Last week, a historic day came and went, and not in a good way. A ransomware attack on a hospital in Dusseldorf in Germany resulted in the death of a patient who had to be rerouted to another hospital 30km away and died as a result of the delay. The police have opened a negligent manslaughter investigation into this death. If they determine the patient would have survived without the delay caused by the attack, the hackers could be charged with homicide. If they can be found that is.
The ransomware attack on 9th September infected more than 30 servers, encrypted the hospital’s data, and took down computer systems. It closed the hospital to emergencies, rerouting all incoming patients to other hospitals in the region, and postponing other visits and appointments.
Many hospitals have been victims of a ransomware attack in the last few years. Hospitals are particularly vulnerable to a ransomware attack because they do not have any tolerance at all to being offline, making them likely to pay the requested ransom. More and more medical equipment is connected to the internet, and a cyberattack will close these pieces of equipment down, putting lives in danger.
A tragic comedy of errors
Back to Dusseldorf Hospital and another twist in the tale. The hospital was not the intended target for this ransomware attack. The ransom note was addressed to a different institution entirely. When the hackers realised their mistake, they gave the hospital the decryption key without asking for a ransom, and then disappeared. If this was a genuine mistake, it looks like it was a deadly one.
Why wasn’t the hospital the target of the ransomware attack? Is there such a thing as a code of ethics among hackers that believes that hospitals are out of bounds? Were they one of the hacker groups who announced they would not attack hospitals during the Covid-19 pandemic? Not that the ceasefire lasted long as others took advantage of the situation, with increasing numbers of attacks on hospitals as the pandemic continues.
A ransomware attack, like a physical raid on a hospital in the past, leaves the hospital unable to run their services, and many hackers don’t want to be held directly responsible for deaths. They may also be guided by more self-serving rules. After all, the hackers, their friends, or families may also need urgent healthcare at any time, possibly from that very hospital.
Sadly though, this viewpoint is changing as hackers are tempted by the easy target that many hospitals present (remember WannaCry?).
Ransomware attack warnings are there to be taken seriously
The hospital is also under investigation as to how they were hacked in the first place. The attackers gained access to the hospital’s systems through a vulnerability in a popular VPN software provided by a well-known company. Germany’s national cybersecurity agency had warned that this software was vulnerable to attack as long ago as January.
Ransomware attackers are known for their incredible patience. Once they have access to an organisation’s systems, they may lie quietly in wait until the best possible time to unleash their attack. It may take months or even years, and the victim may never even know they are there until it is too late.
Get ahead of the attackers
So what can an organisation do when it is notified that their systems are vulnerable to cyber attack?
One approach is to get on top of the situation as quickly as possible by implementing cyber security measures and best practices. Once there is a warning of a specific threat, an infrastructure security assessment of all their systems will enable them to understand their vulnerabilities to attack.
The infrastructure security assessment assesses their systems’ architecture, and reviews every layer of the organisation’s security from perimeter defenses down to workstations and how data is protected. The assessment will even evaluate software bought from another supplier – for example a well known VPN, discovering a piece of silent code waiting inside a system for the opportunity to attack.
As with medicine, it is cheaper to stop a virus as soon as possible before it becomes a full blown pandemic (pun intended). Protect your systems and stay safe.