Someone has died from ransomware: Time for emergency safety care in hospitals


The theory has now come true. As connected devices appeared in hospitals in recent years, experts worried that a cyberattack on a hospital network could harm patients. It has now happened. A German patient died after being rerouted from a hospital in Düsseldorf that was unable to provide services following a ransomware attack on its network on September 10. The patient, who needed urgent medical attention, was sent to a hospital nearly 20 miles away in another city, where she died.

It is believed to be the first death linked to a cyberattack, and it is just one of the many ransomware attacks that target hospitals every day. In fact, earlier this week Universal Health Services was hit by what appears to be one of the biggest cyberattacks ever on a healthcare provider in the United States. As a result, hospitals have had to switch to pen and paper to record patient information and label medications. And a medical center in Ohio was hit by a ransomware attack on Monday that caused it to postpone surgeries.

Ransomware attacks on hospitals have escalated in recent years, including attacks that affected more than 700 healthcare providers in 2019 alone, according to a report. Hospitals are attractive targets because they cannot afford downtime and therefore are more likely to pay. The most notorious ransomware attack was WannaCry, which hit tens of thousands of hospitals around the world in 2017, crippling hospitals and causing them to refuse patients.

The death in Germany is particularly tragic as it appears that the ransomware attack may have been intended for a different target; the ransom note was addressed to a university affiliated with the hospital. After learning that a hospital had been hit instead, the attackers reportedly stopped the attack and sent the key to decrypt the data held hostage, an unprecedented move. German authorities are investigating the case as a negligent homicide.

Even though the ransomware attack was a failure, someone died.

This event should serve as a wake-up call for the healthcare industry and the US government to take immediate action to address this serious issue. Here are some actions that I recommend.

Punishments

The US government should consider imposing sanctions on governments that fail to enforce international computer crime laws. While many ransomware gangs operate with impunity in their own countries – and some even operate on behalf of their government – others are left alone for convenience and lack of resources.

Many governments have no incentive to prosecute criminals if their own businesses are not the victims. But now that it is clear that ransomware attacks can lead to the deaths of patients, US authorities should pressure foreign governments to enforce the laws as they do in other circumstances when American lives are lost.

Funding

Calls have been made for the federal government to provide more support to industries that experience constant cyberattacks. If ever there was a need, this is it. Federal law enforcement officials must prioritize ransomware as a serious threat to critical infrastructure that puts public health at risk.

The federal government provided funds to state election agencies to help them improve the security of their systems before the election. Today, cash-strapped hospitals that are also attacked by cybercriminals should receive similar help from the government. Research published last year suggests that cyberattacks have already claimed lives. A US Department of Health and Human Services analysis involving 3,000 hospitals between 2012 and 2016 found an increase in hospital deaths from ransomware attacks and data breaches.

Funding could be designated specifically to help hospitals avoid being compromised and ensure they have adequate back-up systems.

Supply Chain

One of the biggest issues for the tech industry as a whole, and particularly with connected devices in hospitals, is a lack of supply chain integrity. An overwhelming number of devices come by default with little or no security. Many devices cannot be easily updated when vulnerabilities are detected. Underfunded hospitals lack the ability to properly control devices for configuration errors, weak security settings, and updates. We cannot have vulnerable devices in hospitals where the lives of patients depend on them.

Solving these challenges will require not only regulatory requirements for minimum device security features and capabilities, but also reconsidering the collaborative design of patching and recertification requirements standardized by governing bodies. In many cases, healthcare service providers refrain from updating devices not only because of the technical effort involved, but also because of the time and effort required for each updated device to be recertified.

A real solution to this challenge requires all parties to come to the table on modern technical and procedural requirements and the corresponding regulations necessary to enforce those requirements.

None of this will change the fact that someone appears to have died because attackers disabled a hospital’s network with malware in pursuit of payment. If we don’t take this as a serious warning, it won’t be the last unnecessary death we will see.

Curtis Simpson is the Chief Information Security Officer at Weapons Security, an IoT security company. He previously served as vice president and global director of information security at Sysco, a Fortune 54 company.
