backup solution (or lack of one) puts lives in danger, that's no solution. I don't need an electronic patient file to treat patients and save lives. That's an admin thing.
      • by gweihir ( 88907 )

        Indeed. And that is why there currently is _not_ an investigation because of the death. That is just somebodies imagination running wild. The original report just got corrected 20 minutes ago.

    • by shanen ( 462549 )

      Mod parent up to FP. Short, but very much to the point. Two additional points could have been included.

      (1) Murder in the commission of another crime is often regarded as a more serious crime.

      (2) Many nations depend on computers. A lot. As in vulnerable to cyber-warfare. As in America really is #1 in being vulnerable. (Don't worry. The Chinese hordes can't attack us as long as they are still hoping to collect their money.)

  • by BradyB ( 52090 ) on Thursday September 17, 2020 @09:19AM (#60515334) Homepage

    Ok, so the patient needed to be admitted urgently, what about this would need them to take the patient to another hospital if they were in that much distress.

    It takes a computer to treat patients?

    • by Viol8 ( 599362 )

      This is what you get when you let bean counters run an organisation - no usable backups , they cost money.

    • Could be that they couldn't access the medical records of the patient, and needed to move her to a location where they could. If someone comes in with an emergency problem that is related to a disease, you really need to know what that disease is if you wish to provide the correct response. When you have less than 20 minutes to fix the problem or lose the patient you can't start running tests.

      • When you have less than 20 minutes to fix the problem or lose the patient you can't start running tests.

        From the article:

        Doctors weren’t able to start treating her for an hour and she died.

        However, it looks like she was transported directly from home. She was not actually waiting at the hospital to be admitted. She was sent directly to the other facility.

      • They can't call a nearby hospital with access to the record? No Fax machine? That is much faster than shipping someone over.
      • by gweihir ( 88907 )

        Could be that they couldn't access the medical records of the patient, and needed to move her to a location where they could.

        Nope. Emergency care does not rely on the availability of records.

        • by Joey Vegetables ( 686525 ) on Thursday September 17, 2020 @01:02PM (#60516312) Journal

          Strongly disagree. Consider e.g. treating a stroke patient.* There are two main kinds of strokes, with similar presentations, yet more or less opposite causes. Hemorrhaegic strokes, which result from bleeding inside the brain, and ischemic strokes, which result from blood vessels that are obstructed, typically due to plaques or clots. Both kinds are common; the treatment for either type of stroke will badly worsen the other, and you may not have time to do scans to determine which type you're dealing with. Compounding the matter is that the patient may already be on clotting factors, blood thinners, or other drugs that may interact with the ones you need to push immediately, or else the outcome is likely to be bad. You have to know all this and you have to know it now. Either electronic or paper records would contain this information. But you need those records NOW. If you can't get them instantly, you may worsen the patient's condition, or kill the patient outright.

          The 2 takeaways I see:

              1. Interfering with hospital networks and systems can be deadly, not just for emergency care but especially for emergency care. It should be deterred, prevented, mitigated, and if all else fails, punished severely enough to motivate others not to do so.

              2. Since it might happen in spite of your best efforts, hospitals and similar institutions should have emergency plans in place for this sort of event. One thought might be to print paper records summarizing what one might need to know if treating the patient in question for any sort of common medical emergency. Not as good as a complete chart, but still way better than nothing, as well as more practical than printing every page of every chart every time something in it changes.

          * Yeah, I'm oversimplifying. Blockages, dissections, traumas, and other things can cause a person to have both at the same time. It still makes my point.

          ** No, I'm not a doctor or other medical professional, nor do I play one on TV; this isn't medical advice, even if I were a doctor I'm not *your* doctor, yadda yadda etc.

    • by silanea ( 1241518 ) on Thursday September 17, 2020 @09:55AM (#60515478)

      Almost everything in today's hospitals is a computer. Our ultrasound machines run on anything from DOS to Windows 7, so do MRI's, CT's, many x-ray machines and other diagnostic devices. Even those that run other embedded systems are commonly operated from a Windows computer. And ever more of those devices are plugged into the hospital network. Images, lab results etc. feed into digital databases, often without any paper backup. Our cath lab is inoperable without computers, so are several vital pieces of gear in our OR's.

      The news reports released so far are light on details, but if the patient had suffered from anything that needed imaging or a lab to diagnose and subsequently treat, then yes, it may well have taken a computer to treat her. This could have been a condition as ordinary as a heart attack or stroke.

      Many hospitals – and far too many companies in general – still treat IT as "the people who fix printers" instead of the mission-critical backbone of their whole enterprise. Sometimes this comes at the cost of human life.

    • It takes a computer to tell if a room / surgeon / ... is available and the way to contact them.
    • by gweihir ( 88907 )

      Ok, so the patient needed to be admitted urgently, what about this would need them to take the patient to another hospital if they were in that much distress.

      It takes a computer to treat patients?

      It is pretty clear something else went badly wrong here. Apparently, this person had to make an additional 1h journey in the ambulance. That is not how the German medical system is supposed to work.

  • In fact, ransomwares caused the least patients to die in the history of modern medicine. Think of Tesla and road accidents. It's only news because it's Tesla.

    • It's only news because it's Tesla.

      No it's news when a computer is at the wheel. No one cares if you crash your Tesla due to your own stupidity.

      Just because patients die all the time doesn't mean it's not worthy to note that they were killed by a common (previously considered harmless to health) scam.

    • Things you hear about in the news are rare. If they were common, they wouldn't be interesting.

