27% of all hacker attacks in the first half of 2016 targeted health facilities – shifting the focus to information security.

Digitization – an Achilles heel

It was an involuntary “blast into the past”: in early 2016, a computer virus virtually immobilized several hospitals in North Rhine-Westphalia. Staff members pushed their PC keyboards to one side and pulled out pens and paper. Ironically, the attack hit institutions known as digitization pioneers.
Author: Silke Kilz
It’s the dark side of digitization: more mobility and connectedness means more vulnerabilities for cybercriminals to exploit. The German Federal Office for Information Security (BSI) ranks ransomware as a major threat. Official figures are hard to come by, but a recent survey found that 78 of 89 healthcare institutions had sustained at least one ransomware attack in 2016.

Underestimated security risk

That’s no real surprise. Mobile computing, cloud applications and the Internet of Things have become absolutely essential for smooth, efficient processes in the day-to-day delivery of healthcare. Doctors and nurses at Robert Bosch Hospital in Stuttgart, for example, stopped bringing paper charts on their rounds a long time ago. Instead, they tote iPad minis that can instantly retrieve diagnostic and therapeutic information from iMedOne®, the central hospital information system (HIS). Doctors can explain courses of treatment, look up test results or enter new information such as medication changes without leaving the patient’s bedside.
A similar system supports Jena University Hospital. Here, Deutsche Telekom has installed a mobile version of i.s.h.med, an HIS developed by Cerner. Another mobile solution is in use at St. Joseph’s Hospital in Berlin. Obstetrics patients at this Catholic institution schedule all their appointments online using Deutsche Telekom’s “Secure Patient Portal” instead of making a phone call to the hospital.
Unfortunately, many hospitals underestimate the need to rigorously secure the data smorgasbord that their HIS represents. “Most hospitals have basic protection with a firewall and virus scanner, but little more,” said Prof. Thorsten Holz, Chair for System Security at Ruhr University of Bochum in an interview with Die Zeit, a weekly newspaper. The institutions are simply unaware of the risks and reluctant to invest time and money in a complex security solution.

The hospitals attacked by ransomware in early 2016 are highly digitized. Modern, innovative IT solutions optimize processes and ensure superior patient care. However, that also makes them juicy targets for hackers. Cyber criminals had smuggled in malware through e-mail servers, paralyzing the hospitals’ IT infrastructure. The fallout was disastrous. Within hours, the institutions were catapulted back to the previous century. ER employees took down patient information with a pen and paper. Laboratory equipment stood idle. Cardiologists turned away patients because they couldn’t get X-ray data back quickly enough. The hospitals were incapacitated.
The Act to Increase the Security of Information Technology Systems (German IT Security Act, ITSichG), which took effect in July 2015, requires operators of critical facilities to satisfy minimum IT security standards. The first part of the KRITIS Regulation to Implement the IT Security Act went into effect on May 3, 2016. It applies to the energy, IT, telecommunications, water and food sectors. The second part is expected in 2017. It will cover traffic, transportation, finance, insurance and healthcare and impose stricter security requirements on hospitals. Among other things, hospitals will be required to secure their IT using state-of-the-art measures and undergo security audits at least every two years. Major IT malfunctions will have to be immediately reported to the Federal Office for Information Security (BSI).

More than a firewall and antivirus program

Effective cybersecurity doesn’t have to be complicated or expensive, though. Just consider Robert Bosch Hospital. Here, the hospital’s IT team and T-Systems experts have installed a security information and event management (SIEM) system from AlienVault, a Deutsche Telekom partner. “The SIEM solution identifies potential threats early on – long before the horse has left the barn,” explained Sascha Müller, Assistant IT Manager at the charity hospital. To do this, the system collects millions of security-related log and event entries, assesses and collates them and then identifies trends and patterns in real time. As soon as the system spots anything out of the ordinary, it sounds the alarm so the IT team can take immediate countermeasures. Müller used an example to illustrate how the system works: “It looks for clues of a targeted attack – for example, the creation of a new admin user in Active Directory, the directory service used in Microsoft Windows Server, followed by a significant increase in network traffic.”
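The correlation Müller describes (a new admin account followed by a traffic surge) can be sketched as a rule over normalized events. This is an added example, not the hospital's or AlienVault's configuration; the field names, privileged group list, time windows and the 3x threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta
from statistics import mean

# Windows Security event IDs: 4720 = account created; 4728/4732/4756 = member
# added to a security-enabled global/local/universal group.
CREATED, GROUP_ADD = 4720, {4728, 4732, 4756}
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed list

def new_admins(events, window=timedelta(hours=1)):
    """Yield (user, time) for accounts created and then promoted within `window`."""
    created = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == CREATED:
            created[e["user"]] = e["time"]
        elif e["id"] in GROUP_ADD and e.get("group") in PRIVILEGED:
            t0 = created.get(e["user"])
            if t0 is not None and e["time"] - t0 <= window:
                yield e["user"], e["time"]

def traffic_spike(flows, start, lookahead=timedelta(minutes=30), factor=3.0):
    """Return the first sample after `start` above factor x the earlier baseline."""
    before = [b for t, b in flows if t < start]
    if not before:
        return None  # no baseline, so "significant increase" cannot be judged
    threshold = factor * mean(before)
    for t, b in flows:
        if start <= t <= start + lookahead and b > threshold:
            return t, b
    return None

def correlate(events, flows):
    """Alert only when both conditions occur in sequence."""
    alerts = []
    for user, t in new_admins(events):
        hit = traffic_spike(flows, t)
        if hit:
            alerts.append({"user": user, "promoted": t, "spike_at": hit[0], "bytes": hit[1]})
    return alerts

# Constructed sample data (hypothetical accounts and volumes, MB per 10 minutes).
T = datetime(2016, 3, 1, 2, 0)
m = lambda n: T + timedelta(minutes=n)
EVENTS = [
    {"id": 4720, "time": m(0), "user": "svc_backup2"},
    {"id": 4728, "time": m(2), "user": "svc_backup2", "group": "Domain Admins"},
    {"id": 4720, "time": m(5), "user": "jdoe"},  # ordinary new user, no alert
    {"id": 4728, "time": m(6), "user": "jdoe", "group": "Radiology Staff"},
]
FLOWS = [(m(-30), 110), (m(-20), 95), (m(-10), 105), (m(5), 120), (m(15), 900)]
print(correlate(EVENTS, FLOWS))
```

Neither signal alerts on its own here: the ordinary account creation and the modest traffic sample at minute 5 are both ignored, which is what keeps a rule like this quiet enough for a small IT team.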

Passed the trial by fire

The SIEM solution recently proved its value to the hospital. One or more attackers had tried to attack Robert Bosch Hospital’s IT system through a website. Since the website hadn’t been blacklisted anywhere and didn’t use any banned protocols, the hospital firewall didn’t block it. However, the SIEM system noticed that the site had been registered only a few hours earlier and so could potentially be a botnet operator. A check with the Open Threat Exchange community and an analysis and comparison of indicators of compromise revealed that it was, in fact, an attack.

Off-the-shelf security package

“T-Systems’ and AlienVault’s solution is essentially a pre-configured off-the-shelf security package,” said Müller. The sensors and SIEM solution were installed and configured at Robert Bosch Hospital’s data center. T-Systems cybersecurity experts monitor the systems 24/7 from a security operations center, assess signal criticality and take counteraction as needed. “Our IT department doesn’t have the resources to do all that work itself,” noted Müller. There’s another benefit, too. Rules and updates don’t have to be handled by the hospital itself, but end up on the platform through Deutsche Telekom’s involvement in the Open Threat Exchange community. “That quickly alerts other companies to current security threats, too,” said Müller.