A woman in Germany died during a ransomware attack on the University Hospital of Düsseldorf in what may be the first death specifically related to a cyber attack on a hospital. The hospital was unable to accept emergency patients due to the attack, and the woman was sent to a health care facility some 20 miles away, Associated Press reported.
According to a source from the German news outlet RTL, the cyber attack was not intended for the hospital. The ransom note was sent to the local university. The attackers abandoned the attack after the authorities informed them that the hospital had already been shut down.
Health care facilities are one of the main targets for cyber threats, and cyber security experts have cautioned for years that most hospitals are not equipped. They rely heavily on machines, such as radiology equipment, which are often linked to the Internet. They're not as capable of treating patients without these resources.
When networks are disrupted over the Internet, by an attacker or by an accident, it can have a profound effect on patient care, said Beau Woods, a cyber security advocate and cyber security innovation fellow with the Atlantic Council, to The Verge last year.
Even attacks that threaten patient data and do not specifically affect medical equipment can impair patient outcomes: one study showed that the hospital's mortality rate from heart attacks rose in the years following a data breach. That's probably because hospitals need to redirect resources to respond to an attack or update software in a way that affects how doctors work.
Significant cyber threats, such as the WannaCry cyber attack in 2017, have shut down significant healthcare systems — WannaCry, for example, has taken down the United Kingdom's National Health Service. No deaths were directly related to the attack, but most experts cautioned that it was only a matter of time.
The German authorities are still investigating the death of this woman. If her diversion to another hospital is found to be responsible for her death, the police could treat a cyber attack as a murder.