Ransomware “Officially” Kills a Person

There undoubtedly have been deaths in the past caused by computer attacks. I once made a list of physical impacts from network and system attacks going back to 1992.

What has just changed is that someone is willing to go on the record saying a death happened and was directly related to computer security.

We know, for example, that hospital outages and patient deaths have been in warnings posted to American mainstream news since at least 1983:

Time Magazine in 1983, with a stern warning that network attacks on computers will kill someone.

By comparison, the latest news coming from Europe is that a delay in care due to ransomware has caused a particular patient’s death and that it should be treated as negligent homicide.

…ransomware attack crippled a nearby hospital in Düsseldorf, Germany, and forced her to obtain services from a more distant facility…

That’s less news to me and more a chilling reminder of the talk I gave in 2017 in London about preventing ransomware attacks in healthcare.

Slide from my presentation at MongoDB Europe 2017

As someone who parachuted into the front-lines of solving this burning problem at massive scale (personally leading significant security enhancements for the database company most affected by ransomware attacks — infamously insecure MongoDB) I have many thoughts.

Many, many thoughts.

Suffice it to say here, however, when I was building and running hospital infrastructure in the 1990s my mindset about this risk wasn’t much different than it is today.

If anything, it seems to me we’re seeing the healthcare industry become more honest with the public about its hidden operational risks.

Reading news that an arsonist burned a hospital down — forcing a fatal diversion of patients — should prompt people to ask if failing to install sprinklers is negligence.

And then people should ask if a hospital construction company was building them with sprinklers that were optional or even non-operational, and whether THAT was negligent.

Those are the deeper questions here.

While there are cases of people intentionally driving around in circles to kill the person they’re supposed to be taking to the hospital (assassination, which goes beyond negligence), those seem a targeted exception rather than the pattern.

It is a hospital’s burden of high availability (let alone that of a region or network of hospitals like the NHS), together with its vendors’ responsibility, to plan for intentionally induced low capacity, and that is what should remain the focus.

Update Sep 28: A reader has emailed me an important reference to the case United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947), which formed a test to determine negligence (weighing the Burden of precautions against the Loss multiplied by its Probability).

It appears from the foregoing review that there is no general rule to determine when the absence of a bargee or other attendant will make the owner of the barge liable for injuries to other vessels if she breaks away from her moorings. However, in any cases where he would be so liable for injuries to others, obviously he must reduce his damages proportionately, if the injury is to his own barge. It becomes apparent why there can be no such general rule, when we consider the grounds for such a liability. Since there are occasions when every vessel will break from her moorings, and since, if she does, she becomes a menace to those about her; the owner’s duty, as in other similar situations, to provide against resulting injuries is a function of three variables: (1) The probability that she will break away; (2) the gravity of the resulting injury, if she does; (3) the burden of adequate precautions. Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i. e., whether B < PL.

Update November 12, 2020: German police say their exhaustive investigation found no connection between the attack on the hospital’s information systems and the patient’s death.

After a detailed investigation involving consultations with medical professionals, an autopsy, and a minute-by-minute breakdown of events, Hartmann believes that the severity of the victim’s medical diagnosis at the time she was picked up was such that she would have died regardless of which hospital she had been admitted to. “The delay was of no relevance to the final outcome,” Hartmann says. “The medical condition was the sole cause of the death, and this is entirely independent from the cyberattack.” He likens it to hitting a dead body while driving: while you might be breaking the speed limit, you’re not responsible for the death.

Hitting a dead body with a car is not the analogy I was expecting, but I suppose it makes the point.
