
Woman dies during a ransomware attack on a German hospital - bmcn2020
https://www.theverge.com/2020/9/17/21443851/death-ransomware-attack-hospital-germany-cybersecurity
======
Someone1234
Two things can be true at the same time. In this case, that the malware
authors are responsible, and that the hospital/management were negligent.

Negligent circumstances seem controllable, whereas having no bad actors in
the world (particularly the international world, including rogue states) seems
nearly insurmountable.

Every time this happens, I'm going to keep saying the same thing: Management
let this happen. The dangers are known, the risk mitigation is known, and
their failure to act is tantamount to negligence. This didn't "have" to
happen, they allowed it to happen.

But as I said at the start: two things can be true at the same time;
management's negligence let someone die, and the malware authors are
responsible for the death.

~~~
mullingitover
I look at it like this: if the hospital were being extorted by arsonists, we
wouldn't be standing around blaming the architect of the hospital for using
wood in its construction as the hospital burned.

~~~
young_unixer
Arson is a physically violent act, hacking is not. From any reasonable moral
standpoint those things are very different.

~~~
cortesoft
It depends on what you hack, doesn't it? If your hack causes physical harm, it
is a physically violent act. You wouldn't say that someone firing a gun didn't
commit a physically violent act just because all they did was pull a trigger.

~~~
young_unixer
There must be a distinction between:

1. Actions that are physically violent

2. Actions that cause physical harm, but the action itself is not physically
violent

If 1 and 2 were the same, it would imply that voting for a politician that
decides to kill people is just as bad as killing people yourself. The
consequences of that wouldn't be good.

> You wouldn't say that someone firing a gun didn't commit a physically
> violent act just because all they did was pull a trigger.

If the gun is their property, it's their fault that their property is
attacking someone. It's not pulling the trigger that's wrong, it's that their
property attacked someone else. The same idea applies to killer robots.

If the gun is not their property, then it's their fault that they used someone
else's property.

~~~
harimau777
If you reasonably know that the politician would murder someone, then you
absolutely are equally bad if you vote for them.

------
Zanni
Interesting that German authorities are considering treating the death as a
homicide. The US has the felony murder doctrine where a death that occurs
during the commission of a felony is automatically considered first degree
murder. [0] Germany doesn't have that, but does bump up the penalties for
certain specific "crimes with deadly outcome." [1]

[0] [https://www.law.cornell.edu/wex/felony_murder_doctrine](https://www.law.cornell.edu/wex/felony_murder_doctrine)

[1] [https://en.wikipedia.org/wiki/Murder_in_German_law#Crimes_wi...](https://en.wikipedia.org/wiki/Murder_in_German_law#Crimes_with_deadly_outcome)

~~~
lionkor
I see why though, as it wasn't the intent to kill, but it happened, like with
negligence.

------
rscho
In modern hospitals, inability to access the EHR will prevent you from doing
_anything_! CTs, MRIs, EKGs, automated drug distributing machines, you name
it... will simply refuse to work if the patient is not admitted. And no,
vendors don't provide you with a "special key" to bypass that. Any problem?
Call the company tech and he'll be here real soon... in 12 hours.

People call for more automation but they forget the downsides in resource
constrained places such as the public hospital system.

This thread is full of people who don't know what they're talking about.

~~~
hh2222
Modern hospitals have tested manual downtime processes in place.

~~~
joshgel
This. The EMR does go down from time to time. We still have paper order pads
around so that things can get done. It's annoying AF. You have to fax things to
radiology to get a scan. You have to walk to pharmacy to get meds. But the
system worked before computers (which wasn't that long ago in many hospitals)
and it works without them today.

That said, the first time I had to use paper I felt like I had no idea what I
was doing, because a lot of the EMR defaults aren't there to prompt you. So
you have to specify a 'start time' for a medication, but in the EMR "now" is the
default, so I didn't think about it as anything mandatory.

~~~
rscho
And you can transition immediately? When things like that happen over here,
adjustments are far from immediate, and my center is not in the middle of
nowhere. Of course the papers are there, but radiology is pretty much out of
service for a few hours. And then you have advanced/special testing that
pretty much does not run at all.

------
Slartie
Important fact not stated in the article: the ransomware in question entered
the hospital's system via the Citrix vulnerability from the beginning of 2020.
This has been confirmed by the German BSI (the country's institution
responsible for cyber security issues).

So: a gaping security hole known for eight months has been left open. This is
especially important to keep in mind because their lame excuse is that they
hadn't had enough time to fix the hole.

