Hospital cybersecurity: secure technology and trained employees go hand in hand
02.05.2019
When it comes to IT, the medical sector has a dilemma: On the one hand, digitization and networks are designed to save both time and money. Yet on the other hand, medical systems, physician offices, and hospital networks don't have nearly the same levels of protection as online stores, payment service providers or financial institutions. That's also partially due to an absence of risk awareness.
How many of the devices in this room will be networked in the future?
According to the "Hospital Study 2017" ("Krankenhausstudie 2017") by the global strategy consulting firm Roland Berger, more than 60 percent of German hospitals have been victims of hackers in the past. These cases are rarely made public - either because they are not considered newsworthy or because hospitals choose not to publicize the event, fearing a negative impact on their brand image or potential financial losses. One notable exception is the Lukas Hospital in Neuss, Germany. It came under attack by ransomware in the spring of 2016, paralyzing its computer systems for several days. Ransomware is a type of malicious software that blocks access to computer systems or encrypts the user's data until a ransom is paid. In May 2017, the "WannaCry" ransomware targeted several hospitals in the UK. Although there were no reported cases of harm to patients due to these incidents, the breakdown, disruption, and restoration of systems proved costly for the hospitals to resolve.
Employees are often the likely cause of hijacked hospital networks. They unknowingly open and click on malicious email attachments, plug in their own USB sticks or use weak passwords. This makes cybersecurity primarily a matter of responsible and vigilant behavior. Employees in hospitals and medical practices must be aware of cybersecurity threats and know which easy steps they can take to reduce the risk of falling victim to attacks. The BSI Group offers a playful and interactive security awareness training solution called "Wombat", which teaches employees to recognize and avoid the risks posed by emails, phishing attacks, and storage media.
Could connected medical devices pose a security risk?
Even though it happens unwittingly: Employees are most often the weak link in a hospital's IT security.
Entire networks are not the only targets of cybercriminals. These days, portable devices such as insulin pumps or pacemakers are wirelessly connected via Bluetooth. While this enables physicians and patients to easily manage diseases and adjust the devices via an app, it also creates a new gateway for those with criminal intent to tamper with systems that ultimately are a life-or-death tool for patients.
This is where manufacturers are tasked with implementing better security measures and precautions from the outset or delivering subsequent updates, whether for portable devices such as pumps and pacemakers or for inpatient networks. The Internet of Things is meant to improve processes in hospitals and medical practices in several ways: by making operating room equipment from different manufacturers compatible and able to communicate, by enabling shelves and medical cabinets to check and manage their own inventory and report missing items to the purchasing department, and by tracking portable and mobile devices. It is merely a matter of time before medical devices such as infusion pumps or patient monitors are all connected and centrally managed.
In the past, this integration proved difficult because there were no interfaces to connect devices from different manufacturers. These barriers are gradually being removed thanks to projects like OR.Net, which has created a universal interface over the past few years. In 2018, OR.Net released the service-oriented device connectivity (SDC) family of standards. The "Sim.Move 800" mobile operating table that was introduced by Simeon Medical during the 2018 MEDICA trade fair is one of the first devices to use SDC. Once more and more devices are equipped with SDC, operating room personnel will ultimately be able to monitor and control multiple devices effortlessly with one tablet or one dedicated touch screen. While this substantial advancement in healthcare technology improves hospital operations, it can also become a problem: a single insufficiently protected connected device can open the door to malicious software that shuts down an entire network.
Cybersecurity: more technology requires more training!
Technical measures are vital to build, use and protect secure networks and ensure cybersecurity in hospitals. However, they fall short on their own. The most advanced technology in the world is useless if it is not used properly and safely. When it comes to IT, people are often the weakest link in the security chain. That is why, in addition to common sense, hospital employees need effective security training to defend hospital networks against attacks and keep them safe.
The article was written by Timo Roth and translated from German by Elena O'Meara. MEDICA-tradefair.com