Article

Ransomware Causes Patient Death

Drex DeFord

Executive Healthcare Strategist
Back to the News Desk

 

For the first time, the death of a patient is directly linked to a ransomware incident. Here’s what we know:

Last week, a woman in need of emergency medical care died because the hospital where she sought treatment was under cyber-attack. Düsseldorf University Clinic (DUC) was unable to admit the woman, so she was transferred to another facility 20 miles away. 

Prosecutors have launched a negligent homicide case and are now investigating whether hackers could be to blame for the woman’s death. 

But prosecutors also intend to launch an investigation into the hospital’s role in the tragedy.

 

Ransomware Security Actions to Take Now

Healthcare organizations worldwide will take note this week. Here are five urgent security actions to take to avoid this type of tragedy:

1) Communicate Widely: As the story unfolds in Germany, new facts will come up. It is likely that boards, executives, practitioners, and patients will ask about it. Make sure your team knows what happened and how to answer questions about the security posture of your organization.

2) Update and Patch Vulnerabilities:  We are in the middle of a pandemic and a move to remote work. If you haven’t assessed your vulnerabilities since March, it’s time for a checkup. You can start that process this week. 

3) Review your Monitoring: It would be a good time to evaluate the efficacy of your monitoring process. Remember, when the malware lands it hasn’t done anything yet. It’s going to begin the process of escalating privileges and scanning for encryption targets. If it doesn’t act immediately, you might have between 48 hours and a few days to detect and purge the initial infection prior to the actual extortion event. Focus resources here, as your organization needs to “see” the login failures, scanning activity, and other aberrational behavior.

4) Review your Incident Response Plan:  Review your incident response process. “Good enough” is usually not “good enough.” And, if you haven’t updated your IR process since the pandemic began, it may need to be rewritten. That policy should be both an IT Security policy and how to save patient lives if the ER gets shut down by malware.

 

Prepare to Answer Questions about Ransomware Security

The hospital in Germany is facing a lot of questions about their IT Security. To guide you in your internal discussions, we are listing some of those questions: 

  • Does the hospital have an Incident Response (IR) process? Is it written? Did they follow their own process?
  • Does the hospital have a written “diversion” policy? Did they follow their procedures?
  • Who made the decision to divert patients, and what was the process to notify partner provider organizations?
  • Do you have downtime procedures that are regularly practiced by all hospital staff? Or were other patients at risk during this computer outage?

 

I also think they’ll dive in deep on the cybersecurity and IT program:

  • Did the organization have a cybersecurity program in place?
  • Are network and applications monitored 24/7/365 by qualified Security Operation Center specialists?
  • Since this attack appears to be associated with patching commercial software, can you demonstrate written patch management procedures and historical documentation that patches have been applied?
  • What technical and human resources are dedicated to the cybersecurity program?
  • Has there been an under-investment in cybersecurity or technical infrastructure that contributed to the situation?
  • What’s the process to determine the investments in IT and cybersecurity?
  • Is there a sound governance/investment process for IT and cybersecurity?

 

Use these last few questions to help drive your own future work:

  • Is the Board, CEO, COO, CFO, CIO, Compliance & Risk Management, and CISO all fully aware of capabilities and limitations in effectively and quickly detecting and responding to security incidents?
  • Do they understand the risk to patients and families because of these program gaps?
  • Whose responsibility is it to determine/accept cybersecurity and IT-related risk, whether program or investment shortfalls, for your hospital?
  • How often are the responsible individuals, Board, and Executive Team updated on cybersecurity/IT challenges and shortfalls?

 

Ransomware Preparedness and Incident Response for Healthcare

This case opens a new challenging reality for healthcare organizations.

To assist you in thinking about how you should be able to answer these questions and why they are important, CI Security's professional consulting team can help. For more information, contact us here.