When a clinic's computers become the target of cybercriminals, human lives are at stake. The healthcare sector is becoming increasingly digitalized: patient data is no longer kept in paper files but on computers, data from pacemakers and insulin pumps is transmitted wirelessly to smartphones, and many medical devices are connected to the internet. This growing connectivity creates more avenues for cyberattacks, and those attacks can have fatal consequences. If, for example, an IT failure leaves nurses and doctors without access to patient records, medication can be given incorrectly: which dose of which drug does the patient receive, and at what time? An overdose can be life-threatening, especially with cardiac or diabetes medication. And in the OR, even a tiny manipulation of a medical device during an operation on a patient's heart or brain can lead to irreversible damage or death.

Network-enabled machines in medicine – a danger?

In the medical sector, digitalization and networking play an increasingly important role, whether in the OR, in the laboratory or in nursing care. The DaVinci surgical robot, for example, is already used in many US and German hospitals for minimally invasive surgery: the surgeon controls the instruments from a console, and the robot's arms execute the hand movements.

Laboratory robots handle potentially dangerous substances on behalf of humans, and nanorobots that travel through blood vessels to deliver drugs to the required location in the body are under development. The future of medical technology is promising, but it carries a persistent risk: every IT system is a potential target for cybercriminals if its security is inadequate.

As early as 2015, security researchers found almost 70,000 medical devices exposed on the internet with security vulnerabilities, including equipment for nuclear medicine, infusion pumps, anaesthesia machines and imaging systems. Cybercriminals find these vulnerabilities too. In July this year, the German Red Cross hospitals in Saarland and Rheinland-Pfalz fell victim to a ransomware attack. The malware encrypted databases and servers, shutting down the hospital group's entire network. As a precaution, the servers were disconnected from the internet. Patient care was not affected, but admissions and medical reports had to be done with pen and paper. After a few days the servers were put back into operation; fortunately, the data could be restored from a backup.

Earlier, in February 2016, the Lukaskrankenhaus in Neuss had been hit in the same way: an employee opened the infected attachment of a malicious email, which downloaded ransomware onto the internal IT system. The trojan spread to all of the hospital's computers, and within a very short time the staff of the highly digitized hospital had to switch back to analog documentation.

Major security vulnerabilities in healthcare facilities

Security measures in hospitals and other healthcare facilities are less mature than in large companies. Everyday hospital life is hectic: computers are often left unlocked when staff leave the workplace, and there is hardly time for software updates. Outdated devices and systems are networked with each other and with the internet, so security gaps open up in many places. The Neuss attack illustrates the primary entry point for cyberattacks, which is email. A lack of awareness among employees lets a malicious attachment run malware that encrypts, copies or steals data; the attackers then demand a ransom for decryption, usually in a cryptocurrency such as Bitcoin. In the Neuss case the data could be restored from a backup and no ransom was paid, but the systems still had to be shut down, and despite the backup the attack cost the hospital around 1 million euros.

How can hospitals protect themselves?

Cyberattacks are no longer just a problem for large technology corporations; the World Economic Forum's Global Risks Report 2019 ranks them among the biggest threats worldwide. In view of this, and especially of attacks on hospitals and other critical infrastructure, there is an urgent need to secure IT systems.

The problem: cybercriminals keep finding new ways to smuggle in malware and other harmful programs. A simple antivirus program is no longer enough to protect an entire organisation's infrastructure. Multi-layered filtering with detection mechanisms that recognise malicious emails before they reach a user's mailbox forms the foundation of protection.
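As an added illustration of what such an email filter does, here is a minimal attachment triage routine written for this page (it is not code from the original article or from any product). It assumes a hypothetical gateway policy: directly executable or script attachments are blocked, macro-enabled Office documents are quarantined for review, and the file type is judged by the content's signature rather than the declared file name, which catches the "Rechnung.pdf.exe" style double extension used in the attacks described above. The extension lists, the verdict names and the sample messages are all constructed for the example.

```python
"""Mail-gateway attachment triage: a minimal, illustrative filter (not a product)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: never deliver directly executable or script
# attachments; hold macro-enabled Office files for review.
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
               "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "iso", "img"}
MACRO_EXT = {"docm", "dotm", "xlsm", "xltm", "xlsb", "pptm", "ppam"}
# Benign-looking extensions commonly used as the decoy in a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}

# File-type signatures checked against the content, not the declared name.
MAGIC = {
    b"MZ": "pe",                 # Windows PE executable (DOS stub header)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",        # also the container of docx/xlsx/docm
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls, may carry VBA macros
}


def sniff(data: bytes) -> str:
    """Identify the attachment by its leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) with verdict in {'block', 'quarantine', 'allow'}."""
    name = (filename or "").lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if kind == "pe":
        return "block", f"{filename}: PE executable header, whatever the extension"
    if ext in BLOCKED_EXT:
        return "block", f"{filename}: executable/script extension .{ext}"
    if len(parts) > 2 and parts[-2] in DECOY_EXT:
        return "block", f"{filename}: double extension hiding .{ext}"
    if ext in MACRO_EXT or (kind == "ole" and ext in {"doc", "xls", "ppt"}):
        return "quarantine", f"{filename}: may contain macros"
    if ext == "pdf" and kind != "pdf":
        return "quarantine", f"{filename}: named .pdf but content is {kind}"
    return "allow", f"{filename}: no indicator"


def triage_message(raw: str) -> tuple:
    """Parse one RFC 822 message; return (overall verdict, per-attachment results)."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text/* parts decode to str
            data = data.encode("utf-8", "replace")
        results.append(triage_attachment(part.get_filename() or "", data))
    verdicts = {v for v, _ in results}
    if "block" in verdicts:
        overall = "block"
    elif "quarantine" in verdicts:
        overall = "quarantine"
    else:
        overall = "allow"
    return overall, results


def build_sample(filename: str, payload: bytes) -> str:
    """Constructed sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "station3@hospital.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        ("Rechnung_2019.pdf.exe", b"MZ\x90\x00\x03" + b"\x00" * 16),  # dropper
        ("Patientenliste.docm", b"PK\x03\x04" + b"\x00" * 16),         # macro doc
        ("Befund.pdf", b"PK\x03\x04" + b"\x00" * 16),                  # mislabelled
        ("Befund.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),               # clean
    ]
    for name, payload in samples:
        verdict, details = triage_message(build_sample(name, payload))
        print(verdict.upper(), details[0][1])
```

A real gateway would add archive inspection (the same checks applied inside ZIP attachments), macro extraction from Office containers, and a sandbox detonation stage; the point of the example is that the declared name is never trusted on its own.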

To reduce the success rate of social engineering attacks such as CEO fraud or phishing, hospital staff need IT security training that teaches them the characteristics of malicious email, reducing the risk that an employee spreads malware and causes further damage.

But the financial means to secure IT systems are limited, and the current regulatory situation also makes it difficult for hospitals to secure medical devices: once a device has been certified, changes to it, including software updates, may require re-certification, so patches are delayed or never applied. Ultimately, digitalization offers cybercriminals more attack vectors if security gaps are not addressed. Although no targeted cyberattack on a hospital is known to have harmed a patient, appropriate and effective precautions must be taken to prevent that possibility. The security of hospital IT infrastructure must be given higher priority, because any cyberattack on a healthcare facility can have not only financial but also health consequences.

Sources