A recent cyber-attack on a hospital in Düsseldorf contributed to the death of a patient. Even though the hospital was well prepared, the incident underscores that much more needs to be done to increase civil resilience in the cyber realm.
What Happened?
On 10 September, the University Hospital Düsseldorf (UHD) experienced a cyber-attack that led to gradually failing systems and data access, forcing the hospital to de-register from providing emergency care and incoming patients being diverted to other hospitals. The incident made the headlines globally, as a woman who needed urgent admission had to be sent to another facility roughly 30km away. This resulted in her treatment being delayed by around an hour, contributing to her death. It would take the hospital almost two weeks to restore essential services and allow emergency care to re-open, and yet longer to become fully operational again.
Unfortunately, cyber-attacks on hospitals are not new, whether intentional or as collateral. However, this is the first time that a virtual attack has been publicly connected to the very real loss of life. What exactly happened in the case of UHD and what does this mean for the future?
According to the UHD press releases, the initial attack on 10 September disrupted email and telephone services, degrading other IT services over time. By the next day, the hospital had to de-register from providing emergency care, alongside of having to reschedule planned surgeries. Specialists began hunting for the root cause and tried to restore services as swiftly as possible, while the UHD contacted the police, kicking off an investigation that is still ongoing.
About 30 servers were found encrypted with a message addressed to the Heinrich Heine University – not the hospital – to contact the attackers and discuss terms of ransom. The police did so, informing the attackers they had hit the ‘wrong’ target and that lives were in danger. In return, the ransom demand was withdrawn and decryption keys were provided. First evidence suggests that so-called “DoppelPaymer” ransomware was used, which by that point had already wreaked havoc on numerous companies, institutions, and organisations worldwide. The malware builds heavily on another called “BitPaymer” which has been attributed to the criminal “Indrik Spider” group, with apparent ties to Russia.
Attacking Health Care Systems
The past years have seen a number of cyber-attacks on hospitals, some intentional, some not. In autumn 2019, ten hospitals, three in the US and seven in Australia, were hit by ransomware, also resulting in having to turn away any new patients. In 2017, the indiscriminate “WannaCry” attack severely affected the UK National Health Service (NHS): about 20,000 appointments had to be cancelled, staff had to revert to manual processes, and some emergency services had to be diverted.
Ransomware often exploits a system’s known vulnerability, or it relies on users to fall for phishing emails. On the face of it, many solutions appear simple such as patching systems, improving awareness, and having good back-ups. Yet, patching systems in large organisations such as the NHS is not as simple as updating a smartphone, laptop, or home PC. It is also not simply a question of having enough personnel, nor merely a matter of licencing and related costs. There are questions of organisational size, system downtime, and interoperability to name a few. Furthermore, the UHD reported they were up-to-date on patching and security measures, including external penetration tests undertaken this summer.
Specific Preventive Measures
The other thing to consider is that hospitals’ priority is to save lives. This means that cyber-security must be shaped by hospitals’ needs and processes, and not simply copied from other industries, or added on as an afterthought. ENISA, the EU Agency for Cyber Security, has been working on this issue and has published a procurement guideline building on the idea of prevention being the best defence.
Germany has implemented the KRITIS IT security law that covers critical infrastructures, including hospitals that reach a threshold of 30,000 in-patients a year, enforcing a sector-specific security standard. There are also projects that look into the future, for example with ideas on managing the influx of Internet-of-Things devices, or e-health systems seeking to support the elderly.
The COVID19 pandemic is already putting the health sector under a lot of strain, in places, pushing it to and beyond its limits. Attacks like these add yet another challenge. The UHD incident showed that best efforts are sometimes not enough. However, this does not mean that cyber-security is not vital. On the contrary, this case should be a reason to do yet more across the board. While it is vital to improve overall resiliency and include mitigation strategies, the human element should not be forgotten. The growing cyber-skills gap in the workforce poses an additional threat. Here, education and training initiatives are crucial, not only to support the current generation but also future ones.