There are stories you would never want to tell, tragedies announced that must lead us to important reflections and understand how exposed our society is to cyber threats.
The news was reported by the Wall Street Journal that an Alabama woman named Teiranni Kidd filed a lawsuit at the local Springhill Medical Center hospital following the death of her daughter in tragic circumstances.
According to the mother, while she was intent on giving birth, the hospital was under a heavy cyber attack that would have paralyzed its systems not allowing the structure to be able to provide the baby with the necessary care. According to Kidd, the hospital did not inform her that she was hit by a serious cyber attack that interfered with the necessary care of her daughter, Nicko Silar. The child suffered severe brain damage and died after months of intensive care.
According to the New York Post, Nicko suffered a severe brain injury as medical staff did not notice that the umbilical cord was wrapped around his neck due to inability to use hospital systems affected by the attack. The baby died nine months later due to complications caused by the interruption of oxygen supply to the brain caused by the aforementioned complication.
The events date back to 2019, then the hospital released a statement about the attack the day before the baby was born, announcing that the facility would “continue to take care of its patients safely and continue to provide the high quality of service. that patients deserve and expect. “
The lawsuit filed at the hospital is based on the accusation that medical personnel were unable to adequately monitor the condition of the baby during childbirth. The lawsuit was initially filed in Mobile County in 2019, when Nicko was still struggling, hovering between life and death. The woman requested unspecified compensation from the hospital and from doctor Dr. Katelyn Braswell Parnell, who gave birth to Nicko.
The woman’s lawyers argue that if the woman had been informed of the difficulties brought about by the attack, she would have chosen to give birth elsewhere, avoiding the tragic ending. The Springhill Medical Center administration denied creating a “false, misleading and deceptive narrative” about the cyber attack and said it has always worked to ensure the safety of the birth. The hospital blamed Dr. Parnell because “she was fully aware of the inaccessibility of the relevant systems, including those in the labor and delivery unit, and decided to operate anyway, believing the conditions to be safe for the patient.
The Alabama hospital also added that under Alabama law, the hospital had no legal obligation to notify the patient of the ongoing cyber attack. Parnell and his staff denied causing Nicko’s death, they chose to perform a caesarean section but the unavailability of tools to monitor the baby’s vital signs dramatically interfered with the birth. The hearing is set for November 2022, if the allegations are proven and upheld, it will be the first time that a ransomware attack is the direct cause of an individual’s death.
I had announced that the story is a strong one, however, we are aware that hospitals are completely exposed to cyber attacks and with them the fate of their patients. Delays in providing necessary care and unavailability of machinery in the midst of critical operations may be just some of the possible causes of a patient’s death. For some time we have been bringing the attention of the protection of critical infrastructures to the institutional level first, and then to the attention of public opinion.
The choice of a hospital facility could one day be determined by the level of cyber security it offers to patients and the history of previous attacks. You may wonder what the level of our health facilities is, and the answer can only be bleak. Just this week, journalists Milena Gabanelli and Simona Ravizza published an interesting investigation with the eloquent title, “Hacker attacks, health data in danger: the secret list of the 35 hospitals affected.”
The investigation highlights the cyber risks of healthcare facilities, explaining what are the possible attacks on the facilities and what the potential consequences for the patient. We start from data theft that exposes patients to various types of fraud, including identity theft, to reach ransomware attacks that can paralyze entire hospitals for days with dramatic and unpredictable consequences for patients.
In September 2020, another shocking news spread around the world, German authorities revealed that a cyber attack had hit the Düsseldorf University Clinic and a woman in need of urgent hospitalization at the facility died after being transported. in another city to receive the treatment he needed and that the clinic could not provide for the paralysis of his systems. According to the investigation by journalists Gabanelli and Ravizza, in Italy in just over two years 35 health facilities have been hit, but I would add that this number could represent the tip of the iceberg. In fact, many attacks are not reported, or worse, the security breach is noticed even a year after the first intrusion. On average, it takes a whopping 236 days before a data breach is noticed.
However, the problem is in management terms, investments in IT security are negligible, the investigation reports only 5% of turnover on average, and I add that this figure would be an important milestone given the current situation of our facilities. I invite you to make a survey of the main national structures, asking managers to separate the expenses for IT from those for security, you will discover that it does not even reach 1% for many of the structures interviewed.
Often making managers in the healthcare sector understand the importance of a cyber security management system is a huge undertaking, sometimes impossible. A cultural change is needed, just like patients, health facilities should also conduct regular cyber security check-ups, they should also equip themselves with systems for monitoring threats and above all invest in the training of employees, but above all of managers.
.