Do Cyber-Criminals Care When Their Actions Kill Someone?

One of the biggest problems with cybercrime is the perpetrator’s distance from the victim. A criminal stealing a person’s credit card details or taking over their identity can compartmentalize, treating the victim as little more than a set of records (or, as online low-lifes like to call them, ‘fullz’).

They can choose to ignore the stress and misery that identity theft creates. Or they can assume that a bank will ultimately take care of the cost and pretend that it’s a victimless crime. They’d be wrong, of course, but the fact that their victim is halfway around the world and that they never have to directly watch the misery they impose helps them to think it.

What about mortal rather than financial outcomes, though? If a cyber-attack causes a death, would the attacker still sleep easily at night? A new study suggests that data breaches at hospitals have real-world consequences beyond stuffing criminal bank accounts.

Researchers at Tennessee’s Vanderbilt University and the University of Florida compared incidents of hospital data breaches with medical performance data across 3025 hospitals. They measured hospital quality by looking at heart attack rates and the time it took to get a patient to a cardiogram from when they got into the door.

In the three years after a breach, hospitals saw an average 2.7-minute increase in their average door-to-cardiogram time to 11 minutes. That’s significant, because the American Heart Association/American College of Cardiology (AHA/ACC) recommends a window of ten minutes or less, and exceeding that window worsens health outcomes.

This is a possible contributing factor to elevated mortality rates within 30 days of a cardiac event. Hospitals that experienced a data breach saw this rise by 0.36% in the three years afterward, the study found. That sets back general ongoing improvements in mortality rates across all hospitals by a year. More people die.

Why the spike in numbers? The researchers suggest that the extra security imposed after a data breach is responsible for the cardiogram delays. Paranoid hospital administrators, worried about repeat breaches, put more authentication measures in place. Poor usability leads to delays in fast-moving environments where every second is crucial.

This study, which analyzed data from 2012-2016, didn't even focus on the recent spate of ransomware attacks. These short-term breaches have acute impacts, forcing some hospitals to turn to paper-based records and snarling up administrative processes.

“Our findings suggest that ransomware attacks might have an even stronger short‐term negative relationship with patient outcomes than the long‐term remediation efforts studied here,” the paper said.

Perhaps the people behind these attacks don’t realize the human cost of what they’re doing. Perhaps they have an inkling but try not to think about it. Or perhaps—and this is the scariest thought of all—they just don’t care.

Danny Bradbury Contributing Writer