
The First Ransomware Death: Springhill Medical Center

In this episode of IAM Pulse, we review ransomware and unfortunately, the first ransomware-caused death. How does ransomware affect critical infrastructure and does this upcoming lawsuit against Springhill Medical Center change anything notable in cybersecurity? We talk all about this.


Listen to the podcast:

Spotify | Anchor.FM | Apple Podcasts

William Papa:

It's almost 2022. What are some cybersecurity expectations you expect to see in the upcoming year?

Kim Johnson:

Yeah, so I mean, looking at 2022, I think honestly, it's a lot of the same, right? We've seen a tremendous increase, sometimes 200% or more, in cyber-attacks, ransomware attacks on businesses. I think the continuous digital transformation we're seeing with organizations, right? A lot of organizations have gone remote. We've gone hybrid. We have customers that now have to interact with our businesses online. A lot of that is continuing to, yes, transform the business, but also open up a lot of cybersecurity vulnerabilities. And then I think the other point I would make for 2022 that stands out to me is really the other side of that, which is providing an amazing customer experience. So if your business is also now online, the front door to that experience is oftentimes the login screen or the cybersecurity controls that are in place. And so how do you make that a delightful experience and accelerate your business and make it a competitive differentiation instead of something that makes customers want to go elsewhere? So those are some of just the highlights. But I would say a lot of the same. I don't, I don't see things being tremendously different in 2022, which actually, I think some of us wish it was.

William Papa:

You're listening to a podcast discussing all things identity and access management, from defending against cyber-attacks to enhancing our overall cybersecurity strategy. This broadcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact identity and access management makes on you and your business.

William Papa:

Hello, and welcome back to another episode of IAM Pulse. Today, I'm joined by BIO-key's VP of Product, Kim Johnson. Kim, how was Thanksgiving weekend? We're recording this right after Thanksgiving weekend. So how was your Thanksgiving?

Kimberly Johnson:

Yeah, you know, I can't complain. Cooked for about four hours, made an amazing apple pie, and then decorated for the next upcoming holidays. So I enjoyed the long weekend. How about yourself?

William Papa:

Mine was good. You know, we just had the standard turkey and such. I made sourdough bread, so I have a sourdough starter prepared. It took a little while; arguments between me and my family over who controls the kitchen at what time, but, you know, that's pretty standard for the holidays. And we've had our home decorated for the holidays since October. So we're ready. We're way ahead of the pack here. But yeah, looking forward to the holidays, for sure. Yeah, that's really how we're getting to today.

So in this episode of IAM Pulse, we actually want to talk a lot about ransomware. So let's talk about it. Let's talk about ransomware. It's not really a new concept, but, you know, it's still prevalent amongst all the other newer cyber threats in the air. So Kim, what trends are you seeing around ransomware in COVID-19?

Kimberly Johnson:

Sure. Yeah. I mean, it is interesting. Ransomware is definitely not a new concept. But it has just taken over in terms of news headlines. I think more consumers are aware of it and everything else. So it's definitely become top of mind in terms of this year and even during COVID-19. I think the main thing is that it just accelerated, right? As things moved online, as people moved businesses and the interactions they have with employees online, for example, there was just an opening up of different attack vectors for these cyber criminals. I also think the sophistication of these ransomware attacks is increasing, but at the same time, the other, the other reason they're becoming just so widespread is cyber criminals are going after anybody. You know, that mentality. It used to be that, oh, we're a smaller organization, or we're not in a vertical where we have sensitive data that people would specifically target.