~~~
swarnie_
Are we going to pretend that all our systems, software and services are 100% up
to date and there are no known issues? 8 months isn't uncommon for a lot of
companies I've consulted for.

In fact, I've patched things this year with CVEs published in 2012/2013.

~~~
threentaway
In all seriousness, how does this happen? Security updates are typically just
installed with an apt-get upgrade and you're looking at a few minutes of
downtime if the service needs to be restarted. Containers are even easier.

~~~
Bombthecat
How?

It costs money and there is a... hmm, delayed impact (or none), that's why.

But: Germany is bringing out a new law about important IT infrastructure
where you need a SOC/SIEM etc.

I think it's called IT-SiG.

~~~
pjmlp
This is definitely the kind of thing we need. When there is law involved,
maybe that C library isn't appealing any more, or the CI/CD with all sorts of
static analysis finally gets the green light for the necessary infrastructure.

------
mullingitover
Ransomware groups targeting hospitals should be pursued with the same zeal
that governments pursue terrorists, even if lives aren't lost.

~~~
mayniac
They didn't target the hospital:

"The cyberattack was not intended for the hospital, according to a report from
the German news outlet RTL. The ransom note was addressed to a nearby
university. The attackers stopped the attack after authorities told them it
had actually shut down a hospital."

Source: [https://www.theverge.com/2020/9/17/21443851/death-ransomware...](https://www.theverge.com/2020/9/17/21443851/death-ransomware-attack-hospital-germany-cybersecurity)

~~~
waihtis
Why are people making such a huge deal about who they were targeting and who
not? Ransomware is digital extortion. There’s zero honor to it in any case.

~~~
wongarsu
Because if only University computers had been affected nobody would have died.

If this was just some ransomware attack it would be barely newsworthy, and we
sure wouldn't be discussing it. The death is what makes it interesting. And in
this context it is important that the hospital wasn't even the intended target
but was caught in the crossfire.

That doesn't justify anything, but I think we can all agree that extortion is
a less severe crime than murder.

~~~
waihtis
I get your point, but the tone in some of these is borderline defensive of
ransomware. As if it would be legit otherwise, except they just misfired in
this case.

~~~
civilian
He's not being defensive, you're being a zealot.

It is important to recognize that crimes have different levels. Society
understands that, and it's encoded in our laws in the way we define scaling
punishments, and have a difference between misdemeanors and felonies.

For thefts, there's a distinction between "burglary", "robbery", and "robbery
with a deadly weapon".

And in this case, comparing ransomware of a university to terrorism is
disproportionate.

~~~
waihtis
FYI I'm not the original poster who commented on the terrorism aspect, but I
think ransomware is difficult to categorize because it is often a
spray-and-pray-type attack. And occasionally a vulnerability and other infection
vectors line up neatly enough to cause huge damage.

So in this case, the better analogy would be explosives - someone tried to
blow a safe to get the money inside but the explosion also killed an innocent
bystander.

------
waihtis
Everyone blaming the hospital for mismanaged IT is missing a couple things:

1) Hospitals are usually swiss cheese in terms of vulnerabilities because
patient safety overrules most security issues. It's very difficult to patch in
time.

2) Hospitals tend to have a tricky network and asset profile, with security
staff potentially inheriting decades of unmapped custom IT.

3) They're usually under-resourced and overworked.

~~~
unnouinceput
From January, when management became aware of this particular vulnerability,
until September I'd say is more than enough time to make a patch. Management can
and should be liable just as the attackers. IMO there is no difference, in
this case, between the two parties.

~~~
wobblykiwi
So I get that the vulnerability should have been patched, but to say that
management and the attackers are no different is quite frankly disgusting and
a very dangerous thought to have. The attackers clearly had an intent to harm,
even if financially, and to lump managers in with them as if they were the
ones purposefully breaking the law is unconscionable. Negligent? Yes, perhaps,
we don't know the facts. But criminal? Absolutely not.

