The fight against the pandemic is apparently also exposed to a risk that could have massive consequences in the crisis: IT security is inadequate in at least one third of the hospitals in Germany. In many clinics, servers and software are out of date, and databases are exposed with nothing more than a password protecting them.
Protection against hacker attacks is incomplete. There are even hospitals still running old Windows Server 2003 machines, which have not received a security update from Microsoft since extended support for that product ended in July 2015.
This is the result of an investigation by IT experts from the Berlin consultancy Alpha Strike Labs, the Austrian company Limes Security and the University of the Federal Armed Forces in Munich. Publicly reachable entry points to the networks of 1,555 hospitals were analyzed in November and December 2020. Deficits were found at 36 percent of them.
More than 900 "critical vulnerabilities" were identified, Alpha Strike's managing director Johannes Klick told the Tagesspiegel. The study is available to the Tagesspiegel. The paper is to be presented in May at "CyCon", the conference of the NATO Cooperative Cyber Defence Centre of Excellence. The CyCon program committee has already accepted a summary.
Analysis of deficiencies in the IT security of Berliner Wasserbetriebe
Alpha Strike had already identified serious deficiencies in the IT security of Berliner Wasserbetriebe last year. There was a risk that sewage disposal could be paralyzed by hacker attacks. The Tagesspiegel reported on it. The water company then began to overhaul its IT security. Similar processes are apparently also necessary in many hospitals.
University hospital could not admit seriously ill woman after cyber attack
How dangerous cyber attacks on vulnerabilities in hospital IT can be was shown in September 2020 in North Rhine-Westphalia. A seriously ill 78-year-old woman could not be brought to the Düsseldorf University Hospital because Russian hackers had allegedly paralyzed its emergency care. The patient had to be transported to Wuppertal, 25 kilometers away. She died there shortly afterwards.
The IT experts from Alpha Strike, Limes and the Bundeswehr University looked at a total of 13,497 network services at the 1,555 hospitals: websites, e-mail and file servers and other services reachable from the internet. Scanning software developed by Alpha Strike was used, and data with a total volume of 1,483 gigabytes was evaluated. Of the network services analyzed, 32 percent are "weak points," said Klick. At more than half of the clinics, the software in use could already be identified from the servers' responses. This makes it easier for attackers to tailor their attacks to known vulnerabilities in exactly that software.
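The version disclosure mentioned above is the kind of finding a scan like this produces from nothing more than a server's own HTTP response headers. The following is an added illustration, not the study's scanning software and not code from any of the parties named in the article: it parses a handful of constructed response headers, flags any service that announces a product version, and matches known end-of-life products (the table of end-of-life dates is an illustrative stub to be extended from the vendors' lifecycle pages; host names and responses are made up).

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample responses (not real hospital data): the raw HTTP response
# headers an unauthenticated scan of a public web service would see.
SAMPLE_RESPONSES = {
    "host-a": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "host-b": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/5.6.40\r\n\r\n",
    "host-c": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

# Illustrative end-of-life table keyed by (product, major.minor); assumption:
# extend it from vendor lifecycle pages. IIS 6.0 ships only with Windows
# Server 2003, whose extended support ended on 14 July 2015.
EOL_PRODUCTS = {
    ("Microsoft-IIS", "6.0"): ("Windows Server 2003", date(2015, 7, 14)),
    ("PHP", "5.6"): ("PHP 5.6", date(2018, 12, 31)),
}

# Matches "Product/1.2.3" at the start of a header value; a bare product name
# without a version (e.g. "nginx", "ASP.NET") deliberately does not match.
VERSION_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


@dataclass
class Finding:
    host: str
    header: str
    product: str
    version: str
    eol_note: Optional[str]  # set when the disclosed version is end-of-life


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response head into a lower-cased header dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def assess(host: str, raw: str) -> List[Finding]:
    """Return one Finding per header that discloses a product version."""
    findings: List[Finding] = []
    headers = parse_headers(raw)
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if not value:
            continue
        match = VERSION_RE.match(value)
        if not match:
            continue  # product named, but no version leaked
        product, version = match.group(1), match.group(2)
        major_minor = ".".join(version.split(".")[:2])
        eol = EOL_PRODUCTS.get((product, major_minor))
        note = f"{eol[0]} (end of life {eol[1].isoformat()})" if eol else None
        findings.append(Finding(host, name, product, version, note))
    return findings


def assess_all(responses: Dict[str, str]) -> Dict[str, List[Finding]]:
    return {host: assess(host, raw) for host, raw in responses.items()}


def disclosing_hosts(results: Dict[str, List[Finding]]) -> List[str]:
    """Hosts whose headers leak at least one product version."""
    return sorted(host for host, findings in results.items() if findings)


def eol_hosts(results: Dict[str, List[Finding]]) -> List[str]:
    """Hosts running software past its vendor's end-of-life date."""
    return sorted(
        host for host, findings in results.items()
        if any(f.eol_note for f in findings)
    )


if __name__ == "__main__":
    results = assess_all(SAMPLE_RESPONSES)
    for host, findings in results.items():
        for f in findings:
            flag = f" -- {f.eol_note}" if f.eol_note else ""
            print(f"{host}: {f.header} discloses {f.product} {f.version}{flag}")
```

Run stand-alone, the script reports host-a (IIS 6.0, end-of-life Windows Server 2003) and host-b (Apache and PHP versions, with PHP 5.6 past end of life) while host-c, which names only "nginx", produces no finding. The remediation is on the server side: suppress version strings in the Server and X-Powered-By headers, and, more importantly, retire the end-of-life platforms rather than merely hiding them.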
Critical infrastructure hospitals are not better protected either
The experts were surprised that clinics that the Federal Office for Information Security (BSI) classifies as “critical infrastructure” and thus highly security-sensitive are also at risk. These are hospitals with at least 30,000 inpatient cases per year. The number is likely to be exceeded by far in the corona crisis. Given their size, the hospitals belonging to the critical infrastructure bear the brunt of the treatment of Covid-19 patients. Before doing their research, the IT experts expected that these clinics in particular would be well protected from hacker attacks.
But even there, IT security is "obviously not handled more professionally," said Klick. A "higher number of weak points" was found than in smaller hospitals. The so-called Kritis hospitals must regularly provide the BSI with evidence of their IT security status. These checks, especially the technical review, were apparently insufficient, said Klick.
Weak points nationwide
The experts do not name the clinics whose IT security was tested. They do not want to give hackers any clues about worthwhile targets. The study shows only maps on which blue dots mark the locations with weak points, scattered across the Federal Republic. The whole country is thus affected, with concentrations in Berlin and the surrounding area, the Ruhr area and regions in the southwest.
Federal Health Minister Jens Spahn (CDU) apparently also knows that German hospitals are often only moderately protected against cyber attacks. The website of his ministry announces that since January 1st, the Federal Social Security Office has been providing three billion euros via a "hospital future fund", to be invested in emergency capacities, digitization and IT security in hospitals. Another 1.3 billion euros come from the federal states. When applying for funding from the fund, hospitals must show that at least 15 percent of the money will be used to improve IT security. This is what the Hospital Future Act passed by the Bundestag in October 2020 provides. Klick is now hoping for the first progress: "that is a push in the right direction".
The IT expert and his partners carried out their nationwide test without a commission. The aim is to raise hospitals' awareness of the risk, said Klick. He and his colleagues appeal to the state to ensure the digital protection of hospitals. There is a lot of catching up to do.
Of course, the commitment of Klick and the other experts is not entirely unselfish. They hope that their know-how will be used to improve the IT security of hospitals and other critical infrastructures. At Berliner Wasserbetriebe, Alpha Strike had already triggered a salutary shock.