A woman became the first death associated with a cyberattack after the University Hospital of Düsseldorf (UKD) was forced to turn away her ambulance.
On September 10, 2020, hackers encrypted UKD’s computer system.
The threat actors infiltrated UKD’s information system through a flaw in its Citrix virtual private network (VPN). The hackers then inserted ransomware and encrypted the hospital’s data.
The hospital immediately was unable to access its data; emergency patients had to be taken elsewhere and operations were postponed.
On September 11 an ambulance attempted to deliver a patient but was turned away. Unfortunately, the woman died en route to Wuppertal, 20 miles away.
A note left by the hackers (excluding a ransom amount) demanded that Heinrich Heine University, affiliated with UKD, contact them.
The hospital requested help from BSI. Authorities reached out to the threat group to inform them that the attack had endangered a hospital and its patients.
The group then withdrew its extortion attempt and provided a decryption key.
An investigation was subsequently launched against the unknown attackers; UKD’s computer systems remained inoperable as of BSI’s press release.
The Citrix flaw
The hackers exploited a common vulnerability and exposure (CVE) with Citrix Application Delivery Controller, which allows unknown parties to perform arbitrary code execution. Cyberattackers used this VPN vulnerability, CVE-2019-19781, to gain access to the hospital’s computer system.
In fact, cybersecurity officials have known about this issue since December 2019. A U.S. Department of Homeland/Federal Bureau of Investigation joint alert from May 2020 included CVE-2019-19781 as a vulnerability exacerbated by the pandemic and social distancing, which has lead tan increase in remote work and the cybersecurity challenges that come along with it.
Citrix released a statement in January 2020 stating that the company created its final permanent fix for the flaw. It is unknown how many organizations applied the update.
Head of BIS, Arne Schöenbohm, implored hospitals to utilize upgrades and patches as soon as they are available:
I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately. This incident shows once again how seriously the danger must be taken.
While healthcare organizations must focus on additional components of cybersecurity, such as HIPAA compliant email, attention must also be paid to safe technology use.
This VPN vulnerability, as well as other, similar problems, represent a threat vector, or gateway, into any system.
Updating and patching should be a standard part of every cybersecurity program.
This is especially concerning given the coronavirus and the subsequent growth in cyberattacks over the past few months, particularly against healthcare organizations.