A few months ago, a colleague told me that she’d given birth to her first child at a hospital in the midst of a ransomware attack. This is the kind of thing that happens when you work on cybersecurity: people confide in you about their terrible passwords, or how much they hate two-factor authentication, or that time they went into labor in a hospital with no working computers. I said something along the lines of “I’m so sorry, that must have been so hard,” and she said, “Oh, it was fine, people just kept coming into the room and asking me whether anyone had already examined me.” It didn’t bother her, she said—she just felt sorry for all the people working at the hospital who were trying to do their jobs without any idea what was going on with all their patients.
I’ve been thinking about that story a lot this week, after reading the Wall Street Journal’s account of the case of Teiranni Kidd. Kidd is suing the Springhill Medical Center in Alabama, where she gave birth to her daughter in July 2019 while the hospital’s internal computer network was down due to a ransomware attack. Her daughter Nicko Silar was born with her umbilical cord wrapped around her neck, a condition that caused severe brain damage; she died nine months later. According to the Journal, the heart rate monitor in the room registered signs of the fetus’s distress, but since the hospital computer network was down, the hospital staff was unable to monitor those signs from the monitor at the nurses’ station. After the delivery, the attending obstetrician obtained the readout from the patient’s room and texted the nurse manager to say she would have performed a Caesarean section on Kidd if she had seen it sooner.
So it’s not hard to understand why Kidd alleges in her lawsuit against the hospital and attending obstetrician that the ransomware attack led to her daughter’s death. But even if the ransomware is ultimately to blame for what happened, it’s still far from straightforward to sort out whether that means the hospital and its staff were at fault because of how they responded to the attack.
The crux of Kidd’s suit seems to be that she was not informed of the ransomware attack by anyone at the hospital and, more importantly, that the staff missed the warning signs on the heart rate monitor in her room. The first of these complaints seems reasonable, if a little strange. It is reasonable to expect that a hospital would inform its patients when dealing with a major cyberattack, but it is also a little surprising that patients would need to be formally notified unless a hospital was going out of its way to hide what was going on from them. The colleague who told me about her experience giving birth during a ransomware attack heard about it from nearly everyone who entered her hospital room. And even though Springhill didn’t immediately publicly acknowledge the attack, on the day Kidd was admitted to the hospital, it issued a press statement saying it had suffered a security incident, though it didn’t specify that the incident was a ransomware attack. So by the time Kidd entered the hospital, the ransomware attack—already more than a week old—certainly wasn’t a secret, but neither had the hospital been entirely transparent about what was going on. And I think, overall, Kidd is probably right to expect hospitals to notify patients when their computer networks are down.
I’m less convinced that it’s reasonable to expect those hospitals to be able to monitor all of their patients as continuously as they would when their computers are up and running normally, though. Springhill was doing the best it could with the resources available to it. Perhaps the patient care was not as good as it was prior to the attack, but what would the alternative have been—to turn patients away and send them to other hospitals? That’s what a hospital in Dusseldorf did last year when it was hit by ransomware. One of the patients who was forced to go instead to a hospital 20 miles away died from treatment delays.
There were very few good options for Springhill once its network was compromised. It could have paid the ransom—which it chose not to do—but that would have been no guarantee the criminals would have restored its systems. Even if paying up had gotten the hospital’s computers back up and running sooner, it would have helped fuel more ransomware attacks by funding the criminal enterprises that perpetrate them. It could have shut down the hospital or stopped admitting new patients, but those decisions might also have exacted a toll on patient care. Or the staff could have done their best with the resources they had available to them, which is what they did. And even though that choice ultimately had a tragic outcome, it would be a mistake to conclude that it was the wrong choice.
If Springhill should be held accountable for anything, it was allowing its systems to get compromised in the first place and not having a robust restoration plan in place to get its network back online faster (it took three weeks for the hospital to restore its computer systems). But the complaint barely mentions these issues. It alleges that Springhill withheld information about its “lack of adequate preparation and training for a cyberattack” and that the hospital “wantonly fail[ed] to have adequate rules, policies, procedures, and/or standards related to cyberattacks,” but it never actually describes in any detail the ways in which the hospital had failed to adequately prepare for and defend against ransomware. Without knowing more about how the ransomware infected the hospital and what technical remediation steps hospital management took in the aftermath of the attack, it’s difficult to know exactly how at fault it was.
Springhill shouldn’t be blamed for continuing to treat patients or even for not being able to monitor all of its patients as continuously as it would have had its computer systems not been down. If the hospital deliberately withheld information about the attack from patients, then it should be blamed for that, but that transparency issue still doesn’t get at the larger problem of protecting hospitals from ransomware, rather than just informing people when they’re attacked. Indeed, many patients in Kidd’s situation probably wouldn’t know what to do with that information or how to decide whether they needed to leave and go to a different hospital without the medical staff advising them. If Kidd’s case is successful, I fear the takeaway for other health care providers will be that they should not continue admitting patients during cyberattacks, or that they should pay ransoms to try to resolve these attacks faster, and those would be exactly the wrong lessons to learn from this incident.
The moral of Kidd’s story is that we need to do a much, much better job of helping health care organizations (and other institutions) defend themselves against ransomware and put in place incident response plans that enable them to restore their systems in a matter of hours, not days. It can sometimes be productive to use lawsuits to hold companies accountable for failing to protect themselves and their clients against cyberattacks, but only if those lawsuits actually focus on the right things—the things that could actually have prevented the attacks or minimized their impacts. Most lawsuits brought against organizations that fall victim to serious data breaches or cyberattacks, like Equifax or T-Mobile, focus on all the ways that the breached organizations failed to implement established security best practices—things like encryption or multifactor authentication or installing software updates. Those suits are not always successful, but they at least target the security failings of the organizations in question, thereby applying pressure to those (and other) companies to do a better job of implementing preventive and mitigation measures for future cybersecurity incidents.
But Kidd’s suit focuses on all the ways that the hospital was unable to monitor its patients as effectively during the cyberattack because its networks were down, rather than on the things the hospital could have done to prevent the attack or get its networks back up and running sooner. I’m not sure what hospitals are supposed to take away from Kidd’s complaint other than that if they can’t provide the same quality of care to patients during a cyberattack (and they almost certainly can’t) then they shouldn’t be treating patients at all when dealing with cybersecurity breaches. In that regard, it may prove counterproductive to the larger goal of actually incentivizing hospitals to do a better job defending against ransomware and preventing future tragedies.