~~~
unnouinceput
Yes, it is criminal, defined by law. It's called manslaughter.

------
waiseristy
Just imagine what a state-level actor is capable of doing to a country's health
care / power / transportation infrastructures when damage is the goal instead
of money.

~~~
Dunedan
A book painting such a picture is "Black Out" by Marc Elsberg ([1], [2]). I
can wholeheartedly recommend it, as it paints a pretty scary, yet plausible
scenario and is a proper thriller as well.

Its plot mainly takes place in Germany, so it's written with a Europe-centric
view and I'm not sure how well that translates to the US. However, when looking
at the brittle electric grid in parts of the US, I believe such attacks could
be even worse there.

[1]: [https://en.wikipedia.org/wiki/Blackout_(Elsberg_novel)](https://en.wikipedia.org/wiki/Blackout_\(Elsberg_novel\))

[2]: [https://www.amazon.com/Blackout-heart-stopping-techno-thrill...](https://www.amazon.com/Blackout-heart-stopping-techno-thriller-Marc-Elsberg-ebook/dp/B01MYDPTLR)

------
jdmoreira
How much of a lowlife do you have to be to ransomware a hospital? If these
people put 1/5 of the work towards a productive software product they would
probably make 10x the money.

~~~
markdown
It was an accident. The intended target was a University next door. The ransom
note was addressed to the University. The ransomers gave them the decryption
keys the moment they realised what had happened.

~~~
eggy
It's not an accident. It is a supposed unintended consequence of a criminal
act.

~~~
markdown
> unintended consequence

Yeah, we call that an accident. Just like hitting someone with your car can be
an unintended consequence of driving.

~~~
eggy
You can argue the semantics or meaning of the word accident in this incident,
but I think it is important to make the distinction that it was no accident in
bringing down the system that both the university and the hospital depend
upon. They consciously decided to do this. Their ignorance of the full network
does not take away from the intent of the original crime. An IT staff making
an update that has an unexpected and unfortunate effect of bringing down the
system is an accident. It is why when someone dies during the commission of
another felony crime the charge is murder for all of the original perpetrators
involved. The rule of transferred intent. The others don't get off, and nobody
argues it is an accident [1]. Actions and consequences.

[1] [https://en.wikipedia.org/wiki/Felony_murder_rule](https://en.wikipedia.org/wiki/Felony_murder_rule)

~~~
markdown
> The rule of transferred intent.

Applying that to this incident seems barbaric. The "transferred intent" is
stealing. Sure they're jerks, but don't make them out to be murderers. The
fact that a woman died was an accident through and through.

The very worst case scenario they saw when they initiated their crime was that
some data would be lost. The transferred intent is that the data of another
organisation was going to be lost.

That a woman died was an accident.

~~~
eggy
I guess in today's times barbaric is used a lot more freely than when I grew
up. It used to mean savagely cruel, and brutal.

Transferred intent is when a perpetrator intends to harm one victim but then
"unintentionally" (quotes mine to point out it is in the defined legalese
rather than "accident"). Yes, you can say they meant to steal, and not
intentionally kill anyone. IANAL.

If you want to put it in legal scope though, it is involuntary manslaughter.
You haven't convinced me to call it an "accident" by any means.

~~~
markdown
Seems like I won't convince you because your bias is too strong.

Look up any dictionary and I assure you that you'll find the definition fits
this case perfectly.

E.g. from the Oxford dictionary:

"An unfortunate incident that happens unexpectedly and unintentionally,
typically resulting in damage or injury."

