236 comments

[ 3.1 ms ] story [ 221 ms ] thread
That's horrible, is suspect this will only get worse as more companies pay out, more people will launch these attacks
> The hospital couldn’t accept emergency patients because of the attack

Yes they could.

Yeah I'm a bit skeptical to this.

What exactly about a computer system prevents them from admitting a person?

Just pick up a piece of paper and write down whatever you'd write down later in the computer once it's back up. It's not that hard.

I could understand if a particular machine that goes ping couldn't be used because of the computer system being down. But that's a very specific issue.

Have you worked in an ICU a lot?
No but one of my clients is a major health care provider with over 35000 employees.

I don't manage their MT systems but I know about them and I hear about them from co-workers.

And just going on common sense I don't see how a computer could prevent a hospital from admitting a patient. We're talking about admission, not any special treatment.

So it's an honest question to the community, not trying to be dogmatic here. I'm honestly asking, what in a computer system could prevent a patient from being admitted for care?

As far as I can reason, no drugs are being held hostage by a computer. Doctors can still use their training without a computer.

Humans have been treating ailments for thousands of years without the aide of computers.

It would be really sad if this woman died because hospital staff felt hopeless without computers.

Edit: Going beyond just the human dependence on computers, it would be a good exercise in society readiness to be able to treat patients during a blackout for example.

> just going on common sense I don't see how a computer could prevent a hospital from admitting a patient.

Common sense is knowledge gained by experience. Thats' why kids "don't have any".

> I'm honestly asking, what in a computer system could prevent a patient from being admitted for care?

This is a good question for us to have more detailed understanding of.

>Common sense is knowledge gained by experience. Thats' why kids "don't have any".

I'd say it has more to do with sound logical reasoning, and not only with accrued information.

If you don't know what a DAG is, it won't be common sense to use one when you should. It's a mix.
>It's a mix.

That's exactly why I said "not only" instead of "not".

You are right about the general definition. In our specific case when someone says

> I don't see how X

Then what's often lacking is an experience or knowledge that would allow them to imagine X.

> Humans have been treating ailments for thousands of years without the aide of computers.

And now computers are in many cases deciding about life and death. Very trivial example: Boeing 737 MAX. Not able to turn off automation can cause death.

> Going beyond just the human dependence on computers, it would be a good exercise in society readiness to be able to treat patients during a blackout for example.

I agree but this does not mean that we are ready for that.

The Boeing was a major scandal though. We didn't blame the pilot or the software developers. We blame Boeing and the Air regulation authorities for not doing the necessary QA.

>I agree but this does not mean that we are ready for that.

Yes, well then this issue is even more important.

Because the german police are treating this as a type of homicide. So they seem to be going after the hackers as the cause of death here.

Then it becomes even more important to clarify why the woman was turned away.

Others have pointed this out but it could be as simple as general policy, or a manager not willing to risk treating her without the proper tools.

Either way, european countries have been talking about society readiness lately and this is key for society preparedness.

Therefore I'm not sure we should be pointing fingers at the hackers here, seems like an easy scapegoat for a deeper issue.

Even if they have to manually operate a ventilator for 4 hours in shifts, they are still a hospital. The most qualified place to save a life, and they turned it away.

Automation can also go very far in saving lives. We hear about fatal plane crashes in the news, but don’t really hear about the times that automation and computer systems catch or report a pilot overspending the aircraft, making an unsafe maneuver, deviating from standard operating procedures, or touching down too hard.

The Boeing situation is an interesting. With the Max, Boeing broke a core tenant of aircraft design that’s been a major factor in making airliners so safe. The MCAS system’s inputs (from angle of attack sensors) were not redundant. They should have been at least doubly-redundant given that the ultimate design of MCAS could pitch the aircraft down to such a degree that the pilot could not overcome it using their own control inputs. While Boeing probably should have redesigned its airframe instead of adding MCAS, it wasn’t a fundamentally bad idea to employ automation. The system behavior changed, but the company failed to re-assess the safety implications.

All Airbus products are fly-by-wire and there’s always some level of automation in play. It degrades to employ less protections when system faults occur. There’s a lesson there for Boeing!

Its not that they cant be admitted for care, its that they can't provide care, if devices that they need to provide the care don't work.

A lot of devices in hospitals work on vendor provided machines that are not up to date. If anything happens on either end, you can't use device. I am talking about CT, MRI, endoscopy, and other devices.

If you have integrated single sign on with access cards, and AD dies, you can't login, and if you can't login you cant use the device. The reason I am pointing AD out, is because I am working in integrating such device in our software as we speak.

more here: https://news.ycombinator.com/item?id=24514441

Okay, so you write down that info on that piece of paper. You put the paper down somewhere.

A nurse gives someone medication that they told you they are allergic to.

I agree with you mostly because doctors were evidently capable of running their departments way back when on paper and pencil alone. But I also think it's possible that there's a well-intentioned regulation somewhere that says that a hospital is legally required to turn away patients when their systems are down. E.g., it could be a regulation for establishing a minimum standard of care and having the systems up and running is defined to be part of that minimum standard. I don't know anything about this case though.
Doctors trained in a 1940s environment with 1950s communication habits and 1950s information-management systems were capable of doing that.

I'm not sure a nonmilitary a doctor today could spin one of those info-management systems up in a single day though.

I don't see how that is relevant

The world has moved on a bit since everything was done on paper. The new process is not necessarily backwards compatible. Everyone is trained on using a computer interface for their work, there's a reliance on the computers to move the data to wherever it needs to be.

I reckon even a restaurant with a modern POS system would be problematic to switch to paper, ad-hoc.

Sure I can accept that we have a very hard dependence on computer systems. In that case there is work to do because imho a hosptial should keep working during a war or a blackout.

This is essential for society readiness.

I'm sure they have generators for handling blackouts. Even my local grocery can keep operating in a blackout. Some people can't survive without machines after all.

They occasionally get caught by rarer situations like a blackout combined with a flood which takes out the generators.

I've more than once been turned away from a supermarket because the POS system is down.

My local shop on the other hand would have no issues. Strictly cash only, or a verbal credit agreement if you don't have enough on you. The proprietor refuses to get a card machine, says the risk is too great for a business with such low margins.

> I reckon even a restaurant with a modern POS system would be problematic to switch to paper, ad-hoc.

it would be slower and a couple more orders might get messed up, but it's not that big of a problem. a lot of restaurant POS systems are just a calculator with a touchscreen that prints two tickets per order (one for the kitchen, and one for the servers) and tells you how much to charge the customer. then the kitchen spikes their copy when they finish the order, and the server spikes theirs after they bring it to the table. on fancier ones, the tickets are just shown on a screen and you "spike" them by pressing the done button. anybody who understands how to do their job in the first place can emulate the digital system on pen-and-paper. in fact, the POS went down more than once when I worked in restaurants, and this is exactly what we did.

When I worked at a grocery store 25+ years ago, having the computer systems go down didn't mean we couldn't check people out.

But it was hard enough to deal with that we always waited for them to come back up before checking people out again.

Recently, after a hurricane, I heard local supermarkets were checking people out manually. It involved looking up prices of everything (by running to the shelf, I think!) and then writing it down and doing actual math. I was amazed that they even tried it. It's so difficult as to be nearly impossible thanks to the way things are done in normal times.

