18.09.2020

Hospitals targeted by cybercriminals


It happened early on Thursday morning: the IT systems of the University Hospital Düsseldorf failed, and nothing worked anymore. The authorities have since confirmed that the incident was a hacker attack. Isabel Pfeiffer-Poensgen, Minister for Culture and Science in North Rhine-Westphalia, told the state parliament that an extortion letter had been sent, but that it was withdrawn after the police became involved. The Düsseldorf University Hospital is one of the largest hospitals in North Rhine-Westphalia and treats up to 350,000 patients annually.

Because of the hacker attack, normal hospital operations are not possible. Ambulance transports to the emergency room had to be halted, people seeking help are advised not to come to the hospital for the time being, and upcoming treatment appointments have been cancelled or postponed.

This is not the first incident in which a hospital’s IT has been knocked out by a hacker attack. Hospitals, practices and research institutes are targeted by cybercriminals again and again. In the summer of 2019, the German Red Cross sponsoring company South-West fell victim to a ransomware attack; 13 hospitals were affected. Worse was prevented by a quick reaction and by shutting down the IT systems, but doctors and nursing staff still had to work with paper and pen for days. In December 2019, the Emotet malware spread in a hospital in Fürth, Bavaria. The Handelsblatt has also reported that since the beginning of 2020 – and thus since the coronavirus began to spread in Germany – the risk of cyberattacks on hospitals has continued to rise. For example, cybercriminals belonging to the right-wing extremist group “Coup d’Etat Orchestra” took advantage of the tense situation and sent an extortion letter to Health Minister Jens Spahn. It demanded the transfer of 25 million euros to a Bitcoin account in order to prevent large-scale hacker attacks on German hospitals. How the incident ended is not known.

Why are hospitals more likely to fall victim to cyberattacks?

The incident at the University Hospital Düsseldorf illustrates how massive the impact of a cyberattack on a hospital can be. Patient care is restricted, treatment appointments and operations have to be cancelled in extreme cases, and highly sensitive data can fall into the wrong hands. This gives hackers enormous leverage, which in turn makes hospitals a lucrative target for cybercriminals.

At the same time, hospitals are potentially very vulnerable to cyberattacks, because many different people have access to complex, networked computer systems. This demands a high level of IT security: on the one hand, sufficiently trained personnel who ensure the security of the servers and IT systems around the clock; on the other hand, hospital employees who have been made aware of cyber risks and adequately trained. The resources for such a high level of measures, whether money, time or personnel, are often lacking, which ultimately increases the risk of a cyberattack.

The most common types of attack are the spread of malware and ransomware. DDoS attacks are also becoming more frequent: these deliberately overload the servers, which ultimately also makes normal hospital operations and the associated healthcare impossible.

How cyber-secure is the German healthcare system?

A population-representative survey by PWC on the topic of “Data security in clinics and medical practices” from 2019 shows that 28 percent of respondents classify IT failures as a major risk with regard to possible complications during a hospital stay. The respondents rate the situation in general medical practices even more seriously: 45 percent believe that these practices are not at all, or at least not sufficiently, prepared for cyber threats.

Since 2019, the KRITIS regulation of the BSI (Federal Office for Information Security) has classified certain sectors as critical and worthy of protection because of their importance for the entire German population. Hospitals treating more than 30,000 inpatients are among them. These institutions must provide special evidence and meet IT security requirements, and they are obliged to report if they have been the victim of a cyberattack. However, this BSI regulation does not apply to smaller hospitals and doctors’ practices, which are independently responsible for their own IT security. According to the PWC study, 51 percent of respondents believe that small and especially rural hospitals are poorly or very poorly prepared for cyberattacks.

How can hospitals protect themselves from cyberattacks?

As in many other industries, comprehensive employee awareness is important. The respondents to the PWC study see it the same way: 87 percent said that education and training are suitable measures to minimize cyberattacks in clinics and practices.

Richard Renner, Managing Director at Perseus, says:

“A high degree of awareness, regular testing and training can help employees to be alert and attentive even in stressful situations. This will prevent the wrong click or download. If hackers are nevertheless successful in their attack, fast emergency management is essential. In a cyber attack, every minute counts to be able to prevent worse.”

In the case of hospitals, intensive and regular penetration tests can also help. IT experts test the IT systems extensively so that security gaps are detected at an early stage. The gaps can then be closed immediately, before a hacker can use them as an entry point.