Cyber Attack on Ukrainian Medical Facilities Sets ‘Dangerous’ Precedent: Experts
Dr. Lidiia Podkopaieva was about to click “send” on an order of new surgical instruments when her computer monitor suddenly went dark.
She speed-dialed the clinic’s technician but didn’t even have time to tell him what was wrong.
“We’re under cyber attack,” he told her. “Switch off the computer immediately.”
The call would kick off a “crazy week” as Podkopaieva and her staff struggled with the sudden loss of half the computers at the Left Bank Pediatric Clinic in Kiev, where she serves as medical director. The central phone system collapsed, digital appointments vanished and diagnostic machines dropped offline, interrupting at least one patient’s exam. Podkopaieva said no one suffered in the attack, but academics argue that even glancing blows to medical facilities like this one represent a damaging break with international norms.
“You cannot attack hospitals,” said Duncan Hollis, a Temple University professor and a former treaty lawyer for the U.S. State Department. Although what happened at Podkopaieva’s clinic fell short of the death and destruction that would constitute an unambiguous “attack,” Hollis said the disruption was still a step in a dangerous direction.
“It’s getting close to, if not across the line of, actual harm that international law might be prohibiting,” he said.
Podkopaieva’s pediatric clinic, part of Ukraine’s Dobrobut health group, was one of thousands of victims of the data-scrambling software dubbed “Nyetya” that erupted June 27. Unlike WannaCry, a similarly quick-spreading digital worm that also disrupted hospital work earlier this year, Nyetya’s masters appear to have had the ability to draw data from their targets – meaning they either knew or could have discovered who would be at the receiving end of their attack.
Podkopaieva said the disruption to Dobrobut was considerable.
“For a moment, we were blind and deaf,” she told The Associated Press in an interview at her clinic a week after the attack. Across Dobrobut, a CT scanner, a mammography machine and four X-ray machines were disabled after the worm crippled the Windows computers they were connected to. One patient had just finished being X-rayed when the cyber attack destroyed their scan, she said. Overall, about 100 examinations had to be canceled.
Dobrobut wasn’t alone. Ukraine’s Ministry of Health says public hospitals weren’t touched, but at least two other private medical institutions in Kiev were also affected, according to the Ukrainian website Censor.NET, which published a running tally of affected firms. The media group said several pharmaceutical companies also were affected by Nyetya and anecdotal evidence suggests pharmacies across Ukraine experienced shortages when the cyber attack derailed deliveries of medication.
Volodymyr Varenytsia, who runs a drug store in the Luhansk region of Ukraine, said he ran out of iodine and Citramon, a headache medicine, in the days after June 27. The shortage lasted until deliveries resumed a full week later. Meanwhile, he had to turn some clients away empty-handed.
“People suffered because of this virus,” he said in a telephone interview.
Podkopaieva’s clinic recovered faster.
She said staff moved swiftly and calmly to restore her facility’s systems and work around faults. Even when diagnostic work was canceled, every patient was still seen by a professional. Doctors wrote information down on paper, just as they had in the years before the hospital went digital. Within a day, the appointment system had been restored and by June 30, Podkopaieva finally ordered the instruments she was sending for when her computer went dead. They arrived that evening.
“We had good backups, which helped in part,” she explained. Training helped too, she said, “even if we never expected that medical organizations would be affected by a cyber attack.”
That anyone might be held accountable for the disruption seems unlikely.
Ukrainian officials have laid the blame for Nyetya at Moscow’s door, but Russian officials have denied any responsibility, and in any case hackers who operate at the scale of the June attack are notoriously difficult to bring to justice.
Even verbal condemnation has been hard to come by. U.S. officials have said nothing about the attack on Ukrainian medical facilities and little about the outbreak in Ukraine in general, despite the fact that spillover from the digital outbreak snarled traffic at American ports – formally considered critical national infrastructure – and disrupted several U.S. multinationals. A small U.S. care network, the Heritage Valley Health System, was also affected, with several operations rescheduled.
Academics said President Donald Trump’s administration was inviting trouble by not reacting publicly to cyber attacks on civilian infrastructure, whether at home or abroad.
Scott Shackelford, the chair of the Cybersecurity Program at Indiana University in Bloomington, said that the past progress toward setting international norms for behavior in cyber space “is in danger of eroding.”
“What’s needed is leadership, and right now that’s in dangerously short supply, especially coming from Washington,” he said.
Hollis, the Temple professor, said American leaders at the very least needed to speak up.
“We’re in this era right now that’s almost a constitutional moment for cyber security and cyber space,” he said. “When you’re silent in the face of bad behavior, that does sort of imply that it’s permissible.”