It happened early on Thursday morning. The IT systems of the University Hospital Düsseldorf failed. Nothing worked anymore. In the meantime, the authorities have confirmed that the incident was a cyberattack. Isabel Pfeiffer-Poensgen, Minister for Culture and Science in North Rhine-Westphalia, explained in the state parliament that an extortion letter had been sent, but that it had been withdrawn after the police had been called in. The Düsseldorf University Hospital is one of the largest hospitals in North Rhine-Westphalia and treats up to 350,000 patients annually.
Due to the hacker attack, normal operations at the hospital are not possible. The ambulance service to the emergency room had to be suspended, people in need are advised not to visit the hospital for the time being and upcoming treatment appointments have been cancelled or postponed.
This is not the first incident in which a hospital’s IT is disabled by a hacker attack. It happens again and again that hospitals, practices or research institutes are targeted by cyber criminals. In summer 2019, the Trägergesellschaft Süd-West of the German Red Cross fell victim to a ransomware attack. Thirteen hospitals were affected. Worse was prevented by a quick response and shutting down the IT systems. Nevertheless, doctors and nursing staff could only work with pen and paper for days. In December 2019, the Emotet malware spread in a hospital in Fürth, Bavaria. In addition, Handelsblatt reported that since the beginning of 2020 – and thus since the start of the spread of the coronavirus in Germany – the risk of cyberattacks on hospitals has increased further. For example, cyber criminals belonging to the far-right group “coup orchestra” took advantage of the tense situation and sent an extortion letter to Health Minister Jens Spahn. It contained a request to transfer 25 million euros to a Bitcoin account in order to prevent large-scale hacker attacks on German hospitals. However, it is not known how the incident turned out.
Why are hospitals more often victims of cyber attacks?
The incident at the University Hospital Düsseldorf illustrates that cyber attacks on hospitals have massive consequences. Patient care is restricted, treatment appointments and operations have to be cancelled in extreme cases and highly sensitive data can fall into the wrong hands. As a result, hackers can exert massive pressure. This in turn makes hospitals a lucrative target for cybercriminals.
At the same time, hospitals are typically very vulnerable to cyber attacks, as many different people have access to the complex, networked computer systems. This requires a high level of IT security. On the one hand, this refers to sufficiently trained staff who ensure the security of the servers and IT systems around the clock. On the other hand, hospital staff must also be made aware of cyber risks and receive sufficient training. For this high level of measures, there is often a lack of resources, be it costs, time or personnel, which ultimately leads to an increase in the risk of a cyber attack.
The most common types of attacks include the spread of malware and ransomware. DDoS attacks are also becoming more frequent. This results in a targeted overloading of the servers, which ultimately also makes normal hospital operations and the associated health care impossible.
How cyber-secure is the German healthcare system?
A representative survey by PWC on the topic of “Data security in hospitals and medical practices” from 2019 shows that 28 percent of respondents classify IT failures as a major risk with regard to possible complications during a hospital stay. The respondents assess the situation in general medical practices even more seriously. Here, 45 percent believe that they are not at all or at least not sufficiently prepared for cyber threats.
Since 2019, there has been the KRITIS regulation of the BSI (Federal Office for Information Security), which classifies certain industries as relevant to attack and worthy of protection due to the importance and relevance they have for the entire German population. Hospitals that can accommodate more than 30,000 inpatients are among them. These institutions must provide special evidence and meet IT security requirements. In addition, they are subject to the obligation to report should they have become victims of a cyber attack. However, this BSI regulation does not apply to smaller hospitals and medical practices. These are independently responsible for their IT security. According to the PWC study, however, 51 percent of the respondents believe that small and especially rural hospitals are poorly or very poorly prepared for cyber attacks.
How can a hospital protect itself from cyber attacks?
As in many other industries, comprehensive awareness-raising among employees is important. The respondents to the PWC study also see it that way. 87 percent said that education and training are appropriate measures to minimize cyber attacks in hospitals and practices.
Richard Renner, Managing Director at Perseus, said:
“A high level of awareness, regular testing and training can help ensure staff are vigilant and alert, even in stressful situations. This prevents the wrong click or the wrong download. Should hackers nevertheless be successful in their attack, quick emergency management is essential. In the event of a cyber attack, every minute counts in order to prevent the worst.
In the case of hospitals, intensive and regular penetration tests can also help. In this process, IT systems are extensively tested by IT experts and security gaps are detected at an early stage. The gaps can then be closed immediately by the experts before a hacker can use them as a gateway.