German investigators treating ransomware attack as negligent homicide, reports say

German prosecutors last week opened a homicide investigation into a deadly ransomware incident at a university hospital, according to multiple German media reports.

If confirmed, it would be the first documented case of a death stemming, directly or indirectly, from a cyberattack, analysts say.

Christoph Hebbecker, a cybercrime prosecutor in the German city of Cologne, said Friday that his office had opened an investigation into the ransomware attack as a “negligent homicide,” the German news agency DPA reported.

The investigation centers around a ransomware infection that hobbled the IT systems of the University of Duesseldorf’s main hospital earlier this month. The disruption forced a critically ill patient to be redirected to a hospital 20 miles away. The patient later died, according to German media reports.

Hebbecker’s spokesperson did not return a request for comment on Monday.

The incident highlights the starkly different risks facing organizations with vulnerable software. For some, the outdated code may cost them data. For medical organizations, patient safety could be on the line. During the coronavirus pandemic, cybersecurity professionals around the world have been so concerned by the hacking of health care organizations that they have volunteered their time to protect them.

German security officials suggested that the attackers exploited a flaw in popular virtual private networking software made by Citrix. Various hackers have exploited that vulnerability before and after a patch for it was released in January.

The hackers who deployed the ransomware had addressed their note to Heinrich Heine University, an affiliated university, and not the hospital, the Associated Press reported. When police informed the attackers that a hospital was affected, they withdrew their ransom demand and provided a decryption key to unlock the systems, the news service reported.

The risk of patient harm is why security organizations have pleaded with ransomware gangs to refrain from targeting health care organizations during the coronavirus pandemic. Those pleas have mostly fallen on deaf ears as hospitals and pharmaceutical firms continue to suffer breaches.

“It is not universally clear if policymakers realize that cybersecurity in the healthcare sector may basically be a life and death issue,” said Lukasz Olejnik, an independent cybersecurity researcher and consultant.

The tragedy in Germany this month could be a wakeup call.

“I’m supportive of prosecutors getting away from the cybercrime statutes and using the other tools at their disposal, especially negligent homicide” to hold ransomware attackers who threaten safety to account, said Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs.

Healey called for a closer study of other cybersecurity incidents to determine whether there have been other cases of patient harm. The WannaCry ransomware outbreak in 2017 disrupted numerous IT networks at hospitals, he pointed out. A better understanding of previous incidents will help policymakers “impose more costs” on the perpetrators, Healey added.