Kimberly Johnson:

For example, "so we're not really a target" has become pretty much null and void, right? They'll go after just about anything, especially if it then gives them access to even larger vendors and larger systems. So I think it's, it's here to stay. Ransomware attacks have become probably the most widespread attack that we're seeing at this point, along with phishing attacks, which then kind of lead into ransomware, right. A lot of times that's the vehicle to get there. And then the last thing I'll say, I find scary and somewhat fascinating, is not only are companies now being ransomed in the sense of, okay, we're encrypting all of your systems, taking down your systems and you have to pay us to get your data, but I don't know if you've heard about it now. There's like quadruple extortions and everything else, where not only are there the systems you have to pay to stop being ransomed, but then the cybercriminals are taking the data and then selling that again on the black market or even, you know, ransoming it again and again. So I think I saw like a fifth level ransom, you know, taking place. And so that's part of it too, is even if you pay off the ransomware criminals and the people actually conducting it, it doesn't mean that your data is protected and they actually might go make even more of a business out of it. And it's become a lucrative business for some very major organizations around the globe. So fascinating times, scary times. But it's, it's here to stay and just growing.

William Papa:

Right, right. Like I know we've talked about before, about ransomware, thinking about smaller businesses that usually have to succumb to the ransom. And then now they're just a more vulnerable target, you know, they've proven to cybercriminals that they're willing to pay and now they're a larger target than they have ever been. So, speaking about how companies are impacted by ransomware, focusing on a specific vertical, let's talk specifically about healthcare. So healthcare is one of those sensitive or vulnerable, more vulnerable sectors, in my opinion, just because there's so much going on there. And just because there's so much confidential patient data, you're dealing with a lot of things that, if stolen by cyber criminals or compromised, can actually cause a lot of reputational brand damage, and a lot of patient information can just be released out there in the open. So let's talk specifically about healthcare. How has healthcare been impacted by ransomware?

Kimberly Johnson:

Yeah, no, for sure. This is one of those verticals that, you know, you have to consider what healthcare does, and it's ultimately their business that takes care of people. And so when they have a ransomware attack, and this goes for really any of our critical infrastructure, it's that much more painful because when their systems are encrypted, when they can't access patient records and treat patients, it has a huge human impact to their, to people and to their business. And so that is really the key part of healthcare that people forget. And if you go back to why is this such a challenge? All of healthcare has become digital. The medical records we use today are digital. That happened with meaningful use, you know, mandated by the government. I think it was back in 2009. And so they had to move paper records to digital formats, and that made it that much easier for cyber criminals to come in and encrypt it and basically take down an entire hospital system very quickly, right.

Kimberly Johnson:

They rely on these big electronic health record systems to, to maintain the hospital. And so it's, it is interesting to see that healthcare cyber criminals have figured out, because of the human impact and the, the potential mortality rate increases and other things that that industry feels, they're more likely to pay the ransom. They're more likely to really push to get out of the situation, right. And we see that in other critical infrastructure verticals, but nowhere else, I would say, is it more of a human impact than in healthcare. And then as you mentioned, the data that they can capture, regardless of how disruptive it is or how much ransom they get for disrupting the systems, the data that they can capture, PHI or personal health information, you can't reset that, you can't, you know, restore that. And it's, it's actually very highly valuable on the black market, where they're potentially going to share it and sell it. So overall healthcare has this big target on them and has continued to have that, I'd say, for years now.

William Papa:

Right. So is there an example of where healthcare was severely impacted by ransomware?

Kimberly Johnson:

Yeah. I mean, I think there's a couple. Honestly, they keep coming out. I, I would say every day, you know, a couple that stand out to me. Hollywood Presbyterian was actually one of the older cases, but was one of the first signals of what impact it can have. And it shut down the ER and ambulances had to be rerouted, and therefore there was impact to patient care and potentially patient mortality. I actually did a podcast at a different role that I had with Vanderbilt University, who did a study that actually a breach can impact and increase patient mortality rate, fascinatingly enough, by the breach, but actually more so by the security controls that are put in after, because a doctor can't access the record as quickly, they can't care for the patient as quickly because they can't get to the medical record. But the other one, you know, that really stands out and, and, you know, we're definitely highlighting today is that Springhill Medical Center case that we've seen through ransomware. It really is a historical case in my mind that's coming up and, and it's going to be front and center for probably the next year or two.

William Papa:

So for those that don't know, what happened at Springhill Medical Center?