      "If we are not extremely careful, we come to believe that the unusual is usual: that this is what the world looks like." -Hans Rosling [ucf.edu]

      I highly recommend his book.
  • Comment removed based on user account deletion
    • This is a murder. But when a whole company has to shutdown due to a ransomware attack, leaving many employees out in the cold, that's not much better.
  • The attacker should be prosecuted for murder. After all, he deliberately went out of his way to perform a crime. Someone died of that crime, he should be prosecuted and put in prison for a looooong time.

    On the other hand: this is also gross negligence by the hospital. They should have had their security in order, apparently they had not. The hospital should be ordered to pay the relatives of the victim a substantial amount of money for their negligence.

    • by Nidi62 ( 1525137 )

      The attacker should be prosecuted for murder. After all, he deliberately went out of his way to perform a crime. Someone died of that crime, he should be prosecuted and put in prison for a looooong time.

      Manslaughter, not murder. The intended target was a university, not a hospital. By targeting a university there is no reasonable expectation that bodily harm could be done to someone. If he intentionally targeted the hospital then there is a reasonable expectation that someone could be injured worse or killed and a murder charge would be warranted. But still yes, lock him up.

      • Felony murder doctrine.
        • Not currently applicable in Germany, nor generally outside of common-law jurisdictions, as noted by others above. But maybe it should be. It evolved in our legal system many centuries ago, as an added layer of deterrent against participating in a dangerous felony. And this is a pretty good example of why it is necessary.

          Here is a brief overview [justia.com]. This Wikipedia article [wikipedia.org] goes into a little more detail.

      • My local university has both a teaching hospital and nuke reactor on campus.

    • Re:Murder anyone? (Score:5, Insightful)

      by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Thursday September 17, 2020 @10:55AM (#60515792)

      So American. Always trying to fix things by putting people in jail forever and draining resources from the places most in need.

      The perpetrator did not intend to kill someone. It was an accident. That is involuntary manslaughter, not murder. The attacker can almost certainly be rehabilitated. Punish appropriately.
      The hospital did not intend to get hit by ransomware. The hospital should be forced to undergo security compliance audits. It should not be made to pay huge fines. That just drives up cost for society while not actually encouraging improved behaviour.

      • When rule of law doesn't work, e.g., when it fails to adequately punish the perpetrators of serious crimes, you end up with endless cycles of revenge and retribution instead. Ultimately, it's in everyone's interest to make sure that the law is sufficient to adequately punish any serious crime, and thereby deter others from committing a similar one.

        As to the tendency of U.S. states to imprison people at far higher rates than any other developed nation, I'm very much opposed to that, but, generally, it is no

  • by account_deleted ( 4530225 ) on Thursday September 17, 2020 @09:56AM (#60515480)
    Comment removed based on user account deletion
    • If the attacker did not give the decryption key after being told this was a hospital then any other patient who would die due to the attack would most likely be considered murder. Now he'll probably get manslaughter, extortion and whatever hacking is called in the law. If he's in a Western country, he's probably washing his pants and deleting all possible evidence from his equipment.

  • If patients are dying because the computer is down then the system is broken. Fix the system, have backup processes, save people. No one needed to die.

    • In the ER everything has to go quick and fast. Even with a successful backup, reinstalling safely the whole chain, OSes, workstations, network and file systems takes time.
    • by bill_mcgonigle ( 4333 ) * on Thursday September 17, 2020 @10:40AM (#60515712) Homepage Journal

      > If patients are dying because the computer is down then the system is broken. Fix the system, have backup processes, save people. No one needed to die.

      Can confirm. Was involved in hospital disaster recovery in a former life. The bastard in charge would, once a year, go into the data center and cut power. That's why he was the bastard in charge - no bullshit survived, no feelings kept the computer systems running.

      Despite all the speculation on IT, this seems like it was a triage problem. She was misdiagnosed before being sent elsewhere, I'm sure. Either that or somebody is criminally negligent in this.

      Modern people hate that things like triage have an error rate. Even Starfleet Sick Bay had a death rate because not everybody can be saved. And our science is orangs-going-spearfishing compared to a medical tricorder.
        "Dialysis? My god, what is this, the Dark Ages?"

      It's true, tho.

  • First of all, any kind of ransomware attack is a sign that the IT department must have messed up badly. Backups and network segmentation is cheap and IT security has lots of parallels to hygiene, something that healthcare professionals understand well.

    The current technical rumours were that it was the Citrix bug from half a year ago. Apparently the IT department still hasn't managed to update their servers.

    • by djp2204 ( 713741 )
      The local authority may have some obtuse change control process that the IT department has to go through to patch those systems, where the software has to be tested and certified to a certain degree. In the pharma industry, the process control systems run off Windows Server 2008, because that is the product that the automation suppliers have certified for their products for as meeting data integrity standards, and they have not received certification for the latest Windows version.
  • Is that they don't take into account how the system performs when things break. To often the focus is to deliver a working system and the attention is on routine operations. At a minimum, when designing a high impact system (say a large social media system) or high consequence (say hospital operations) you should have an independent adversarial team and an independent review team. The definition of independent is a team that is entirely outside the reporting structure and has an independent budget.
  • Sorry, but that's not good enough.

    The hackers are just trying to save face at the moment. Their gesture would have meant something but it's too late now, they already have blood on their hands.

    Before, it was extortion.

    Now, it's murder.

  • My firm did a detailed risk analysis of malware attacks, and implemented the following to mitigate ransomware - 1. Block all email attachments. Use file exchange drop boxes instead 2. Air gap networks for mission critical equipment/systems 3. Block USB drives/ports on computers. 4. Web filtering on company computers. This doesn't create as much inconvenience as people think and it mitigates much (not all) of the risk.
  • Comment removed based on user account deletion

It is clear that the individual who persecutes a man, his brother, because he is not of the same opinion, is a monster. - Voltaire

Working...