Death is unexpected when you hack a University server. Death was certainly
unintentional in this case.

~~~
eggy
Your argument is worthy of discussion, which is why I am continuing the
discussion, but I don't think it is bias on my part or yours as far as I can
tell. Yes, the general definition of "accident" seems to fit it in the manner
you mean, but let me illustrate why I initially made the assertion that it was
not an accident. You stated:

> Yeah, we call that an accident. Just like hitting someone with your car can
> be an unintended consequence of driving.

I would add to your statement above to make it fit the comparison to the
actual incident a bit better:

> Yeah, we call that an accident. Just like hitting someone with your car can
> be an unintended consequence of driving a getaway car during a bank robbery.

I wouldn't use the word "accident" here. I would say someone "tragically" died
when a criminal was driving away from the scene of a robbery. Of the 38,000
people who die in car "accidents" in the U.S. each year, if 30,000 of those
were getaway cars or tied to criminal activity, and not just "accidents" I
think there would be a different response to the scenario I just presented.

Accidental death benefits from the insurance industry exclude death caused by
illegal activities, but I think this means by the person committing the
illegal acts, so maybe not such a good example. I don't know.

If someone chokes someone, so that they can render them unconscious to rob
them or arrest them, and the choked out person dies during the process, would
you use the word "accident" in reporting the incident?

If this university/hospital hack was committed by completely naive hackers,
they were still committing intentional harm to a business that affects the
employees and others doing business with them. It doesn't take much
imagination to figure that by using ransomware in this incident, you may
affect people's lives negatively without the actual death that occurred. They
might have to lay off a worker or two to cover the loss, not buy essential
equipment for the university or hospital that year or more, etc.

I'll leave off here, and say you had a "convincing" argument from a concise
dictionary definition, but I wouldn't sling that word so nonchalantly in
applying it to this woman's death. Perhaps I misread the tone of your "Yeah,
we call that an accident.", but who's we?

------
aschatten
Given the proliferation of IT in everyday life, we need to change the language
and remove "cyber" from cybersecurity and cyberattack. So subconsciously
accepts that this is what a modern meaning is.

~~~
oars
I wholeheartedly agree with this.

Similar to how we don't refer to our phones as smartphones anymore. Back in
the 1990s, if you had asked me to check the weather on my phone, I would've
thought you meant calling up the weather channel/hotline, but now we all know
exactly what you mean.

------
harha
I'd be really interested to learn what specific systems didn't work. I
recently commented on the PG&E and fires issue and I think this is
significantly different regarding who is responsible - how can a hospital not
operate? It's humans performing an operation, they might need data - ok that's
something that should be accessible through other systems. They might need
devices, is there any specific reason why they shouldn't work offline?

------
afrcnc
Maybe one of the nice-guy mods can replace the link with the actual source, the
AP report, which has all the details:
[https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94](https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94)

Verge coverage is... shallow.

------
moviuro
I'm not surprised. I'm a security consultant in France, and hospitals are
amongst the most insecure organizations we work with (along with big
industrials that don't need much IT). Low/no budget, insane requirements (very
high availability, low/no barrier to access records, while abiding by GDPR),
obsolete machines that just work(TM).

However, that "can't accept emergency patients" is surprising. I don't care if
the lights are out or if I can't digitally sign their papers: hospitals should
be able to run even with no machines at all. Ideas for next time:

- Paper docs available (already printed) in case everything goes under (banks
do that for example, for generic papers, like opening an account, etc.)

- Air-gapped backup machines that can be used on the
MRI/scanner/ultrasound/whatever machine (that hardware hardly ever changes, so
it's not like those air-gapped machines would be a pain to manage)

- Backup 4G-enabled laptop that can read the victim's Carte Vitale (or
equivalent [0]) (and which doesn't connect to the hospital's network
whatsoever)

- Backup hardware (scanner, ultrasound machine) in case someone actually
fries the regular ones thanks to their horrible security (we've had plenty of
such articles on HN)

- Read-only machines. Once it works, unless it's for a patch, the OS and
applications shouldn't be changed, at all.