And that's just a grocery store. Medical stuff has to be way, way harder.

I understand your point, just because they are not internet connected doesn't mean they can't just treat people anyways ("just write down their name on paper for now"). I think the issue here is not bureaucracy around if they can on paper accept patients or not, I think it's more about that a lot of the equipment is connected to the internet (let's for now ignore the question if it should/should not be connected to the internet, as the answer is obvious) and if hit by the ransomware attack, it might not be able to be used.

So while they could take in the patient, a lot of the equipment wouldn't work. So it's better to reject the patient and send them to a facility where they could be treated properly, instead of dealing with faulty equipment.

The equipment isn't online. The EMR and logistics systems are.
Digital patient data creates an interesting ethics problem. A patient could have information like a deadly allergy risk on their record, which maybe you can't read, but 999 other patients are going to benefit from the same care.
Is this really a novel problem? Most treatmments have some risk associated with them, and a 1/1000 chance seems acceptable if the alternative is death or serious health consequences.

I think if the story went like "we treated the patient immediately, but she had a rare allergy which we couldn't look up in time because a ransomware attack took our network down", it would be much more of an everyday story.

It's not novel that hospitals make these choices and review them. It's novel that one of a thousand ransom attacks on hospitals has resulted in the murder threat that makes a ransom attack on a hospital work better than on a hotel or school. We want medical data because not having it might play a role in our death.

Assuming the hospital must have had a better triage response is like assuming authorities should have taken some murder threat seriously and stopped it. Maybe.. depends on frequency and other outcomes and doesn't really absolve the murderer either way.

I work at a firm that does a lot of contracting in medical field including hospitals.

We are currently working with some equipment in radiology. Devices need to be connected to network, so that they can display data on proprietary viewing device connected to the network. Some devices (and viewers) are using old versions of windows (win2000 and linux, still see RH4 ) as a base. You don't have control/access over the windows machines only vendors do, and a lot of them are obsolete versions. Windos 2k is still common.

Network dies (or is inaccessible) for any reason, and device is unusable, because you cant control it or see the results.

I spoke to their systems guys, they are aware of risk, but their hands are often tied.

That practice should be illegal. It's a form of ransomware in itself, as well as negligence in not updating it.

Either have it old and offline, or connected and updated.

Preferably offline and updated though. Forcing an online "subscription" and not keeping up their end of the bargain infuriates me.

They do the subscription+lockdown so that the liability is clear if the system malfunctions... hmm...
Interesting that German authorities are considering treating the death as a homicide. The US has the felony murder doctrine where a death that occurs during the commission of a felony is automatically considered first degree murder. [0] Germany doesn't have that, but does bump up the penalties for certain specific "crimes with deadly outcome." [1]

[0] https://www.law.cornell.edu/wex/felony_murder_doctrine

[1] https://en.wikipedia.org/wiki/Murder_in_German_law#Crimes_wi...

i see why though, as it wasnt the intent to kill, but happened, like with negligence
I'm not surprised. I'm a security consultant in France, and hospitals are amongst the most insecure organizations we work with (along with big industrials that don't need much IT). Low/no budget, insane requirements (very high availability, low/no barrier to access records, while abiding by GDPR), obsolete machines that just work(TM).

However, that "can't accept emergency patients" is surprising. I don't care if the lights are out or if I can't digitally sign their papers: hospitals should be able to run even with no machines at all. Ideas for next time:

- Paper docs available (already printed) in case everything goes under (banks do that for example, for generic papers, like opening an account, etc.)

- Air-gapped backup machines that can be used on the MRI/scanner/ultrasound/whatever machine (that hardware hardly ever changes, so it's not like those air-gapped machines would be a pain to manage)

- Backup 4G-enabled laptop that can read the vitim's Carte Vitale (or equivalent [0]) (and which doesn't connect to the hospitals network whatsoever)

- Backup hardware (Scanner, Ultrasound machine) in case someone actually fries the regular ones thanks to their horrible security (we've had plenty of such articles on HN)

- Read-only machines. Once it works, unless it's for a patch, the OS and applications shoudln't be changed, at all.

- User awareness training. Ransomware rarely happens by accident: someone clicked a bad document in a phishing mail. (Unless, you know, Wannacry, but that's not the norm)

[0] https://en.wikipedia.org/wiki/Carte_Vitale

I also don't understand this, my father died last month because of the same reason. He had an aortic dissection and in those cases time is critical (especially given that he was under anti coagulant). But they took 12 hours before they finally started treating him and claim a computer failure is the reason for that. By the time they started treating him, it was too late.

I don't understand the sheer incompetence involved. He had his prescriptions with him, he was lucid enough in the first 10 hours (my mother couldn't be in the emergency with him due to covid regulation but he communicated with her by phone) to explain his medical history. They had all the elements to actually do something but they didn't because "our computer systems were not working"

Hospitals should be able to run without computer systems and the budget for maintaining those same systems should be high enough to ensure things work. I can't fathom that it's not the case and I would never have expected something like this to happen. It's hard dealing both with the death of a close family member and the anger at the incompetence displayed by the French hospital system.

> Hospitals should be able to run without computer systems

I suspect that they can -but- they're probably concerned about legal issues - if everything isn't logged in or authorised by the system and something goes wrong, someone (and I by no means mean to imply you here!) at some point will launch a legal claim over that mistake.

[Edit: Which is also not mean to defend the hospitals for taking this position - I think it's daft but I can understand there may be reasons for it.]

Well in this case, they only told us about the computer issue as a justification after the fact, they never told my father when he was in the emergency.

If my father had been redirected to another hospital instead of being left there to wait for hours until his situation became critical, I would have been happier with them..

I suspect that they can -but- they're probably concerned about legal issues

Then the law should have a "best effort" provision. I believe aviation regulations have a similar thing, where the pilot doing anything possible in a best-effort attempt to survive or minimise casualties, including violating other regulations, is itself explicitly permitted.

> Then the law should have a "best effort" provision.

Yep, I'd probably agree with that.

OK but killing a patient by refusing treatment is also a legal risk.
> OK but killing a patient by refusing treatment is also a legal risk.

Sure but I think a lot of people would not see "we're not sure it's safe to do the surgery, let's wait" as "killing a patient" especially when you're probably going to find it hard to find anyone who'll say it was safe to do at the time.

Your perspective is all wrong. It's a hospital attached to a university. They were already operating at a loss before Covid made things worse. If they find 1 million bucks on the street, the first priority will be to fund repairs for essential medical equipment, basic hygiene, make sure the broken toilet is being repaired, fix the elevator, etc pp.

If they found enough money eventually it would go to a sensible IT infrastructure, but these people don't view themselves as IT administrators. They view themselves as doctors trying to save lives, not computers.

It takes an event like this to drive home the point that these have become the same thing. You can't be a doctor without also caring for your IT infrastructure.

To you that may sound obvious, but consider the other way around. You can't be an IT guy without caring for your own health. Equally obvious, right? Now look around you how many unhealthy IT guys you can see who always prioritize their computer time over going out and doing some sports.

Important fact not stated in the article: the ransomware in question entered the hospitals' system via the Citrix vulnerability from the beginning of 2020. This has been confirmed by the German BSI (the country's institution responsible for cyber security issues).

So: a gaping security hole known for eight months has been left open. This is especially important to keep in mind because their lame excuse is that they hadn't had enough time to fix the hole.

