This week, Charlie discusses the evidence behind cyber attacks indirectly causing the death and injury of people. Also, the importance of exercises to train employees on how to work efficiently during a cyber attack.
This week there was a cyber attack on NHS 111, with the hackers targeting its software supplier, Advanced. As healthcare is one of the most preferred targets of ransomware gangs, it got me thinking about the number of people killed due to ransomware attacks, not just in the healthcare sector but in all sectors. In my research, I came across this article from 2019, “Hackers Could Kill More People Than a Nuclear Weapon” by Jeremy Straub, published at livescience.com. This made me wonder about the potential for cyber attacks to kill a large number of people.
When looking at this question, there are two ways deaths could be caused by a cyber attack. Firstly, direct attacks could cause death in a number of ways. The attack could affect medical machinery: for example, in an intensive care ward, the attack could either switch off the equipment or change the dosage, leading to the death of a patient. There could be an attack on infrastructure causing it to fail, such as a dam which floods downstream, or an attack on a complex manufacturing facility or refinery, which causes the process to fail and results in an explosion. There are also attacks on utilities which change the dosage of chemicals, leading to public deaths after individuals drink the contaminated water.
Secondly, there are the indirect effects of a cyber incident. These can include a process being degraded when a computerised system is unavailable, so that the process has to be carried out manually. This in turn leads to mistakes and public harm, or even death. There is also the terrible effect on people who have been victims of a cyber attack, whether by having their business destroyed, having their confidential private data made available to all, or having to work very long hours responding to an attack.
When I did my research on possible deaths caused directly by cyber attacks, the case that was always quoted was the death of a patient in Germany, in September 2020. On the night of 11th September, paramedics in Düsseldorf, Germany, were alerted to the deteriorating condition of a 78-year-old woman suffering from an aortic aneurysm. When they called the local hospital to say that the ambulance was incoming, they were told that the A&E department was closed, and that they would have to take the patient to Helios University Hospital in Wuppertal, which was 32 kilometres away. This led to the treatment of the lady being delayed by an hour. The University Hospital Düsseldorf, whose A&E department was closed, had suffered a cyber-attack. They therefore had to severely reduce capacity due to lack of access to patient files and weren’t able to take this particular patient. In the subsequent investigation, it was not possible to prove conclusively that the lady would have survived if she had gotten to the closest hospital, and so it was not possible to prove whether the cyber attack was directly responsible for her death.
To date, there seem to have been no attacks on critical infrastructure which have directly led to public or employee deaths. There have been attempts, such as in 2013 when Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates, but this was a very minor dam and it was not possible to cause major damage or death. According to CNN, it was more of a proof of concept attack, rather than an attack on a particular target.
Attacks on an Israeli water treatment plant in 2020 and on a water treatment plant in Oldsmar, Florida, in 2021 both raised the level of chemicals put into the water but were unsuccessful. Learn more here: https://www.b-c-training.com/bulletin/beware-the-self-wiggling-mouse-cyber-vulnerabilities-in-the-water-industry. In 2018 there was a cyber attack on a Saudi Aramco refinery, which experts believed was designed to cause an explosion at the plant, but the attack failed.
When I deliver BC Training’s two day “BCT Certificate in Cyber Incident Management” course, I talk about the indirect impact of cyber incidents and quote the Ashley Madison hack of 2015. This was a site which predated dating apps, where you could register if you wanted to meet someone for an affair. The company’s website was hacked, revealing the details of those who had signed up, including names, contact details, and sexual fantasies. This information was then posted online where anyone could access it. It led to a number of people being blackmailed and at least two suicides. Although the cyber hack didn’t kill the people, the impact of the attack led them to take their own lives.
It is the indirect effects of cyber attacks which actually cause deaths, rather than direct effects. The US Cybersecurity and Infrastructure Security Agency (CISA) published a report in September, in which they stated they “found a direct correlation between cyber attacks and increased mortality, showing that cyber threats can have lasting effects on health systems”. In many countries, healthcare is under strain, and with the added complication of a cyber attack, where staff can lose access to records, notes and their normal operating systems and have to divert patients to alternative sites, it is much more likely for them to make mistakes, leading to increased mortality. Figure 1 shows hospital system services and departments disrupted by cyber attacks.
The attacks on the Ukrainian power grid in 2015 and 2016 may not have directly led to death, but I suspect they would have indirectly led to death from cold, fires and traffic crashes.
In conclusion, to date, a cyber attack hasn’t directly killed anyone. There have been some near misses that may have contributed to a patient’s death, but the evidence for this is not conclusive. On the other hand, there appears to be a lot of evidence that shows cyber attacks indirectly leading to an increase in deaths, due to issues associated with working without an IT system. Those delivering services are used to working with these systems and may struggle to use manual workarounds. This brings me to my last point: one of the ways to mitigate the impact of a cyber attack is to practise working without IT systems. This is so staff are comfortable working without them and are able to deliver the same level of service and not make mistakes which can lead to death or injury.