- User awareness training. Ransomware rarely happens by accident: someone
clicked a bad document in a phishing mail. (Unless, you know, WannaCry, but
that's not the norm)

[0] [https://en.wikipedia.org/wiki/Carte_Vitale](https://en.wikipedia.org/wiki/Carte_Vitale)

~~~
gommm
I also don't understand this; my father died last month for the same
reason. He had an aortic dissection, and in those cases time is critical
(especially given that he was on an anti-coagulant). But they took 12 hours
before they finally started treating him and claim a computer failure is the
reason for that. By the time they started treating him, it was too late.

I don't understand the sheer incompetence involved. He had his prescriptions
with him, he was lucid enough in the first 10 hours (my mother couldn't be in
the emergency room with him due to covid regulations, but he communicated with her by
phone) to explain his medical history. They had all the elements to actually
do something but they didn't because "our computer systems were not working".

Hospitals should be able to run without computer systems and the budget for
maintaining those same systems should be high enough to ensure things work. I
can't fathom that it's not the case and I would never have expected something
like this to happen. It's hard dealing both with the death of a close family
member and the anger at the incompetence displayed by the French hospital
system.

~~~
zimpenfish
> Hospitals should be able to run without computer systems

I suspect that they can -but- they're probably concerned about legal issues -
if everything isn't logged in or authorised by the system and something goes
wrong, someone (and I by no means mean to imply you here!) at some point will
launch a legal claim over that mistake.

[Edit: Which is also not meant to defend the hospitals for taking this position
- I think it's daft but I can understand there may be reasons for it.]

~~~
srtjstjsj
OK but killing a patient by refusing treatment is also a legal risk.

~~~
zimpenfish
> OK but killing a patient by refusing treatment is also a legal risk.

Sure but I think a lot of people would not see "we're not sure it's safe to do
the surgery, let's wait" as "killing a patient" especially when you're
probably going to find it hard to find anyone who'll say it was safe to do at
the time.

------
liability
Sounds like murder, at least in some jurisdictions (with felony murder laws.)

~~~
loopback_device
German newspapers report that it's currently classed as manslaughter
(fahrlässige Tötung).

~~~
Jipazgqmnm
I would attribute this to both,

- (unquestionably) the attackers, but as well as

- the IT department that did not fix serious vulnerabilities (of an
apparently mission critical system)

We have that in all kinds of places: If you neglect your duties on maintenance
or diligence in areas where humans could be harmed (electrical installations,
fire safety, construction, whatsoever), you are liable for whatever happens. I
don't see why IT should be somewhat special. The Citrix patch came out half a
year(?) in advance.

------
radu_floricica
Like the article said, this is the first death that's caused by a ransomware
attack. However, there are plenty of deaths that can be prevented by using an
RMN machine. Making RMN machines all over the world 1% more efficient by
linking them up to the cloud saved many hundreds of lives so far; not having
hospitals impervious to ransomware attacks cost 1 life so far, and it seemed
to be by mistake. The attack ceased when they found out it was a hospital.

I'd really like to hear an argument saying that we need to make all hospitals
robust to ransomware attacks AND THE EQUIVALENT RISK-EVENTS, because you don't
get to choose before the fact which event you need to guard against. It's very
cheap to say post-fact, in the comment thread of this particular news, that
management should have taken care of this and screw the cost (I'd expect HN
people to be aware that competent IT services aren't dirt cheap). But do we
also need to guard better against falling planes? Or storms? Or homicidal
family members? Or rabid dog attacks? I'm almost tempted to put shark attacks
on the list as well, because at 1 victim globally, there must have been some
circumstance where a floating hospital got a patient killed by a shark.

------
aaron695
This claim will be retracted by the hospital. We need a betting market, I'd
say they will back down next week.

The hospital refuses to state the software, so they can't care too much.

People have died from ransomware many, many times before in hospitals, i.e. [1].

But orders of magnitude more people have died from hospitals' shitty IT
systems.

[1] [https://krebsonsecurity.com/2019/11/study-ransomware-data-br...](https://krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks/)

------
jkepler
I'm not sure this is really the "first ever case of a fatality being linked to
a cyberattack" as the subtitle claims. Didn't NotPetya take down a bunch of US
hospital networks, as documented in the book Sandworm? I can't research the
exact citation, but there were fatalities. Perhaps the difference here is
there was a legal ruling.

------
codedokode
Isn't the main problem that the hospital relied on computers too much? Why can't
they treat patients without them?

