By Miriam Friedmann
Cyber attacks on critical infrastructures: how hospitals can protect themselves
One careless click on an email attachment is all it takes: ransomware from cyber criminals installs itself on the hospital server and, in the worst case, paralyzes the entire hospital operation. It is a medical and economic catastrophe that the German government is urgently warning KRITIS hospitals in particular about. There are effective protective measures, but they are far from being in place in all facilities. What a ransomware attack costs, how hospitals can protect themselves and what many facilities forget: an overview of the most important questions and answers.
![](https://www.telepaxx.de/wp-content/uploads/2024/09/Telepaxx-GmbH-Effizientes-Management-medizinischer-Bilddaten-0129-1024x683.jpg)
How dangerous is ransomware for KRITIS hospitals?
The latest status report from the German Federal Office for Information Security (BSI) says it bluntly: “Ransomware is still the biggest threat”. Although initial legal measures such as mandatory information security management systems (ISMS) are already having an effect, there were 21 reportable cyber incidents in KRITIS hospitals in 2023 alone.
The consequences for patient safety are immense, quite apart from the immediate economic damage and long-term financial losses due to the loss of trust and image.
Hospital staff who have already experienced the consequences of a cyber attack, for example on an intensive care unit, also give a stark warning on the TV channel ARD.
What are the costs of a ransomware attack?
There is no general answer to this question. However, the purely financial costs can quickly run into the millions. Two examples:
- The first publicized attack on a hospital caused around one million euros in damage within five days, i.e. 200,000 euros per day. That was in 2016, and the affected hospital, the Lukas Hospital in Neuss, was comparatively small. The Managing Director gave this figure in an interview in 2019. Converted to the hospital's 537 beds, this corresponds to a loss of around 372 euros per bed per day.
- According to the Frankfurter Allgemeine Zeitung (paid content), one of the most well-known attacks in the industry, on Frankfurt University Hospital, cost “millions” of euros.
What is ransomware?
Ransomware is malware developed by cyber criminals. It installs itself on the system, for example, by carelessly clicking on email attachments. The criminals' aim is usually to encrypt data and then extort a ransom from the infected company to decrypt it.
Do ransomware attacks also affect smaller hospitals?
Yes, the federal government also strongly advises non-KRITIS institutions to contact government agencies such as the Federal Office for Information Security before an attack and to introduce various measures to improve information security.
The new EU-wide NIS 2 Regulation introduces mandatory measures to improve cyber security. The regulation affects all medical facilities with at least 50 employees or an annual turnover or balance sheet total of more than ten million euros.
Why is 24/7 access to data so important for KRITIS hospitals?
Rapid diagnostics, particularly in the emergency departments of KRITIS hospitals, is virtually impossible without data.
If doctors cannot access patient files, X-rays and the like, this puts people's lives at risk. The same applies to operations and all situations in which doctors and medical staff have to make decisions under time pressure.
Which systems are at risk?
In principle, every IT system is at risk, whether in administration or medical technology. However, the German Hospital Federation defines various systems as part of the critical infrastructure.
In addition to the Hospital Information System (HIS), this also explicitly includes the Picture Archiving and Communication System, or PACS for short, which is used to view and report on X-ray, CT and MRI images and the like.
Due to the large volumes of data and the high sensitivity of the data processed and archived there, PACS systems are an attractive target for attacks and encryption.
Why is image data encrypted by ransomware a patient safety issue?
In its comprehensive paper on industry-specific security standards, the German Hospital Federation explicitly points out that access to image data is of serious importance for patient safety, particularly in time-critical situations such as operations.
The integrity of the data is also crucial. A ransomware attack, for example, could result in images being assigned to other patients.
Why is the PACS in hospitals of all places vulnerable to cyber attacks?
Image data is usually exchanged via the DICOM interface. Although this is a proven communication standard, it has glaring shortcomings in terms of cyber security as it is typically deployed.
Normally, neither the communication nor the stored data is encrypted by the PACS. In many cases, there is also no modern user and role management in place to prevent unauthorized access; a sender is often identified by nothing more than its application entity (AE) title.
If image data is not stored redundantly - for example in a separate archive - the risk increases further.
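As an added example that is not from the page or from Telepaxx: a small Python check, of the kind an archive-side monitor or intrusion detection rule could run, that decodes the fixed header of a DICOM association request (A-ASSOCIATE-RQ) and compares the calling AE title and source address against an allow list. The AE titles and addresses are hypothetical; what the code makes visible is that without TLS these titles travel in cleartext and that an AE title on its own does not authenticate a sender.

```python
import struct

# Constructed allow list (hypothetical values): calling AE title -> source IPs
# from which that modality is expected to open associations with the archive.
ALLOWED_NODES = {
    "CT_ER_01": {"10.20.1.15"},
    "MRI_MAIN": {"10.20.1.22"},
}
ARCHIVE_AE = "PACS_ARCHIVE"  # the called AE title the archive answers to


def build_associate_rq(called_ae: str, calling_ae: str, items: bytes = b"") -> bytes:
    """Build a minimal A-ASSOCIATE-RQ (constructed sample; real requests also carry
    application-context and presentation-context items in the variable part)."""
    body = (struct.pack(">HH", 1, 0)            # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii")
            + calling_ae.ljust(16).encode("ascii")
            + bytes(32)                         # reserved
            + items)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_rq(pdu: bytes) -> tuple[str, str]:
    """Decode the fixed part of an A-ASSOCIATE-RQ (DICOM PS3.8, 9.3.2): type(1)
    rsvd(1) len(4) version(2) rsvd(2) called AE(16) calling AE(16) rsvd(32).
    All of this is readable on the wire unless the association uses TLS."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    length, version = struct.unpack(">xxIHxx", pdu[:10])
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match payload")
    if not version & 0x0001:
        raise ValueError("unsupported protocol version")
    called = pdu[10:26].decode("ascii").strip()
    calling = pdu[26:42].decode("ascii").strip()
    return called, calling


def check_association(pdu: bytes, src_ip: str) -> list[str]:
    """Return findings for an incoming request; an empty list means it is allowed."""
    findings = []
    try:
        called, calling = parse_associate_rq(pdu)
    except ValueError as exc:
        return [f"malformed request from {src_ip}: {exc}"]
    if called != ARCHIVE_AE:
        findings.append(f"wrong called AE title {called!r} from {src_ip}")
    expected_ips = ALLOWED_NODES.get(calling)
    if expected_ips is None:
        findings.append(f"unknown calling AE title {calling!r} from {src_ip}")
    elif src_ip not in expected_ips:
        # AE titles are not secrets: a known title from an unexpected host is the
        # case that AE-title-only "authentication" cannot distinguish.
        findings.append(f"AE title {calling!r} reused from unexpected host {src_ip}")
    return findings
```

Pairing the calling AE title with the expected source address is a minimum; enforcing TLS on the DICOM port and proper user and role management in the PACS is what actually closes the gap.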
How can hospitals protect themselves against cyber attacks?
The bad news: even if you follow all the best practices for “cyber hygiene”, there is no such thing as 100% protection. These best practices include, for example, the use of strong passwords, physical access protection measures, security information and event management (SIEM) and a security operations center (SOC).
The good news: nevertheless, all medical facilities can significantly minimize the economic and human impact of a ransomware attack by backing up operationally relevant data such as their image data in multiple copies, geo-redundantly and, above all, in a form that is immediately available in the event of a cyber attack. Such business continuity management (BCM) concepts go far beyond a simple backup copy.
What does a coherent emergency concept look like?
As experts in secure image data management in the hospital sector, we recommend that KRITIS hospitals in particular have a comprehensive emergency concept for image data in the event of a successful cyber attack.
We have summarized the most important points for you in a checklist:
- Independent image data archive that allows access to the data backed up in parallel to normal operation within minutes in an emergency - even if the PACS or HIS fails.
- Geo-redundant backup of image data outside the hospital. Geo-redundant means that the data is stored on servers in different regions in Germany. This means that the data can be retrieved even if, for example, the power fails in a region near a hospital or a natural disaster occurs.
- Encrypted data communication and storage in accordance with data protection and the GDPR
- Access to image data via a cloud PACS in combination with mobile data hotspots ensures that emergency operations can be ramped up quickly.
- Functioning image data management in crisis situations - even if the hospital network, important applications or the entire IT infrastructure fail
What legal measures must hospitals take?
The German government has legally defined minimum standards for cyber security and business continuity management (BCM) for KRITIS companies in the KRITIS Ordinance (BSI-KritisV). In addition, there are further legal regulations such as
- The IT Security Act 2.0 expands the KRITIS regulation of 2015 and, since May 2021, explicitly requires the use of systems that detect cyber attacks (Section 8a (1a) BSIG). This is intended to detect digital attackers who are already in the network but have not yet started encrypting the data.
- With the EU's NIS-2 Directive, Germany is significantly expanding the BSIG measures, and also the group of institutions that need to take greater care of their IT security. NIS-2 is to be implemented in Germany by October 2024 through the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG).
- The KRITIS Umbrella Act will regulate the resilience and physical security of critical infrastructures from 2024. With this law, Germany is implementing the requirements of the EU directive “EU RCE”. This law provides for additional obligations for operators of critical facilities and tightens the requirements for BCM in particular.
Which hospitals are covered by the statutory regulations?
Around 120 larger hospitals in Germany with more than 30,000 inpatient cases per year are subject to the statutory KRITIS regulations.
However, NIS-2 now also obliges healthcare facilities with more than 50 employees to implement stricter cyber security measures - in our opinion, this affects almost every hospital in Germany.