Hospital ransomware attack leads to fatality after causing delay in care

A German woman died after Düsseldorf University Clinic's servers were encrypted, which necessitated that she be relocated to a hospital 20 miles away.
By Mike Miliard
03:21 PM

Prosecutors in Germany are eyeing negligent manslaughter charges as they seek the person or persons who launched a large-scale ransomware attack on Düsseldorf University Hospital – freezing up 30 of its clinic's servers. The data loss required patients to be moved to different facilities – including a critically ill woman who died before she could be treated.

WHY IT MATTERS
According to an ABC News report, the patient had to be relocated to another hospital in Wuppertal, more than half an hour away, after Düsseldorf's IT system was encrypted in the cyberattack. The hour-long delay in care proved fatal.

The attack that locked clinicians out of critical data on September 10 – necessitating that operations be postponed and emergency patients be relocated to other sites – appeared to exploit a vulnerability in a piece of "widely used commercial add-on software," ABC reports.

"External computer experts and the IT specialists at the University Clinic are hopeful of being able to fix the errors," said hospital officials in a translation of a September 14 statement. "However, it is not yet possible to predict how much time this will take, because there are serious errors in several parts of the IT structure.

"The IT teams can already show an initial success: There is no evidence that data has been permanently destroyed, so that it will be available again," officials added. "Although the extent of the system errors has now been analyzed, external specialist companies and the police are still working on investigating the cause."

A key complication in the apparent ransomware attempt, it appears, was a miscommunication on the hacker's part. Justice officials in the region said an extortion note had been left on one of the corrupted servers, instructing hospital officials to be in touch, but it did not specify a payment amount to acquire a decryption key.

Crucially, the note was "addressed to the Heinrich Heine University, to which the Düsseldorf hospital is affiliated, and not to the hospital itself," according to ABC. "Düsseldorf police then established contact and told the perpetrators that the hospital, and not the university, had been affected, endangering patients. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data. The perpetrators are no longer reachable, according to the justice minister's report."

THE LARGER TREND
Time and again, security professionals have emphasized cybersecurity is not just about data protection. Especially in the era of networked (and often extremely vulnerable) connected medical devices, it can be a matter of life and death.

Some infosec pros have begun thinking of their calling as indispensable to, even indistinguishable from, the imperative guidance of the Hippocratic Oath: "Do no harm."

Hospitals must protect patient safety by identifying the areas most vulnerable to cyberattacks and deploying effective strategies to secure their networks.

"When cyberattacks impact critical systems, there can be real world consequences. We’re not used to thinking of cyberattacks in terms of life and death, but that was the case here," said Tim Erlin, VP of product management and strategy at cybersecurity vendor Tripwire, in a statement sent to Healthcare IT News.

"Delays in treatment, regardless of the cause, can be life threatening," he added. "The best way to prevent ransomware infections is to address the infection vectors by patching vulnerabilities, ensuring systems are configured securely, and preventing phishing."

ON THE RECORD
"This is an exceptional situation for employees, medical staff, nursing staff, researchers and teachers at the UKD, but especially for the population in the greater Düsseldorf area," said Prof. Dr. Frank Schneider, medical director at Düsseldorf University Clinic, in a statement.

"We work here every day to help as many people as possible medically. Therefore, it pains us very much that we cannot do this again in full. However, we are confident that we will be able to overcome the failures step by step over the next few weeks and be there for our patients again."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS Media publication.
