Ransomware claims first human death, an infant during birth

[justpoet]

Summary

First death directly attributable to ransomware is an infant during birth, alleges lawsuit.

 

Quotes

Quote

When Teiranni Kidd walked into Springhill Medical Center on July 16, 2019, to have her baby, she had no idea the Alabama hospital was deep in the midst of a ransomware attack.

For nearly eight days, computers had been disabled on every floor.

Quote

A lawsuit says computer outages from a cyberattack led staff to miss troubling signs, resulting in the baby’s death

Quote

The ransomware attack that targeted Mobile, Alabama-based Springhill Medical Center in July 2019 knocked the hospital's IT systems offline for more than three weeks, according to the report – necessitating a return to paper charting, disrupting staff communication and compromising visibility of fetal heartbeat monitors in the labor and delivery ward.

Quote

And at the nurses’ desk in the labor and delivery unit, medical staff were cut off from the equipment that monitors fetal heartbeats in the 12 delivery rooms.

Quote

As the ransomware epidemic has ramped up in volume and intensity, many experts have feared that adverse incidents like these would become more common. Just recently, a new report from the Ponemon Institute showed a link between ransomware and increased mortality rates.

 

My thoughts

We knew the incident was bad and unprecedented back when this happened, but now we have likely proof that ransomware and other infrastructure cybersecurity attacks can literally kill.  While unlikely to be a surprise, this is super sobering, and amazingly sad for an infant to be the first likely recorded death due to ransomware.

 

Security with immediate mitigation plans needs to be directive number one for everything and everybody connected to the internet, but ESPECIALLY critical infrastructure of any kind, such as a hospital.

 

Of note: The lawsuit appears to be against the hospital, but they did everything they could manually and appear to have still been attentive...just not as attentive as many more eyes on remote heart monitors and computers monitoring the baby too would've been.  As somebody who had a relative saved in the manner that couldn't happen here, I just have no words.    ... ... ...

 

Sources

https://www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges

https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116?mod=hp_lead_pos5

https://www.infosecurity-magazine.com/news/infant-first-ransomware-death/

 

The study mentioned in the last quote, if you wish to delve further than just the death lawsuit:

https://www.healthcareitnews.com/news/ponemon-study-finds-link-between-ransomware-increased-mortality-rate

https://www.censinet.com/ponemon-report-covid-impact-ransomware/

[Zodiark1593]

Given the life-saving nature of the equipment used, there would probably be a strong argument for having them air gapped from anything connected to the internet. This would greatly reduce the surface of attack. 

[CommanderAlex]

42 minutes ago, justpoet said:

ESPECIALLY critical infrastructure of any kind, such as a hospital.

I always believe critical infrastructure should not have any access from the outside world and should be isolated to their own networks so that hackers cannot gain access to the systems and shut them down or to insert ransomware on these vital structures. Already happened prior, with the one most recent one happening this year being the Colonial Pipeline cyber attack on the Eastern United States. 

 

I remember reading a story involving a water treatment plant where one gained access to the water chemical control systems where they tried to increase the amount of chemical(s) treating the water, only with a backup system preventing that from happening. 

[Donut417]

You ever noticed how many of these attacks are directed at the US? I think its about time we add another branch to the US military thats sole purpose is cyber security and cyber warfare. If they want to hack us, we just hack them back. 

 

On top of that I think more international cooperation is needed to fight cyber criminals. I also think stricter punishments could also work. The issue is some of these attacks are state sponsored. Its not like the US can lean on Russia or China, just to name a few that have been accused of such attacks. Im sure the US's hands are not clean in this regard however. 

[leadeater]

20 minutes ago, Zodiark1593 said:

Given the life-saving nature of the equipment used, there would probably be a strong argument for having them air gapped from anything connected to the internet. This would greatly reduce the surface of attack. 

Problem is a lot of these equipment can talk to backend computer systems and databases which can't be so easily isolated as they have to be maintained and updated as well as talk to other various systems for authentication and data systems integrations.

 

Medical equipment aren't nice isolated equipment like we typically think of anymore, they are now network and system infrastructure dependent. You can't get an MRI without a computer as MRI's are computer programed, calibrated and controlled.

 

Other equipment may be able to operate standalone but the monitoring and visualization of these may have been designed and implemented around a software system that centralizes many different equipment in to a more readable and accessible display system.

 

You can't really isolate systems when you have many different systems these need to talk to and those systems talk to other systems, complexities and dependencies.

[Vishera]

Just now, Donut417 said:

I think its about time we add another branch to the US military thats sole purpose is cyber security and cyber warfare.

