For the record, a security “loophole” is a glitch. Why? Because a design or coding flaw allows a hacker to get in and steal data, manipulate records or, as in the case of the hospital hacked in Germany, lock down systems and demand payment (ransomware), preventing the delivery of critical health care.
In what is the world’s first criminal investigation into a cybersecurity flaw that allegedly led to a person’s death, prosecutors in Germany have opened a homicide case.
Turned away from emergency services
A woman requiring immediate medical attention for an aneurysm was turned away from the hospital emergency department in Düsseldorf, Germany, and sent to another hospital, delaying her care by one hour.
En route, she died.
A flaw in a Citrix VPN system allowed hackers to install ransomware, shutting down the systems required to provide the woman the medical care she needed to save her life.
Holding a hospital hostage
Interpol issued an alert in April 2020 highlighting that cybercriminals were now exploiting the coronavirus chaos at hospitals, “using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.”
The hackers in Germany used a Citrix security vulnerability that had been known of in December 2019. A “patch” was made available by Citrix in January 2020.
Although some reports claimed that the hospital may have been lax in updating its systems, investigations are underway to determine further facts. The hospital could very well have applied all required security patches, but as noted:
Hackers could have subverted IT systems vulnerable to the Citrix security hole prior to the updated software’s release in January. That means hackers could still have access to supposedly patched networks.
Cybersecurity Homicide: Historical First?
While the German investigation is certainly an “historical first” in terms of pursuing criminal homicide charges relating to cybersecurity, it is not a certainty that this is the first death due to a cybersecurity breach.
There has been quite a lot of hand-wringing but very little action in the realm of medical devices and faulty software, especially flawed software that allows hackers to directly interfere with medical care.
In 2007, then-VP Dick Cheney had the internet connectivity to his pacemaker disabled due to assassination fears. Officials were rightly worried that someone could remotely interfere with the safe functioning of the device, secretly killing the Vice President.
Ten years later, the FDA recalled hundreds of thousands of pacemakers for the same reason.
Almost half a million pacemakers have been recalled by the US Food and Drug Administration (FDA) due to fears that their lax cybersecurity could be hacked to run the batteries down or even alter the patient’s heartbeat.
Of the hundreds of thousands of pacemakers and other medical devices that have been left vulnerable for years, are we absolutely certain that not one of them was secretly hacked?
As Interpol’s alert noted, the hospital networks can be secure and professionally managed, but hackers can still get into them through vulnerable medical devices and other means, including remote medical monitoring during the coronavirus crisis.
In the many, many years following the protective measures that Dick Cheney’s doctor instituted to protect him from a potential cyber-assassination, very little has been done to protect the average person from the threat of medical manipulation via the internet.
It’s really well past the time to establish regulations that protect people from cyber criminals who can now literally threaten our lives. It’s also time to develop proper medical cyber forensics.
Postscript: The fact of the matter is that holding hospitals hostage using their weak security systems has been going on for years. There are important steps and protocols that can and must be taken.