When cyberattacks cost lives, not just digital damage

Attacks on hospitals, schools, and critical infrastructure show the threat goes deeper than just financial damage.
23 September 2020
  • Targeted cyberattacks are evolving, and posing an increasingly real threat to human life, especially in the healthcare industry
  • A patient died as a result of a hack on Düsseldorf University Hospital’s computer systems earlier in September; detectives are now investigating the ‘negligent homicide’ by probing the as-of-yet unknown cybercriminals
  • Education, energy, engineering, and governments are also susceptible, and key industries at the crossroads of ‘cyber-physical security’

Cybersecurity is no longer a buzzword or an ethereal threat; it’s a continuously evolving beast, and one that is having heightened implications on human lives. When hackers disabled computer systems at Düsseldorf University Hospital on September 9, one patient died as doctors attempted to transfer her (out of systematic necessity) to another hospital. The result: Cologne prosecutors have officially launched a negligent homicide investigation (against unknown persons), pointing at the hackers as potentially culpable.

The female patient – whose life-saving treatment would not have required a transfer were it not for the hack – is perhaps the first death to fall directly at the feet of a cybersecurity incident, though such breaches wreak havoc in a multitude of ways. In this case, detectives have brought in cybersecurity experts to ascertain whether there is a confirmed (or even confirmable) link between the hack and the patient’s death, and how that can be carried into judicial procedures.

President of Germany’s national cybersecurity authority, Arne Schönbohm, said hackers took advantage of a well-known vulnerability in a piece of Citrix’s VPN (virtual private network) software and warned other organizations to protect themselves from the flaw. In Düsseldorf, in addition to the fatality now being investigated, the ill-effects of the breach on IT operations lingered for well over a week, affecting ambulance patient admittance and other key record-keeping, treatment-providing processes.

The diligence and prospective prosecution linked to this cyberattack (and fatality) is another poignant turn in the ongoing narrative of healthcare cyber threats.

Ilia Kolochenko – Founder & CEO of web security company ImmuniWeb, and Master of Criminal Justice and Cybercrime Investigation – noted: “if homicide charges are combined with computer crime charges, it could be a sound idea to attempt imposing a lengthy prison sentence for the attackers, and, potentially, to get more international cooperation in the investigation.” The case may well prove a bedrock of cybersecurity investigations, and set a precedent in the confrontation of their increasingly harrowing impacts.

Inoperable healthcare systems and the threat to life

Ransomware and malware are notorious for scrambling data, which renders vital computer systems inoperable. Hackers often demand a digital “ransom” – usually in cryptocurrency – to return systems to operation. This is an ever-escalating trend, and the risk associated with such downtime – especially in the healthcare industry – is stark.

A third of all ransomware data breaches happen in hospitals, and the number of breached personal records in the healthcare industry nearly tripled from 2018 to 2019, jumping from 15 million to 40 million. Malware attacks on hospitals are either deliberately channeled attacks or collateral damage amidst uncontrolled extortive campaigns across the internet. The latter occurred during the massive disruption of the NHS by the WannaCry ransomware in 2016.

Previous malware attacks have taken out control systems, subverted predictive analytics, and breached failsafes to threaten human life. The troublesome truth is that healthcare systems tend to be overburdened, overrun, and (over) reliant on legacy IT systems. The industry has not just been historically beset by cyberattacks but is now arguably more vulnerable than ever before.

The former chief executive of the UK’s National Cyber Security Centre Ciaran Martin said: “Although the purpose of ransomware is to make money, it stops systems working. So if you attack a hospital, then things like this [the death in Düsseldorf] are likely to happen. There were a few near misses across Europe earlier in the year and this looks, sadly, like the worst might have come to pass.”

Other industries that are cyber-physically vulnerable…

As smart buildings, smart cities, connected cars, automated manufacturing, remote learning and the like continue to evolve, incidents in the digital world will have a much greater effect in the physical world. Alongside healthcare, there are other industries particularly susceptible to the increasingly connected, increasingly IT-reliant infrastructures that prop our society up…

Education

Cyberattacks continue to plague the education sector. With the increased use of technology for teaching, learning, and other academic operations in today’s remote or blended environment, schools have also become more vulnerable to cyberattacks.

Microsoft Security Intelligence found that, in May of this year, 61% of reported enterprise malware threats were in the education sector. These cyber attackers are nothing if not opportunistic; around the same time, children across every continent were turned out of schools and (somewhat) left to their own devices. The attack surface of schools and other academic institutions is only increased by the fact that all those devices make for a more diffuse and web-active user base.

Though not the immediate threat to physical life that healthcare breaches are, attacks on education systems are also genuinely troublesome. Often, phishing attacks or social engineering can leave susceptible children in debt or suffering from mental health issues/guilt. Ransomware can result in the same negative outcomes. That’s not to mention the negative impact of lost learning on future prospects, confidence, etc., that will derive from a jarring system outage and its aftermath.

Data Protection is another pertinent issue. School databases contain private and personal information about minors. The risks associated with these being nefariously accessed are another reason that institutions should be bolstering their cybersecurity defenses.

Energy and engineering

Energy and utility firms, especially nuclear power companies, contain critical and powerful data that hackers may be interested in. Hackers also commonly target such organizations because they can cause widespread physical damage in a single blow, disrupting national grids and depriving people of energy. Wired Magazine wrote an article about how something as seemingly benign as a single water heater can be exploited to trigger a mass blackout across hundreds of homes. As it turns out, hackers can manipulate network imbalances, create overloads, and otherwise manipulate systems to damage particular areas and, by extension, their people.

In terms of engineering and communications, a significant threat could be posed by further ransomware or invasive breaches of the transport industry. Air traffic control and the aviation industries are among the industries that have fallen victim to ransomware in the past (the flight information screens and usual check-in processes at Bristol Airport went dark after the airport’s administration system was the subject of a cyberattack, though this didn’t impact flight control). The implications of increasing and more vicious attacks on human life are probably best not covered.

Government agencies

Government agencies may be the first choice for many cybercriminals, simply because of the amount of confidential data that they store, and the tangible issues that a breach may cause on a geopolitical/diplomatic level. If cybersecurity protocols in government institutions aren’t up to date – and/or employees remain ill-equipped in spotting cyber threats like phishing scams and malicious emails as well as maintaining personal data hygiene – then government offices will remain susceptible to data leaks, diplomatic frictions, and, at worst, cyber warfare.

Advanced cyber-defense requirements are one thing – and are indeed one thing that can curtail these concerns across the board – but the threat to human life associated with cyberattacks is becoming both more genuine and more prevalent. This very fact lends a new, accelerating, and concerning biopolitical element to the cybersecurity battle, and one that every industry will have to front up to in the immediate future.