A Death Due to Ransomware

The Wall Street Journal is reporting on a baby’s death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing.

Amid the hack, fewer eyes were on the heart monitors — normally tracked on a large screen at the nurses’ station, in addition to inside the delivery room. Attending obstetrician Katelyn Parnell texted the nurse manager that she would have delivered the baby by caesarean section had she seen the monitor readout. “I need u to help me understand why I was not notified.” In another text, Dr. Parnell wrote: “This was preventable.”

[The mother] Ms. Kidd has sued Springhill [Medical Center], alleging information about the baby’s condition never made it to Dr. Parnell because the hack wiped away the extra layer of scrutiny the heart rate monitor would have received at the nurses’ station. If proven in court, the case will mark the first confirmed death from a ransomware attack.

What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.

Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russianbased Ryuk gang, which was singling out hospitals at the time.

They’re certainly never going to be held accountable.

Another article.

Posted on October 1, 2021 at 9:56 AM6 Comments

Comments

Clive Robinson October 1, 2021 12:57 PM

@ ALL,

It’s more easily arguable that the hospital was negligent.

Ask yourself what the hospital would be saying if the same lack of information was due to an easily preventable event that they would claim as an “accident” but was nothing of the sort.

One of the reasons for “central stations” and such displays is to minimize personnel to as close to the barest minimum possible even when things are going well.

I’ve been in hospital where such monitors are used, where a fault in a piece of equipment caused it to take out a fuse and down went the central monitoring system…

It was “headless chickens” all around untill they more than doubled the number of staff on the ward.

Thankfully I was “ambulatory” even though my life was at risk –bacterial sepsis–, and I could look after my basic needs. But of the five other patients in my bay, three were not just confined to bed, they were not capable of doing much more than press the call button. As far as I’m aware nobody in our bay had an event that needed medical attention during the time it took for the electrical problem to be fixed as non of the equipment “alarmed”. However during that night, the patients on either side of me died…

The point is since then every hospital I’ve been in, I’ve paid carefull attention to there set ups. Guess what they are all chronically understaffed, and overly reliant on IT equipment that is shall we say “antiquated” by even “home office” standards…

But lets be honest, who here would trust their life to “Windows 10” even a striped down version of it?

Let’s just say you won’t see my hand go up. As the not so old saying says,

“To err is human, but it takes a computer to realy §¥ck up”.

Not something bean counters worry about though. You can almost bet right now that they would by IoT from a NoName company, if the law did not require them to buy devices certified for use.

But then how many “product recalls” of “personal” medical electronics have there been, even with all the certification testing…

lurker October 1, 2021 3:05 PM

The culprit turned out to be the Ryuk ransomware,

This claim is just part of the offensive mendacity which gets compounded by expending large effort on cyber-car-chases after the baddies, when the fundamental cause is creating targets for attack by the use of software that is not fit for purpose and the failure to understand and apply cyber defence.

any moose October 1, 2021 3:34 PM

Almost all malware arrives via phishing. So mandate that all email for financial firms, health-related companies, and all businesses that handle personal information must be handled on separate servers, with them physically isolated from the rest of the network. Inconvenient? Yes, but the current situation is intolerable.

While we’re at it, prohibit remote monitoring of important infrastructure. And make the CTO and all other corporate officers personally liable for breaches, no hiding behind the corporate veil.

We’ll no doubt hear from liberals who blame Republicans for the problem, but they need to explain why the Senate vote for the Communications Decency Act, the home of the infamous Section 230, which granted a get-out-of-jail-free card to Internet firms, was 91-5. with three not voting.

P.S. The five votes against the Communications Decency Act are most interesting: Feingold, Leahy, McCain, Simon, and Wellstone.

Sdedaluz October 3, 2021 10:16 AM

It’s the second decade of the 21st century. Blaming endemic attacks for the harm caused by your poor security posture is like blaming the rain when your roof leaks. Both situations can compromise critical infrastructure due to negligence in design or maintenance, but only one is glibly externalized. Monster settlements in a couple of cases like this are apparently necessary to provide the fear to hospitals and those that insure them. Hospital IT groups are crews uniformly underwhelming and unimaginative rule-followers (typically cribbing from a set of rules that’s 5-7 years out of date). As long as everyone changes their passwords every 90 days, and whatever freshly EOL system is migrated out, nobody gets yelled at…

lurker October 3, 2021 9:50 PM

@Erdem Memisyazici

Not so long ago patient databases and medical widgets ran on an Intranet of Things, and you could get half-decent firewalls. Then a rampant brain virus took over, and C-suites who couldn’t spell Internet took control…

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.