IT in Hospitals: More Protection Urgently Needed

Healthcare data is particularly sensitive and yet in many cases not adequately protected. This was the result of a statistical survey on the IT security of hospitals in Germany by LocateRisk. In addition to existing standards in the healthcare sector, the EU directive NIS2 will place even greater obligations on operators of critical infrastructures from 2023. The new requirements are designed to ensure that patient data in hospitals and other medical facilities is better secured against cyberattacks and data breaches. Among the obligations are timely updates, conducting security audits, cybersecurity training, and measures to improve supply chain security.

IT Security from an External Perspective: Hospitals in Germany

Data survey on the IT security situation of hospitals reveals weaknesses
The more critical a facility is to the functioning of society, the higher the risk that cybercriminals will target it, often combined with high ransom demands. The rapid increase in hacking attacks on healthcare facilities, and not only since the coronavirus pandemic, shows how real the threat is. Since January 2022, the Patient Data Protection Act (PDSG) has required medical facilities to take appropriate organizational and technical IT security precautions in line with the state of the art.

The audit of 1,286 hospitals shows considerable need for action in IT security. The data was collected by gathering and processing information from publicly available sources only, i.e. from the external perspective an attacker would also have.

The Results

Protected Mail Dispatch
Fifty-eight percent of the hospitals reviewed sent email partially unprotected (without an SPF record), making it easier for attackers to launch spam and phishing attacks through mail forgery.

Accessibility of the System Interfaces
44 percent do not adequately protect all database systems that belong to the hospital from cyberattacks. Unsecured systems that can be accessed from the outside make it easier for hackers to gain access to sensitive data.

Data Transmission Security
In addition, 90 percent allowed data transmission using outdated transport encryption, which makes data theft easier.

Obsolete Applications
In 41 percent, at least one application with a potential high-severity vulnerability was found. Applications missing security updates are an easy entry point for attackers.

GDPR Compliance
20 percent of hospitals used tracking cookies without user consent. In these cases, warnings and fines may follow.


Gain Clarity on Your Medical Facility's External IT Attack Surface

IT managers do their best to ensure the security of their IT infrastructure. But how can the current security status be continuously verified? With LocateRisk's IT security analysis, it's easy, safe and fast. Interested organizations can receive a security assessment of their IT landscape, including a 30-minute initial meeting with insight into the details, free of charge at: Tel. 06151 6290246 or email to:



Request your personal Live-Demo now

Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