Are we going to pretend that all our systems, software and service are 100% up to date and there are no known issues? 8 months isn't uncommon for a lot of companies I've consulted for.

In fact i've patched things with year with CVEs published in 2012/2013.

Do lives depend on those companies' infrastructure?
Indirectly, they might.
Some would argue the opposite, our inf. being up probably contributes to more deaths then when its down.
Then I don't think the situation is comparable. The hospital should keep things up to date and your clients should run things into the ground.
In all seriousness, how does this happen? Security updates are typically just installed with an apt-get upgrade and you're looking at a few minutes of downtime if the services needs to be restarted. Containers are even easier.
How?

It cost money and there is a... Hmm delayed impact (or none) that's why.

But : germany is bringing out a new law about important IT infrastructure where you need a soc/ siem etc.

I think its called IT sig.

This is definitely the kind of thing we need, when there is law involved, maybe that C library isn't appealing any more, or the CI/CD with all sorts of static analysis finally get the green light for the necessary infrastructure.
There’s no way most hospitals are using containers and a package manager, or even Linux for that matter.
You mean you're just running apt-get upgrade on critical systems which are literally responsible for the life and death of people without extensive testing and roll back procedures?
No, but if companies start getting liable for not ensuring up to date secured software, the priorities will certainly change.
How much of a lowlife do you have to be to ransomware a Hospital? If these people put 1/5 of the work towards a productive software product they would probably make 10x the money.
They did not actually attack a hospital. They attacked a university which happens to have an attached hospital, and ended up on some servers used by the hospital. The ransom notice was targeted at the university.

When the cops contacted them to tell them they had attacked a hospital, the ransomware people gave them the keys. The hospital has access to their data again.

Looks like even criminals have a conscience. Or maybe they figured if someone dies they might be an actual effort by the police to hunt them down and put them in jail for a decade or two so they better cooperate.

It was an accident. The intended target was a University next door. The ransom note was addressed to the University. The ransomers gave them the decryption keys the moment they realised what had happened.
It's not an accident. It is a supposed unintended consequence of a criminal act.
> unintended consequence

Yeah, we call that an accident. Just like hitting someone with your car can be an unintended consequence of driving.

This is a dishonest comparison. A more appropriate analogy would be you were deliberately trying to run someone over with your car and you ended up hitting a pregnant woman as well. Then your defense is "I'm not a monster, of course I didn't purposely hit a pregnant woman."
I think you're reading too much into my correct use of language. The fact that it was an accident doesn't make the people who did this good people.

> Then your defense is "I'm not a monster, of course I didn't purposely hit a pregnant woman."

The question of whether or not I'm a monster is irrelevant to the fact that hitting the pregnant woman was an accident.

You can argue the semantics or meaning of the word accident in this incident, but I think it is important to make the distinction that it was no accident in bringing down the system that both the university and the hospital depend upon. They consciously decided to do this. Their ignorance of the full network does not take away from the intent of the original crime. An IT staff making an update that has an unexpected and unfortunate effect of bringing down the system is an accident. It is why when someone dies during the commission of another felony crime the charge is murder for all of the original perpetrators involved. The rule of transferred intent. The others don't get off, and nobody argues it is an accident [1]. Actions and consequences.

[1] https://en.wikipedia.org/wiki/Felony_murder_rule

> The rule of transferred intent.

Applying that to this incident seems barbaric. The "transferred intent" is stealing. Sure they're jerks, but don't make them out to be murderers. The fact that a woman died was an accident through and through.

The very worst case scenario they saw when they initiated their crime was that some data would be lost. The transferred intent is that the data of another organisation was going to be lost.

That a woman died was an accident.

I guess in today's times barbaric is used a lot more freely than when I grew up. It used to mean savagely cruel, and brutal.

Transferred intent is when a perpetrator intends to harm one victim but then "unintentionally" (quotes mine to point out it is in the defined legalese rather than "accident"). Yes, you can say they meant to steal, and not intentionally kill anyone. IANAL.

If you want to put it in legal scope though, it is involuntary manslaughter. You haven't convinced me to call it an "accident" by any means.

Seems like I won't convince you because your bias is too strong.

Look up any dictionary and I assure you that you'll find the definition fits this case perfectly.

Eg from the Oxford dictionary:

"An unfortunate incident that happens unexpectedly and unintentionally, typically resulting in damage or injury."

Death is unexpected when you hack a University server. Death was certainly unintentional in this case.

Your argument is worthy of discussion, which is why I am continuing the discussion, but I don't think it is bias on my part or yours as far as I can tell. Yes, the general definition of "accident" seems to fit it in the manner you mean, but let me illustrate why I initially made the assertion that it was not an accident. You stated:

> Yeah, we call that an accident. Just like hitting someone with your car can be an unintended consequence of driving.

I would add to your statement above to make it fit the comparison to the actual incident a bit better:

> Yeah, we call that an accident. Just like hitting someone with your car can be an unintended consequence of driving a getaway car during a bank robbery.

I wouldn't use the word "accident" here. I would say someone "tragically" died when a criminal was driving away from the scene of a robbery. Of the 38,000 people who die in car "accidents" in the U.S. each year, if 30,000 of those were getaway cars or tied to criminal activity, and not just "accidents" I think there would be a different response to the scenario I just presented.

Accidental death benefits from the insurance industry exclude death caused by illegal activities, but I think this means by the person committing the illegal acts, so maybe not such a good example. I don't know.

If someone chokes someone, so that they can render them unconscious to rob them or arrest them, and the choked out person dies during the process, would you use the word "accident" in reporting the incident?

If this university/hospital hack was committed by completely naive hackers, they were still committing intentional harm to a business that affects the employees and others doing business with them. It doesn't take much imagination to figure that by using ransomware in this incident, you may affect people's lives negatively without the actual death that occurred. They might have to lay off a worker or two to cover the loss, not buy essential equipment for the university or hospital that year or more, etc.

I'll leave off here, and say you had a "convincing" argument from a concise dictionary definition, but I wouldn't sling that word so nonchalantly in applying it to this woman's death. Perhaps I misread the tone of your "Yeah, we call that and accident.", but who's we?

> The rule of felony murder is a legal doctrine in some common law jurisdictions [...]

Germany is not a common law jurisdiction. If you use legal arguments, at least use ones that are applicable.

Have any other health services been under attack recently?
In modern hospitals, inability to access the EHR will prevent you from doing _anything_! CTs, MRIs, EKGs, automated drug distributing machines, you name it... will simply refuse to work if the patient is not admitted. And no, vendors don't provide you with a "special key" to bypass that. Any problem? Call the company tech and he'll be here real soon... in 12 hours.

People call for more automation but they forget the downsides in resource constrained places such as the public hospital system.

This thread is full of people who don't know what they're talking about.

Could you point to any resources for reading / learning about this? Even articles, blog posts?

I'm not doubting you (I've worked with the manufacturing industry before, sounds eerily similar), it just seems very, uh, precarious, to say the least and I'm interested to learn more about it.

Not really, sorry. This is from personal experience, and all I have is anectodes from the trenches of the OR and ER. I guess you might find some articles on MEDLINE/Pubmed, but I suspect that it's not a well-studied problem because it doesn't make/lose enough money for the right people.

