IT security in hospitals

Cyber criminals do not only target the private sector but also increasingly set their focus on critical infrastructures such as hospitals. When it comes to IT security, however, hospitals are confronted with specific challenges which make it harder for them to protect their infrastructure and people. The German Federal Office for Information Security (BSI) warned that this might lead to serious consequences in this year’s report about the state of IT security.

Famous cases

This year’s report about the state of IT security by the German Federal Office for Information Security recently confirmed that hospitals are increasingly targeted by hackers because of their societal relevance and specific working routines. None of the other critical infrastructure sectors reported as many incidents to the Federal Office as the healthcare sector (in Germany, they are legally required to do so in the case of an IT incident). Among the most common reasons: technical failure of the systems and cyberattacks specifically targeted at employees.

  1. Ransomware disrupts emergency operations at Düsseldorf’s university hospital

    Düsseldorf’s university hospital reported a ransomware attack on its systems in September 2020. In that type of attack, cybercriminals encrypt data and later demand a ransom for unblocking the systems. In the Düsseldorf case, the ransomware encrypted 30 servers and paralyzed not only the IT systems but also emergency operations for 13 days. Although the data was quickly decrypted again, it took nearly two weeks to restore and secure all systems. What was particularly dramatic was that the hospital could not provide urgently needed emergency care because of this lengthy recovery process. A woman had to be transported to a hospital further away in Wuppertal, which ultimately cost her life.

  2. WannaCry cripples medical devices worldwide

    Cyberattacks on hospitals are problematic considering both the danger of losing data or its misuse and the patients’ safety. The well-known ransomware WannaCry crippled dozens of hospitals and other healthcare institutions in 2017. They had to turn patients away from the accident and emergency department and had to suspend the treatment of patients with cancer or cardiac diseases because digital data was missing. The Internet of Things is increasingly common in hospitals: today, many medical devices are connected with each other via the Internet. The lives of patients are at stake when cyber criminals gain access to and control of this complex network.

IT security in hospitals meets specific challenges

These are the challenges that must be overcome

1. Sensitive health data

A hospital has access to very sensitive health data. The Hospital Information System (HIS) records, processes and passes on patient files which should by no means fall into the wrong hands. Ensuring cyber security, however, becomes more and more complex because of digitization in the healthcare sector, e.g. in the form of electronic patient files. All employees who use the Hospital Information System must therefore be made aware of possible attacks and trained to react to them.

2. Internet of Things (IoT)

Electronic patient files are not the only thing “going digital” in hospitals. Many medical devices for monitoring and examining patients are connected to the Internet as well as to each other. At the same time, they often run on different operating systems and thus have specific security settings. Securing these complex, networked systems against hostile intrusion is an ongoing process which demands a lot of time and money.

3. Little time and capacity

Working in a hospital involves a lot of time-sensitive requests and instructions. From head physician to administrative employee, staff on all hierarchy levels have limited time for patients’ individual concerns. The high workload and stress, further increased by the COVID-19 pandemic, make employees less careful when using the IT systems. Urgently needed employee training is also not yet on the agenda of most hospitals.

4. Outdated IT infrastructure

To ensure IT security, both employees and the infrastructure need to be resilient. In hospitals, many systems run on a 24/7 basis, making it harder to update and back them up regularly. This can leave gaps in security systems and, in case of an incident, it takes time to restore the systems. Another major problem in the sector is that there often is no money to replace obsolete software with a safer version. In many hospitals, the rule “better not change anything as long as it is running” still applies.

Hospital-specific IT

Reasons why hospitals are such a popular target

  • Click rates are above average – Difficult working conditions are one of the reasons why employees in hospitals click on phishing mails particularly frequently. While the average click rate in SoSafe’s phishing simulation is 18%, in hospitals 23% of employees click on the simulated phishing mails.
  • Healthcare data is particularly lucrative – Medical data is precious and lucrative for both the owner and cyber criminals. Patients’ data is often sold for higher prices on the darknet than credit card information.
  • Ransom payments are higher – A data theft in hospitals followed by a ransom demand is extremely expensive. On the one hand, hospitals are more likely to pay because of the highly sensitive data. On the other hand, there are tough legal consequences for hospitals – in Germany, a violation of the Critical Infrastructure Ordinance goes along with high fines.

Industry-specific training with SoSafe – customized to hospitals

How can the healthcare sector become safe? Answering this question is more urgent than ever before. Hospitals should aim at training all employees on how to handle ransomware attacks, since hospitals are one of the most important parts of public infrastructure. Improving IT infrastructure and developing effective emergency plans will not be enough in the long term. What is missing are preventive measures, especially those that focus on the human at the center of cyberattacks. All employees using the hospital’s information system must be made aware of cyberattacks and trained to detect and handle them. The most effective way is a combination of phishing simulations and e-learning. Small e-learning units explain secure behavior, e.g. how to act when receiving phishing mails, in a playful and illustrative way. In combination with phishing simulations, which confront the learners with realistic examples of such attacks, behavior can be changed sustainably while helping employees to deal with data, software and hardware. SoSafe’s industry-specific training is tailored to the needs of hospitals:

Advantages of SoSafe’s customized training

  • Time-efficient: The e-learning is time-efficient and can be completed in small units so that it fits into the employees’ tight schedule.
  • Tailor-made: Phishing mails are adapted to hospitals’ daily working routine, e.g. employees receive a payment notice for a fake medical technology invoice.
  • Customized: E-learning and phishing simulations can be customized to the hospital’s corporate identity with our customization engine – various placeholders can be filled in individually.

About SoSafe

SoSafe’s awareness platform continuously sensitizes and trains employees in handling IT security and data protection. Phishing simulations and interactive e-learning modules teach employees, in an effective and sustainable way, what to pay particular attention to when using e-mails, passwords or personal data. The company receives anonymous but differentiated reporting and can thus make awareness building measurable – fully GDPR-compliant.