Under the headline, “Investigation into a Death: Düsseldorf University Clinic Blackmailed by Hackers - Woman Dies After Too-Late Treatment,” a Sep. 17 report in Düsseldorf’s Rheinische Post online stated that, according to experts, “A hacker attack that exploited a vulnerability in an application, as the university clinic [the Düsseldorf University Clinic, or “Uniklinik”] announced on Thursday. However, a death is now also being investigated. According to the report of the [North Rhine-Westphalia Region] Minister of Justice, a patient died who had to be taken to a more distant hospital in Wuppertal because of the attack on the clinic's servers.” The report added that “The public prosecutor's office is conducting a death investigation (there has not been a prosecution for negligent homicide, as initially reported). At the moment it is still being examined whether it will be extended to the charge of negligent homicide.” That incident would mark one of the first known cases in Germany and in Europe in which a patient death could be linked to the consequences of a hacker attack on a patient care organization.
The Rheinische Post report continued, “On Thursday, September 10th, the IT of the largest Düsseldorf hospital had largely failed. Hundreds of operations and treatments have already been canceled due to the failure. In addition, the hospital is still deregistered from emergency care, so it is not approached by the emergency services. Science Minister Isabel Pfeiffer-Poensgen said in the state parliament that the perpetrators had withdrawn the extortion after contacting the police. The university clinic announced that the security flaw that the hackers exploited was located in a standard, worldwide commercial additional software. In the time window that the software company needed to close the gap, the perpetrators penetrated the systems. As a result, systems gradually failed and stored data could no longer be accessed,” according to Uniklinik officials.
The Sep. 17 Rheinische Post report continued, “According to a report by the Justice Minister, 30 servers in the clinic were encrypted last week. A blackmail letter was left on a server, but it was addressed to Heinrich Heine University in Düsseldorf. In the letter, the blackmailers asked to be contacted - according to the report, they did not name a specific amount. The Düsseldorf police then actually made contact and informed the perpetrators that their hacker attack affected a hospital - and not the university. This puts patients at considerable risk. The perpetrators then withdrew the extortion and handed over a digital key with which the data can be decrypted again. According to the report, the investigators therefore suspect that the university clinic was affected by chance. In the meantime, the perpetrators are no longer available.”
The Rheinische Post article went on to say that “The University Hospital anticipates that it will take some time before patients can be treated normally again. “Due to the size of the IT system and the abundance of data, we cannot yet estimate when this process will be completed,” said the commercial director, Ekkehard Zimmer. "However, we are confident that we will be able to estimate the time span better in the next few days and that we will be there for our patients again step by step."
This apparently was not the first major attack of its kind in the North Rhine-Westphalia region in western Germany, though it was the first that had resulted in a fatality connected to it. Referring to the two national German political parties that have been governing the region of North Rhine-Westphalia in a politically conservative coalition since the spring of 2017, the Christian Democratic Union (CDU) and the Free Democratic Party (FDP), the Rheinsiche Post wrote that, “After several hacker attacks on clinics in North Rhine-Westphalia, the CDU/FDP state government wants to provide more money for the security of computer systems in the future. North Rhine-Westphalia is expected to receive funding of 900 million euros from the Federal-State Hospital Future Act 2020/21, of which 630 million from federal funds,” according to regional Science Minister Isabel Pfeiffer-Poensgen.
In that regard, the Rheinische Post noted, “At least 15 percent of these funds would have to flow into IT security. Funding should be given to all hospitals regardless of the number of patients. The application process has not yet started. The CDU / FDP state government has been providing two million euros for IT security for each university clinic since 2018,” the Post said. "That is indeed not enough, we will work on it,” it quoted Pfeiffer-Poensgen as saying. The Post also noted that, “According to the Greens”—the leftist Green Party—"the reason for the susceptibility of the clinics to hacker attacks is not just the lack of money.” "Solid legal standards" are also necessary, it quoted the Green politician Matthi Bolte-Richter as stating, with Bolte-Richter adding that “The federal government must make clear guidelines here. Many universities and clinics still do not have a full-time IT security officer.” The Post added that, in North Rhine-Westphalia, “In addition to the University Clinic in Düsseldorf, the Lukas Hospital in Neuss, the Jülich Research Center, and several companies have been targets of hacker attacks in the past.”
More details of the situation were revealed a few days later in a report in the German technology publication WinFuture, online. According to the WinFuture report, “The security hole through which the ransomware infected the hospital's systems was located in ‘commercial add-on software that is customary on the market and widespread worldwide,’ as Science Minister Isabel Pfeiffer-Poensgen explained. Rumor has it that this concerns thin-client applications from Citrix, for which the corresponding patch has been available for six months. If the malware could spread to inadequately maintained systems on which life-critical applications were attached, the administrators or their bosses would at least be partly to blame.” That is true, the report stated, “Especially since the blackmailers apparently assumed that they were targeting the university in general. The demand for ransom, after the payment of which the encrypted server should be released again, was addressed at least to the university and not directly to the hospital. In addition, the crypto keys were also released without cash payments after the police got in touch with the extortionists and stated that the ransomware was in the process of paralyzing a hospital. According to the Ministry of Justice, the 30 hijacked servers could be decrypted again.”
What’s more, WinFuture added, “At the political level, there has now been a reaction: The state government of North Rhine-Westphalia wants to make more money available to hospitals in the future in order to improve IT security. At least 15 percent of the funding that flows under the Federal-State Hospital Future Act should be spent on security issues.”
Vulnerabilities Seen Exploited
Further details on the attack were reported by the German business magazine Forschung & Lehre, on Sep. 17. That report noted that, “According to previous knowledge, no data was stolen or irretrievably deleted during the hacking attack. The clinic announced on Thursday that studies by IT experts would have shown. The hackers exploited a vulnerability in an application.” And it quoted Uniklinik officials as stating that "The security gap was in a commercially available additional software that is widely used around the world. Until the software company finally closed this gap, there was a sufficient time window to penetrate the systems," said the clinic. The attackers would have ensured that gradually systems failed and access to stored data was no longer possible.”
The Forschung & Lehre report went on to say that, since the attack on the Uniklinik, “[T]he university clinic has been deregistered from emergency care: ambulances no longer drive to the large facility in the North Rhine-Westphalian capital, operations have been postponed and planned treatment appointments have been canceled. The clinic expects it will be some time before patients can be treated normally again. The central and contact point Cybercrime of the State of North Rhine-Westphalia (ZAC) initiated an investigation last week because of indications of criminal behavior. According to the report to the state parliament, the authority is still examining whether it will also take over the investigation in the event of death - and the procedure may be expanded to include accusations of negligent homicide.”
What’s more, the Forschung & Lehre report stated, “A spokesman for the ZAC confirmed that the hackers had used a security hole in software that is used by many companies. According to the Federal Office for Information Security (BSI) it was a program from the company Citrix. A vulnerability in the company's VPN products that has been known since January is being exploited for cyberattacks. The BSI is "increasingly aware of incidents" in which Citrix systems were hacked before the security updates made available in January 2020 were installed.” And it quoted BSI officials as stating that "This means that attackers still have access to the system and the networks behind it even after the security gap has been closed.”
