Lives on the Line: Life Threatening Cyber Attacks Raising the Stakes for CISOs

Deadly and life-threatening cyber attacks are on the rise, reports Phil Muncaster. That’s one more thing for CISOs to worry about…

At the beginning of June, healthcare workers in the south-east of England woke up to a digital nightmare. Six NHS trusts in London and countless GP practices in surrounding regions suffered major disruption after a ransomware attack targeted a little-known provider of pathology services. Over 200 emergency and life-saving operations were cancelled, as were hundreds of urgent appointments for suspected cancer patients.

With weeks of disruption suspected, it’s anyone’s guess what toll it will ultimately take on patient health. But experts agree that life-threatening cybersecurity incidents are no longer the rarity they once were. That has major implications for CISOs.

When things go badly wrong

Lives are arguably at greatest risk from cybersecurity incidents in the healthcare sector. Ransomware actors have relentlessly targeted hospitals, clinics, and their suppliers in recent years, even during a pandemic in which such services were already pushed to the breaking point.

“Although there are no deaths directly attributed to hospital cyber attacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” a report from the US Cybersecurity and Infrastructure Security Agency (CISA) concludes.

German police launched a murder inquiry after a ransomware attack forced a Dusseldorf hospital to divert an ambulance

The latest Qilin ransomware attack on NHS supplier Synnovis is therefore symptomatic of a growing threat to healthcare organisations (HCOs). Ransomware is particularly dangerous as it can lead to the disruption of critical IT services – whether systems are unwelcomingly encrypted or if technical teams have been forced to disconnect systems from the internet.

The knock-on impact on an increasingly digital sector is obvious. In London and the South East, the affected healthcare organisations are said to provide care for two million patients. Hospitals have issued appeals for blood donors to come forward, and for trainee medics to volunteer as ‘floorwalkers’. They will need to toil on manual processes such as signing transfusion bags – perhaps for weeks – until digital systems come back online.

Yet despite the likely deadly impact of ransomware during the pandemic, few directly attributed cases have ever emerged. In one much-publicised incident from 2020, German police launched a murder inquiry after a ransomware attack forced a Dusseldorf hospital to divert an ambulance. It had been carrying a 78-year-old woman on her way to receive life-saving treatment. However, a public prosecutor later ruled that the delay to her treatment did not contribute to “the final outcome”.

A potentially more clear-cut case emerged in Alabama a year later after the mother of a nine-month-old girl filed a lawsuit against the hospital where she was born. She claimed that the hospital didn’t disclose that it had suffered a crippling ransomware attack, which meant doctors couldn’t properly monitor the child’s condition during delivery. Nicko Silar was left with severe brain injuries and passed away nine months later after weeks of intensive care at another hospital.

Under the radar

Ransomware isn’t the only cyber threat that could have potentially fatal consequences. Last year, Proofpoint polled over 650 IT and cybersecurity practitioners in healthcare organisations that had experienced various types of cyber attack. Over a quarter (28%) revealed that mortality rates increased after a ransomware attack. But a similar share of respondents said the same about cloud compromise (29%) and supply chain attacks (21%). Even business email compromise (BEC) led to increased mortality rates for 12% of respondents.

Yet the biggest share (46%) citing an increase in mortality referenced data loss/exfiltration as the root cause. That chimes with a 2019 study from Vanderbilt University and the University of Central Florida, which analysed information on data breaches for 3000 US hospitals from 2012-2016. It revealed an increase in the 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks per year for breached organisations. It suggested that post-breach incident response processes and delays negatively impacted time-sensitive patient measures.

The impact of kinetic attacks

Healthcare is, of course, just one of many critical national infrastructure (CNI) sectors where cyber attacks could have fatal repercussions. The government’s National Risk Register 2023 report assessed that a serious cyber attack on CNI has a 5–25% chance of happening over the next two years. That would mean fatalities of up to 1000 people and casualties of up to 2000, it said.

“CISOs will think about what regulations tell them to think about” John Bambenek 

The increasing use of connected operational technology (OT) and Internet of Things (IoT) equipment in such sectors also raises concerns. Such tools effectively interface with the physical world and can be manipulated to cause potentially dangerous kinetic effects. In 2016, threat actors breached the defences of a water treatment plant and managed to alter the level of chemicals in the water four times before they were spotted. A similar attack happened in 2021.

Bambenek Consulting president, John Bambenek, agrees that “industrial control systems could create outsized life-safety risks” but says CISOs have historically been slow to address such risks proactively.

“CISOs will think about what regulations tell them to think about, and what can cause financial risks to an organisation,” he tells Assured Intelligence. “This is often a backward-looking endeavour, as it isn’t until some new ‘bad thing’ happens that it becomes real to start thinking about risks.”

Blockmoor CISO, Ian Hill, agrees.

“Most businesses are only focused on the consequence of financial loss or loss of reputation when it comes to cyber attacks,” he tells Assured Intelligence. “However, it’s important now that cyber is also included from a health and safety risk perspective.”

Can CISOs save lives?

Part of the challenge in getting CISOs to start thinking about cyber in these terms is that the causal link between incidents and loss of life is, in many cases, still unclear. Hill believes cyber-related mortality rates are likely being under-reported at present.

“We’ve seen no evidence that health authorities are attributing cyber incidents as a contributing factor to a death, where there is a clear correlation between a death and a major cyber incident causing disruption to critical care services, like we’ve seen recently in London,” he continues.

“In most cases, it would be very difficult to quantify, because the health authorities only tend to consider the actual physiological cause of death. Deaths where cyber-incidents are a contributing factor should, however, be considered by the coroner as part of an inquest.”

So how can CISOs better manage and mitigate life-threatening cyber risk? James Tytler, associate for incident response at IT consultancy S-RM, argues that ransomware actors are particularly opportunistic and will always go after the weakest targets.

28% revealed that mortality rates increased after a ransomware attack

“The most powerful thing CISOs can do to minimise risk is ensure their networks have a secure architecture as a baseline, to make them harder to breach in the first place,” he tells Assured Intelligence. “This should be supplemented by attack surface management, vulnerability management, endpoint detection and response tooling, and employee training. But organisations with limited resources should focus on addressing the fundamentals first.”

Blockmoor’s Hill agrees that security best practice should be the first port of call – citing the National Cyber Security Centre’s ‘10 Steps’ guidance, NIS2, and the 18 CIS Critical Security Controls.

“Businesses must also re-evaluate how they assess the risk and adopt appropriate levels of controls similar to how they would from a health and safety perspective, which may mean lowering their cyber risk tolerance thresholds,” he adds. “From a likelihood and impact perspective, serious injury or loss of life should be considered a much more serious risk than a loss of money, and be treated accordingly with stronger controls.”

For Bambenek Consulting’s Bambenek, it’s about planning for the worst-case scenario.

“The most important thing is to have someone on staff who can create and analyse real-world possibilities of how technology can be used to create real-world impacts, and to be open-minded about forward-looking threats that may not have occurred yet,” he concludes.

“If CISOs wait for someone to be a victim of a technique first, then, quite literally, they are waiting for someone to die before taking any protective steps.”