What if tomorrow, say a buggy Windows 10 update disables their systems, will
someone else die?

~~~
srtjstjsj
Computers increase efficiency. The problem is underinvestment in healthcare
and overinvestment in insurance company paper pushers and $800 million fraud
by people like US Senator and anti-voting-rights activist former CEO Rick
Scott.

------
z8rHZM8Svhu8hE2
On the other hand, if you apply the same standards to everyone, you would have
to put many politicians and hospital managers in jail for having closed many
remote hospitals.

------
aidenn0
While there are obvious direct causes of the death here mentioned by others, I
believe that everyone who has paid out a ransomware ransom has a tiny bit of
blood on their hands for this one. The attackers were targeting a nearby
university, the hospital was collateral damage, and they wouldn't have
bothered with the attack if they didn't expect that the university would pay
out.

~~~
srtjstjsj
"not negotiating with terrorists" only works if you have the support of your
national security apparatus, which is otherwise engaged in starting wars for
private commercial benefit.

~~~
aidenn0
Care to explain? I don't see how that follows.

To me, it is clear that paying a ransom encourages the crime that the ransom
repairs, regardless of anything else going on.

------
realityking
While tangential to the main story, I'd be interested in learning why they
took the patient to a hospital in a different city.

There are multiple hospitals with emergency rooms in Düsseldorf (I grew up
there). Wouldn't it have been better for the patient to be taken to one of
these, even if they lack the quality of care (in terms of number of different
specialists on call) compared to the university hospital?

------
ineedasername
Attacking systems that result in people getting killed is a great way to
attract entirely more attention than I think these sorts of criminals want.

At best, they might trigger the creation of laws that prohibit paying ransom
to take away the incentives. At worst, they might get themselves tagged as
terrorists and end up on the pointy side of a fairly unrestricted use of attack
drones by the US.

~~~
shadowgovt
The US doesn't drone Russia; too much Cold War history there.

~~~
wtracy
More to the point: Getting people killed could make the Russian government
stop turning a blind eye to cybercrime.

------
FpUser
Reading more into the story - the hospital became a hostage to its own IT
system. Basically they can not provide emergency services. Somehow I think it
is a problem on its own. I do not have enough info but we are becoming more
and more dependent on IT systems and up to what point? Are there any limits?
Those systems are fragile...

~~~
jmole
That's the scary part to me. You're having a heart attack, but the computer's
not working. So now we can't treat you.

This is not IT anymore, this is in medical device territory. When you rely on
a computer to send a medicine order to a hospital pharmacy, and you can't get
drugs without it – that's a critical life support device at that point.

If you can't administer medicine to a PT without scanning the barcode first,
that's a critical life support device.

------
mensetmanusman
The US healthcare system is still more fatal due to institutional problems:
[https://www.vox.com/2020/1/30/21113782/pregnancy-deaths-us-m...](https://www.vox.com/2020/1/30/21113782/pregnancy-deaths-us-maternal-mortality-rate)

------
xupybd
That's horrible. I suspect this will only get worse: as more companies pay
out, more people will launch these attacks.

------
shadowgovt
I hope they find the accountable party and bring them to justice, but also:
sysadmins, consider air-gapping your critical care and patient accounting
machines (at least some of them). External ransomware threats shouldn't be
able to reach the machines that schedule patient care.

~~~
74ls00
The problem is that a lot of the specialist machines weren't designed with
security in mind; it's not so easy to do as you describe.

~~~
shadowgovt
Neither is learning to do open-heart surgery, but both can save lives.

------
itoocode
IT system failure should never affect hospitals. This is strange (I worked in
hospital IT systems in Europe); most of the hospitals have an IT disaster/recovery
plan to operate during failures like this, and hospital admissions switch to
classic paper-based.

~~~
srtjstjsj
This is wishful thinking. A paper backup process doesn't mean that nothing
will go wrong. If that were possible they wouldn't bother with computers in
the first place.

------
bzb5
> The hospital couldn’t accept emergency patients because of the attack

Yes they could.

~~~
INTPenis
Yeah, I'm a bit skeptical of this.

What exactly about a computer system prevents them from admitting a person?

Just pick up a piece of paper and write down whatever you'd write down later
in the computer once it's back up. It's not that hard.