However, even if emergency escape hatches exist for the particular task at hand I'd bet on the staff on site to not be aware of those anyways.

Technology brought complexities to healthcare that healthcare workers are not educated to handle. For instance, try asking to undock a surgical robot for anesthesia to gain access to the patient in an emergency. On DaVinci robots, there's a procedure for doing that in 30 seconds. Last time we tried it in our OR, it took >10 minutes.

Modern hospitals have tested manual downtime processes in place.
You can ventilate or have light in manual downtime. You don't have immediate access to any advanced stuff. And that's for very specific catastrophic situations. In grey zones where things half work and emergency protocols have not been activated, the hospital is almost completely stalled.
This. The EMR does go down from time to time. We still have paper order pads around so that things can get done. Its annoying AF. You have to fax things to radiology to get a scan. You have to walk to pharmacy to get meds. But, the system worked before computers (which wasn't that long ago in many hospitals) and it works without them today.

That said , the first time I had to use paper I felt like I had no idea what I was doing, because a lot of the EMR defaults aren't there to prompt you. So you have to specify a 'start time' for a medication, but in the EMR now is the default, so I didn't think about it as anything mandatory.

And you can transition immediately? When things like that happen over here, adjustments are far from immediate, and my center is not in the middle of nowhere. Of course the papers are there, but radiology is pretty much out of service for a few hours. And then you have advanced/special testing that pretty much does not run at all.
Downtime procedures are definitely a thing in the US. Known downtime is certainly the best time to prepare and practice, this happens when an EMR goes through an upgrade and migrations are run. This can be 6-24 hours.

There are bundled minor upgrades (think service packs) that have short (10-60 minute) downtimes, blocking migrations run in that time but are kept to a minimum. If it is at all possible, migrations will be async (even on major upgrades) and run in the background after the new version goes live.

During downtime, bloodwork and the like involve pre-allocated barcode labels. Either the results will be accessible on the instrument afterwards in its memory, or the results will be printed out and it is up to the lab tech to transcribe the results.

I can't speak in depth for radiology, but I expect that they have file share servers involved for the raw results. Likely less local memory (in number of results that can be stored) than clinical lab instruments.

While tangential to the main story, I'd be interested in learning why they took the patient to a hospital in a different city.

There are multiple hospitals with emergency rooms in Düsseldorf (I grew up there). Wouldn't it have been better for the patient to be taken to one of these, even if they lack the quality of care (in terms of number of different specialists on call) compared to the university hospital?

(comment deleted)
I'd be really interested to learn what specific systems didn't work. I recently commented on the PG&E and fires issue and I think this is significantly different regarding who is responsible - how can a hospital not operate? It's humans performing an operation, they might need data - ok that's something that should be accessible through other systems. They might need devices, is there any specific reason why they shouldn't work offline?
Sounds like murder, at least in some jurisdictions (with felony murder laws.)
German newspapers report that it's currently classed as manslaughter (fahrlässige Tötung)
I would attribute this to both,

- (unquestionable) the attackers but as well as

- the IT-department that did not fix serious vulnerabilities (of an apparently mission critical system)

We have that in all kinds of places: If you neglect your duties on maintenance or diligence in areas where humans could be harmed (electrical installations, fire safety, construction, whatsoever), you are liable for whatever happens. I don't see why IT should be somewhat special. The Citrix patch came out half a year(?) in advance.

Two things can be true at the same time. In this case, that the malware authors are responsible, and that the hospital/management were negligent.

Negligent circumstances seems controllable, whereas having no bad actors in the world (particularly the international world, including rogue states) seems nearly insurmountable.

Every time this happens, I'm going to keep saying the same thing: Management let this happen. The dangers are known, the risk mitigation is known, and their failure to act is tantamount to negligence. This didn't "have" to happen, they allowed it to happen.

But as I said at the start: Two things can be true at the same time, management's negligence let someone die and the malware authors are responsible for the death.

while i wholeheartedly understand your point. i would ask you to keep in mind that not even nurses are paid what they should. IT is not getting any money before them. i dont know who does the IT stuff but ill give them the benefit of the doubt that they have their hands full? or am i naive?
How does one calculate the amount someone “should” be paid?
There’s a distinction between blaming the front-line staff and the management/hospital as an entity. The likely argument is that it is the management’s role to ensure the IT department is staffed appropriately.
That's why I never placed blame on IT. This is a management problem, not an IT problem, front line staff do as they've told.

It is management's responsibility to assess the risks and to decide where money should be spent (in this case on patient critical infrastructure).

To use another poster's example: It is like them failing to upkeep their sprinkler system and part of the hospital burning down.

isn't median wage for a nurse somewhere around $35/hr? this is around the 75th percentile for income in the US, assuming they work forty hours a week.
I look at it like this: if the hospital were being extorted by arsonists, we wouldn't be standing around blaming the architect of the hospital for using wood in its construction as the hospital burned.
A counter-equivalence could be that banks build vaults, because they understand the importance of what they hold. I see your point, but it isn’t as clean as stated.
You might criticize the builders if the hospital had no sprinklers or smoke alarms, though.
Those are regulated amd everyone who builds building knows. Especially in Germany.

Software industry hates idea of regulation.

(comment deleted)
This doesn't absolve the owners from running a hospital that doesn't meet fire code, however.
Then do we have IT code? Pun not intended.
Not sure about Germany, but in the US we have HIPAA which sets security standards (physical and electronic) that everyone in the healthcare industry must meet.
A lot of times these standards can be satisfied by relatively simple mechanisms like access control lists which prevent legitimate users from performing illegitimate actions (like a nurse or doctor shouldn't be able to pull up any patient record) paired with extra-technological controls like stating that only the listed non-medical personnel can access a particular patient's records (like adding your spouse or parents as valid recipients of test results and health status information). These do nothing to actually ensure the security of the system with regard to external actors.

Additionally, you can often satisfy these things with policy statements rather than technological solutions. A weekly review of record access reports may satisfy in some cases, without needing to implement an ACL mechanism.

People generally don't die as a result of failure to meet HIPAA standards, though. To boot, HIPAA covers security standards for the protection of PII--it doesn't cover security standards for network intrusion.
Preventing network intrusion seems pretty critical to protect PII.
Someone can be on the network and fail to crack encrypted data and you'd be in compliance. HIPAA is only about information leaks, not about operational health.
No, not in the general sense. Only for specific kinds of data/applications (mostly centered around securing PII, health data, and the like). But the general IT infrastructure has no foundational standard we require people to achieve.

And after about 60 years of IT, I don't know that we ever will. Efforts to certify systems/processes are often bogus (participate in a CMMI appraisal for a good example of this). Legitimate efforts to certify them are drowned out by the charlatans. And very few in the IT industry would desire personal certifications along the lines of PEs. Either they don't want the legal and financial liability, or they truly believe there's no value in it.

Except for very specific areas (security of vital systems in general) I believe the ability of Subject A to deliver service (including making software) to a Subject B should be strictly a business between consenting adults (bar tax reporting). We are supposed to be a "free" world.
I can mostly agree with this sentiment, but care has to be taken when the system involves people who aren't party to the design decisions, but whose information is stored within the system.
Yes Germany has both general IT guidelines and specific codes for hospitals. Also high levels of IT security are required by law for hospitals. And those standards, guidelines and analysis of industry sector typical problems are made publicly available by a government agency funded with tax money.

