Increasing risks on the operating table: Why hospitals are increasingly targeted by cybercriminals
by Svenja Koch
Hackers are aware of the weaknesses in the IT security of hospitals. This is one of the reasons why attackers specifically select healthcare facilities as targets. In the context of an Advanced Persistent Threat (APT), attackers invest a lot of time and resources in preparing an attack. Here, they deliberately select targets with vulnerabilities in IT security. Attacks on hospitals are often promising because IT security has kept pace with the pace of digitalisation and is therefore often dangerously patchy.
Another reason why hackers choose hospitals and clinics as targets is the dependence of the healthcare sector on digital systems. If the digital payment system in a kiosk fails, this is annoying, but the operation continues or a failure is unproblematic for a certain period of time. If, on the other hand, systems in hospitals are affected, it is not uncommon for vital services to be at stake. Network-controlled infusion pumps are now widespread. Likewise, patient records are now purely digital. For this reason, in the event of a cyberattack, important medical equipment fails, as does access to patient information. Doctors and nurses then have no way to help patients. When it comes to vital systems, seconds or minutes matter in extreme cases. Therefore, failures of these systems, for whatever reason, are completely unacceptable.
The attackers are aware that the responsible persons in the hospital are forced to act quickly. If there is no way to restore the digital systems immediately, then the chances increase that the hospitals will respond to the blackmail attempts in order to regain access to the data.
The weaknesses of hospital IT security
A study by IT experts from the University of the German Armed Forces, the consulting firm Alpha Strike Lab and Limes Security at the end of 2020 revealed that one third of more than 1,500 hospitals checked had inadequate IT security. In some cases, the experts found glaring gaps in the hospitals' IT security. Among others, servers with the Windows 2003 operating system were in active use. This version of the Windows operating system is several generations out of date and has not been provided with security updates by Microsoft since 2015.
In total, more than 900 critical vulnerabilities in the IT security of hospitals were identified during the investigation. The experts focused exclusively on publicly accessible areas of the networks.
Targets of cyber criminals in attacks on the health sector
The targets of the attackers vary. As already mentioned, the interests are often financial, but this is not the only reason for cyberattacks on hospitals. Attacks also target medical records. These are stored in digital form on the servers of hospitals. Such data are also among the targets of attackers, who use them to commit identity theft. In addition, some attacks fall into the area of industrial espionage. Especially since the beginning of the Corona pandemic, vaccine-related documents have been the focus of attention. Here, the attackers are interested in tapping information on the Covid 19 vaccines.
Consequences of cyberattacks on hospitals
Cyberattacks on healthcare facilities have serious consequences. As a result of the attacks on critical systems, patient care is affected. In September 2020, the university hospital in Düsseldorf was affected. Hackers had blocked the hospital's emergency care. A patient who acutely needed help therefore did not receive any care and had to switch to Wuppertal, 25 kilometres away. Shortly afterwards, the patient died in the hospital in Wuppertal. This sad example shows that cyber attacks on hospitals as well as the inadequate IT security of hospitals concretely threaten lives. More and more systems within hospitals are networked and function purely digitally. Cyber attacks with ransomware, for example, cause these systems to fail if the hospitals' IT security does not offer sufficient protection.
Attackers use these methods to overcome IT security in hospitals
The analysis of cyberattacks on hospitals shows that hackers primarily use web-based applications and application-specific attack methods. These attack vectors exploit vulnerabilities in client portals and interfaces for remote access. In recent years, healthcare institutions have increasingly deployed systems that use these technologies. These include technology from the field of telemedicine and remote device support. Analyses and statistics show that about 97 percent of attacks on hospitals take place via this route. At the same time, the number of attacks on healthcare facilities has increased by around 200 per cent year-on-year in 2020.
In mid-July 2021, the hospital in Wolfenbüttel, Lower Saxony, was the target of such a ransomware attack. Apparently, the hackers tried to blackmail the hospital. The attack cut the hospital off from the internet. Digital systems were also affected. So for the time being, the hospital switched its documentation to classic paper systems. Immediately after the attack, the IT department could not provide any information on how the attackers penetrated the hospital's systems.
At least current backups were available, so that a prompt restoration of the digital data was possible. Nevertheless, this example shows the impact cyber attacks have on hospitals and that IT security in hospitals far too often only reacts instead of taking preventive action.
Measures against the weaknesses of hospital IT security
IT security in hospitals must improve as quickly as possible to keep up with far-reaching digital developments. There are two main reasons why IT security has not yet reached this level: Firstly, a lack of financial resources is responsible for this, which is also evident in other areas of the hospitals' IT infrastructure. Servers with the Windows 2003 operating system, for example, bear witness to the fact that systems have been in use for decades, which indicates an investment backlog. The IT departments then have to make decisions on where to use the scarce resources available. The topic of IT security in hospitals then often falls by the wayside.
On the other hand, lack of expertise is an obstacle. This is also partly related to the lack of budget for the IT departments of hospitals. The existing staff is already working to capacity and thus there is no time to deal sufficiently with IT security. In such large and complex digital infrastructures, however, IT security requires increased attention. This is evident in the private sector, which uses its own Security Operations Centres (SOC), where employees focus exclusively on IT security tasks. In hospitals, on the other hand, the IT department often has to perform this task additionally. In combination with the advancing digitalisation, the work pressure increases disproportionately. The end result is overburdened IT departments that cannot fulfil their core tasks.
In October 2020, the Bundestag introduced the Hospital Future Act. Part of the law is also to ensure future investments. The Act has created a Hospital Future Fund, which provides three billion euros from the Federal Government and a further 1.3 billion euros from the Länder. These funds are primarily used to support digitisation and the acquisition of modern technical equipment. Hospitals have the opportunity to apply for funding from this pot for investments. The Hospital Future Fund supports acquisition costs in this area proportionately with up to 30 percent.
In addition, binding safety standards now apply to hospitals that treat more than 30,000 full inpatients per year. These are among the critical facilities in the health sector and must fulfil the sector-specific requirements according to B3S in the area of IT security. For these hospitals, there is also the Hospital Structure Fund. Here, the federal government provides a further four billion euros in funding intended for investments in IT security.
Experts recommend the use of external service providers as a further measure to improve the IT security of hospitals. Expensive and labour-intensive tasks in the area of IT security can be outsourced in this way. This applies, for example, to the active monitoring of networks, which would otherwise be carried out by a SOC. The budget of many hospitals does not allow them to set up their own SOC. At the same time, it is increasingly important that hospital IT security has the means to monitor network actions in real time around the clock. External service providers take over exactly this task. This is the only way to establish a holistic cyber security strategy in hospitals.
The number of real-life cases in which hospitals are the victims of cyber attacks is increasing. In parallel, it is becoming apparent that in many cases, IT security in hospitals has major gaps and does not meet the required level to ensure a robust cyber defence. Dramatically, this poses a glaring threat to our healthcare system, as failures in critical healthcare can quickly put lives at risk. For these reasons, it is important that decision-makers review and, where necessary, improve IT security in hospitals. The federal government provides both guidelines for security standards and financial support. It is important that IT security in hospitals is both up to date and protects critical systems from increasing cyber threats. This requires both passive mechanisms, such as a properly configured firewall, and active techniques that ensure early attack detection and report network anomalies around the clock so that immediate action can be taken.