Cyber homicide: Death by ransomware

• Author:
• Author name

  Quantumrun Foresight
• December 2, 2022

Insight summary

Ransomware attacks on healthcare facilities are escalating, risking patient lives by delaying critical treatments and forcing hospitals to revert to inefficient manual processes. These cyber assaults, increasingly targeting healthcare organizations, disrupt vital services like chemotherapy and emergency care, while also raising mortality rates. This surge in cyber attacks could drive hospitals to enhance their digital security, change governmental laws, and adapt insurance policies.

Cyber homicide context

Some ransomware hackers have shifted their focus to attacking essential healthcare services. These incidents have led to patients not receiving timely treatments, sometimes resulting in death. These attacks encrypt computer networks and demand payment to make them functional again, which can be devastating in an industry where even minutes of downtime can have deadly consequences.

According to a study from the cybersecurity firm Sophos, 41 percent of ransomware attacks globally occurred against US-based firms in 2021, with healthcare being a principal target. Ransomware assaults on healthcare organizations increased 94 percent from 2021 to 2022. And more than two-thirds of US healthcare companies reported a ransomware attack in 2021, up from 34 percent in 2020.

Ransomware attacks have caused significant problems, including delayed chemotherapy treatments and ambulance diversions from a San Diego emergency department after hackers locked computer systems in 2021. According to a study by research center Ponemon Institute, 43 percent of the 600 health IT and security leaders surveyed said their organizations had experienced a ransomware attack. Within that figure, 45 percent reported the incident led to disruption of patient care operations. About 70 percent said there were procedural delays, 36 percent saw more procedure complications resulting from the attack, and 22 percent attested higher mortality rates.

Disruptive impact

In 2021, a woman filed a lawsuit against Alabama-based Springhill Medical Center. The complaint detailed a 2019 incident when a ransomware attack disabled the hospital’s IT systems for more than three weeks. This interruption led to hospital staff shifting to less efficient manual charting as well as to disruptions of staff communication and other services, including fetal heartbeat monitors. In the lawsuit, the plaintiff alleged that the hospital did not inform her of the ongoing cyberattack. Had she known, she would not have gone to labor induction at the hospital.

During delivery, her daughter was unresponsive due to an umbilical cord wrapped around her neck. While resuscitation was successful, the baby died nine months later from brain damage. The lawsuit alleges that the attending obstetrician could not access critical data about the baby’s elevated heart rate because Springhill’s IT systems were unresponsive. This information could have enabled a faster, safer delivery by cesarean section.

Another ransomware-related death occurred in September 2020 in Germany. A hospital in Dusseldorf was forced to turn away an ambulance bearing a 78-year-old woman suffering from an aortic aneurysm (a burst heart vein) due to an ongoing ransomware attack. Hundreds of operations and other procedures were canceled when the hospital’s digital infrastructure was attacked, compromising its ability to coordinate doctors, beds, and treatment.

The woman had to be transferred to another hospital 32 kilometers away. This disruption delayed her treatment for an hour, after which she died. Assuming the hackers could be identified, prosecutors in Cologne planned to pursue them for negligent homicide, defined as killing another person through carelessness or without ill intent. Prosecutors would need to find enough evidence to show that the attack and lack of treatment soon afterward led sufficiently to the death.

Implications of cyber homicide

Wider implications of cyber homicide may include: 

• Hospitals heavily investing in cybersecurity systems and cloud-based backup infrastructures to prevent potential future disruptions.
• Governments modifying their respective laws to be able to prosecute ransomware criminals for homicide.
• Increased lawsuits against hospitals that don’t have resilient cybersecurity systems and strategies.
• Healthcare providers establishing an emergency protocol with other hospitals for seamless inter-facility operations during ransomware attacks.
• The increased use of artificial intelligence to predict potential digital attacks in real-time and automatically activate emergency protocols.
• Insurance companies adjusting policies to cover cyber attacks, resulting in new pricing models and coverage options for healthcare facilities.
• Consumers demanding greater transparency from healthcare providers about their data security measures, leading to widespread adoption of clear communication protocols.
• Healthcare regulatory bodies intensifying audits and compliance checks for cybersecurity, leading to more stringent industry standards.

Questions to consider

• If you work in healthcare, how is your institution protecting itself from ransomware attacks?
• What considerations should hospitals and healthcare centers consider when dealing with a ransomware attack?