Could a cyberattack cause a death? Why police may miss the signs

By Bradley S. Robertson

A recent FDA warning on vulnerable patient monitors flagged cybersecurity risks that could allow unauthorized users to access and manipulate certain devices. [1] In the U.K., health authorities issued a cyber alert on Contec patient monitor firmware, warning of a potential backdoor and suspicious external communications. [2] These incidents are not just IT problems — they raise a harder question for law enforcement: what happens when a compromised system contributes to a patient’s death?

When a cyberattack intersects with healthcare or biotechnology, the result may not look like a crime. It may look like a malfunction, a bad outcome or a natural death. But in some scenarios, digital access can directly influence biological outcomes — altering device behavior, manipulating data or shaping clinical decisions in ways that cause harm.

That shift changes the job for investigators. A case that would normally fall outside criminal suspicion may need to be treated as a potential crime scene. The challenge is that the evidence often exists inside systems investigators cannot see and are not trained to examine.

Cyberbiosecurity — the intersection of cybersecurity and biological systems — collapses the distance between a network intrusion and a human casualty. For law enforcement, that convergence will reshape how deaths are classified, how evidence is preserved and how intent is proven.

Why these cases get missed

Investigators are trained to work within boundaries: victim, scene, weapon, timeline. Cyberbiosecurity dissolves those boundaries. The “scene” might be a hospital network, a medical device vendor cloud portal or a research lab workflow. The “weapon” might be a firmware change, a stolen credential or a subtle data manipulation that drives a lethal clinical decision without leaving traditional trace evidence.

For law enforcement, this is the difference between a malfunction and a murder. It is the interface where digital access can change biological outcomes to cause patient harm, manipulate lab results, alter medication dosing, influence fertility decisions or affect the integrity of genomic data that follows a person for life. [3,4]

In my Naval Postgraduate School (CHDS) thesis, I used scenario-based strategic foresight to stress-test how cyber-assisted biological harm could unfold. [5] The takeaway is blunt: when these cases fail, they fail at the beginning.

That failure tends to show up in the following ways:

  • Misclassification: A compromised medical device or workflow presents as routine failure, negligence or natural death. If it is classified incorrectly on day one, the evidence window closes.
  • Distributed, proprietary evidence: Proof is split across clinical systems, device telemetry, vendor clouds and contractors, often behind encryption and intellectual property protections.
  • Ephemeral data: Patch cycles, retention limits and routine troubleshooting overwrite digital evidence unless a preservation request is submitted. [6]
  • Hybrid expertise gap: These cases require digital forensics, biomedical literacy and traditional investigative skills. Most agencies do not have that combination and many cannot sustain it independently.

What departments can do now: A readiness roadmap

Law enforcement agencies do not need a new unit to begin. What they need is a preservation trigger, pre-established relationships, and a training plan aligned with agency size and scope. Think forensic readiness rather than perfect cyber expertise.

Write a cyberbio preservation trigger into policy

A preservation trigger is a short list of conditions that prompts an immediate hold on digital evidence, even if it is unclear whether a crime occurred. Consider triggers such as:

  • Unexpected death or rapid deterioration involving a network-connected medical device or monitoring hub
  • Multiple patients affected within a short period in the same unit, facility or workflow
  • Inconsistencies between device readouts and a patient’s observed condition, a warning sign cited in FDA communications. [1] Similar concerns have been raised internationally, including alerts about potential backdoors in patient monitor firmware. [2]
  • Unexplained remote access, unexpected updates, new accounts or support activity that does not align with the clinical timeline
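
The trigger conditions above can be checked mechanically against an export of device and access events. The sketch below is an added illustration, not part of the original article or any agency's or vendor's tooling; the event schema, the 24-hour look-back and the 6-hour clustering window are assumptions made for the example, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample export from a single unit; schema and values are hypothetical.
EVENTS = [
    {"ts": "2025-03-01T09:00", "type": "remote_login", "device": "MON-B", "ticket": "T-100"},
    {"ts": "2025-03-02T01:10", "type": "remote_login", "device": "MON-A", "ticket": None},
    {"ts": "2025-03-02T01:25", "type": "firmware_update", "device": "MON-A", "ticket": None},
    {"ts": "2025-03-02T02:00", "type": "readout_mismatch", "device": "MON-A", "patient": "P1"},
    {"ts": "2025-03-02T02:05", "type": "adverse_event", "device": "MON-A", "patient": "P1"},
    {"ts": "2025-03-02T03:40", "type": "adverse_event", "device": "MON-B", "patient": "P2"},
]
ACCESS_TYPES = {"remote_login", "firmware_update", "account_created"}

def _t(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M")

def evaluate_triggers(events, lookback=timedelta(hours=24), cluster=timedelta(hours=6)):
    """Return the sorted list of preservation triggers that fire for this export."""
    fired = set()
    adverse = sorted((e for e in events if e["type"] == "adverse_event"), key=_t)
    for a in adverse:
        # Trigger 1: unexpected death or deterioration on a connected device.
        fired.add(f"adverse-event:{a['device']}")
        # Trigger 4: access on the same device, before the event, with no
        # support ticket to explain it.
        for e in events:
            gap = _t(a) - _t(e)
            if (e["type"] in ACCESS_TYPES and e["device"] == a["device"]
                    and e.get("ticket") is None and timedelta(0) <= gap <= lookback):
                fired.add(f"unexplained-{e['type']}:{e['device']}")
    # Trigger 2: different patients affected within the clustering window.
    for i, a in enumerate(adverse):
        for b in adverse[i + 1:]:
            if a["patient"] != b["patient"] and _t(b) - _t(a) <= cluster:
                fired.add("multiple-patients")
    # Trigger 3: device readout disagreed with the observed condition.
    for e in events:
        if e["type"] == "readout_mismatch":
            fired.add(f"readout-mismatch:{e['device']}")
    return sorted(fired)

if __name__ == "__main__":
    for reason in evaluate_triggers(EVENTS):
        print("PRESERVE:", reason)
```

Any non-empty result is a reason to place the hold, not a finding that a crime occurred; the ticketed login on MON-B is deliberately not flagged because the support record explains it.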

Pre-negotiate access pathways with hospitals and MEs or coroners

When a cyberbio event occurs, the first 24 hours are a race between evidence preservation and restoration of care. Establish points of contact with major health systems, including IT security, biomedical engineering, risk management and legal counsel. Include medical examiner or coroner partners early. The goal is not to criminalize medicine, but to prevent accidental evidence loss.

Treat certain deaths as electronic crime scenes

NIJ guidance for first responders remains applicable: secure the scene, recognize digital evidence and avoid actions that alter data. [6] Cyberbio investigations expand the definition of “scene” to include the interface between biotechnology and digital systems.

Build a minimum digital autopsy checklist

Minimum elements should include:

  • Device identifiers such as make, model and serial number, along with photos of connections and display status
  • Firmware and software details, including version, update history and support tickets
  • Telemetry and audit logs, including storage location and retention period
  • Account and access history, including authentication details and credential use

If an agency cannot collect or interpret these artifacts, that is not failure. Failure is not recognizing their existence and allowing them to disappear. Preserving this evidence mirrors earlier investigative practices, such as collecting physical trace evidence before DNA analysis existed.

Train for cyberbio investigations like other high-risk cases

Cyberbio readiness is built through scenarios, checklists and repetition. Conduct tabletop exercises with hospital security teams, prosecutors and digital forensics partners. Use realistic scenarios, such as the “Death by 1,000 Bytes” vignette from my thesis, to surface investigative questions early. [5]

Translate existing frameworks into investigative expectations

Use established standards. NIST’s Cybersecurity Framework 2.0 provides outcome-focused guidance for logging, access control and recovery. [7] In healthcare, HHS’s 405(d) HICP outlines mitigation practices tied to patient safety. [8] For investigators, the key question is what should have been logged and what should still be recoverable after an incident.

Genomic theft and the next investigative black market

Cyberbiosecurity also involves data that functions like a weapon. Genomic data is uniquely identifying, persistent and reusable. [4] National counterintelligence authorities warn that foreign collection of U.S. genomic and health data poses both privacy and national security risks. [9]

For investigators, this introduces delayed-harm cases involving coercion, targeting, stalking and extortion that may emerge long after the initial breach.

Legal scholars have described “genetic paparazzi” scenarios, where DNA is collected without consent, and argue that current privacy frameworks may not fully address genetic information. [10] Emerging reproductive technologies further complicate this landscape. OHSU researchers have demonstrated a proof-of-concept method for converting skin cells into egg-like cells capable of early embryo development. [11]

Markets adapt quickly. A January 2026 NPR investigation found that tighter egg donation regulations in India contributed to an underground market facilitated through intermediaries and messaging platforms. [12] The implication for U.S. law enforcement is the increasing complexity of investigating crimes involving valuable biological material coordinated through digital systems.

Strategic foresight: The future crime scene is a system

Strategic foresight is a disciplined approach to reducing surprise. In my thesis, I used the VIRUS lens — volatile, interconnected, rapid, unpredictable, systemic — to describe why cyberbio threats are difficult to contain. These same characteristics make them difficult to investigate.

By 2030, three shifts are likely:

  1. Investigations will become partnership-driven, as agencies do not control the systems where evidence resides
  2. Expertise will become regional, relying on shared digital forensics and biomedical resources across jurisdictions
  3. Prevention will increasingly depend on forensic readiness, as accountability requires the ability to reconstruct events

Key takeaways for chiefs, sheriffs and investigative supervisors

Cyberbiosecurity will not emerge as a single, defined crime category. It will span homicide, fraud, extortion and exploitation. The common thread is that biological harm becomes a downstream effect of digital access. Here are some key considerations for law enforcement:

  • Write a cyberbio preservation trigger into policy and train it like any high-risk protocol
  • Build a standing contact network with hospital security, biomedical experts and legal counsel
  • Conduct at least one cyberbio tabletop exercise annually
  • Treat certain deaths as electronic crime scenes and preserve device context early [6]
  • Address genomic theft as a public safety issue, not solely a privacy concern [4,9]

If law enforcement waits for a high-profile incident to build readiness, it will remain reactive. The more effective approach is straightforward: preserve early, build partnerships and train ahead of the threat.

References

  1. FDA. Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed.
  2. NHS England. Potential Backdoor Embedded in Contec Health CMS8000 Patient Monitor Firmware.
  3. Murch RS, et al. (2018). Cyberbiosecurity: An Emerging New Discipline to Help Safeguard the Bioeconomy. Front. Bioeng. Biotechnol.
  4. NIST. (2023). Cybersecurity of Genomic Data.
  5. Robertson BS. (2025). Cyberbiosecurity Threat Forecasting.
  6. NIJ. (2008). Electronic Crime Scene Investigation.
  7. NIST. (2024). Cybersecurity Framework 2.0.
  8. HHS 405(d). (2023). Health Industry Cybersecurity Practices.
  9. NCSC. (2021). China’s Collection of Genomic Data.
  10. Heled Y, Vertinsky L. (2021). Genetic Paparazzi.
  11. Robinson E. (2025). OHSU News.
  12. Hadid, D. (2026). NPR.

About the author

Bradley S. Robertson is a detective sergeant assigned to Major Crimes with the Multnomah County Sheriff’s Office in Portland, Oregon, and a scholar-practitioner with more than two decades of investigative and public safety leadership. He holds an M.A. in Security Studies from the Naval Postgraduate School’s Center for Homeland Defense and Security (CHDS), where he graduated with distinction.
His master’s thesis — Cyberbiosecurity Threat Forecasting to Highlight Vulnerabilities in the Bioeconomy — used scenario-based strategic foresight to anticipate cyber-enabled biological harm and the investigative failure modes that follow. Robertson also serves as Vice President of the Oregon Homicide Investigators Association and has contributed to statewide standards and instruction, translating operational reality into practical readiness for the cyberbiosecurity era.