A ransomware attack on a German University and affiliated hospital has indirectly resulted in death for a patient. Last week, a woman seeking urgent care died as ransomware attack took down a major hospital in Düsseldorf, Germany, forcing paramedics to rush her to another city for treatment. The patient had a life-threatening condition and was sent instead to a hospital in Wuppertal, a roughly 32-kilometer drive. Doctors weren’t able to start treating her for an hour and she died.
According to Gizmodo, the attack was meant for the Heinrich Heine University, an affiliate of the Düsseldorf University Clinic. The ransomware note tells the university to get in touch, but it didn’t list any demands. Local police were able to get in touch with the hackers and let them know that not only did they miss their target (the university) but had in fact also endangered lives at the hospital. The attackers reportedly dropped the extortion attempt immediately and provided a decryption key to unlock all hacked servers. Police have since been unable to contact the hackers, which is a shame as prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter. If you think ransomware is a victimless crime, think again.
AP News spoke with Brett Callow of Emsisoft, who says that the woman’s death “was pretty much inevitable.” In the U.S. alone, “764 healthcare providers were victimized last year by ransomware,” according to data compiled by Emsisoft. This was not the first time a patient had to be re-routed due to ransomware, and if healthcare organizations don’t step-up their cyber security procedures, it won’t be the last death.
The Düsseldorf University Clinic has since said that their investigators have traced the problem to a hacker exploiting a vulnerability in “widely used commercial add-on software.” Sources such as Wired have suggested that it is the Citrix application delivery controller, a tool from the software company Citrix Systems that’s used to optimize traffic without sacrificing data security. Both the German cybersecurity agency BSI and the Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security have recently issued warnings about a critical Citrix vulnerability known as CVE-2019-19781.
Vulnerability management and remediation activities are key in trying to prevent attackers from gaining access to your systems. If you are in the healthcare sector, it is no longer just about protecting your business from loss of income, but also protecting the health and safety of your patients. If you need help managing vulnerabilities, download Uzado’s free e-book.