However: Despite a law being in place since 2015 many hospitals are still underdeveloped when it comes to IT and IT security in particular.

Some places, the 'code' is merely a tool for businesses or other organizations to avoid liability. "We met all the standards, we shouldn't be accountable."

If the brakes go out on your care, and you smash into a building, even though it was recently serviced to whatever 'standards' are you liable? Yes. And then it will be up to you to pursue the manufacturer of the car, who will claim they met all standards, so they're not liable. See how it works?

> Some places, the 'code' is merely a tool for businesses or other organizations to avoid liability.

And that's important. You have to have some place to draw the line between "we did nothing and we're all out of ideas" and "what do you mean you didn't write your own operating system from scratch and hire fifteen security experts to continuously analyze it for un-patched zero-day exploits?"

That's where industry standard "best practices" come in. Once some sort of standard is issued (by regulation) or accepted (by industry), it becomes the thing that a Reasonable Person does. Meeting that standard is then usually sufficient to avoid charges of (or additional liability for) negligence.

> If the brakes go out on your car, and you smash into a building

In this case, you're liable because you carry strict liability for your actions as a driver. However, proof that you've kept the car in working order would be sufficient to escape any criminal charges (dangerous operation of a vehicle, for example)

I would need to give you a very deep dive into how europa and germany especially handle this so you can understand it ... I often forget how different the way people think about regulations is in the USA. On the surface: There is a joint initiative of the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI) which work with domain experts to define the abstract standards for critical infrastructure. There are more specialized sets where the German Hospital Federation (DKGeV) has more influence in how to make it happen for hospitals in particular. The whole regulation is set up to focus on continuous improvement, risk management, escalation processes, investigation of breaches and the like. It is related to ISO27001, but goes beyond that.

Maybe comparing it to MilSpec makes it understandable to citizens of the USA: we want our hospitals IT infrastructure to be like the navy wants its warships: made out of steel, with redundant systems and sane compartmentalization so it can withstand most attacks. And we are willing to invest billions of tax money to get our existing hospitals up to these standards, because many are like viking longboats: they stay afloat and cure disease, but they are not protected against torpedoes. A hospital looses most of its infrastructure to a some ransomware? There is an investigation by the supervisory body into the technical and organizational details of the specific security incident and they really don't care about certifications printed by some private company that claims to have audited the hospital. The expected result is a "how this hospital intents to prevent this type of incident in the future" document. These standards are not about certifications of industry sector mediocrity waved around to shift blame and win liability cases in court. Also I don't think liability cases work that way over here, but i am not a lawyer.

So did the hospital violate it?
They got dozens of servers with patient data hacked and encrypted and had to shutdown their intensive care and reroute patients elsewhere.

What do you think?

I don't think there is a single hospital that completely fulfills those standards. The bar is very high and the umbrella organization of hospitals says there must be millions per hospital invested to reach the requirements.

In unrelated news: a new law was passed today, after years of preparation, that includes a 4.3 billion euro investment of tax money into hospital IT systems.

> They got dozens of servers with patient data hacked and encrypted and had to shutdown their intensive care and reroute patients elsewhere.

Wouldn't simply using a cloud-based B2B service with something like Chrome OS / Cloudready instead of Windows solve the entire problem?

If that wouldn't work for data privacy or network availability reasons, it could be an open-source self-hosted server application, accessible locally only through a REST API.

And the server security? Just use something like self-updating RHEL CoreOS with a bunch of isolated containers, which greatly limits the entire attack surface.

> I don't think there is a single hospital that completely fulfills those standards.

Why can't a single technical solution be designed and supported for all state-owned hospitals in Germany?

The problem is not in any particular stack. It’s system design overall. All your mentioned alternatives could just as easily fail if not properly secured.
> The problem is not in any particular stack. It’s system design overall.

Are you aware that unlike Windows, Chromium OS has been designed from the ground up with security in mind[1]? And that it can run on almost any hardware[2]?

> All your mentioned alternatives could just as easily fail if not properly secured.

Software has to be designed and chosen with security in mind from the beginning.

If a hospital is running Windows Server instead of automatically-updating, minimal Container Linux[3], it has a much larger attack vector space.

These two factors alone (a proper client OS, and a proper server OS) can reduce the probability of a successful ransomware attack to almost zero.

[1] https://www.chromium.org/chromium-os/chromiumos-design-docs/...

[2] https://get.neverware.com/healthcare/

[3] https://getfedora.org/en/coreos

What about credentials? Access? Administration? DDOS attacks?

I think you can’t tell the attack space from a glance like that. And there’s ways to properly lock down Windows installations too, patched or not. Careful systems design and planning is key, regardless of exact components.

> What about credentials? Access? Administration?

That has been a solved problem, at least in Chromium OS[1]. Even hardware-based two-factor authentication can be required for all users by a click of a button.

> DDOS attacks?

If it's self-hosted by a hospital locally, most parts of the system should not be available on an open network. If it's not self-hosted locally, the largest European hosting provider, OVH, can survive a 1.1 Tbps DDoS attack[2].

> Careful systems design and planning is key, regardless of exact components.

If the solution is not designed around up-to-date technical components, it can fail regardless of careful planning.

[1] https://support.google.com/chrome/a/answer/1289314?hl=en

[2] https://arstechnica.com/information-technology/2016/09/botne...

You list technical solutions, but I'm talking about organisational failure. What about using too simple password, posting passwords on some semi-public forum, using the same password for several people, using the same account for several people and so on.

In large organisations, the problems are always found in the organisation itself, seldom in whatever tech stack is used. That they used unpatched Windows installations is not the disease, it's a symptom of the disease.

You can enthusiastically treat the symptoms and improve the condition of the patient, but unless you go to the root causes, the patient will find new ways to be ill and you can 't be there to band-aid everything, all the time.

1: I have far too few information to even speculate on how to improve this particular hospitals infrastructure.

2: because Germany is federal-social-democratic, not stalinist.

> because Germany is federal-social-democratic, not stalinist

Ah, "federal" is the right answer here. In many smaller EU countries, there is a single central social-democratic government, which can just fund an open-source solution for all regions to use.

well we can fund an OSS, but i have this feeling you underestimate the complexity of all possible hospitals.
I probably do. In any case, I would design a fundamental core system with an open API for extensions, that could be developed and maintained by third-parties, based on additional requirements by each hospital.
> They got dozens of servers with patient data hacked and encrypted and had to shutdown their intensive care and reroute patients elsewhere.

> What do you think?

I don't understand why this apparently seems so obvious to you. I think I would need more information about the attack, the hospital's preparations for such an attack, and the legal and industry-standard security expectations for such a hospital.

The simple fact that an attack took down a hospital's computer systems is not sufficient to conclude that the hospital was negligent in its security. Surely a sufficiently sophisticated actor (e.g. a state) could take down the computers at most hospitals if they chose to.

I did not say that the hospital was negligent
> What do you think?

