When the clinic’s computer becomes the target of cyber-criminals, human lives are at stake. The healthcare sector is becoming increasingly digitalized: Patient data is no longer stored in paper files, but on computers. Data from pacemakers and insulin pumps is transferred to smartphones via Wi-Fi. Many medical devices are connected to the internet. The increasing connectivity is causing more and more gateways for cyber-attacks, which can have fatal consequences. For example, if patient data is no longer accessible to nurses and doctors due to an IT failure, medication could be given incorrectly. Which dose of which medication does the patient receive at which time? An overdose can be life-threatening, especially with heart or diabetes medication. And there is also an immense danger in the OR: even a minimal manipulation of a medical device during an operation on a patient’s heart or brain can lead not only to irreversible damage, but also to death.

Network-enabled machines in medicine – a danger?

In the medical sector, digitalisation and networking play an increasingly important role – whether in the OR, in the laboratory, or in nursing care. For example, the DaVinci medical robot, is already being used in many US clinics and German hospitals for minimally invasive surgery. The surgeon controls the instruments from a control panel, and DaVinci’s robotic arms execute the hand movements.

Robots that help humans in the laboratory handle potentially dangerous substances and nanorobots that move through blood vessels to bring pharmaceutical substances to the required point in the body. The future of medical technology is promising, but also facing a constant danger: Because every IT system can be attacked if security is inadequate and represents a potential target for cyber criminals.

As early as 2015, security researchers found almost 70,000 medical devices with security breaches, including equipment for nuclear medicine, infusion devices, anaesthesia machines and imaging systems. The vulnerabilities are also found among cyber-criminals. In July this year, the German Red Cross in Saarland and Rheinland-Pfalz became victim of a Ransomware attack. The blackmail software encrypted databases and servers, thus shutting down the entire network of the GRC hospital. For security reasons, the servers were disconnected from the internet. However, the care of the patients was guaranteed at all times, patient admissions and medical reports were done with pen and paper. After a few days the servers of the GRC were put back into operation. Luckily, the data could be restored from a backup.

In the following year, the Neuss Clinic was targeted by hackers. An employee opened an infected attachment of a malicious email which downloaded a Blackmail Trojan onto the internal IT system, which spread across all of the hospital’s computers. Within a very short time, the employees of the highly digitized hospital in Neuss had to switch back to the analogue documentation methods.

Major security vulnerabilities in healthcare facilities

Security measures in hospitals and other health care facilities are less mature than in large companies. Everyday hospital life is busy, computers are often left unlocked when leaving the workplace, and there is hardly time for software updates. Outdated devices and systems are connected to each other through the Internet – security gaps arise in many places. The attack in Neuss shows that the main gateway to cyber-attacks is primarily via email. A lack of awareness among employees allows attacks with malicious attachments in emails to encrypt, copy or steal data. Hackers demand a ransom for decryption, usually in form of crypto currencies like Bitcoins. In the Neuss hospital case, the data could be restored thanks to a backup and no ransom was paid, but the systems still had to be shut down. Despite the backup, the cyber-attack cost the hospital around 1 million Euro.

How can hospitals protect themselves?

Cyber-attacks are no longer just a problem for large corporations in the industry, they belong to the world’s biggest threats, according to the World Economic Forum’s Global Risk Report 2019. In view of the global dangers of cyber-attacks, especially attacks on hospitals and other critical infrastructures, there is a great need for action to secure IT systems.

The problem: Cyber-criminals are using more and more perfidious approaches to smuggle in malware and other harmful programs. A simple anti-virus program is no longer enough to protect the entire company’s infrastructure. In-depth filter systems with sophisticated detection mechanisms, with which malicious emails can be detected at an early stage, form the basis for full protection.

To reduce the success rate of social engineering attacks such as CEO fraud or phishing, the hospital staff needs to learn more about the characteristics of malicious email through IT security training – that reduces the risk of an employee spreading malware and causing subsequent damage.

But the financial means to secure IT systems are limited. And the current legal situation also makes it difficult for hospitals to secure medical devices, because once they have been certified, they can no longer be changed – not even with software updates. Ultimately, digitalization offers more attack vectors for cyber criminals if security gaps are not considered. Although there has not been a targeted cyberattack on a hospital that has harmed a patient, appropriate and effective precautions must be taken to avoid this. The security of the IT infrastructure in hospitals must be given higher priority – because ultimately, any cyberattack on a healthcare facility can not only have financial but also health consequences.