Cyber attack: How well are hospitals protected?
Are hospitals protected against attacks from hackers? A study got to the bottom of the matter.
The evaluation of the measurement data systematically collected as part of a master's thesis by electrical engineer Martin Darms speaks for itself: only 84% of the hospitals are sufficiently armed against cyber attacks. In some cases, there are even serious weaknesses, as Darms also shows in his thesis "Gefährdung Schweizer Spitäler gegenüber Cyberangriffen" (Exposure of Swiss Hospitals to Cyber Attacks).
The study works with a specially developed vulnerability index, the Hospital Vulnerability Index, abbreviated HVX. This index makes it easy to compare the various hospitals with one another. Values above 100 indicate that the hospital in question is vulnerable to attack. The lower this value, the better protected the hospital is from external attacks as well as from attacks within the hospital network.
Potentially dire consequences
An attack on a hospital can have devastating consequences: anything from a harmless outage of the hospital's homepage to a complete paralysis of hospital operations is possible, in the worst case with a fatal outcome for those in need of care. Think of emergency patients who are connected to lung machines, for example, or of urgent examinations that have to be carried out with medical equipment that is not available. As a result, no diagnosis or an incorrect diagnosis can be made.
With a little specialist knowledge and the right tools from the Internet, it is possible to cause considerable, even life-threatening damage, as recently reported in Spiegel Online 33/2015 in the article "Wehrlos 4.0". In a test, it was possible to shut down respirators with a DoS (Denial of Service) attack. It has long been suspected that this is possible. Of course, such an attack first has to penetrate the hospital network. Here, at least the Swiss hospitals studied are relatively well protected.
Different levels of security - enormous flood of data
Martin Darms on the results of his study: "I have been working for medical companies for over 20 years, so the internal tests do not surprise me. I know the situation from both sides. What did surprise me, however, are the very different safety levels after all. There are differences in the range of 10 times!" This means that some hospitals have 10 times worse protection than others.
With the consent of the respective IT managers, Darms examined 523 systems (medical devices, servers, clients) for vulnerabilities. The data was collected in 7 of the total 278 hospitals and clinics in Switzerland, corresponding to 2.5% of all Swiss hospitals and 4.1% of all nursing days in Switzerland. For a better comparison of the results and as a reference, he additionally included a clinic in Germany in the analysis; here, measurements took place on over 200 systems. From mid-February to the beginning of April 2015, scans were run for a total of almost 90 hours, resulting in over 5000 pages of scan reports, which the study evaluates.
Relatively well protected from the outside
The evaluation shows that most hospitals are well protected from the outside. There are 0.53 critical vulnerabilities per examined host; in other words, a critical vulnerability was present on every second system. Significant vulnerabilities averaged 6.21 per system. This means that it is relatively difficult for an attacker from the Internet to get into the internal hospital network. This is also in line with the findings from the Swiss Vulnerability Report 2015, although attacks via social engineering or phishing are not taken into account here.
From the inside "as full of holes as Swiss cheese"
The situation is quite different for security in the internal networks of hospitals, where there are serious vulnerabilities. Very outdated and no longer supported operating systems, standard passwords, unprotected test servers - these are the most frequent gateways for attackers.
Measurements taken internally show that 1.01 serious vulnerabilities exist per host examined. In other words, on average there was one critical vulnerability on each system. Significant vulnerabilities averaged 2.85 per system.
There are over 70,000 vulnerabilities in various operating systems and software components, with over 10,000 vulnerabilities classified as critical. The trend of newly discovered vulnerabilities is pointing steadily upward.
It is also interesting to ask whether there have already been targeted attacks on hospital IT infrastructures. In the U.S., the most common cause of data breaches is cyberattacks, which have increased dramatically over the past five years. The master's thesis is not just about collecting data; it also provides best practices on how to effectively protect against cyberattacks:
- Define and also enforce IT policies, define and follow processes.
- Train employees (raise awareness of phishing / social engineering attacks).
- Create a security concept with different zones and rights.
Last but not least, the regular use of vulnerability management tools contributes to the security of a hospital IT system.
Source: Martin Darms, mdarms@gmx.ch, thesis, MBA studies, at the Johner Institute for Healthcare IT