On September 10, 2020, a large university hospital in Dusseldorf, Germany, experienced a major cyberattack, apparently caused by a security vulnerability of an off-the-shelf software that allowed hackers to infiltrate the hospital's systems. The hospital treats approximately 350,000 patients per year; over 1000 patients each day. In the days during and after the cyberattack, this number was cut in half, with operations falling from the usual 70-120 per day down to 15. This is also the first reported cyber incident where an attack may have directly led to the death of a patient.

This incident is a stark reminder of the real-world impact of digital threats, as described in our previous newsletter article, and the physical harms that cybercrime can inflict. The details surrounding the attack are currently under investigation by the local cybercrime unit in Cologne and appears to point to previously unknown attackers, whose target was likely a university and not the hospital.

What Happened

The incident was caused by a ransomware attack that exploited an existing vulnerability in a very common software application, Citrix virtual private network (VPN). In the words of the hospital's director, this security gap will affect "many organizations globally."

The attack may have even been inadvertent. The threat actors reportedly did not demand ransom and in fact provided the encryption keys to the hospital after noticing their mistake. There was no evidence of data exfiltration or destruction, according to the clinic's most recent press release (in German).

As of September 20, 2020, the hospital was still in the throes of remediation, with a return to normal patient care not yet possible. For instance, while equipment such as X-ray machines were functioning, no data could be fed into, retrieved from or processed within hospital IT systems. Email communication also was not functioning. This inability to process data resulted in an inability to return to normal operations and patient care.

The incident is also being linked directly to the death of a female patient who had to be rerouted to another hospital due to the shut-down of operations at the clinic in Dusseldorf and who did not survive the detour. The local prosecutor has opened a homicide investigation, which would be the first of its kind relating to a cyberattack. The charges that are being considered are negligence causing death (German: "fahrlässige Tötung").

Regarding what could have been done to prevent or mitigate the attack, the matter is being considered and debated by the state parliament (in German) ("Landtag"). Debate has focussed on the vector of attack and why recommendations from the German Centre for Cybersecurity ("Bundesamt für Sicherheit in der Informationstechnik" (BSI)) were not acted on or budgeted for by the state Ministry of Health earlier in 2020.

What Can Hospitals and Other Organizations do to protect themselves?

This list is not exhaustive but the below describes some preventative steps organizations can take.

  • Ensure cybersecurity recommendations are monitored, assessed and implemented without delay, where appropriate.
  • Review and fix vulnerabilities related to Citrix VPN.
  • Review existing software used in operations and assess whether other vulnerabilities exist in purchased solutions or other software.
  • Establish routines for vendor management and monitoring, supported by contractual obligations.
  • Implement a data breach/cyber incident response policy - identify a breach coach/legal counsel. Where privacy of personal information is impacted, align with privacy breach management policies.
  • Maintain current anti-virus software.
  • Ensure regular back-ups for critical systems and infrastructure.
  • Limiting network access - implement preapproval for all software installations, including privacy impact assessments or threat risk assessments.
  • Train all staff regularly - even perfect technical controls can be bypassed if human error is exploited.
  • Implement and regularly review your disaster recovery plan.
  • Consider cybersecurity of medical devices, as discussed in our recent blog post, and other smart equipment.

We will be monitoring the developments as it relates to the above -mentioned attack and other incidents for any learnings that we may glean as a result.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.