By now, I assume that everybody has heard of the cybersecurity incident at the University Clinic in Düsseldorf, Germany, where a ransomware attack crippled the IT system, requiring the diversion of an emergency patient to another hospital, resulting in delay of medical services and, tragically, the death of the patient.
I am calling this blog post “close to home” for two reasons. First, the University of Düsseldorf is actually and coincidentally my alma mater (the school of engineering, that is). Secondly, many, including myself, had previously warned that a cyberincident that would result in patient harm would more likely be caused by a coincidental event impacting care availability or resulting in care delay, rather than a targeted attack with the goal to do harm. Unfortunately, with no intent to brag, I was right.
According to press reports, the initial attack started around Sept. 10 and led to gradual deterioration of communications systems including telephone, email, and general IT infrastructure. Ultimately, data on 30 servers was encrypted and the clinic started to cancel scheduled procedures and began diverting ambulances.
Based on the ransom demand found on one of the servers, local authorities concluded that the attackers were under the assumption that they had attacked the university itself rather than the affiliated hospital. And indeed, once the hackers were contacted by police over the provided contact channel, they disclosed the decryption key and restoration could begin. However, it was too late for a critically ill patient who had to be transported to another hospital. It is assumed that the combination of the one-hour delay and lack of access to the patient’s history were contributors that led to her death.
Previously, studies had demonstrated a link between delay in care and patient health outcomes. For example, a 2017 analysis showed that even an average delay of 4.4 minutes in patient transport due to road closures for local sporting events resulted in a measurably higher 30-day mortality rate for cardiac emergencies. But not until now have we seen a report that directly linked a patient’s death to a cyber event.
I briefly want to look under the (technical) hood of this series of tragic events. Officials have stated that the attack exploited a commonly used remote access software. At the time of this writing, there has been suspicion, but no official confirmation, that the exploited vulnerability was CVE-2019-19781, rated at 9.8 (a ‘critical’ rating per CVSS v3). It was reported by Citrix on December 17, 2019, and a fix has been available since late January. The vulnerability, nicknamed “Shitrix,” allowed an attacker to compromise VPN access via several commonly used Citrix software components.
The clinic has stated that the vulnerability had been addressed back in January, and that both internal and external security reviews had been performed. This would leave a couple of possible explanations for why the network could still be penetrated. Either the mitigation was incomplete and left an opening for the attacker, or the attacker penetrated the network as early as January and planted a backdoor that was later exploited.
It appears that the actual ransomware that performed the encryption was delivered via the Emotet trojan, meaning there are at least two pieces of malware used in the attack which, most likely, was patiently planned and executed over several months.
Emotet itself has an interesting history. It first appeared in 2014 and was used by a specific adversary group for attacks on financial institutions in Europe, executing a few but nevertheless successful campaigns. The group’s operating mode changed in 2017 when they started to expand Emotet’s features and its supporting botnet infrastructure, marketing it to other cybercriminals as a delivery tool for other malware. As a result, the number of Emotet detections rose from a few hundred in mid-2017 to almost 15,000 by the end of that year, and has continued to grow since. Even though things had quieted down during the earlier part of this year, Emotet made a rapid comeback and is considered one of the most notorious and prevalent pieces of malware today.
Simply put, the group behind it changed their business model from (virtual) bank robbery to being a service provider to other criminals, as seems to have happened in the Düsseldorf University case, where Emotet was used to penetrate the organization’s IT infrastructure and implant the DoppelPaymer ransomware. The same malware had previously been used for several high-stakes attacks, including on the Chilean Ministry of Agriculture, Newcastle University, Mexico’s Pemex Oil, as well as critical supply chain companies serving the automotive and aerospace industries. With that, German authorities seem to link the attack to a criminal organization in Russia.
Many industries, and certainly healthcare, are challenged with closing the “window of vulnerability”, i.e., the time between disclosure of a vulnerability and deployment of the patch (or other mitigation). For example, when in 2017 the WannaCry malware closed down 81 of 236 U.K. National Health Service hospitals, about 90% of infected computers had newer versions of the Windows operating system for which a patch had been available. These examples would lead to the conclusion that, considering the complexities and interdependencies in the healthcare ecosystem, relying purely on a vulnerability disclosure and patch deployment process may not provide the level of security required. In other words, will we ever be able to patch quickly enough and completely enough to become secure enough, or will we need to look at other, complementary approaches? These could include network segmentation, redundancies, and additional layers of security.
There are, at the time of this writing, still several open legal and technical questions, and I am sure more information will be forthcoming. In fact, some of the reporting in the press has provided conflicting information, so I would suggest that for final conclusions we need to wait for the official report. Even though it appears that the actual target of the attack was the university and not the clinic, that does not change the tragic outcome. German prosecutors have stated that if they determine that the ransomware attack and hospital shutdown directly caused the patient’s death, they would upgrade the charges from negligent manslaughter to negligent homicide.
Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, is the chief security strategist at MedCrypt in San Diego, CA, and a member of the BI&T Editorial Board. Email: firstname.lastname@example.org