A Death Due to Ransomware
The Wall Street Journal is reporting on a baby’s death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing.
Amid the hack, fewer eyes were on the heart monitors—normally tracked on a large screen at the nurses’ station, in addition to inside the delivery room. Attending obstetrician Katelyn Parnell texted the nurse manager that she would have delivered the baby by caesarean section had she seen the monitor readout. “I need u to help me understand why I was not notified.” In another text, Dr. Parnell wrote: “This was preventable.”
[The mother] Ms. Kidd has sued Springhill [Medical Center], alleging information about the baby’s condition never made it to Dr. Parnell because the hack wiped away the extra layer of scrutiny the heart rate monitor would have received at the nurses’ station. If proven in court, the case will mark the first confirmed death from a ransomware attack.
What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.
Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russianbased Ryuk gang, which was singling out hospitals at the time.
They’re certainly never going to be held accountable.
Another article.
Subscribe to comments on this entry
Clive Robinson • October 1, 2021 12:57 PM
@ ALL,
It’s more easily arguable that the hospital was negligent.
Ask yourself what the hospital would be saying if the same lack of information was due to an easily preventable event that they would claim as an “accident” but was nothing of the sort.
One of the reasons for “central stations” and such displays is to minimize personnel to as close to the barest minimum possible even when things are going well.
I’ve been in hospital where such monitors are used, where a fault in a piece of equipment caused it to take out a fuse and down went the central monitoring system…
It was “headless chickens” all around untill they more than doubled the number of staff on the ward.
Thankfully I was “ambulatory” even though my life was at risk –bacterial sepsis–, and I could look after my basic needs. But of the five other patients in my bay, three were not just confined to bed, they were not capable of doing much more than press the call button. As far as I’m aware nobody in our bay had an event that needed medical attention during the time it took for the electrical problem to be fixed as non of the equipment “alarmed”. However during that night, the patients on either side of me died…
The point is since then every hospital I’ve been in, I’ve paid carefull attention to there set ups. Guess what they are all chronically understaffed, and overly reliant on IT equipment that is shall we say “antiquated” by even “home office” standards…
But lets be honest, who here would trust their life to “Windows 10” even a striped down version of it?
Let’s just say you won’t see my hand go up. As the not so old saying says,
“To err is human, but it takes a computer to realy §¥ck up”.
Not something bean counters worry about though. You can almost bet right now that they would by IoT from a NoName company, if the law did not require them to buy devices certified for use.
But then how many “product recalls” of “personal” medical electronics have there been, even with all the certification testing…