Administration and pedestrian entrance of the university hospital in Düsseldorf-Bilk, Germany. Servers at the facility were apparently involved in a ransomware attack that resulted in the death of a patient. (Wiegels via GNU Free Documentation License)

The death of a woman at least in part because of a ransomware attack has placed security teams on high alert: put in place adequate training for the workforce and ensure network redundancy, or else risk similar tragedy and even potential liability.

According to various reports, a Sept. 10 ransomware attack that crippled systems and encrypted 30 servers at Duesseldorf University Clinic (UKD) in Germany caused an unidentified 78-year-old woman in need of critical care to be diverted to another facility more than 20 miles away. The woman, whom doctors could not treat for over an hour, later died.

Diverting patients in and of itself is not terribly unusual. Multiple medical providers confirmed that the practice allows certain facilities overwhelmed or temporarily unable to help certain patients to shift ambulance traffic to other facilities. However, in this case, diverting the patient also meant lack of easy access to medical records, which becomes a critical problem when a condition suddenly deteriorates.

“Patient history, allergies, medications, etc. are the most important factors when triaging a patient,” said Caleb Barlow, CEO of CynergisTek. “If you can’t access a patient’s medical records, it increases the likelihood of exacerbating an underlying medical condition – one that you are most likely unaware of at the time.”

Most emergency medical services have a concept called the ‘Golden Hour’ – that is, the amount of time a trauma patient has from injury to get to definitive care. Of course, “everything is jeopardized if an entire hospital or emergency room goes offline as the remaining systems become quickly overloaded,” Barlow said. “What happened here is the unfortunate, tragic incident in which a cyberattack had a kinetic impact.”

Still, there are steps a medical facility can take to potentially minimize the collateral damage that a ransomware attack might cause. Hospitals need to be better prepared in anticipation of such incidents, be trained in proper response and consider having segmented or redundant data/systems on the ready.

Todd Fitzgerald, executive in residence for the Cybersecurity Collaborative, discusses the state of play for health care security leaders during RiskSec 2020 with Erik Decker, chief information security officer for the University of Chicago Medicine, and Errol Weiss, CSO for the Health Information Sharing and Analysis Center.

Emergency training

Table-top exercises are among the techniques that can help hospitals prepare and plan for how to act and react to a ransomware scenario, said Dr. Christian Dameff, medical director of cybersecurity at the University of California San Diego, and Dr. Jeff Tully, security researcher and also assistant professor of anesthesiology at UC Davis Medical Center. The two doctors have worked with I Am the Cavalry – a grassroots public safety organization specializing in computer and device security – to develop medical device hacking simulations for the health care industry. They have also demonstrated such simulations at previous RSA conferences.

That said, mandating intensive technical cybersecurity disaster training for every emergency physician is not feasible, nor a tremendously beneficial use of limited physician resources, noted Dameff and three other doctors in a paper published last January in the Annals of Emergency Medicine. But department leadership and disaster-oriented physicians can lead cyber disaster preparedness efforts.

The paper recommends regular emergency department and hospital-wide cyber disaster drills that simulate the technical failure of all digital systems – perhaps leveraging scheduled electronic health record downtimes as a convenient time to run these exercises.

Dameff and his co-authors note that medical residents in particular may be in need of this cyber disaster training, because they are potentially more likely to be disrupted by a digital attack. As typically younger employees, they are often “better versed in technology than their attending physicians,” the paper explains. Consequently, they are predisposed to “a potential dependence on computerized systems because they likely never have had to function in a hospital that solely relies on paper, let alone during a disaster.”

“Crisis decision-making and rehearsals can help hospitals better plan for such situations,” said Barlow, who prior to joining CynergisTek led the IBM X-Force Threat Intelligence organization, where in 2016 he built what he describes as the “world’s first immersive cyber range.” Two years later, he created what he says is a first-of-its-kind Cyber Tactical Operations Center that serves as a mobile training, simulation and security operations center on wheels.