I could understand if a particular machine that goes ping couldn't be used
because of the computer system being down. But that's a very specific issue.

~~~
lordnacho
The world has moved on a bit since everything was done on paper. The new
process is not necessarily backwards compatible. Everyone is trained on using
a computer interface for their work, there's a reliance on the computers to
move the data to wherever it needs to be.

I reckon even a restaurant with a modern POS system would be problematic to
switch to paper, ad-hoc.

~~~
INTPenis
Sure, I can accept that we have a very hard dependence on computer systems. In
that case there is work to do, because IMHO a hospital should keep working
during a war or a blackout.

This is essential for society readiness.

~~~
unishark
I'm sure they have generators for handling blackouts. Even my local grocery
can keep operating in a blackout. Some people can't survive without machines
after all.

They occasionally get caught by rarer situations like a blackout combined with
a flood which takes out the generators.

~~~
sideshowb
I've more than once been turned away from a supermarket because the POS system
is down.

My _local_ shop on the other hand would have no issues. Strictly cash only, or
a verbal credit agreement if you don't have enough on you. The proprietor
refuses to get a card machine, says the risk is too great for a business with
such low margins.

------
nix23
> The hospital couldn't accept emergency patients because of the attack

Why? Was the ER robot down, or what exactly are the dependencies for a doctor
to rely on a computer system?

------
iovrthoughtthis
Have any other health services been under attack recently?

------
nokya
After reading most of the comments, I am actually quite surprised at the
overall "leniency" shown to the hospital's management. In particular,
considering there is absolutely no information on how the attack was actually
carried out.

One comment mentions that the German cybersecurity agency "confirmed" that
initial access occurred through public-facing Citrix servers that were missing
security patches, without any source to support the claim. Another commenter
linked an article[1] indicating that the attack was "likely" carried out
through Citrix servers, which seems more speculative than anything.

I think that two elements are worth mentioning here. First, protecting an IT
infrastructure from ransomware is not a "simple" IT task (e.g. patching a
server or just doing regular backups) but requires the successful
implementation and combination of a large set of technical and organizational
measures/controls. Without additional details, in particular regarding how
initial access[2] then lateral movement[3] were carried out by the attackers,
I don't see any validity in debating whose fault this is. But that's just my
opinion...

Second, press coverage[4] seems quite adamant that the hospital was not
targeted and that the attack was a collateral damage that resulted from the
university and the hospital having their information system mutually trusting
each other. If we had to consider collateral damage as a valid ground to
sentence someone to life in prison (as suggested in several comments here),
many governments that offer the highest level of freedom to their citizens
should definitely start expanding their prisons.

In many countries and regions, Europe in particular, collateral damage is not
necessarily attributed to recklessness or negligence. In order to support the
accusation made by many commenters here, we would need to demonstrate either
of two of the following:

1. That the attackers knew in advance that compromising the university would
also result in compromising the hospital.

2. That hospital/health critical information systems being directly linked to
universities without adequate security is common practice AND common knowledge
among cybercriminals.

Except for the "five eyes" countries, the justice system in most civilized
countries still recognizes the notion that an accused should not necessarily
carry the total burden of the damage caused by her/his actions. In other
words: although Germany may charge the author(s) for homicide by negligence,
they will very likely also have a good look at whether or not the hospital's
management did not commit recklessness, either by refusing care to a dying
patient, or by failing to protect its critical information system or by
failing to implement fallback procedures as any other critical infrastructure
supposedly does today.

Until then, I probably repeat myself, I don't see any validity in debating
responsibilities in this specific incident, or expressing wishful thinking,
until we have more information about what happened.

1: [https://www.heise.de/news/Cyber-Angriff-auf-Uniklinik-Duesse...](https://www.heise.de/news/Cyber-Angriff-auf-Uniklinik-Duesseldorf-Shitrix-schlug-zu-4904979.html)

2: [https://attack.mitre.org/tactics/TA0001/](https://attack.mitre.org/tactics/TA0001/)

3: [https://attack.mitre.org/tactics/TA0008/](https://attack.mitre.org/tactics/TA0008/)

4: [https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94](https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94)