I think you can follow all the laws and still get hacked, so I don't think the fact that they got hacked tells us much about whether they were following the rules

We have best practices, laws like HIPAA and standards like PCI DSS.
(comment deleted)
If they shirked building regulations and built the whole thing out of kindling and made it available to any arsonist anywhere in the world, we probably would blame the architect. Of course, if we have to torture the analogy to make it fit reality, it's probably not a very good analogy.
This is more akin to thieves robbing Hospital equipment. If the hospital had inadequate locks and security they'd still be partly to blame.
The wood is not the problem. It's the lack of evacuation plan.
But if someone attacked others in a hospital, we might blame them for lack of security.
probably not. we don't generally have high expectations for physical security in hospitals, outside of controlled medications perhaps. at most hospitals you just have to give your name, the name of someone you claim to be visiting, and then you can go pretty much anywhere you want.
Arson is a physically violent act, hacking is not. For any reasonable moral standpoint those things are very different.
If you hacked with the intention of harming/killing persons then it sure is violent act as the intent matters. Obviously in that particular case hackers did not really want to physically harm.
Attacking hospital, including machines handling life support is still a violent act.

I see no real moral difference between arson and launching ransomware attacks.

It depends on what you hack, doesn't it? If your hack causes physical harm, it is a physically violent act. You wouldn't say that someone firing a gun didn't commit a physically violent act just because all they did was pull a trigger.
There must be a distinction between:

1. Actions that are physically violent

2. Actions that cause physical harm, but the action itself is not physically violent

If 1 and 2 were the same, it would imply that voting for a politician that decides to kill people is just as bad as killing people yourself. The consequences of that wouldn't be good.

> You wouldn't say that someone firing a gun didn't commit a physically violent act just because all they did was pull a trigger.

If the gun is their property, it's their fault that their property is attacking someone. It's not pulling the trigger that's wrong, its that their property attacked someone else. Same idea applies to killer robots.

If the gun is not their property, then it's their fault that they used someone else's property.

If you reasonably know that the politician would murder someone then you absolutely are equally bad if you vote for them
Arson is not physically violent by this nonsensical distinction. It's just a chemical reaction that spreads on its own.
The only difference I see is that hacking is always premeditated, making this a much worse instance of murder by definition.
If we lived in a world where drive-by arson was a common pastime, we'd blame hospital operators for building hospitals that aren't really hard to set on fire.
We might change our minds if fires could be started remotely by someone halfway around the world who doesn't even know the hospital exists.

In that case, the active threat begins to look more like a random-chance natural disaster than the kind of event the human justice system can bring to heel. By all means use the justice system, but if the justice system is failing? Plan for fire.

(Seems like there's a lesson to be applied here to architecture in California, now that I think about it...)

I have a background in civil engineering with a focus on structural / geotechnical / construction engineering. Standards for hospitals are much stricter than they are for houses. In fact, for buildings like hospitals we have specific parts of the law that limit damages. I don't know the details of this specific hack well enough to comment on where it falls on the spectrum of incompetence, but things like bollards are required by law between a hospital and a street. There are also limits on the amount that one can sue for when they're exposed.

Fundamentally though, this is a failure of the tech community to engage policy makers and a failure of policy makers to engage / listen to the tech community. It took me (and others?) years to get self-driving car regulations enacted in Canada. And even there, we're just getting started with the basics. Not enough programmers are politically engaged and the field is moving so fast that it is tough for regulators to keep up. I'm not surprised that people are dying. Quite the opposite, really. I'm surprised so few have died given how horrible our security is for industrial systems and other fuddy-duddy sub-industries of software. Yes it's a lot better today than it was five or ten years ago, but the offensive tools are much better as well. It's literally an arms race and sometimes it looks like only one side recognizes it as such.

The circumstances that led up to this failure of organizational security are a combo of IT apathy and vendor lock-in.

IMO you should not be running windows on hardware whose failure could cause deaths. Maybe windows could be secured to prevent this but that would require IT staff to keep things updated which does not always happen.

A much better solution is to run locked down Linux or BSD.

Now go and try to explain that to the doctors. We all know that they could roll out Gentoo (chromebook style) and be supersecure, but the reality is nothing will change until hospitals stop using proprietary software that requires Windows.
I can't agree with your about the tech community engaging policy makers. Every single time I've seen tech tell policy makers something is bad, or that it will work exactly the reverse of the intended, policy makers do just the thing they were cautioned against. In the last 2 years Australia (for instance) has gone against at least 3 major objections by tech. Costing jobs and security.
A better analogy might be if the hospital had a known defect which, if un-repaired, could lead to someones death. And then it did. As pointed out in the article: "... cybersecurity experts have warned for years that most hospitals aren’t prepared."

Unfortunately, hospitals have a complex and expensive job ahead. I wonder if anyone has developed a blueprint for how to proceed?

Infrastructure only gets second or third grade people, especially in Germoney. The best go to the U.S. as the lower taxes ensure highest bang for the IQ. The next best go into some of the hyped and promising fields like AI. The lowest tier does local infrastructure with minimal reach and prestige in a globalist, centralized world.
> Two things can be true at the same time

Heck, three things can be true at the same time. For example, in the Uber self-driving car death:

- uber's safety systems failed to recognize a human in the road

- the backup human driver failed to pay attention

- the woman in the middle of the street failed to pay attention

There can be N failures that all contributed to a given disaster, and it's important to consider all points of failure which can be mitigated in the future, not just the most controversial point of failure.

> There can be N failures that all contributed to a given disaster, and it's important to consider all points of failure which can be mitigated in the future, not just the most controversial point of failure.

For the Uber thing, what incentive does the management have to do the right thing?

Money damages, potential criminal lawsuits, and reputational harm which is real and costly (though I know HN is skeptical of it).
Funny that being ethical and prioritizing to not do harm is not on the list.
'Prioritizing to not do harm' is an ethical consideration, and ethics are subjective, so I didn't consider them 'incentives'. If the question had been about 'motives' or 'considerations', I would have included 'potential ethical beliefs'.
The reason why is that presenting facts and concrete logic is more compatible with a greater array of people, whereas ethics and morals are subjective. Using a moral argument is not going to be as persuasive in business (particularly if, generally speaking, leadership is largely comprised of sociopaths, which is just a reality of this world)
Thats pretty much what I meant with "funny".
> reputational harm which is real and costly (though I know HN is skeptical of it).

Largely because the world keeps demonstrating that reputational harm just doesn't happen to large companies. Uber included in this particular case.

Here's the Uber trips per quarter (in millions) since Q2 2017 (source https://www.businessofapps.com/data/uber-statistics)

Q2 2017 889

Q3 2017 985

Q4 2017 1,088

Q1 2018 1,136

Q2 2018 1,242

Q3 2018 1,348

Q4 2018 1,493

Q1 2019 1,550

Q2 2019 1,677

Q3 2019 1,770

Q4 2019 1,907

Q1 2020 1,658

The probable reason for the Q1 dip was the pandemic. The number of riders just keeps on rising.

You can see the same with Target etc. Large breaches happen, major negative incidents, and at best you might see a blip. The large majority of people just don't give a shit, so companies are given permission to not give a shit either.

I believe there's still another failure: Uber's systems didn't ensure that the backup driver was paying attention, when it was highly foreseeable that their attention would lapse (although granted watching a show on your phone is more than a lapse of attention).
Why stop at three? What about Arizona's lawmakers for allowing this in the first place, or not demanding that certain safety measures are met?
Careful. If you think about this too much, you might end up realizing how absurd “justice” systems everywhere are.

Maybe say everything has one cause: the initial conditions on the differential equation that governs all existence.

