Ransomware may have been the possible cause of death of a patient in Dusseldorf. A ransomware attack on thirty servers at the Dusseldorf University hospital on September 9, 2020 prevented immediate emergency treatment and resulted in the patient having to be transported to a facility 20 miles away where she died from a delay of treatment.
As a result, prosecutors in Germany are initiated a negligent homicide investigation. If the cyber attack is found to be the direct cause of death the investigation will be changed to a murder case.
Breach May Have been Avoidable
Initial findings indicate that this cyber event may have been avoidable. The hackers gained access through a security flaw in Citrix’s VPN software that dated back to January of 2020. Apparently the Dusseldorf University was not the intended target of the hackers. It was reported that they provided a ransomware decryption key for free to the institution.
The Costs of Cyber Crime
Much has been reported on the enormous costs of cyber crime. The FBI Internet Crime Complaint Center reported in 2019 that email compromises alone cost businesses in the United States over 20 billion dollars.
The real costs, however, cannot be assigned monetary amounts. The real value of private and proprietary data is an unknown quantity. The resources necessary to respond to a cyber incident and the requisite anguish and anxiety generated are likewise difficult parameters to assign costs to.
The Larger Picture of Cyber Vulnerability
Institutions of all sizes are vulnerable to cyber attacks. Medical facilities have been major targets internationally. Especially since the Covid pandemic. These attacks have not only targeted hospitals but pharmaceutical and medical research organizations.
In this incident ransomware was a possible cause of death for a single unfortunate person. However, when these organizations’ activities are disrupted all of our lives are threatened.
Medical institutions not only face threats to their computers networks but also must be concerned with the security of medical devices that are networked in a facility, many of which are critical to keeping patients alive.
Infrastructure is also a target of cyber attacks. Industrial sites are reliant on technology other than computer systems. Unfortunately, much of the technology in place is composed of legacy systems with little or no IT support.
Additionally these facilities require security for devices spread around large facilities where access to unauthorized persons is difficult to control. Again lives are threatened when providers of essential goods and services are disrupted.
The United States and its allies are under constant attack from cyber criminals and hostile nation states including China, Russia, North Korea, and Iran. These attacks threaten governmental agencies, the military, and defense industry.
Numerous responses have been taken including the formation of the Cybersecurity and Infrastructure Security Agency (CISA) and the implementation of Cybersecurity Maturity Model Certification (CMMC). This has left many second and third tier suppliers to the Department of Defense (DoD) in a race to meet cybersecurity protocols to maintain their competitiveness.
Cybersecurity Approached Responsibly
Institutions, organizations, businesses, and governments must all be responsible players in cyber security. Effective cybersecurity practice for these entities requires appropriately developed Information Security Management Systems (ISMS) to identify risks, develop requisite processes and procedures, and maintain effective incident responses to deal with cyber crime.
The protection of digital information cannot be adequately addressed through IT solutions. Comprehensive information security requires dedicated and educated actions by all stakeholders in an organization. This entails a commitment to engaging in an evolving process.