You mean like the Israeli Unit 8200?:

Quote

According to The New York Times, the Unit 8200's hack of Kaspersky Lab allowed them to watch in real time as Russian government hackers searched computers around the world for American intelligence programs.^[19] Israelis who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion of US systems.^[19]

 

 

Stuxnet

Many media reports alleged that Unit 8200 was responsible for the creation of the Stuxnet computer worm that in 2010 infected industrial computers, including Iranian nuclear facilities.^{[20][failed verification]}

 

[williamcll]

1 hour ago, Donut417 said:

You ever noticed how many of these attacks are directed at the US? I think its about time we add another branch to the US military thats sole purpose is cyber security and cyber warfare. If they want to hack us, we just hack them back. 

 

On top of that I think more international cooperation is needed to fight cyber criminals. I also think stricter punishments could also work. The issue is some of these attacks are state sponsored. Its not like the US can lean on Russia or China, just to name a few that have been accused of such attacks. Im sure the US's hands are not clean in this regard however. 

Increased internet security regulations is often protested against because it tends to violate privacy concerns.

[CarlBar]

15 hours ago, leadeater said:

Problem is a lot of these equipment can talk to backend computer systems and databases which can't be so easily isolated as they have to be maintained and updated as well as talk to other various systems for authentication and data systems integrations.

 

Medical equipment aren't nice isolated equipment like we typically think of anymore, they are now network and system infrastructure dependent. You can't get an MRI without a computer as MRI's are computer programed, calibrated and controlled.

 

Other equipment may be able to operate standalone but the monitoring and visualization of these may have been designed and implemented around a software system that centralizes many different equipment in to a more readable and accessible display system.

 

You can't really isolate systems when you have many different systems these need to talk to and those systems talk to other systems, complexities and dependencies.

 

Whilst i hear you on the state of current equipment this is getting to the point where i think we're hitting "safety critical" stuff that we where discussing in a thread a little while back. There needs to be a concentrated push towards regulations on all the various details of how important stuff is handled so that this kind of thing cannot happen, (as much as that is possibble ofc, there's allways edge cases you missed or can't account for).

[Shreyas1]

16 hours ago, leadeater said:

Problem is a lot of these equipment can talk to backend computer systems and databases which can't be so easily isolated as they have to be maintained and updated as well as talk to other various systems for authentication and data systems integrations.

 

Medical equipment aren't nice isolated equipment like we typically think of anymore, they are now network and system infrastructure dependent. You can't get an MRI without a computer as MRI's are computer programed, calibrated and controlled.

 

Other equipment may be able to operate standalone but the monitoring and visualization of these may have been designed and implemented around a software system that centralizes many different equipment in to a more readable and accessible display system.

 

You can't really isolate systems when you have many different systems these need to talk to and those systems talk to other systems, complexities and dependencies.

But do all these instruments and computers need to be connected to the outside internet? Can't they just be connected to each other and nothing else?

[Donut417]

14 hours ago, williamcll said:

Increased internet security regulations is often protested against because it tends to violate privacy concerns.

You dont need increase regulation. Instead of buying new fucking aircraft carriers you spend money on cyber security. Also I know for a fact that Intelligence agencies here in the US are tapped in to all of our telecommunications systems and networks. The NSA was found to have boxes in AT&T's data center a few years back. Also Edward Snowden did show the world the capabilities the NSA had for tracking users and how they were collecting info. All of this being done in the dark without any regulation. Also technically speaking any phone call or data that leaves or comes in to the US can legally be intercepted and they can go through it. Considering most of these attacks originate outside the US..... 

[BuckGup]

17 hours ago, Zodiark1593 said:

Given the life-saving nature of the equipment used, there would probably be a strong argument for having them air gapped from anything connected to the internet. This would greatly reduce the surface of attack. 

After working for a very large corporate company the idea of basic logic seriously does not always happen or exist. 

[Zodiark1593]

1 hour ago, BuckGup said:

After working for a very large corporate company the idea of basic logic seriously does not always happen or exist. 

It’s likely that medical workers and the companies building their equipment prioritized convenience and accessibility. After all, moving data back and forth and controlling air gapped equipment is hardly an appealing prospect for doctors and nurses. I doubt many of them are technically knowledgeable enough to do this either. 
 

There’s a substantial technical debt that needs to be paid to do this, both on the hardware side, and training. Without a head-on approach, this won’t happen. 

[leadeater]

3 hours ago, CarlBar said:

 

Whilst i hear you on the state of current equipment this is getting to the point where i think we're hitting "safety critical" stuff that we where discussing in a thread a little while back. There needs to be a concentrated push towards regulations on all the various details of how important stuff is handled so that this kind of thing cannot happen, (as much as that is possibble ofc, there's allways edge cases you missed or can't account for).

