German woman dies in first known death from a cyber attack on a hospital

Hospitals have been a frequent target of cybercrime, particularly ransomware attacks. PHOTO: ST FILE

BERLIN (NEW YORK TIMES) - The first known death from a cyberattack was reported on Thursday (Sept 17) after cybercriminals hit a hospital in Dusseldorf, Germany, with so-called ransomware, in which hackers encrypt data and hold it hostage until the victim pays a ransom.

The ransomware invaded 30 servers at University Hospital Dusseldorf last week, crashing systems and forcing the hospital to turn away emergency patients.

As a result, German authorities said, a woman in life-threatening condition was sent to a hospital 32km away in Wuppertal and died from treatment delays.

Hospitals have been a frequent target of cybercrime, particularly ransomware attacks, because the need to access health records and computer systems creates urgency that increases the likelihood that victims will pay their extortionists.

"Hospitals can't afford downtime, which means they may be more likely to pay - and quickly with minimal negotiation - to restore their services," Brett Callow, a threat analyst at Emsisoft, a New Zealand security firm, said on Friday. "That makes them a prime target."

The most aggressive reported attacks on health care facilities to date were North Korea's 2017 "WannaCry" ransomware attack, which froze British hospitals and forced doctors to cancel surgeries and turn patients away. Another was the Russian "NotPetya" attack one month later, which forced hospitals in rural Virginia and across Pennsylvania to turn away patients whose records they could no longer access.

The WannaCry attacks were eventually mitigated by a hacker who found a way to neutralise them, but much of the data seized in NotPetya was never recovered.

No deaths were reported from either attack, but security experts said it was only a matter of time.

"This was absolutely inevitable," said Mr Callow. "We are fortunate it hasn't happened sooner."

Ransomware has become a scourge in the United States, and hospitals are among the softest targets.

In 2019, 764 American health care providers - a record - were hit by ransomware.

Emergency patients were turned away from hospitals, medical records were inaccessible and in some cases permanently lost, surgical procedures were canceled, tests were postponed and 911 services were interrupted.

But little has been done to deter the attacks, and the responses of targeted institutions are often shrouded in secrecy.

Despite FBI advisories warning victims not to pay their extortionists, cyber insurers have advised victims to pay ransoms, calculating that the payments are still cheaper than the cost to clean up and recover data.

The attacks cost organisations more than US$7.5 billion (S$10.2 billion) in 2019, according to IBM's X-Force security division.

An increasing number of victims are choosing to pay, as many as 3 of 4, according to one recent survey of 500 senior executives conducted by Infrascale, a security company.

The payouts have emboldened cybercriminals, who have increased their ransom demands to as much as US$14 million worth of bitcoins in an attack that affected 110 nursing homes across the United States.

While there was a slight dip in attacks in the first six months of 2020, amid the pandemic, the onslaught has resumed pace.

Just last week, University Hospital in New Jersey was hit with ransomware and subsequently saw patient medical records published on the internet.

Other major American health centres hit with ransomware this year were Boston's Children's Hospital, which saw more than 500 affiliate pediatric offices hit last February, and, in June, Arkansas Children's Hospital in Little Rock, among the largest children's hospitals in the US.

It is not clear whether cybercriminals intended to take University Hospital Dusseldorf's systems hostage, or if the hospital was collateral damage in an attack on a university.

The ransom note was addressed to Heinrich Heine University, which is affiliated with the hospital, not to the hospital itself.

Police in Dusseldorf contacted attackers via the ransom note to explain that the hospital, not the university, had been impacted, putting patients' health at risk.

Attackers stopped the attack and turned over the encryption key to unlock the data - a development that also appears to be the first of its kind - before dropping correspondence.

German prosecutors are now investigating possible manslaughter charges against the cybercriminals.

Join ST's Telegram channel and get the latest breaking news delivered to you.