Computers down? Patient reports are handed over personally. Back to the hospital of the 1980s. Inconceivable? In fact a hospital in Germany had to change its mode of operation last year, after its network was paralysed by the Trojan, Locky. The malicious software was smuggled in by an infected e-mail attachment and encrypted all data, making the digital exchange of patient data impossible.

IT security in healthcare

In this blog entry, we will deal with the issue of data and IT security in the health care sector after reviewing the topic of data protection in healthcare.

Medical facilities popular destination for cybercrime worldwide

Again and again, medical facilities worldwide are attacked by hackers. Only this year, British hospitals had to shut down their IT system for two days due to a cyber attack. The hospitals operation was hampered in the normal course and 2,800 appointments had to be canceled.

Already in the 2015 study published by KPMG "Health Care and Cyber Security", 80% of the CIOs, CTOs, security & compliance managers stated that systems had been attacked in their plants in the past 12 months. Three-quarters are of the opinion that they can discover unauthorized intrusion into their IT system – that means 25% do not even know that they have a problem and only about half are able to defend themselves after they have realized that they have been compromised.

For 2017 a record year is expected for cyber attacks on the health sector. Hospitals for example are vulnerable to networked medical devices and do not realize for a long time that an intruder is spreading further and further into the system. In addition, medium-sized health care facilities will become the target of cybercriminals more often.

How do cybercriminals penetrate and how can medical facilities protect themselves?

Reasons for, from an invader’s point of view successful hack, are often lack of virus protection, inadequate or missing network protection (firewall, port security) or outdated operating systems. In most cases, there is also a lack of a single responsible person who can build up, monitor and manage an all-encompassing IT security infrastructure.

Numerous accesses are also due to the undiscerning handling of IT devices. The lack of awareness and lack of knowledge about security risks in the handling of digital devices opens the way for attackers. Often, it is also the factor of time pressure that leads employees to deliberately or unconsciously violate compliance rules. If this illicit way of working (also known as shadow IT) is once established, it is very difficult to erase from the workplace.

In order to tackle these shortcomings, a reappraisal must take place and money must be spent in training for employees on the subject of IT security at the workplace and invested in a range of basic IT security tools such as anti-malware, firewalls and encryption software - ultimately, next to doctors also IT administrators will save patients’ lives in the future.

Laws and relevant regulations for data security in health care

The requirements for IT security in the health sector are laid down in laws and regulations.

In Germany, the Act on the Increased Security of Information Technology ("IT Security Law") requires a minimum level of IT security from the operators of critical infrastructures, including hospitals. The law for secure digital communications and healthcare applications ("eHealth Law") provides a roadmap for digital networking for self-management and for further steps with beneficial applications. It is intended to safely connect the doctor’s offices and hospitals and to provide a fast and secure exchange service for data between insured persons and the people who take care of them by means of a digital data highway, the telematics infrastructure.

At EU level, the "Directive on Network and Information Security" (which has not yet come into force) will place EU-wide minimum requirements on private and public operators of network and information systems. In the US, the Health Insurance Portability and Accountability Act (HIPAA) establishes the standards that require patient health information to be very well protected.

What are the consequences of cyber attacks now and in the future?

Due to the increasing digitization of processes and networking of devices, medical devices are a particular target. To date, cyber attacks against the healthcare sector have always aimed to make a profit. Hospitals are supposed to pay to avoid data loss and loss of reputation.

So far, no personal injury is known from externally manipulated devices. However, it has already been practically demonstrated with sample hacks that infusion pumps or anesthesia devices can be captured and controlled by unauthorized third parties, for example the dosage can be reduced or completely ceased - with devastating consequences for the patient.

The recovery of patients no longer depends solely on excellent medical staff, but also increasingly on how medical facilities are staffed and technically encompassed in the area of IT security. Hospitals should have a responsible person who can identify weaknesses in the system and fix them as quickly as possible so as to offer the smallest possible or even better no area of attack for cybercrimes.

The electronic exchange of data always offers such an area of attack. However, it is essential for the daily business in hospitals, clinics, doctors' offices, etc. With the help of adequate software solutions, such as Cryptshare the risk of being compromised, is limited to a minimum.

How can malicious software be smuggled into the IT systems of medical premises?

  • infected e-mail attachments
  • security vulnerabilities in the web browser
  • data exchange services such as dropbox
  • phishing attacks
  • malicious programmes: ransomware like blackmail-trojans
  • untrained / unskilled employees
  • networked medical devices
  • infected USB sticks