Trojan Horses in Hospital IT: Hackers Target the Healthcare Sector

"Smart" devices in hospital networks are a gigantic attack playground for cybercriminals

Bad Homburg, June 9, 2021–  In recent months, cyberattacks on the healthcare infrastructure have increased dramatically - and the gateways for hackers are many and varied. While companies and institutions are increasingly protecting themselves against phishing and malware, IoT devices - so-called smart devices connected to the network - are often overlooked as virtual targets. "Numerous devices in a modern IT network - routers, medical equipment, printers, surveillance cameras, sensors and much more - are all too often found to present weak points in their firmware that barely ever get patched, making it easy for hackers to exploit them. With the upcoming German legislation regarding hospital security, legal pressure is now building to ensure comprehensive security of IT and all components," says Rainer M. Richter, CEO of IoT Inspector. The company operates one of the leading platforms dedicated to auditing hard-wired device software (so-called firmware) for security vulnerabilities, efficiently closing these potential gateways for cybercriminals. The latest case - a strike against the Irish Health Service Executive (HSE) - shows that attackers are becoming increasingly creative: "The attack was highly sophisticated, not just standard," says Paul Reid, chief executive of the Irish Health Service Executive (HSE). As a consequence, the entire IT systems there had to be shut down.

Deadline: January 1st, 2022

By the end of the year, clinics and hospitals in Germany will have to strengthen and continuously monitor their IT security - not only in response to the increasing number of threats, but also to comply with legal requirements. Under Section 75 of the German Social Code, Book V, hospitals are required to take "appropriate organizational and technical precautions" to ensure IT security. As of January 1st, 2022, the IT security measures of all hospitals must thus conform to the latest standards.  In addition, regular proof must be presented to the BSI concerning the type and scope of the audits carried out, as well as a list of the security deficiencies uncovered. "This means that security audits and reports on securing the IoT devices used are also part of this duty to produce evidence," summarizes Rainer M. Richter from IoT Inspector.

Take advantage of the "Hospitals of the Future" funding program

In addition to KRITIS clinics, smaller hospitals must also increasingly protect themselves against cyberattacks - this is the only way to ensure the well-being of patients. "Any oversight in this respect can endanger people's lives - a clinic with no IT systems can hardly operate, as shown last year with the Uniklinik Düsseldorf," warns the Rainer M. Richter. The Hospital of the Future Fund (KHZF), which is being set up for this purpose at the Federal Social Security Office, currently provides funding of 4.3 billion euros. "For the first time in decades, the federal government is investing directly into hospitals from its budget: 3 billion euros will be dedicated to the digital infrastructure - for connectivity and not for isolated solutions," explained the Federal Minister of Health, Jens Spahn, after the 2020 resolution was passed. "Operators of a healthcare infrastructure should act quickly and comprehensively to eliminate the risks at all points. Together with our partners, we are happy to provide support in the area of IoT security," advises IT expert Richter.