I heard a speaker at the SecureWorld Twin Cities conference give this chilling warning:
"We're entering a time where cybersecurity is no longer about data security... it is about life security."
A recent ransomware attack against a German hospital appears to have made this prediction a reality.
The ransomware attack hit the Düsseldorf University Hospital in early September 2020, shutting down its network. That includes the system used to admit emergency patients.
Reuters explains that part of the tragedy:
"The female patient, suffering from a life-threatening illness, had to be turned away on the night of Sept. 11 by the city's University Clinic and died after the ambulance carrying her was diverted to Wuppertal, 30 km (20 miles) away."
Now, prosecutors have launched a negligent homicide investigation in the case, which is believed to be the first fatality caused by a cyberattack.
While the criminal investigation is underway in this attack case, the cyber incident response work is already revealing important details for any organization. Here are three things you should know:
1. Germany's Federal Office for Information Security (BSI) says the attack occurred through a Citrix VPN vulnerability that has been known about since last year.
"The BSI would like to emphasize that a vulnerability (CVE-2019-19781) known since December 2019 in VPN products from Citrix for Cyber-Attacks is being exploited."
2. Following this fatal cyberattack, the BSI is sounding the alarm on the severity of this vulnerability, again.
"We warned of the vulnerability back in January and pointed out the consequences of its exploitation. Attackers gain access to the internal networks and systems and can paralyze them months later. I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately. The incident shows once again how seriously this danger must be taken," says BSI President Arne Schönbohm.
3. This Citrix vulnerability may still impact organizations that patched.
"Systems that were patched in January 2020 can also be affected by the exploitation. These may have been compromised before the Citrix security updates were installed and can therefore still allow attackers to access internal networks and other activities, such as the diversion or encryption of sensitive data or the manipulation or shutdown of systems, business processes and operating procedures.
Users of the products Citrix Gateway (formerly NetScalerGateway) and Citrix Application Delivery Controllers should check their network infrastructure and systems for possible anomalies and adapt their protective measures. If your own IT operations do not have the necessary skills to examine the systems for compromises, it is advisable to consult an external IT security service provider."
There's been a lot of talk on Twitter about who to blame for this cyberattack. Was it only the fault of the hacker involved? Or is the hospital itself to blame, as well?
Some are openly asking if this really is the first fatal cyberattack at a hospital.
While others are hopeful this will finally get more organizations to take cybersecurity seriously.
Mark Kedgley, CTO at New Net Technologies (NNT), worries this is a sign of what's ahead:
"It's a tragic story and won't be the last time that cybersecurity has such a direct impact on human lives. As the indiscriminate distribution of ransomware hits more IT systems and operational technology underpinning critical infrastructure, like hospitals, energy, and rail and traffic management, we will all be affected more by hacker-instigated disruption."
Here's a twist to consider.
According to German media outlet RTL.de, the hackers might have been trying to attack the university only, but accidentally attacked the university hospital instead.
Check out what happened that makes this seem like a possibility:
"Their target could have been the University of Düsseldorf, but instead they paralyzed the university clinic. When the police contacted the perpetrators, they released the code to unlock the computer systems. The PCs could slowly start up again, but by then it was already too late for the woman."
The fact that the attackers gave decryption keys for free is either a sign they knew about the consequences of the attack or perhaps they did simply miss their target.
Rick Holland, Chief Information Security Officer and Vice President at Digital Shadows, reminds us of recent promises from a number of ransomware operators:
"In the early days of COVID-19, we saw actors stating that they wouldn't target healthcare, so at least some criminal element is publicly against these sorts of attacks. Opportunistic ransomware actors who cast a wide net may not realize that many university systems have significant healthcare components that conduct research and treat patients.
Law enforcement agencies are already highly focused on ransomware operators. Still, any attacks that result in the loss of life will only increase the criminals' risk of indictments and arrests."
And according to cybersecurity thought leader Bruce Schneier, things like this will also lead to increasing government intervention.
I interviewed Schneier last year at SecureWorld Boston:
"We are now living in the world that the market gives us in terms of security. This is it. This is what the market will reward. If we don't like it, we need to do what government always does, which is perturb the market, right, to change the playing field.
And we'll do things like that all the time. We have child labor laws. We have minimum wage laws. These are all perturbings of the market, and we need to do that here in cybersecurity, just like we do in airline safety and everything else, and say 'here are some minimal standards, here are some regulations, here are some mechanisms for liability.'
We know how this works in every other aspect of society. We need to do it here. And as long as we don't, we're going to be stuck where we are now, which is with all this insecurity."
Insecurity that can be fatal.
Sometimes cybersecurity is about life security.
[Related podcast: Bruce Schneier on the State of Cybersecurity]