Who Is Responsible When Cyberattacks Result In Deaths?
At the height of the COVID-19 pandemic, the world saw a significant increase in cybercriminal activity, with healthcare an obvious target given both the intense pressure on the sector and its rapid shift to virtual models of care. Even so, it was shocking when German police recorded the first patient death linked to a ransomware attack, the September 2020 attack on Düsseldorf University Hospital.
“According to NTT’s Global Threat Intelligence Report, the healthcare industry rated cybersecurity maturity as low, which reflects a gap between where they want to be and where they are,” Sushila Nair, VP at NTT Data Services told me. “With a variety of challenges stemming from the pandemic, many in the healthcare industry found it difficult to make cybersecurity a top priority, making healthcare providers the perfect target or collateral damage for a cyberattack.”
“For example, the National Health Service (NHS) was a victim of the WannaCry attack in 2017, which was a North Korean attack that impacted over 200,000 computers in over 150 countries. Although the NHS was not specifically targeted, the attack resulted in the cancellation of thousands of appointments and operations, which together also forced the relocation of emergency patients from hospitals.”
Such cases are becoming more common. The Wall Street Journal chronicled the case of Teiranni Kidd, whose daughter Nicko was delivered while a ransomware attack had crippled the hospital’s computer network. Nicko was born with severe brain damage after the umbilical cord wrapped around her neck, and she died nine months later.
America being the litigious country it is, Kidd is suing Springhill Medical Center, the Alabama hospital that delivered her child, but who is actually responsible for such an outcome? The Journal reported that the heart rate monitor attached to Nicko had in fact picked up signs of her distress, but because the network was down, staff could not follow the readout from their station as they normally would. The obstetrician even admitted that had they known this earlier, they would have performed a C-section.
While these situations are undoubtedly tragic, apportioning blame is far from straightforward. Do you blame the hospital for not securing its digital systems, the clinicians for not having effective fallback processes, or the attackers themselves, who are criminally culpable but rarely within reach of a civil court?
Kidd’s action rests on two claims: that she was not told about the cyberattack that was crippling the hospital’s systems at the time, and that staff missed a warning sign that was visible on the heart rate monitor itself. It seems unlikely that organizations in general, much less hospitals, should ever have a duty to tell customers and patients that their systems are under attack, not least because it is far from obvious to most people what that would mean for their care.
There is rather more sympathy for the argument that hospitals should have effective processes to maintain service levels during a cyberattack. After all, healthcare accounted for 9% of all ransomware attacks in Microsoft’s recent Digital Defense Report.
"Despite continued promises from ransomware actors not to attack hospitals or healthcare companies during a pandemic, healthcare remains in the top-five sectors victimized by human-operated ransomware," the report says.
When, not if
It is therefore a case of when hospitals are attacked by cybercriminals rather than if, so hospital IT and clinical staff need to be prepared to maintain operations while systems are compromised: the same kind of rehearsed downtime procedures, such as paper charting, bedside monitoring by staff and manual escalation, that hospitals already keep for other outages. That applies with particular force in the Kidd case, since by the time she was admitted the ransomware attack was already a week old and emergency procedures should already have been running.
There is a strong sense that hospitals were caught on the hop by the increase in cyber activity in the past few years. Indeed, so disrupted were the systems in the Düsseldorf attack that patients were diverted to other hospitals, and the patient in question died after a roughly 20 mile trip to the secondary facility delayed her treatment. German prosecutors later concluded that the delay had not been decisive in her death, but the diversion itself showed how quickly a ransomware incident can spill over into patient care.
Of course, another option for healthcare providers is to take out dedicated cyber insurance, a burgeoning market predicted to be worth over $22 billion by 2030. Such policies typically cover incident response and business interruption costs and, in some cases, the ransom itself, but paying a ransom is no guarantee that systems will be operational again quickly, so insurance complements operational resilience rather than replacing it.
Government agencies already provide dedicated support to help healthcare providers keep running through events such as a power outage. Given that a cyberattack is now at least as likely to hit a hospital as a power outage, it seems reasonable to expect hospitals to have similar contingency measures for a cyberattack: downtime procedures that staff have rehearsed in advance, rather than improvised once the network is already down.
“It’s crucial for providers in the healthcare industry to check for vulnerable points within their security systems, as this is where many attacks can begin,” Nair explains. “Taking the necessary steps to enhance your organization’s security measures will help to prevent cyberattacks and keep your company from becoming collateral damage in a greater attack that may not even strike your company directly.”
With the National Cyber Security Centre’s chief executive Lindy Cameron recently describing ransomware as the most immediate cyber threat facing the UK, it is no longer good enough for organizations to plead ignorance when cyberattacks have drastic consequences. It is time for them to up their game and ensure they have the processes in place to maintain operations in the likely event of an attack.