Comes back most to implementation and training, most equipment can ran standalone (even with a control PC) but since they are connected to other systems the training and every day usage is around that so when that breaks down you are having to use things in ways you aren't are well trained and used to and that's how mistakes happen. 

[leadeater]

3 hours ago, Shreyas1 said:

But do all these instruments and computers need to be connected to the outside internet? Can't they just be connected to each other and nothing else?

Yes and no, an MRI machine won't have internet access but the control PC will have to be on the network so logins can be authenticated and images loaded in to PACS imaging systems etc. It's all about points in the chain, something somewhere cannot be as isolated as others and when other systems and processes need that and it's taken down you impact everything around it that has to interact with it.

 

Also connected to the outside internet isn't even the issue, first a computer having internet access doesn't immediately mean it can be attacked, far from it in fact. Systems may also only have internet access to specific URLs and endpoints.

 

Entry points in to networks are almost always, many decimal points after 99%, from standard workstations and then those workstations compromise other computers and systems on the network either by directly infecting them to or encrypting files on any network shares it has access to that are connected or it could find. Then if the malware has remote access capability and the attackers are actually targeting this network and it's not a fly by or by chance infection they will access this workstation and use well known methods to find and gain access to higher privileged account(s) (this may happen first) and then direct access more sensitive servers and services.

 

When you have been compromised like this generally speaking you don't leave things online in the hopes they haven't been compromised and try and figure out what has been, you take everything offline, isolate foundation systems and inspect them and work to bringing those online and work your way out from there. A weeks worth of delayed non essentially services is much better than continuing operation while patient data is leaving the network or systems are compromised to the point you can't trust the information or it is now incorrect.

[leadeater]

47 minutes ago, Zodiark1593 said:

It’s likely that medical workers and the companies building their equipment prioritized convenience and accessibility. After all, moving data back and forth and controlling air gapped equipment is hardly an appealing prospect for doctors and nurses. I doubt many of them are technically knowledgeable enough to do this either. 
 

There’s a substantial technical debt that needs to be paid to do this, both on the hardware side, and training. Without a head-on approach, this won’t happen. 

You also limit the speed of care that can be provided doing this and diagnosis. Good old physical X-rays may be extremely resilient against computer system attacks but you cannot quickly and easily load these in to a computer imaging system, analyze it with computer aid or send it to another specialist for them to look at.

 

It's not just about people and lack of computer training and technical knowledge, we legitimately have improved the methods of clinical care by having things computer systems integrated. If you start limiting the information shareability and flow you limit the benefit of doing this in the first place and may as well go back to physical X-rays etc.

[thechinchinsong]

2 hours ago, Zodiark1593 said:

It’s likely that medical workers and the companies building their equipment prioritized convenience and accessibility. After all, moving data back and forth and controlling air gapped equipment is hardly an appealing prospect for doctors and nurses. I doubt many of them are technically knowledgeable enough to do this either. 
 

There’s a substantial technical debt that needs to be paid to do this, both on the hardware side, and training. Without a head-on approach, this won’t happen. 

Companies would rather go bankrupt than provide training and other services to employees. That or just contract away. Why invest in employees, when you can just outsource? Of course technical debt is gonna be ignored since good old dollars are the only that that matters to the bottom line.

[Zodiark1593]

2 minutes ago, thechinchinsong said:

Companies would rather go bankrupt than provide training and other services to employees. That or just contract away. Why invest in employees, when you can just outsource? Of course technical debt is gonna be ignored since good old dollars are the only that that matters to the bottom line.

“Why bother setting up the company for any success beyond my tenure? I’ll be gone by the time things go downhill anyway.”

[BuckGup]

3 hours ago, Zodiark1593 said:

It’s likely that medical workers and the companies building their equipment prioritized convenience and accessibility. After all, moving data back and forth and controlling air gapped equipment is hardly an appealing prospect for doctors and nurses. I doubt many of them are technically knowledgeable enough to do this either. 
 

There’s a substantial technical debt that needs to be paid to do this, both on the hardware side, and training. Without a head-on approach, this won’t happen. 

The medical workers shouldnt be in charge of cyber security. There should be a dedicated group for that

[Donut417]

11 minutes ago, BuckGup said:

The medical workers shouldnt be in charge of cyber security. There should be a dedicated group for that

The problem is hospitals dont have the budget to do so. Because if a billon dollar corporation cant secure its networks what makes you think a hospital can? Shit the US government cant secure its network, how many times has the Pentagon been hacked? 

