Hospital Deaths Due to UPS Hack

The Angels Memorial Hospital in Los Angeles announced today that three deaths overnight in their intensive care ward were due to cyberattacks on the hospital’s backup power system. A local power outage led to the failure of critical medical devices when the hospital’s UPS systems failed to switch power to the battery backups designed to take over in the event of local grid failures. The hospital has not released the names of the victims. The Federal Bureau of Inquiry is investigating the apparent cyberattack that stopped the UPS control system from activating the backup power system. “Potential suspects have not yet been identified,” Johnathan Quest, FBI spokesperson, told reporters this afternoon; “But we are in the very early stages of the investigation.” SotoPower has been identified as the manufacturer of the uninterruptable power supply system used by Angels Memorial. Jake Hanley, company spokesperson, told reporters in a brief statement that the company was cooperating fully with investigators. “The security of our systems is a high-priority for our company,” Hanley said. In the early summer of 2022, the Israeli cybersecurity firm, BuddaHack, published a report outlining three vulnerabilities in the SotoPower HMI, the control system used in the medical facility power backup system. Last month the federal ECS-CERT, published an advisory about the same vulnerabilities. “SotoPower did not respond to our coordination efforts about the vulnerabilities reported by BuddaHack,” Immanuel C Securitage told reporters this afternoon. “We have no indication that the vulnerabilities have been addressed.” Hanley responded to questions about the reported vulnerabilities, “We are continuing to work on remediation efforts,” he said; “Our web site includes instructions to protect systems from outside access.” Ira Haaretz, a researcher with BuddaHack, told me that the vulnerabilities identified last summer could allow an attacker with access to the hospital network to reprogram the UPS control system. “These access control vulnerabilities provide a relatively low-skilled attacker with the ability to obtain administrative level access,” Haaretz said; “They do not require any significant programing capabilities beyond changing a publicly available URL.” A wrongful death lawsuit was filed today in Los Angles Superior Court on behalf of one of the families. Details were not available when this article was published.   CAUTIONARY NOTE: This is a future news story –Future ICS Security NewsRead More