(comment deleted)
That assumes that the state has a responsibility to micro-manage every activity, with prohibitions on activity that doesn't follow the prescribed regiment, to prevent negligence.

The individuals involved in an activity are the only ones responsible for avoiding negligent behavior in a society based on the liberal democratic principles of individual rights and responsibilities.

However, to give due credit to your musing, the Uber situation is somewhat different in being on public roads, which lawmakers do have some responsibility to govern an individual's use of, for the safety of others who share public roads with the individual.

We allow the state to micromanage the activities of individuals all the time, such as with drug, prostitution, and porn laws.
I learned recently this is sometimes visualized by something called the "Swiss Cheese Model": https://en.wikipedia.org/wiki/Swiss_cheese_model

Regarding self driving cars: I was once told that a big reason for the safety of fly-by-wire systems (when planes first moved from directly attached controls) is that the engineers who built those systems had to take the first flights, so they made sure their systems were good. That is probably the case for self-driving cars too, but falling out of the sky feels more viscerally unsafe than driving on a highway, and the gradual nature of the changeover probably isn't helping either.

This is the reason for “root cause analysis” being obsolete and against best practices for complex systems. The practice seems to be something that less sophisticated management wants for a political scapegoat rather than to actually solve problems.
Three things: Bitcoin allowed malware authors to have a viable business model.

Technology isn't neutral. The world is too complicated to hide behind that argument. We must think about the consequences of the things we build.

Scott Alexander:

> The latest development in the brave new post-Bitcoin world is crypto-equity. At this point I’ve gone from wanting to praise these inventors as bold libertarian heroes to wanting to drag them in front of a blackboard and making them write a hundred times “I WILL NOT CALL UP THAT WHICH I CANNOT PUT DOWN”

https://slatestarcodex.com/2014/07/30/meditations-on-moloch/

Thanks for the link. Very interesting.

Fortunately, Scott is wrong on this. Crypto does not only subvert old forms of coordination, it also allows new forms of coordination. Whether this will is a net win remains to be seen.

That's like saying cash enabled drug and arms trade, or that encryption enables terrorists to communicate.

Cash, Bitcoin, and encryption are neutral technologies that can be used in negative ways.

Analogies are usually not the correct way to proceed in an argument. Let me quote from [1]:

> Weak analogy

> Definition: Many arguments rely on an analogy between two or more objects, ideas, or situations. If the two things that are being compared aren’t really alike in the relevant respects, the analogy is a weak one, and the argument that relies on it commits the fallacy of weak analogy.

> Example: “Guns are like hammers—they’re both tools with metal parts that could be used to kill someone. And yet it would be ridiculous to restrict the purchase of hammers—so restrictions on purchasing guns are equally ridiculous.” While guns and hammers do share certain features, these features (having metal parts, being tools, and being potentially useful for violence) are not the ones at stake in deciding whether to restrict guns. Rather, we restrict guns because they can easily be used to kill large numbers of people at a distance. This is a feature hammers do not share—it would be hard to kill a crowd with a hammer. Thus, the analogy is weak, and so is the argument based on it.

In this case the distinction between cash and Bitcoin is exactly what enables criminals to benefit from their crimes.

[1] https://writingcenter.unc.edu/tips-and-tools/fallacies/

In this context, the malware hackers are probably going to save lives in the future by setting a modern precedent for negligence at hospitals and it systems will be updated. Surely they should be patted on the back for such efforts?
By that measure, hijackers who shoot some passengers or crash an aircraft might 'save lives' by motivating the implementation of more rigorous security measures at an airport. I think this is patently absurd.
You could make this same argument about every criminal act.
(comment deleted)
Here's a simple analogy:

You buy a sprinkler system from Acme. Acme cheaps out and installs defective sprinklers. An arson lobs a molotov cocktail through your window to set your house on fire, but the sprinklers fail and your house burns down as a result.

The arson caused the fire, but Acme is simultaneously responsible for the defective sprinklers.

The analogy breaks down in the context of the law (as most analogies seem to) because in this case the hospital was not explicitly selling you a product to protect against hackers. However, I think it stands up from a purely ethical point of view.

It's pretty easy to establish the malware attackers' responsibility. But the extent of the hospital's responsibility is much harder to establish, especially across all types of potential attacks. Basically, it's not easy to establish precisely which types of attacks a hospital needs to be prepared for in order for them to not be considered negligent.

In this case, I don't see many details, but it does sound like they simply couldn't access patient data and thus were transferring patients. I find it hard to believe that they couldn't have continued to provide emergency treatments that don't require networked computerized machinery.

But I'd want to know more about the attack before I could conclude that the hospital was negligent. Surely for every hospital there is some attack with sufficient sophistication to disrupt service at the hospital.

Well, the article notes:

Even attacks that target patient data, and don’t directly impact medical devices, can hurt patient outcomes: one study found that a hospital’s death rate from heart attacks goes up in the years after a data breach. That’s probably because hospitals have to divert resources to respond to the attack or upgrade software in a way that changes how doctors operate.

There are tough choices to be made here. An attach that spurs them to divert resources to security causing deaths means that diverting resources to security before the breach would cause deaths also. Knowing exactly how much to spend on things other than patient care is tricky. We can say they were negligent because they didn't spend the money, but there weren't any attributable deaths yet, so they would have been spending money with an idea it would probably cause some adverse patient outcomes and not knowing if it was actually needed. That's a hard position to be in.

Ransomware groups targeting hospitals should be pursued with the same zeal that governments pursue terrorists, even if lives aren't lost.
They didn't target the hospital:

"The cyberattack was not intended for the hospital, according to a report from the German news outlet RTL. The ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital."

Source: https://www.theverge.com/2020/9/17/21443851/death-ransomware...

Why are people making such a huge deal about who they were targeting and who not? Ransomware is digital extortion. There’s zero honor to it in any case.
Whether they targeted the hospital might be relevant to what type of homicide they are charged with if they are caught.
Because if only University computers had been affected nobody would have died.

If this was just some ransomware attack it would be barely newsworthy, and we sure wouldn't be discussing it. The death is what makes it interesting. And in this context it is important that the hospital wasn't even the intended target but was caught in the crossfire.

That doesn't justify anything, but I think we can all agree that extortion is a less severe crime than murder.

I get your point, but the tone in some of these is borderline defensive of ransomware. As if it would be legit otherwise, except they just misfired in this case
If that's the case then just to clarify: I think ransomware is like a digital protection racket. You either pay up or they try their best to burn your business down. But it's even worse, because even if you have every intention to pay (which you shouldn't), it still causes you downtime that's probably worse than the ransom itself. It's not something I would wish on anybody, and it's a drag on the entire economy. We should prosecute the perpetrators wherever we can.

But if I had to assign jail sentences, a ransomware author would get a decade or two (add another decade in this case for manslaughter), a murderer would get a life sentence. Life over property.

He's not being defensive, you're being a zealot.

It is important to recognize that crimes have different levels. Society understands that, and it's encoded in our laws in the way we define scaling punishments, and have a difference between misdemeanors and felonies.

For thefts, there's a distinction between "burglary", "robbery", and "robbery with a deadly weapon".

And in this case-- comparing ransomware of a university to terrorism is disproportionate.