Kimberly Johnson:

Yeah. So honestly, it's the first ever ransomware attack that caused a specific death. Unfortunately, in this case it was the death of an infant. And now it's gotten to the point where the family is actually putting a lawsuit up against the hospital. And so for the record, essentially, the facility, Springhill Medical Center in Alabama, had a ransomware attack. It shut down all of their computer systems for eight days. And that also included the information and the systems and the heart rate monitor system in the maternity ward. So where the actual mother was having her baby and giving birth to this baby, the nurses, doctor, et cetera, weren't able to monitor heartbeats and status of patients and health of babies as they normally would because their systems were essentially offline. I think some of the most telling, if you've read some of the case about it, is the text messages that were going back and forth between the nurses and the doctor, basically saying like we're running around like chickens with our heads cut off, because even a lot of nurses nowadays, if they're newer to the field, they're just coming in, they don't know how to paper chart, right?

Kimberly Johnson:

Most of this is all digital, it's all on a big computer screen. And so when that goes down, they really struggled to be able to give effective care. And so this mother and her infant, unfortunately the infant experienced issues with the heart rate and heartbeat for a significant amount of time, and after being discharged from the hospital, ended up passing away. And so it just is, you know, being reported as really, truly the first ransomware attack that caused a death directly, and potentially of an infant.

William Papa:

So do you think that the hospital should have done more?

Kimberly Johnson:

I think it's a fair question. You know, it goes into kind of what we were talking about too with negligence, right. And defining that, you know, it's, it's, it's kind of a multiple-tiered question. I would say first, the question is, should the doctor and the nurses that are in that situation have done more, right? You know, the doctor is somewhat on trial here too. And actually the hospital is pointing a finger at her, right, for her actions, because should the nurses and doctor have notified the mother and the patient, basically to say, hey, we are under attack. Our systems are down. It's not safe for us to deliver your baby and care for your baby in our current situation. So that's coming into question. I think the other interesting part, in terms of the negligence side of things, is usually if you're negligent, you're not doing something that's a standard of care, right?

Kimberly Johnson:

It doesn't mean, okay, you're not doing a control that no one else is doing. That's not going to be negligence. It has to be something that's pretty commonly adopted that you have not done or not adopted well, and therefore you're negligent from the norm. And so before, you could say with like Hollywood Pres., which I think was back in, I might be wrong, 2012-ish, maybe earlier, multifactor authentication was still somewhat of a nice to have. I wouldn't say industry standard had proven that MFA, right, removes ransomware attacks and other things. Nowadays it's proven, and there's plenty of statistics and plenty of best practices saying that to prevent ransomware, you should have multi-factor authentication, for example, on all accounts everywhere. So that's when it'll come down to the hospital, and for example, is there any IT implication, or even the technology that's used being underneath that kind of negligent, you know, umbrella, that it wasn't enough in terms of the cybersecurity controls they should have had. And I think that's really where this case will become very interesting. You know, is it the doctor's issue for care? Is it the hospital's issue? Is it the IT department? Is it actually the solutions that they're using? Even IT vendors that they're using that could be implied to have some kind of hand in this death.

William Papa:

Right. So following along that, and, as you mentioned before, the hospital was pointing fingers at the doctor, you know, doctors, nurses are running around, like, you know, like their heads cut off. So there's this sense of whose fault could it really be. Obviously we don't have a specific outcome. We're waiting on that and we'll talk about that later on in the episode, but whose fault could it be, pertaining to what we know right now?

Kimberly Johnson:

Yeah, I mean, I think, you know, like I said, it, it's the doctor, the hospital, and hospital meaning, you know, the IT staff. Even the way it's angled and the way it's looking is pretty much fingers seem to be pointed at the doctor and the nurses because they're really that first line of defense. But I think it's going to be very interesting to see how much the hospital continues to blame the doctor for that, or how much the hospital gets kind of, you know, penalized or called out for needing a better plan and action plan in terms of ransomware response. Right. I think nowadays best practice is to have a ransomware response plan. And so, you know, does the lawsuit go that deep? My understanding is it's against Springhill Medical Center. It's not directly against the physician. But I think the outcome will be very interesting. There's kind of only two parties that I see potentially being impacted, and that's either the provider themselves or the actual medical facility as an entire entity. Right.