[Kisai]

On 10/1/2021 at 6:02 PM, justpoet said:

 

 

Of note: The lawsuit appears to be against the hospital, but they did everything they could manually and appear to have still been attentive...just not as attentive as many more eyes on remote heart monitors and computers monitoring the baby too would've been.  As somebody who had a relative saved in the manner that couldn't happen here, I just have no words.    ... ... ...

 

Nope. This means the Hospital was understaffed. Which is also a problem worldwide, especially now due the covid panedemic.

 

I'm not sure the last time you visited a hospital, but it still haunts me listening to alarms go off, people screaming for help and being ignored, people having to share hospital rooms, patients in those rooms basically monitoring their neighbor when the staff don't check on them fast enough.

 

It's quite literately not possible to have enough staff in every department to cover every contingency. If you direct staff somewhere else, that means some other unit becomes understaffed, or maybe that isn't what they are trained for.

 

The monitors used for adults to keep them hydrated, are 802.11B units that are transmit-only (in 2019.) When the fluids are blocked or the timers run out, they send alarms to the staff that are less than 20ft away if you're lucky. Even if they aren't monitoring the computer, the units are still audible.

 

Hospitals are always going to be somewhat understaffed because of the high turnover as people quit from burnout, but in the case of the malware, in 2019, the local hospitals here were still using Windows XP on various portable, battery-operated, networked, pieces of equipment. You simply can't force medical systems to be thrown away every 2-3 years like you would a business pc.

 

 

So malware causing deaths in a hospital? Truth in fiction.

https://www.scmagazine.com/news/security-news/ransomware/reality-or-just-entertaining-tv-cyber-experts-dig-into-the-good-doctors-ransomware-episode

https://www.cinemablend.com/television/2573938/after-season-premieres-9-1-1-the-resident-fans-shows-connected-ransomware

https://www.cyberscoop.com/greys-anatomy-attempts-bring-ransomware-attacks-public-audience/

 

It's literately a thing TV shows have been bringing attention to, even if clumsy and dramatized. If you look up "malware" and "hospital" you'll see that it's been going on for a pretty long time.

 

What's worse, is that malware takes on a life of it's own and spreads without any clue as to what it might impair if held for ransom. Is that a PC in the intake department, or is that a ICU computer? Malware just sees a weak PC and infects it.

 

[StDragon]

This is what APIs are for. You limit the scope of the network and isolate the data needing to be transmitted by port/s only. Yes, that means all devices behind a firewall each in isolation from each other.

[leadeater]

4 hours ago, StDragon said:

This is what APIs are for. You limit the scope of the network and isolate the data needing to be transmitted by port/s only. Yes, that means all devices behind a firewall each in isolation from each other.

That works well for cross firewall and network segments but not for devices in the same zone. You'd have to go down to PVLANs or micro-segmentation VXLAN to eliminate all possible device to device network accessibility and that's a hell of a lot of work. Still wouldn't stop infected devices encrypting and infecting files on network shares it does have access to either and other devices becoming infected through that share by accessing those files.

 

There's already defined messaging and API standards for clinical data as well btw, one of them is called HL7. Much of the information passed between systems is done using HL7 messaging.

https://en.wikipedia.org/wiki/Health_Level_7

[Heliian]

It boils down to cost.  It's cheaper to pay ransom and lawsuits than to implement proper security.  

 

Article from Canada recently that about 70% of ransomes are paid.

 

 

[Bombastinator]

On 10/2/2021 at 4:46 PM, leadeater said:

You also limit the speed of care that can be provided doing this and diagnosis. Good old physical X-rays may be extremely resilient against computer system attacks but you cannot quickly and easily load these in to a computer imaging system, analyze it with computer aid or send it to another specialist for them to look at.

 

It's not just about people and lack of computer training and technical knowledge, we legitimately have improved the methods of clinical care by having things computer systems integrated. If you start limiting the information shareability and flow you limit the benefit of doing this in the first place and may as well go back to physical X-rays etc.

The backtrack is already happening perhaps.  I deal with a bank that won’t even do anything electronically.  Everything is on paper through the mail. 

[leadeater]

5 minutes ago, Bombastinator said:

The backtrack is already happening perhaps.  I deal with a bank that won’t even do anything electronically.  Everything is on paper through the mail. 

Not here, NZ banks don't offer cheques anymore and for almost everything you'll be directed to an instore kiosk to do anything with your account aka just stay home and use internet banking. Only reason to go in to a bank branch here is to discuss things like home loans and even that can be done over the phone and email now other than dropping off documents and signing paperwork.

 

You'd be lucky to get anything in paper form from a bank here now lol