Third-party software component vulnerability exploit causes treatment delay, leading to patient death. Healthcare providers have long been a favorite target for bad actors launching cyberattacks, which usually resulted in the loss of sensitive patient data. A recent cyberattack, however, has resulted in the loss of a patient’s life. On September 10, 2020, Dusseldorf University Hospital reported the first death resulting from a cyberattack. An exploit of a third-party software component vulnerability led to the death of a patient at the hospital.
Dusseldorf University Hospital’s clinical servers were hijacked by a large-scale ransomware attack, causing patients to be moved to other facilities for treatment. A critically ill woman, among those patients being relocated, died before she could be treated.
“The Dusseldorf University Clinic’s systems have been disrupted for a week. The hospital said investigators have found that the source of the problem was a hacker attack on a weak spot in ‘widely used commercial add-on software’, which it didn’t identify.”1
This troubling report illustrates the critical condition of today’s healthcare security infrastructure, given the heavy reliance on third-party commercial software in medical systems. With no real visibility into the lifecycle of these third-party components, the risk profile of the medical systems is not easily known. The end result is that hospitals are deploying systems as “black boxes”, most of which are connected to networks and some of which come into direct contact with patients. Not knowing what is inside the systems, hospitals are at a disadvantage when it comes to reacting to vulnerability threats, and they end up spending valuable response time chasing down information from manufacturers and public data sources.
Recent developments are looking to address this visibility issue, including the introduction of a Software Bill of Materials, or SBOM. An SBOM is a list of the software components utilized in a finished product, such as a medical device. By providing this transparency, medical device manufacturers are providing a way for hospitals to respond more quickly to reported vulnerabilities.
Some hospitals have begun requesting SBOMs from device manufacturers, and there are various regulatory developments that could speed adoption. In the United States, the Food and Drug Administration (FDA) has drafted guidance recommending the utilization of an SBOM. In addition, other regulatory bodies around the globe have included reference to the SBOM in recently released documentation.
Healthcare industry stakeholders generally agree that requiring a Software Bill of Materials (SBOM) will help mitigate security issues with third-party components. From a medical device manufacturer’s perspective, the extra effort it takes to generate and maintain SBOMs for their devices can be seen as an investment in brand reputation down the road. As for hospitals, one can easily imagine purchasing processes and decisions reliant on a deeper understanding of device security and SBOM documentation being critical to that decision making.
- German hospital hacked, patient taken to another city dies. ABC News.
https://abcnews.go.com/International/wireStory/german-hospital-hacked-patient-city-dies-73069416