FYI I’m not the original poster who commented on the terrorism aspect, but I think ransomware is difficult to categorize because it is often a spray and pray-type attack. And occasionally a vulnerability and other infection vectors line up neatly enough to cause huge damage.

So in this case, the better analogy would be explosives - someone tried to blow a safe to get the money inside but the explosion also killed an innocent bystander.

Isn’t that like saying that if someone burns down an abandoned building and accidentally kills the squatters living inside that they shouldn’t be prosecuted for man slaughter as well as arson?
If "accidentally" is true then prosecuting them for deliberate murder would not be OK.

Prosecuting them for man slaughter and arson and everything else what applies would be perfectly fine.

We're going down a rabbit hole away from the main topic, but "depraved indifference" can lead to murder charges in some states. And burning down a building without checking if anybody's inside would definitely be depraved indifference.

https://en.wikipedia.org/wiki/Depraved-heart_murder

Holding a university ransom is not much better..
It's definitely better than holding a hospital ransom. It's very unlikely that anyone will die if you spread ransomware in a university.
The incentives remain unchanged; if an untargeted attack hits a hospital, treat it (for resource allocation to bring perpetrators to justice) as equivalent to a targeted attack. This incentivizes crooks to do the work on their end necessary to avoid society-critical targets so they don't end up staring down an INTERPOL red notice.

The Morris worm's DOS nature was a programming error; it was still prosecuted as a felony for total amount of damage done.

Isn't that part of why we treat terrorism more harshly? It's often an indiscriminate attack that harms a lot of people. Like setting off a bomb in a government building and mostly harming private citizens who happened to be there.
(comment deleted)
The government doesn't even care about ransomware groups (and their nation-state sponsors) that target the government.
Given the proliferation of IT in everyday life, we need to change the language and remove "cyber" from cybersecurity and cyberattack. So subconsciously accepts that this is what a modern meaning is.
I wholeheartedly agree with this.

Similar to how we don't refer to our phones as smartphones anymore. Back in the 1990s, if you had asked me to check the weather on my phone, I would've thought you meant calling up the weather channel/hotline, but now we all know exactly what you mean.

Just imagine what a state-level actor is cable of doing to a countries health care / power / transportation infrastructures when damage is the goal instead of money.
A book painting such a picture is "Black Out" by Marc Elsberg ([1], [2]). I can wholeheartedly recommend it, as it points a pretty scary, yet plausible scenario and is a proper thriller as well.

Its plot takes mainly place in Germany, so it's written with a Europe-centric view and I'm not sure how well that translates to the US. However when looking at the brittle electric grid in parts of the US, I believe such attacks could be even worse there.

[1]: https://en.wikipedia.org/wiki/Blackout_(Elsberg_novel) [2]: https://www.amazon.com/Blackout-heart-stopping-techno-thrill...)

(comment deleted)
I'm not sure this is really the "first ever case of a fatality being linked to a cyberattack" as the subtitle claims. Didn't NotPetya take down a bunch of US hospital networks, as documented in the book Sandworm? I can't research the exact citation, but there were fatalities. Perhaps the difference here is there was a legal ruling.
On the other hand, if you apply the same standards to everyone, you would have to put many politicians and hospital managers in jail for having closed many remote hospitals.
I hope they find the accountable party and bring them to justice, but also: sysadmins, consider air-gapping your critical care and patient accounting machines (at least some of them). External ransomware threats shouldn't be able to reach the machines that schedule patient care.
The problem is that a lot of the specialist machines weren't designed with security in mind — it’s not so easy to do as you describe
Neither is learning to do open-heart surgery, but both can save lives.
Do you mean: hospital CEOs, fund IT to do its job, and Medicare, insist on secure facilities?
Everyone blaming the hospital for mismanaged IT is missing a couple things:

1) Hospitals are usually swiss cheese in terms of vulnerabilities because patient safety overrules most security issues. It’s very difficult to patch in time

2) Hospitals tend to have a tricky network and asset profile with security staff potentially inheriting decades of unmapped custom IT

3) Theyre usually underresourced and overworked

From January, when management became aware of this particular vulnerability, until September I'd say is more then enough time make a patch. Management can and should be liable just as the attackers. IMO there is no difference, in this case, between them two parties.
Apparently a lot of systems were backdoored in January (exploits were available before the patches), so even if the patches were installed right away the backdoor is still there [1]. The malware hackers are now slowly processing their long list of compromised systems.

[1] https://blog.fox-it.com/2020/07/01/a-second-look-at-cve-2019...

So I get that the vulnerability should have been patched, but to say that management and the attackers are no different is quite frankly disgusting and a very dangerous thought to have. The attackers clearly had an intent to harm, even if financially, and to lump managers in with them as if they were the ones purposefully breaking the law is unconscionable. Negligent? Yes, perhaps, we don't know the facts. But criminal? Absolutely not.
Yes, it is criminal, defined by law. It's called manslaughter.
4) It's all proprietary incompatible forced-obsolence junk because the government doesn't mandate free software and open prorocols for healthcare.
Oh yeah, so it's noone's fault again. Just a software problem, no one saw it coming, nothing could be done!
Attacking systems that result in people getting killed is a great way to attract entirely more attention than I think these sorts of criminals want.

At best, they might trigger the creation of laws that prohibit paying ransom to take away the incentives. At worst, they might get themselves tagged as terrorists and end up on the pointy side of a fairly urestricted use of attack drones by the US.

The US doesn't drone Russia; too much Cold War history there.
More to the point: Getting people killed could make the Russian government stop turning a blind eye to cybercrime.
And too much Trump-Putin friendship
While there are obvious direct causes of the death here mentioned by others, I believe that everyone who has paid out a ransomware ransom has a tiny bit of blood on their hands for this one. The attackers were targeting a nearby University, the hospital was collateral damage, and they wouldn't have bothered with the attack if they didn't expect that the University would pay-out.
"not negotiating with terrorists" only works if you have the support of your national security apparatus, which is otherwise engaged in starting wars for private commercial benefit.
Care to explain? I don't see how that follows.

To me, it is clear that paying a ransom encourages the crime that the ransom repairs, regardless of anything else going on.

Reading more into the story - the hospital became a hostage to its own IT system. Basically they can not provide emergency services. Somehow I think it is a problem on its own. I do not have enough info but we are becoming more and more dependent on IT systems and up to what point? Are there any limits? Those systems are fragile...
Thats the scary part to me. You're having a heart attack, but the computer's not working. So now we can't treat you.

This is not IT anymore, this is in medical device territory. When you rely on a computer to send a medicine order to a hospital pharmacy, and you can't get drugs without it – that's a critical life support device at that point.

If you can't administer medicine to a PT without scanning the barcode first, that's a critical life support device.

This claim will be retracted by the hospital. We need a betting market, I'd say they will back down next week.

The hospital refuses to state the software, so they can't care to much.

People have died from ransonware many many times before in hospitals. ie [1]

But orders of magnitude more people have died from hospital's shitty IT systems.

[1] https://krebsonsecurity.com/2019/11/study-ransomware-data-br...

Isn't main problem that hospital relied on computers too much? Why cannot they treat patients without them?

What if tomorrow, say a buggy Windows 10 update disables their systems, will someone else die?

Comouters increase efficiency. The problem is under investment in healthcate and over investment in insurance company paper pushers and $800Million fraud by people like US Senator and anti-voting-rights activist former CEO Rick Scott.