As the latest incidents at the clinic in Neuss, Germany show, cyber dangers have become part of hospital managers' reality: ransomware attacks and encrypted patient data give attackers the opportunity to blackmail clinics. Beyond that, attacks can massively disrupt workflows and cause heavy reputational damage. Considering the networking of crucial machines in operating rooms, a lack of security can even become a matter of life and death. To this day, hospitals are largely uncertain about where their security gaps are and which steps should be taken to close them. However, some basic guidelines are crucial to consider in the course of every conversion of security structures.

Security over convenience

Security over convenience is an approach that should always be the main guideline during the implementation of security infrastructures. Naturally, nobody will stop digitalization, and very often the networking of systems has its legitimacy. Still, it is not an end in itself. Before implementing a new connection between systems, two questions should be answered first: how much added value the connection actually brings, and whether it is still reasonable considering the attack opportunities it opens up. The WPS (Wi-Fi Protected Setup) function, implemented in a vast number of hospital devices, serves as an excellent example. The majority of these devices are already connected via physical cables and are therefore more or less safely connected to the central system. An additional WPS function for wireless connections therefore simply makes no sense, but it is readily usable as an entry point for intruders.

Departments and policies

Looking at the internal IT security infrastructures of most clinics gives security experts headaches. In many cases, the whole system is based on one or only a small number of servers, divided into functional areas by nothing more than an enormous number of switches. In this way, the entire infrastructure of the various clinic departments runs over the same network. This means, for example, that the accounting department has access to the electronic systems of all hospital wards. In a vast number of clinics, IT security experts were able to reach critical systems like artificial respiration machines and manipulate them from the guest Wi-Fi. Prevention and damage reduction can only be realized through clearly divided departments and strict guidelines. Different working units need different, independently operating network solutions.
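The segmentation the paragraph calls for can be written down as an explicit allow-list between network zones and audited against the traffic that is actually permitted. The following is an added example, not code from the article or from any vendor named in it; the zone names, services and policy entries are constructed placeholders for a hypothetical hospital network. It flags every zone-to-zone flow that the policy does not explicitly permit, and it also shows why a single flat switch fabric (every zone reaching every other on any service) fails the audit in full.

```python
"""Zone-based segmentation audit for a hospital network (constructed example)."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str  # "proto/port", or "*" meaning any service


# Hypothetical zones, invented for this example.
ZONES = ("guest_wifi", "accounting", "ward_a", "ward_b", "medical_devices", "ehr_core")

# Intended segmentation policy as an allow-list: (src, dst) -> permitted services.
# Every pair not listed here is denied. The services are illustrative placeholders.
POLICY = {
    ("accounting", "ehr_core"): {"tcp/443"},
    ("ward_a", "ehr_core"): {"tcp/443"},
    ("ward_b", "ehr_core"): {"tcp/443"},
    ("ward_a", "medical_devices"): {"tcp/443"},
    ("ward_b", "medical_devices"): {"tcp/443"},
}

# Constructed sample of flows as a firewall or flow export might report them.
OBSERVED = [
    Flow("guest_wifi", "medical_devices", "tcp/22"),  # guest Wi-Fi reaching a device zone
    Flow("accounting", "ward_a", "tcp/445"),          # accounting reaching a ward network
    Flow("accounting", "ehr_core", "tcp/443"),        # permitted by policy
    Flow("ward_a", "medical_devices", "tcp/443"),     # permitted by policy
]


def is_allowed(flow, policy=POLICY):
    """A flow is allowed only if its zone pair is listed and the service matches.
    A flow on '*' (any service) is never covered by a policy that lists specific
    services, because it is broader than what the policy grants."""
    services = policy.get((flow.src_zone, flow.dst_zone))
    if not services:
        return False
    return "*" in services or flow.service in services


def classify(flow, policy=POLICY):
    """Explain a violation: no path should exist at all, or the path is too broad."""
    if (flow.src_zone, flow.dst_zone) not in policy:
        return "denied_pair"
    return "allowed" if is_allowed(flow, policy) else "service_not_allowed"


def audit(flows, policy=POLICY):
    """Return every flow the policy does not explicitly permit."""
    return [f for f in flows if not is_allowed(f, policy)]


def flat_network_flows(zones=ZONES):
    """What one unfiltered switch fabric amounts to: every zone reaches every
    other zone on any service."""
    return [Flow(s, d, "*") for s, d in permutations(zones, 2)]


def reaching_critical(violations, critical=("medical_devices", "ehr_core")):
    """Violations whose destination is a zone where damage is immediate."""
    return [v for v in violations if v.dst_zone in critical]


if __name__ == "__main__":
    print("Observed flows not permitted by policy:")
    for v in audit(OBSERVED):
        print(f"  {v.src_zone} -> {v.dst_zone} {v.service}: {classify(v)}")
    flat = flat_network_flows()
    print(f"Flat network: {len(audit(flat))} of {len(flat)} zone pairs violate policy")
```

Running the script on the constructed sample reports the guest Wi-Fi to device-zone flow and the accounting to ward flow as denied pairs, while the flat-network model violates the policy on all 30 zone pairs, which is the concrete meaning of "the entire infrastructure runs over the same network".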

In-house over outsourcing

The increasing complexity of cyber threats also leads to rising prices of external security service providers. In addition, the legal aspects regarding the safe storage of health information are a complicated issue and will result in a lot of discussion shortly. Due to this situation, Bosen AG experts recommend comprehensive and future-oriented security concepts. Apart from technical components, the human and structural levels must also be taken into consideration. Awareness of information security has to rise significantly among all employees. Besides, the vulnerability of security systems to mistakes of single persons must be reduced. An individual, sustainable and holistic in-house solution can save money and builds a strong foundation for the further development of security structures in the face of increasing security requirements. The digitalization of hospitals will go on, and the current upheaval is the right moment to prepare clinics for the future.

Before taking the current job, the writer worked as a freelancer, providing IT security consulting for businesses as well as helping to develop solutions and build networks. He also teaches IT personnel at German schools and police agencies while endeavoring to develop countermeasures against cyber crimes. – Ed.

Copyright © KBR. Unauthorized reproduction and redistribution prohibited.