Ransomware Kills
Privacy Plus+
Privacy, Technology and Perspective
Ransomware Kills. This week, the news is reporting on a lawsuit in Mobile, Alabama, which alleges that in July 2019, a hospital’s misreporting and clumsy handling of a ransomware attack caused inadequate care of a pregnant mother and profound brain injury, and eventual death, of the baby.
The suit faults the hospital for assuring the public that the “network security event” wouldn’t affect patient safety, when plaintiff claims the attack had actually crippled major critical-care systems which would stay crippled for over a week.
The Wall Street Journal describes this as the “First Alleged Ransomware Death.”
You can read more about this story by clicking on either of the following links:
https://www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges
https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116
You can find a copy of the Amended Complaint in the lawsuit by clicking here:
https://www.documentcloud.org/documents/21072978-kidd-amended-complaint
The Larger Point: The suit grimly focuses on the hospital’s alleged failures to warn patients about the full impact of the ransomware attack, and the hospital’s steps and missteps in attack’s aftermath. The story is riveting and sad. According to regulatory requirements, hospitals are expected to study, learn the lessons of, and improve from their own and one another’s mistakes and misfortunes, so we hopefully expect that over the two-plus years since this tragedy occurred, procedures for patient care and institutional response in the face of ransomware attacks have improved.
The larger issue, however, remains how to harden and vitalize cyber-defenses in all critical infrastructures -- and in all life/safety-critical devices and networks -- in order to prevent cyber-criminals from exploiting the internet to cause harm, and even to murder.
The Alabama lawsuit focuses on the hospital’s statements and procedures in the wake of the attack, taking the attack itself as something of a given, like a third-party criminal event that couldn’t be anticipated or prevented (but in the plaintiff’s view, should have been disclosed and handled better). In ever-increasingly connected networks, however, the next event may do more than test a medical provider’s communications, training, and procedural flexibility. It may bypass the hospital or providers themselves and penetrate directly to the devices themselves -- by, say, changing records to show the wrong prescriptions or doses; reworking electrical settings in defibrillators or pacemakers; changing screen readouts on patient monitors; or altering the functionality of MRIs, medical lasers or other electro-surgical devices.
Yes, that an attack on critical infrastructures, devices or networks resulting in death is Murder: and it wouldn’t matter if it were done for money, revenge, credit, mayhem, or nation-state attack.
We suggest, therefore, that while having a warm thought for victims on both sides of the docket in the Alabama suit, we take renewed determination to require more than merely “reasonable” cybersecurity for all life/safety-critical devices and networks.
And while we’re at it, proposing a uniform state act which expands the definition of Murder would be entirely in order—bad actors, over the internet or otherwise, should be held accountable.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