The authors pledge for a complementary approach to cybersecurity in terms of regulations and directives that give EU countries the opportunity to safeguard patient safety by acting proactively—i.e., before an attack occurs—thus raising the level of security. Under the requirements of Network and Information Systems Directive (NIS2), hospitals will be able to use devices that, by meeting the provisions outlined in the Cyber Resilience Act (CRA), Medical Device Regulation (MDR), In Vitro Diagnostics Device Regulation (IVDR), and Machinery Regulation (MR), will, together with other technical, operational, and organizational measures, be resilient to potential disruptions, including those caused by ransomware attacks. After all, cybersecurity is more than just a matter of law. In some cases, it is also a responsibility for human life.
An article by Rafał Prabucki, Dominika Prabucka, Mateusz Jakubik & Aleksander Wojdyła
Ransomware – what is this threat?
In 2020, a tragic incident occurred at the University Hospital in Düsseldorf, where a ransomware attack paralyzed the facility’s IT systems, preventing the admission of a critically ill patient. The woman was redirected to a hospital in Wuppertal, 32 kilometers away, which delayed her treatment by approximately an hour. Unfortunately, she passed away en route.
German prosecutors launched an investigation into gross negligence manslaughter (Fahrlässige Tötung), examining whether the delay in providing medical assistance was directly linked to the hacker attack. Investigators had to determine whether there was a causal connection between the actions of the cybercriminals and the patient’s death. After two months of investigation, the Cologne prosecutor’s office concluded that there was insufficient evidence to press charges, arguing that while the ransomware attack contributed to the delay, it could not be definitively established that the hackers were responsible for the woman’s death.
Nevertheless, the German prosecutors sent a clear message to hackers – if a patient dies during a ransomware attack, we will seek to hold you accountable.
An important question to ask is: what exactly is Ransomware? This term is specifically defined by ENISA, the European Union Agency for Cybersecurity. Based on the ENISA Threat Landscape for Ransomware Attacks, ransomware is defined as:
“A type of attack where threat actors take control of a target’s assets and demand a ransom in exchange for the return of the asset’s availability and confidentiality.”
This definition emphasizes three key elements present in every ransomware attack:
- Assets – The resources targeted by ransomware, such as files, systems, or databases.
- Actions – The methods used by ransomware, categorized under the LEDS model (Lock, Encrypt, Delete, Steal).
- Blackmail – The coercion method used by attackers, which may include threats of data leaks, publicity, or additional attacks (e.g., Distributed Denial-of-Service, DDoS).
However, when it comes to the software itself, the “innovation” of the program lies in how encryption has been used. In principle, encryption, as an element of cryptography, serves a defensive purpose. However, in malicious software, the algorithm encrypts data against the will of the asset owner. This unusual phenomenon was first noted by one of the fathers of the Internet, Paul Baran, as early as 1965. Unfortunately, the vision of criminal groups operating in this manner has become the main cybersecurity challenge today. In ENISA’s Threat Landscape reports, ransomware incidents rank among the top threats in the EU (in report for 2024 it is 25.79% and in report for 2023 it is 31.32% for all notified incidents).
Is a patient’s death just a matter of time?
The potential of ransomware as a threat to the lives and health of patients first emerged as a problem with the “WannaCry” software. Starting on May 12, 2017, dozens of medical facilities in the United Kingdom experienced delays in surgeries and cancellations of medical appointments. Although it was not the first attack of this kind, it was the largest at that time.
It should also be noted that later analysis revealed that mortality rates during the attack remained within normal levels, although there was a significant drop in the number of visits and admissions, corresponding to £5.9 million in lost hospital activity.
In 2024, the issue of disruptions caused by ransomware attacks on healthcare-related facilities in the United Kingdom resurfaced. A Russian-speaking hacker gang known as Qilin attacked the company Synnovis, which helps manage blood transfusions. As a result, during the first week of attack, 800 scheduled surgeries and 700 outpatient visits were delayed.
Following the attack, health officials distributed a “damage monitoring” form among staff, asking them to record any deaths linked to the cyberattack. According to media reports, the form included an option stating “the patient died as a DIRECT result of the incident”.
The above situations demonstrate that ransomware attacks on medical entities are highly problematic, and officials and prosecutors recognize the risk where the cancellation or delay of a procedure could result in a patient’s death.
Proactive measures – save the robots!
According to the authors, WannaCry also highlighted two significant issues in the healthcare sector:
- the lack of adequate training (users were deceived by phishing emails and installed malicious software);
- organizational, operational, and technical deficiencies in cybersecurity within medical facilities.
Moreover, the 2024 situation showed that despite early experiences in the United Kingdom, the problem continues to recur. The compromised computers were unable to properly operate medical devices, which meant that surgeries could not take place.
In the case of the EU, it is worth noting that healthcare has been identified as a critical sector since the inception of the NIS Directive. However, the revision of the directive, known as NIS2, introduces a range of new requirements and changes. The motivation for updating the regulations was partly driven by ransomware attacks, as explicitly stated in the directive’s preamble—those very attacks that paralyze hospitals and other medical entities.
NIS2 obliges entities, among other things, to ensure the security of both digital and physical supply chains. In such a case, devices supplied to hospitals must meet the appropriate requirements. For medical devices, the requirements of the MDR, IVDR and also MR regulations were applied. However, certain elements fell outside these legal frameworks, such as devices, apps, and cloud services that are not medical devices themselves, but are nonetheless integral components of many medical device ecosystems.
This is where the CRA – horizontal cybersecurity – comes to our aid. The new regulation addresses these issues by introducing the concept of a product with digital elements. Under this definition, hardware, software, and components will need to meet specific requirements, and manufacturers will be obligated to comply with certain duties under the threat of financial penalties. As, moreover, we can read in motive (2): “This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle”.
What is important is that manufacturers of advanced medical robots — will also need to meet the relevant requirements imposed on them from CRA. Among the most significant elements of the CRA is the issue of handling vulnerabilities, as well as the obligation for manufacturers to provide updates for a minimum of 5 years. For those elements that are not medical devices but are classified as “machines” and “products with digital elements”, the regulatory framework will be defined by the CRA and the MR.
Regulating medical equipment and its ecosystem is not only about ensuring operational continuity, but also about protecting health-related data. While ransomware may allow access to data after a successful attack, a properly functioning device can still pose a risk to data security. Understanding a device in terms of what it consists of and who is responsible for it can also help avoid situations like the case of Contec CMS8000, where a backdoor was discovered after a vulnerability report. This means that the vulnerability was intentionally created in the device’s functionality, putting the data at risk. The code responsible for this was publicly disclosed by the U.S. Cybersecurity & Infrastructure Security Agency:
In this case, patients’ lives were at risk, as the U.S. Food and Drug Administration indicates that the data could be manipulated. In the authors’ assessment, hacker activity on medical devices requires significant debate.
Published under licence CC BY-NC-ND.
