Death by ransomware
On 10 September 2020, ransomware infected 30 servers at University Hospital Düsseldorf, crashing systems and forcing the hospital to turn away emergency patients. As a result, German authorities stated, a woman in a life-threatening condition was sent to a hospital 20 miles away in Wuppertal and died from the delay in treatment. On 28 September, another alarming news article stated that ‘a major hospital chain’ was targeted with ransomware in ‘more than 400 locations’ across the United States. In this blog post, I examine the incident and reflect on it from a Dutch legal perspective. I also consider whether IT systems in health care constitute ‘vital infrastructure’, which may warrant special protection by the Dutch National Cyber Security Centre.
Ransomware has for years been the most prevalent type of malware among cybercriminals (see Europol). Ransomware is malicious software (malware) that blocks access to a computer system or to the files on it, typically by encrypting them, and subsequently demands that a ransom be paid to restore access to the computer or files.
Serious ransomware attacks
Ransomware targeting hospitals is, unfortunately, not new either. In 2016, news reports mentioned ransomware targeting a hospital in Los Angeles (USA). The Dutch government stated that between 2014 and 2017, four ransomware incidents occurred in Dutch hospitals. The EU cyber security agency ENISA warned in 2018 that ransomware increasingly targeted medical devices and hospitals, from which a higher ransom can be demanded than from individual computer users.
Earlier this year (2020), a ransomware attack also occurred at a hospital in Leeuwarden, the Netherlands. Such attacks are usually aimed at earning money by infecting computers with ransomware, but they can also turn into a different form of extortion when the perpetrators copy medical records and demand payment under threat of releasing them.
Murder by ransomware?
In Germany, the ransomware infections led to an unfortunate chain of events, in which the unavailability of computers made it impossible for the hospital to care for certain patients. News articles mention how the authorities contacted the cybercriminals and asked them to shut down their ransomware, because it had infected computers at a hospital and threatened the lives of patients. The cybercriminals, supposedly unaware that their malware had infected computers in a hospital, complied, but it was unfortunately too late for one patient.
The German public prosecution service is examining whether the perpetrators can be charged with murder. The high sentence for this most serious crime makes it an attractive option for prosecution authorities, reflecting the seriousness of the consequences of this particular attack. In the Netherlands, many articles of our Penal Code could also be considered in a situation like this, such as article 161sexies(3) of the Dutch Penal Code, which provides that infecting a computer with malware in a way that endangers a person’s life, where that person dies as a result, carries a maximum sentence of 15 years’ imprisonment.
Difficulties in prosecuting for ransomware
Gathering the evidence needed to prosecute a suspect can be extremely difficult, especially when the suspect resides outside the investigating State’s territory (in my PhD thesis ‘Investigating Cybercrime’ I researched these problems extensively). Usually, ransomware is deployed to earn money in cryptocurrency (such as Bitcoin). In our open access article ‘Laundering the profits of Ransomware’, which was published last summer, we examine the relationship between money laundering and ransomware. This research may help law enforcement authorities collect evidence by following the money trail in ransomware incidents. But perhaps it works more like cyber security expert ‘The Grugq’ put it on Twitter:
“Prediction: The ransomware kid — whose hacking lead to a woman’s death in Germany — has done more for advancing cyber norms than any paper, book, article, talk, conference, round table, etc etc. have ever managed to accomplish.”
Cyber security and hospitals in the Netherlands
The incident made me wonder what the state of cyber security is at hospitals in the Netherlands. It seems to me that when computer systems are adequately secured, network traffic is monitored and the IT infrastructure is segmented, catastrophic security incidents like the one above can in some cases be avoided, or the seriousness of their consequences reduced.
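As an added illustration of the kind of monitoring the paragraph above refers to (this is example code written for this post, not code from the original page or from any hospital’s systems), the following Python script flags ransomware-like activity in file-server audit events: a burst of renames that change file extensions on one host within a short window, and the creation of a file that looks like a ransom note. The log format, host names, paths, hint words and thresholds are all assumptions constructed for the example; a real deployment would read the same fields from SMB audit logs, EDR telemetry or a SIEM and tune the thresholds to the environment.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample audit log for this example (not a real hospital log).
# Assumed format: "<ISO-8601 time> <host> <WRITE|CREATE|RENAME> <path> [-> <new path>]".
SAMPLE_LOG = """\
2020-09-10T02:14:01 radiology-ws07 WRITE /share/patients/123/ct_scan.dcm
2020-09-10T02:14:03 radiology-ws07 RENAME /share/patients/123/ct_scan.dcm -> /share/patients/123/ct_scan.dcm.locked
2020-09-10T02:14:04 radiology-ws07 RENAME /share/patients/123/report.pdf -> /share/patients/123/report.pdf.locked
2020-09-10T02:14:05 radiology-ws07 RENAME /share/patients/124/mri.dcm -> /share/patients/124/mri.dcm.locked
2020-09-10T02:14:06 radiology-ws07 RENAME /share/patients/124/notes.docx -> /share/patients/124/notes.docx.locked
2020-09-10T02:14:07 radiology-ws07 RENAME /share/patients/125/labs.xlsx -> /share/patients/125/labs.xlsx.locked
2020-09-10T02:14:08 radiology-ws07 RENAME /share/patients/125/xray.jpg -> /share/patients/125/xray.jpg.locked
2020-09-10T02:14:09 radiology-ws07 CREATE /share/patients/README_RESTORE_FILES.txt
2020-09-10T08:30:00 lab-ws02 RENAME /share/lab/results_draft.csv -> /share/lab/results_final.csv
2020-09-10T08:31:12 lab-ws02 WRITE /share/lab/results_final.csv
"""

# Assumed substrings commonly seen in ransom-note file names (tune per environment).
RANSOM_NOTE_HINTS = ("readme", "restore", "decrypt", "recover", "how_to")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    action: str
    path: str
    new_path: Optional[str] = None


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    reason: str


def parse_event(line: str) -> Event:
    """Parse one line of the assumed audit-log format into an Event."""
    ts, host, action, rest = line.split(" ", 3)
    if action == "RENAME":
        old, new = rest.split(" -> ", 1)
        return Event(datetime.fromisoformat(ts), host, action, old, new)
    return Event(datetime.fromisoformat(ts), host, action, rest)


def extension_changed(old: str, new: str) -> bool:
    """True when a rename changes the file extension (e.g. .dcm -> .locked)."""
    return PurePosixPath(old).suffix.lower() != PurePosixPath(new).suffix.lower()


def looks_like_ransom_note(path: str) -> bool:
    """Heuristic: a text/HTML file whose name contains a typical ransom-note word."""
    name = PurePosixPath(path).name.lower()
    return name.endswith((".txt", ".html", ".hta")) and any(h in name for h in RANSOM_NOTE_HINTS)


def detect(log_text: str, window: timedelta = timedelta(seconds=60), threshold: int = 5) -> List[Alert]:
    """Return at most one Alert per (host, reason) for ransomware-like file activity.

    A 'mass-rename' alert fires when a host performs `threshold` extension-changing
    renames within `window`; a 'ransom-note' alert fires when a host creates a file
    whose name looks like a ransom note.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # per-host rename timestamps
    alerts: List[Alert] = []
    seen: Set[Tuple[str, str]] = set()

    def raise_once(ev: Event, reason: str) -> None:
        if (ev.host, reason) not in seen:
            seen.add((ev.host, reason))
            alerts.append(Alert(ev.ts, ev.host, reason))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.action == "RENAME" and ev.new_path and extension_changed(ev.path, ev.new_path):
            q = recent[ev.host]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:  # drop renames outside the sliding window
                q.popleft()
            if len(q) >= threshold:
                raise_once(ev, "mass-rename")
        elif ev.action == "CREATE" and looks_like_ransom_note(ev.path):
            raise_once(ev, "ransom-note")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.host}: {a.reason}")
```

Run against the constructed log, the detector raises two alerts for radiology-ws07 (the mass rename at 02:14:07 and the ransom note at 02:14:09) and none for lab-ws02, whose single rename keeps the .csv extension. The point is not the specific thresholds but that an encrypting ransomware run produces a very characteristic burst in file-server telemetry, which a hospital that monitors its shares can act on within seconds rather than discovering it the next morning.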
A quick look at parliamentary history reveals considerable attention for cyber security in hospitals, usually after an incident has occurred. Over the years, members of parliament questioned the minister of Justice and Security several times about the state of cyber security in hospitals (see these answers to parliamentary questions in 2016, 2017, 2018, and recently these answers in 2020 regarding a cyber security incident at hospitals in Leeuwarden).
The Dutch government has repeatedly emphasized that IT security at hospitals is their own responsibility and not a ‘vital process’ relating to national security that requires extra (national) protection. In August 2020, this position changed somewhat with new legislation that gives the National Cyber Security Centre the task of assisting organisations in the health care sector with security incidents. Over the years, the National Cyber Security Centre also set up an ‘Information Sharing and Analysis Centre’ (ISAC) for the health care sector to facilitate the sharing of threat information. In addition, a ‘Computer Emergency Response Team’ (CERT) was set up for the health care sector (“Z-CERT”).
Hopefully, these serious cyber security incidents inside and outside the Netherlands will lead to real changes in how vital IT infrastructures, such as those of hospitals, are secured. There is a tension between leaving the protection of IT systems to the organisations themselves and providing sufficient security with the help of the National Cyber Security Centre. It will be interesting to see how this develops in the near future.