William Papa:

So regardless of the lawsuit, what do you think will happen concerning the whole idea of ransomware within healthcare or affecting other businesses, as we talked about before?

Kimberly Johnson:

Yeah. So I think this brings to light a few things. I think we hit upon one, which is what's the standard of care, aka the security controls that you, you have to have in place so that you aren't quote unquote negligent, right? You don't cause harm. What is your ransomware response plan is definitely something that organizations should be focused on and figuring out. I think healthcare is just under attack, and we've seen that constantly. So they especially should be having heightened awareness that they need these types of plans and controls in place. From a personal perspective, to be honest, I think I mentioned this to you. I was reading this article about Springhill, and my stepfather has been in the hospital actually. And so I called my mother and I said, immediately, I go, let me tell you, if you see in a hospital that they're paper charting, or they're not using the computers, or there's some kind of hiccup in the systems, please ask them if they are experiencing a cyber-attack or if they're limited in their capacity to provide care.

Kimberly Johnson:

So I think that's an interesting dynamic where us as consumers, us as individuals, because we now have heightened awareness, major attacks have happened, right, Colonial Pipeline, JBS, some of these other cases, I think also individuals will take the responsibility to start thinking about, can this cyber-attack be happening right now? Is it going to impact me? Right. I think before this case, you know, the, the mother of this infant didn't know, or wouldn't have known to ask that question. Right. And I think as consumers and individuals, we have to be more aware of that. But, you know, I, I would say, well, the, the outcome of this lawsuit is going to be very interesting to continue to watch. I think it'll be a very historic case and a historic ruling on what comes out of it. And who's to blame, I think, is going to be the big question. And then that will impact how organizations respond.

William Papa:

Right? Yeah, no, that makes sense. You know, we, we know from just talking about cybersecurity and IAM so often that just everything, like cybersecurity of the two thousands is very different to how it is in 2021. So again, us as consumers have to be more aware of that. You know, all consumers now are being pushed to enable MFA on their phones. I got a Google alert this morning saying my email is going to have a security single sign-on. I think we're at this era where cybersecurity is of very big importance, but it's also being pushed to a lot of consumers, just as a forewarning, knowing that a lot of these things may be inevitable. And it's unfortunate to say, but a lot of stuff, especially in these critical infrastructures, like healthcare, government, are vulnerable and they're inevitably going to experience a cyber attack. And it's the goal of IT professionals just to hype up their cybersecurity measures, just to mitigate that risk. And again, we'll have to wait and see what happens with the lawsuit. It's a very interesting case, as unfortunate as the way it started, but we are going to need to just wait and see what happens next.

Kimberly Johnson:

Yeah. This is how change happens. Right. I think this is, these are the type of cases and the things that really change our dynamic and our market dynamic. I would say this is some of the first times I'm really seeing where something like multi-factor authentication, for example, isn't seen as an insurance policy, right. You know, like people have asked me that my whole career: well, if it's the way to prevent attack, and it's the thing to do, why don't organizations do it? And a lot of times it comes down to expense and cost and return on investment. And sometimes it's seen as a preventative measure, more of an insurance kind of coverage feel, so why do I need it everywhere if I'm not really a target, right. People start making these trade-off decisions based on it being a protection versus a direct revenue-generating activity for the business, and those trade-offs really can't be made. You know, you're, you're kind of playing with fire if you're saying that cybersecurity controls are optional still, even if you are a small business. So I think that dynamic has finally really changed. I think the more cases like this will point out that it's even more important that organizations take cyber seriously.

William Papa:

And that concludes this episode of IAM Pulse. Thank you for listening to the show. A big thank you to Kim for joining me today. For more information about BIO-key, visit www.bio-key.com to learn more about us and multi-factor authentication, a solution that may have greatly mitigated the risk of the cyber attack mentioned earlier in the episode. To all our listeners, we'll talk to you again soon.