Gaps in the system

Many hospitals are not well equipped against cyber attacks: insufficient linkage, too few IT specialists, no 24/7 monitoring – which can end quite badly. And now, AI is becoming yet another challenge for hospital managers. Prof Dr Volker Penter and Franziska Hain outline the dangers, their causes and possible solutions.

The thriller “Whistleblower” was recently shown on German TV channel ZDF. Its storyline: anonymous hackers have infiltrated the control systems of the fictitious Berlin Central Hospital. After a system failure, a patient dies. A Russian whistleblower claims that she has the code to save the day and can thwart further attacks – and she’ll do just that if she is paid millions, granted asylum in Germany, and accepted into a witness protection program.

The script is not based on a true case, and it doesn't necessarily involve dark forces in Russia, China or North Korea. But cyber attacks on hospitals are certainly not far-fetched. There are constant attacks by cyber criminals, which are often not made public. A hacker attack on Düsseldorf University Hospital in September 2020 was particularly dramatic. Around 30 servers were encrypted overnight, resulting in the hospital having no access to patient data anymore, communication being completely shut down and most of the technology in the operating theaters failing. As a result, emergency patients could no longer be admitted and cared for, and the hospital was at a standstill. No more ambulances or helicopters could arrive.
BSI speaks of a major threat
The Federal Criminal Police Office, which monitors hacker activities on the darknet, has noted a significant increase in global attacks on medical facilities. And the President of the Federal Office for Information Security (BSI), Claudia Plattner, calls cyber attacks on German hospitals “a major threat”. This applies to the entire healthcare sector and can be seen in numerous headlines over the past two years: “Medical service in Lower Saxony affected by hacker attack” ... “Caritas expects longer restrictions after hacker attack” ... “Cyber attack against the International Red Cross” ... “Hacker attack on CompuGroup Medical” ...

There are big differences in how well hospitals are equipped against cyber attacks. Unfortunately, however, we have to realize that the level of information security in many hospitals is not in line with the threat situation. To put it provocatively: the industry has to protect and save lives every day; protecting data consistently and permanently might often seem secondary to this and therefore does not have the importance it deserves. The guiding principle should be: just like a sterile scalpel in the operating theater, IT security systems must also be “sterile” and their security against any kind of attack must be a matter of course.

After all, hackers are after valuable personal patient data: clinics are of great importance for the provision of healthcare in society, and cyber criminals assume that management would rather pay a ransom than endanger their patients and risk damaging public trust. Additionally, private healthcare data can be sold on to third parties once the blackmailing is done. Renowned clinics face a further, special risk: where celebrities from all over the world are treated, the potential for blackmail is even greater.
Numerous gateways for hackers
There are many gateways for hackers in hospitals. The critical digital infrastructure (CDI) includes all digital systems and networks that are important for the operation and security of hospitals. These include electronic health records, medical devices, laboratory information systems, hospital information systems and more. The failure or impairment of these systems can have a devastating impact on patient care and the general functioning of a hospital.

The risks and dangers are as diverse as the points of attack:
  • Data theft and manipulation: cyber criminals can attempt to access patient data in order to steal or manipulate it.
  • Ransomware attacks: cyber criminals can use malware to encrypt hospital data, blocking access to vital patient data and demanding a ransom for its release. This can lead to significant delays in treatment and potentially life-threatening situations for patients.
  • Attacks on medical devices: manipulation of medical devices can lead to incorrect diagnoses and subsequently to incorrect treatments.
  • Cascading failures: as many devices are connected to each other in order to facilitate the exchange of information, an attack on one of them can also lead to a total failure.
  • Attack on hospital information systems: by interfering with organizational processes, the entire operation can be significantly disrupted. Patient care, scheduling and other important processes are at stake.
The problem is that the CDI consists of many individual systems that are often not seamlessly connected and are not monitored internally day and night. External solutions, from security consulting to testing and emergency drills and 24-hour monitoring, as offered by BDO Cyber Security, are often not used. There is a firm conviction that one has everything under control and can do without outside support. However, the technologization of the healthcare system also requires continuous improvement of security systems, and this is expensive.
Financial plight of hospitals
Unfortunately, many hospitals generated deficits in 2023. After covid, the number of cases fell and therefore revenue was lost, but costs remained. Staff costs make up 60 percent of the expenditure side of a hospital budget, and these are now rising significantly due to inflation compensation and competition for staff. The federal states, on the other hand, have been neglecting their duty to finance investments for years. For example, necessary investments in IT security systems are often delayed or simply ignored for a certain period of time.

There are subsidies for digitization in hospitals, but these are primarily initial subsidies for the purchase of hardware and software. However, in view of the high pace of innovation, updates and, particularly with regard to system security, new purchases become necessary after a relatively short time, and for these there is no follow-on funding.
BDO study: IT skills shortage
This plight is exacerbated by the shortage of IT specialists, as a new study by BDO in cooperation with the German Hospital Institute reveals. It is based on a representative hospital survey and comes to the conclusion that three quarters of hospitals have problems filling vacancies for IT specialists. On average, 14 percent of IT positions cannot be filled. The main reasons for this are shortcomings in remuneration, such as the inflexible wage structures in hospitals and lower pay than in other sectors.

This explains why hospitals employ comparatively few IT staff. Around a quarter of them have to make do with four full-time IT staff. And hospital managers are rather pessimistic about the future. Around half of those surveyed expect the IT job situation in their hospitals to deteriorate. Only around a fifth of hospitals expect the situation to improve.
AI requires new concepts
The challenges regarding the staff situation in IT will grow. The use of AI will accelerate digitalization and, as in many industries, also offer completely new opportunities in medicine. But what is currently happening? The euphoria in the economy is so great that nobody seems to be sufficiently concerned with the accompanying dangers. The application of AI is progressing rapidly, while regulations are only now being considered. This gap is dangerous. Potential damage caused by AI errors and mistakes may cost a lot of money. The damage in the healthcare sector and in hospitals in particular can cost lives.

That's why the leaders of the healthcare industry and hospital managers in particular should develop concepts for the regulated use of AI in patient care. And they should think about setting up cyber security measures now, before they are overrun by the technology.

Critical digital infrastructure
The critical digital infrastructure (CDI) in hospitals comprises a range of systems and technologies that are crucial for smooth operation and reliable patient care. These include the following.
  • IT infrastructure: networks, servers, and storage infrastructure for data exchange and communication between different systems.
  • Electronic patient records (EPR): digital systems for storing and managing patient information that contain confidential medical data and therefore require special protection.
  • Hospital information systems: systems for managing and organizing hospital processes, from personnel and scheduling to billing.
  • Laboratory information systems: systems that collect, manage, and analyze laboratory data to support medical tests.
  • Medical devices and networks: digital control systems for ventilators, infusion pumps, and monitors as well as for networking these devices in the Internet of Things (IoT).
  • Imaging diagnostics: digital X-ray, CT and MRI systems that play a crucial role in the diagnosis and treatment of patients.
  • Telemedical devices: digital platforms that enable the remote monitoring of patients and teleconsultation.