
Operational security in hospitals: better protection with the cloud

KRITIS hospitals have long been grappling with the question: How can we make our resilience more robust and provide the best possible protection against cyber attacks? With the new EU-wide NIS-2 regulation, small and medium-sized hospitals must now also ask themselves these questions. This article summarizes the benefits of NIS-2 and how you can improve your resilience with the cloud.

Data security and resilience in hospitals are becoming increasingly important

The topic of data security is becoming increasingly important for hospitals. Hardly a week goes by without the press reporting on cyberattacks on healthcare facilities.

The resulting damage for hospitals is complex: in addition to negative media coverage, there is the threat of economic consequences. Even more serious are system downtimes, which can sometimes last for several months, or the encryption of data by attackers, after which the data cannot be restored at all or only with considerable effort. The situation is particularly critical if the attack targets medical image data: this massively jeopardizes patient care, as image data is essential for diagnosis and treatment.

The new EU Directive NIS-2 creates additional urgency. This must be implemented at national level by October 2024 and affects not only KRITIS hospitals, which have already had to establish comprehensive security measures, but also small and medium-sized healthcare facilities.

NIS-2 stands for "The Network and Information Security Directive". The EU directive was published in December 2022 and came into force at EU level in January 2023. The aim of the directive, which must be transposed into national law by October 2024, is to regulate the cyber and information security of companies and institutions.

Which healthcare facilities are affected by NIS-2?

The NIS-2 Directive came into force as EU law in January 2023 and must be transposed into national law by the EU member states by mid-October 2024. In Germany, the "NIS-2 Implementation and Cyber Security Strengthening Act" - NIS2UmsuCG for short - is intended to ensure this implementation. The law is currently (as of July 2024) still in the legislative process.

However, the published draft bill for the NIS2UmsuCG shows that the management of hospitals and other healthcare facilities will be required to implement defined cybersecurity measures. In addition to protective measures, this also covers the ability to become operational again quickly during and after an attack. Failure to comply with the measures defined in NIS-2 could result in significant fines.

Whereas previously only KRITIS facilities - i.e. hospitals with more than 30,000 fully inpatient cases per year - had to comply with certain cyber security guidelines, smaller facilities are now also required to take measures to protect themselves against cyber attacks. NIS-2 applies to all healthcare facilities that employ at least 50 staff or have an annual turnover or balance sheet total of more than ten million euros.

NIS-2: What measures do hospitals need to take now?

The measures to be taken as part of NIS-2 are not insignificant. Hospitals must consider various aspects to increase cyber security.

According to the association "Der Mittelstand. BVMW", healthcare facilities must have the following aspects in mind:

  1. Risk management measures, such as technical and organizational measures for risk analysis, the handling of security incidents and the maintenance of operations.
  2. Obligation to register affected facilities with the Federal Office for Information Security (BSI).
  3. Obligation to report incidents to the BSI within 24 hours.
  4. Governance, meaning control of cyber security by the management, which is also liable for its implementation.
  5. Supply chain security, to ensure, among other things, that downstream service providers comply with cyber security measures and that continued operation is possible.

DICOM data: High risk potential due to the volume of data

Medical image data makes up the largest proportion of a hospital's total data volume. Depending on the number of beds and the CT, MRI and X-ray equipment available, over 100 GB of data can easily be generated every week. In our experience, a medium-sized hospital with 400 beds has an average of 30 terabytes of DICOM images alone in its archives.

Not only is the management of these large amounts of data a challenge for hospitals, but also their secure storage. With increasing digitalization, the necessary protective measures go far beyond special server rooms and failure concepts. Due to the close internal networking in hospitals, cyberattacks usually bring all processes to a complete standstill - including image data management.

Patient data in the cloud

More data security through cloud solutions

Cloud solutions are a tried and tested option for increasing data security. The cloud can be used in various forms in hospitals. In the area of image data management, for example, software-as-a-service solutions from the cloud, such as the TMD Cloud, ensure that medical image data is reliably archived outside the hospital and better protected against cyberattacks.

The advantages of DICOM archiving in the cloud include:

  • Professionally protected archiving of image data in data centers of external providers
  • Faster access to the geo-redundantly stored DICOM data in the event of hacker attacks and other disasters (e.g. fire, flooding)
  • Protected access to health data stored in the cloud, for example from other clinic locations or from the home office
  • Fast recovery of image data in the event of data loss on local systems

In the event of a crisis: quickly switch to emergency mode

In the event of an acute threat, hospitals must manage emergency operations as quickly as possible in order to be able to maintain critical care services - for example, the operation of the emergency room or cardiology or gynecology departments.

If hospitals have location-independent data storage, for example for their DICOM data in a long-term archive in the cloud, this can be restored and made available in the shortest possible time. Archiving newly generated X-ray, CT or MRI images in the cloud archive is also no problem - even if the PACS or HIS used is affected by the cyber attack.

This is because DICOM images can be transferred directly from the emergency modalities to the cloud. If the internet connection is cut, the required connection to the cloud can be made via a mobile hotspot specially provided for emergency operation.

Diagnostics of DICOM data in emergency operation

In addition to archiving and retrieving data, cloud solutions can also be used to ensure that diagnostic reporting can continue independently of individual workstations in the event of an attack.

The TMD Cloud from Telepaxx, for example, offers a web-based user portal that allows doctors to view DICOM data and findings securely via a web browser from any computer. This means that important departments can be brought back into operation quickly in the event of an acute threat.

Conclusion: Increase reliability with cloud and SaaS solutions

The data security of healthcare data is at great risk due to the increasing digitization of processes and the networking of systems. This is where the NIS-2 Directive comes in: it aims to improve data security in institutions in the European Union that are critical to society.

Innovative technologies such as cloud solutions and software as a service should play a central role in the development of a cybersecurity strategy in hospitals, as they can minimize risk and increase resilience.

External archiving in the cloud is particularly recommended for medical image data, the largest data volume in a hospital, in order to be ready for use again more quickly in the event of a crisis and to minimize possible data loss.

Further information

Would you like to find out more about how you can improve reliability by archiving image data in the cloud? Please contact us for a no-obligation consultation.