IBM demonstrates the capabilities of the industry’s first Security Operation Center on wheels in 2018. The IBM X-Force Command Cyber Tactical Operations Center (C-TOC) can travel onsite for cybersecurity training, education and response, including immersive cyberattack simulations to help organizations improve their incident response efforts. (Jon Simon/Feature Photo Service for IBM)

“Rather than the system being offline for days, the downtime can be reduced to a few hours,” Barlow continued. “Simulations can help pinpoint a system’s vulnerabilities, which can be corrected and prevented from manifesting again. The old adage applies here: An ounce of prevention is worth a pound of cure.”

Creating a failsafe

Of course, training for systems downtime is not a panacea. Tully and Dameff noted that U.S. hospitals “regularly practice downtime procedures in the event their medical records systems are offline temporarily,” but the longer an attack continues, the harder it becomes to adapt. “During extended downtime new patients and case updates can make this information outdated,” they explained.

Hospitals could also take measures to make an attack less systemically damaging by introducing network segmentation and redundancies. This strategy could literally be a life-saver, as it might ensure operational continuity, even if a portion of computers and devices are affected.

“Electronic healthcare records should be stored on the same segment as the backups,” said Barlow. “Most hospitals, unfortunately, have flat networks – and this is particularly common in academic medical centers where the university’s surgical suite and classrooms share the same logical network. Redundancy, resiliency and segmentation are integral to preventing attacks like these from being successful.”

But there are drawbacks to this: “Running a parallel hospital network would be expensive,” said Dameff and Tully, “and syncing across the two would introduce a vector for ransomware to spread to the redundant network. This would also be prohibitive for some hospital medical devices such as MRI and CT scanners that can cost millions of dollars to install and operate.”

That’s why, in the end, it’s critical that health care providers follow best practices for preventing attacks in the first place. In many cases that comes down to a very fundamental principle: patching.

The attackers, reportedly identified as members of the DoppelPaymer human-operated ransomware gang, infected the hospital’s network by exploiting a vulnerability in what Duesseldorf University Clinic referred to as a “commercially available and widespread additional commercial software,” later identified as the Citrix VPN system.

According to the hospital, this was not a case of neglectful patch management on its part: Immediately after the security problem became known in December 2019, the UKD followed recommendations from the hardware and software vendors and installed the patch the day of release.

Nevertheless, until the software company finally closed this gap, there was enough time for the attackers to penetrate the systems.

“As a result of the act of sabotage that was made possible, systems gradually failed, and stored data could no longer be accessed,” the hospital stated.

The hospital also said it commissioned two specialist companies to review the system and found that at the time of attack “there was no indication of a hazard,” nor did a pen test that took place in early summer 2020 turn up any signs of trouble.

Ironically, it was reportedly not the DoppelPaymer gang’s intention to attack the medical facility, as indicated by an extortion letter that was actually addressed to Heinrich Heine University. After being contacted by the authorities about the mistake, the attackers sent a decryptor to undo the damage, but the malware had already forced the hospital to deregister itself from emergency care, which ultimately contributed to a patient’s death.

Mark Kedgley, CTO at New Net Technologies, said the incident “illustrates the importance of running vulnerability scans and acting on findings at least every 30 days, if not more frequently.” Admittedly, however, “this becomes more difficult in a 24/7 operation like a hospital or power station, where resolving the conflict between the demand for continuous uptime and maintaining cybersecurity gets really tough.”

“It’s a tragic story and won’t be the last time that cyber security has such a direct impact on human lives,” Kedgley added.

The deterrence puzzle

German authorities are reportedly considering negligent homicide charges against the ransomware actors, but whether that serves as a deterrent for future attacks remains to be seen.

Back in a 2019 report, Emsisoft CTO Fabian Wosar presciently wrote: “The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020.”

Now in a new company blog post, the Emsisoft Malware Lab team has asserted that the only true way to nullify the growing ransomware threat is to outlaw extortion payments.

“This will not be the last fatality. Unless governments make legislative changes, it is inevitable that more lives will be lost,” Emsisoft stated. “In the case of ransomware, the right thing is not paying cybercriminals, and it’s time for governments to force organizations not to. Making ransomware attacks unprofitable is the only way to stop them.”

“If it was illegal to pay ransom demands, ransomware would cease to be and our public and private sector organizations would no longer be under constant attack,” the blog post continues. “Hospitals would be safe, and lives would not be at risk.”