ePA

How secure is the Electronic Patient Record?

Since the beginning of the month, the Electronic Patient Record has been available in Germany, in which insured persons can store and manage their data in a central location. The central storage of their health data is intended to facilitate communication between patients and doctors. In the initial phase, however, patients will have to take care of filling their digital files themselves. There are also still data protection concerns: Patients will not be able to select which doctor has access to which parts of the medical record until 2022. For the time being, anyone who wants to use the Electronic Patient Record provides their doctor with all the information it contains – or none at all.

What is an Electronic Patient Record?

The Electronic Patient Record allows patients to voluntarily store their health and diagnostic data centrally in one place. The information it contains can be shared with doctors, pharmacies, and hospitals to shorten treatments or prevent duplicate examinations. In the future, patients will also be able to use the app to manage the information it contains. They can then decide which doctor can see which information. The digitization of bonus books, vaccination cards, and maternity records is also planned for the future.

When does the Electronic Patient Record come into effect?

Patients will be able to have their health insurers issue the Electronic Patient Record from the beginning of 2021. For the time being, however, they will have to fill it out themselves. Until July, it will only be available to around 200 practices and hospitals on a trial basis; only then will its use be extended to the whole of Germany. The health insurers, on the other hand, have no insight into the stored data, even though the Electronic Patient Record is intended to provide communication channels to their own health insurer. This prevents the insured person from suffering any disadvantages as a result of diagnoses or findings.

How secure is my data?

The Electronic Patient Record stores patient data in encrypted form. Data is exchanged with doctors and other healthcare facilities via the so-called telematics infrastructure (TI) network. However, critics have still identified security deficiencies here: For example, the TI’s virus protection is said to be insufficient to actually protect sensitive health data reliably. Lax IT security measures in medical practices are also a security risk. Easy-to-guess passwords or shared admin and access rights are unfortunately still commonplace in many medical practices. You can also read a comprehensive review of the current data security in healthcare as well as the criticism of the telematics infrastructure in our blog post here.

Cases from abroad, such as a successful hacker attack in Finland, have also shown how weakly protected our sensitive healthcare data still is. Experts therefore advise being selective about what information you want to include in the Record. The inclusion of psychotherapeutic documents is currently not advisable. This is because such data could have negative consequences for those affected when looking for new insurance companies or employers, should this data fall into the hands of third parties without authorization.

Unfortunately, the risks and benefits of the Electronic Patient Record must be weighed up here as well. On the one hand, centrally stored data enables faster and more cost-effective treatment. This saves time, costs, and nerves on both sides. However, if this sensitive data falls victim to a cyberattack, the insured person may suffer disadvantages, the consequences of which cannot yet be assessed.

Will you use the Electronic Patient Record? Join the discussion here.

DDoS attack on vaccination portal

DDoS attack on vaccination portal

At the end of December, vaccination against the COVID-19 virus began in the European Union; it has now become known that a cyberattack on the vaccination portal of the Association of Statutory Health Insurance Physicians in Thuringia and the Thuringian Ministry of Health had already occurred in December. This was probably a so-called DDoS (Distributed Denial of Service) attack. As the vaccination center announced, the servers were overloaded by a high number of requests and collapsed as a result. Booking vaccination appointments via the site was therefore initially not possible.

What is a DDoS attack?

This form of cyberattack is an attempt to paralyze a server, a website, or even just parts of a website. For this purpose, countless (and pointless) requests are sent to the respective server within a very short time. How many requests are necessary depends on the server’s capacity. In Thuringia, about 158,000 requests were necessary.

The requests are usually sent by a mixture of botnets and reflectors. Botnets are infected devices that the attacker controls directly by means of malware. These “zombie” computers then send misleading connection requests to other computers, the so-called reflectors. The reflectors do not have to be infected themselves: the attackers exploit the fact that modern devices are designed to “answer” queries. In this way, a comparatively small botnet suffices, and the attackers also cover their tracks, since devices that are not themselves compromised now support the attack.

Who is the target of DDoS attacks?

The good news, if you will, upfront: the target of such attacks is not private individuals. Such attacks usually target large websites and opinion leaders – but also, as the current case shows, the healthcare sector, governments, or banks. In other words, important and critical infrastructure. This is why some security experts classify DDoS attacks in the realm of digital warfare, as they can paralyze critical civilian networks and thus harm society.

It is important to note, however, that a DDoS attack does not primarily have monetary goals. It is often about protesting against a site that does not correspond to one’s own political opinion. Or even just to prove that one has the skills to carry out such hacks. These attacks become really critical when the primary goal is not to cripple the site, but other actions are running in the background. The superficial distraction facilitates the cover-up of a more serious hack in the background. If critical infrastructures are affected, a ransom demand can also follow in order to release the server as quickly as possible and get it up and running again.

For the current case, however, the background of the act is not further known.

How can you protect yourself from a DDoS attack?

Since you as a private individual are not the primary target of such an attack, the sobering answer here is: very little to nothing. However, your primary goal should always be to protect your PC as best as possible against malware being installed. After all, this is how you can at least prevent yourself from becoming part of the botnet. Therefore, always update your virus software on the devices you use in a timely manner. The router also plays an important role in protecting your network and should therefore always be up to date. The same applies to your passwords. Wherever possible, set up modern password protection with multifactor authentication. A password manager can help you keep track of your passwords.

As a web administrator, you basically have options available to defend against such attacks. For example, if you notice an unusual data stream in time, you can redirect it to a “black hole” (= a non-existent server). A bandwidth management tool as well as good virus software will help you in advance to fend off simple DDoS attacks if necessary. The last option is to rent a higher bandwidth to ensure availability despite high traffic. For your users, unfortunately, the only option is to wait until your service is available again.
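Noticing the "unusual data stream" in time is the first step of every defence named above. The script below is an added example (not from the original post or the Thuringian portal): it parses web server access log lines in Common Log Format, flags seconds whose request count is far above the normal rate, and reports whether the flood came from a few bots (per-IP rate limiting helps) or from many reflector-like sources (it does not). All log lines are constructed; the baseline rate and spike factor are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return source ip, second-resolution timestamp and request line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "second": ts, "request": m.group("req")}


def analyze(lines, baseline_rps, spike_factor=10, few_sources=10):
    """Flag every second whose request count reaches spike_factor x the baseline rate.

    Each alert also states how many distinct sources took part: a flood from a
    handful of bots can be rate-limited per IP, one bounced off many reflectors
    cannot, so the right response differs.
    """
    per_second = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of crashing mid-incident
        per_second[rec["second"]] += 1
        sources[rec["second"]][rec["ip"]] += 1

    alerts = []
    for second, count in sorted(per_second.items()):
        if count < baseline_rps * spike_factor:
            continue
        srcs = sources[second]
        distinct = len(srcs)
        alerts.append({
            "second": second.isoformat(),
            "requests": count,
            "distinct_sources": distinct,
            "top_source_share": round(srcs.most_common(1)[0][1] / count, 3),
            "pattern": ("few sources (per-IP rate limit helps)" if distinct <= few_sources
                        else "many sources (reflection-like, needs upstream filtering)"),
        })
    return alerts


def constructed_log():
    """Constructed sample: 3 req/s of normal traffic, then two one-second floods."""
    def entry(ip, sec, path="/appointment"):
        return f'{ip} - - [20/Dec/2020:10:00:{sec:02d} +0100] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for sec in range(3):
        lines.extend(entry(f"203.0.113.{i + 1}", sec) for i in range(3))
    lines.extend(entry(f"198.51.100.{i % 3 + 1}", 3) for i in range(60))  # three bots
    lines.extend(entry(f"192.0.2.{i + 1}", 5) for i in range(60))         # sixty reflectors
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in analyze(constructed_log(), baseline_rps=3):
        print(alert)
```

Feed it real logs by replacing constructed_log() with the file's lines; the baseline should come from a quiet period of the same server.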

Digital Transformation

Digital Transformation and Cybersecurity

Digital transformation and the associated (IT) change management have evolved from buzzwords to important drivers in companies. German SMEs are also catching up with these important developments, albeit still hesitantly. Many entrepreneurs shy away from major upheavals in their IT landscapes. Often, they are also faced with the question of how they can drive these important fields forward without the equally important topic of cybersecurity falling behind.

The increasing networking of all machines, as well as business processes, means that entire IT landscapes are at risk from external influences. Therefore, in addition to a digital strategy, a security strategy based on it should also be introduced in the company. This also means that the budgets for corporate IT must be adjusted. After all, a technical upgrade without security measures in the background is on shaky ground.

Here are some important tips

Dismantle isolated solutions

IT structures are usually evolved solutions that have been expanded and supplemented whenever necessary for the respective business model. These isolated solutions are sometimes better, sometimes worse connected via different interfaces – but sometimes they exist side by side so that each branch or subsidiary has its own solution. It is obvious that not only the application structure is confusing, but also the security of the systems is often rather nebulous in such a landscape. Each system must be protected separately, and if – for example when an employee leaves – the network and security plans have not been properly documented and passed on, it is also possible that important protection and security measures may not have been properly checked and adapted.

In addition to economic reasons, the security aspect should also be reason enough for most companies to dismantle these heterogeneous, poorly networked IT landscapes and replace them with an end-to-end application and network landscape. This saves costs and resources in setting up and maintaining company networks and ensures uniformly high security standards in your company.

Do not rely on top-down communication

When describing the approach of German companies to digitization, one often encounters the terms “hesitant,” “slow” and “risk-averse.” Nevertheless, it is clear that something is happening – but also that SMEs, in particular, are having a hard time, especially when it comes to introducing new systems, which may also entail the introduction of new processes. At the management level in particular, people are too attached to the old, which they then want to transform into the new. This does not work, particularly because the employees are not included in the process. Digital transformation and change management thrive on dialog, and especially on bottom-up communication. Yes, you read that correctly. Your employees are the key to the success of your digital transformation process.

Therefore: Take your employees with you

This means two things: learn from your employees. The younger, tech- and IT-savvy generation, in particular, wants to, and especially can, get involved. They contribute ideas. And more importantly, they will provide and implement knowledge. At the same time, it is also important to take along those employees who are rather critical of new technology and the associated change. Take their concerns seriously and address them in your IT and security concept.

But it also means that you should invest in your employees’ knowledge of cybersecurity. Important here: all employees who work in your network and access at least one of your systems or one of your deployed applications. Because no matter how well your company is technically positioned in terms of cybersecurity, the biggest weak point in your security network is the human factor: phishing and social engineering attacks are becoming increasingly sophisticated. That’s why you should optimally prepare your employees for such an emergency through training and testing. In this way, you can proactively close gaps for attackers in the best possible way.

Be proactive

Many companies, but also private individuals, still underestimate how important it is to invest in preventive security measures. As a result, the budget for digital transformation in companies is often large, but the budget for the associated security mechanisms is incomparably smaller. This “what could possibly happen to us” mentality can quickly become very expensive. Even if it doesn’t seem like it at first: investing in security upfront is much cheaper than reacting to damage that has occurred.

Have you been hacked? That means downtime, possible data loss, but even worse: loss of reputation and, in the worst case, dwindling order numbers due to late deliveries or due to your customers’ lack of trust in you and your compliance.

You see: prevention pays off. Reaction can therefore only be the last resort.

Your benefits from a digital transformation based on Cybersecurity

Application and data security and availability

High security standards ensure that your employees always have access to the applications they need. This is the only way to ensure that business processes run smoothly. At the same time, you protect your company’s data and that of your customers. Beyond operational processes, this is also necessary to comply with legal regulations.

Best user experience, first-class compliance management, and cost-efficiency

Networked systems allow your employees to quickly and easily switch between applications with similar user interfaces. This saves a lot of time when learning new programs, but also in the daily workflow. At the same time, with such networking, these systems must be adequately protected so that they cannot be compromised. This sounds costly at first, but imagine the effort if you had to install and maintain security mechanisms at the same high level on every single application. This way, you make things easier for your IT, as well as for the end-user at the workstation. And you can deliver a higher security standard for a lower budget.

Corona vaccine

Corona vaccine data targeted by hackers

On Wednesday evening, unknown hackers managed to penetrate the system of the European Medicines Agency (EMA). In doing so, they were able to capture individual pieces of information on a Corona vaccine that is currently in the approval process. The authority is currently reviewing the approval of the vaccine developed by the Mainz-based company Biontech and the US pharmaceutical giant Pfizer. EMA has not yet disclosed exactly how many and which data are involved.

Who has an interest in data on the Corona vaccine?

It is also still unclear who is responsible for the attack. Experts suspect that secret services, for example from Russia or China, are behind the attack. However, this has not yet been proven. Nevertheless, there are indications that this was a state-initiated attack. The initial approval of an effective and low-risk Corona vaccine is more than just a prestige project for a nation; it is of great economic value. For one thing, patent sales have a direct impact on the national economy. For another, an effective vaccine can ease lockdown regulations, which additionally allows the national economy to recover more quickly.

Biontech and Pfizer emphasize that no data were stolen that would allow conclusions to be drawn about individual test subjects. EMA also announces that the incident has no impact on the further approval process.

Can such attacks be prevented in the future?

Nevertheless, the cyberattack shows how important increased IT security standards are for all organizations in a chain: Biontech and Pfizer’s IT systems are very well secured, experts say. The companies emphasize that they noticed no suspicious activity on their systems. This shows that the hackers did not focus on the well-secured private-sector systems but on the less well-secured ones of the EU authority.

Data protection experts have previously complained, particularly for the healthcare sector, that important data is often only secure in the government’s own system. It is not advisable to assume that upstream and downstream systems meet the same security requirements. This has been proven once again by the current incident. The introduction of a uniformly high security standard in public institutions as well would therefore be beneficial.

You can read more about data protection problems in IT in the German healthcare sector here.

In this blog article, we have summarized why the healthcare sector is coming under the scrutiny of hackers, especially in times of a pandemic.

Critical Infrastructure

Critical infrastructure – Critical cybersecurity

Critical infrastructure in Germany is currently particularly at risk when it comes to cybersecurity. According to the Frankfurter Allgemeine Sonntagszeitung, 141 successful cyber attacks were reported up to the beginning of November 2020. Of these, 43 were directed at healthcare providers. Last year there were 121 successful attempts in the critical infrastructure report and only 62 in 2018.

In addition to the healthcare sector, energy and water suppliers, banks, and insurance companies are also affected. In most cases, such incidents are so-called ransomware attacks, which result in a ransom demand for the decryption of data.

Experts cite the crisis resulting from the Corona pandemic as one of the reasons for the increased number of cyberattacks on companies in the so-called critical infrastructure. Medical institutions in particular still have an increased need for action in the area of IT and cybersecurity. At least 15 percent of IT investments should be spent on IT and cybersecurity.

In this article, we have summarized why the healthcare system is so at risk and what exactly such an investment could look like: Viruses in hospitals – Cybersecurity in the Corona pandemic

Because, of course, similar protection scenarios apply to critical facilities as to the health care system.

CRITIS as a worthwhile target

The advance of digitalization also opens up potential security gaps for attackers. While states were initially particularly interested in overriding the security mechanisms of “enemy” states, this is now increasingly observed among private groups as well. Securing the IT systems of CRITIS operators is not an easy task. On the one hand, these are private-sector companies of various sizes. On the other hand, the IT structures used have a long life cycle, which is why they often do not receive the necessary security updates, or do not receive them promptly. Since 2016, all operators of companies that are part of CRITIS have been required to provide proof of the security of their infrastructure every two years. However, considering the frequency with which malicious software is developed, it is strongly recommended that relevant security updates be carried out much more frequently and that in-depth preventive measures be initiated to secure your systems.

Protecting the attack target “human” in particular is part of a valid security concept. The technical security measures are often high and strong, but they do not protect against the actions of an (inexperienced) user. These include successful phishing attacks, especially so-called spear-phishing campaigns, which make targeted use of social engineering techniques. We therefore recommend regular and in-depth employee training, as well as the establishment of strong multi-factor authentication rules, to protect your system from the human factor in the best possible way.

Webinar

Webinar – Cybersecurity for the “human factor” in medium-sized businesses

Surely you have already encountered the terms “social engineering”, “phishing” or “CEO fraud” and you have a rough idea of the consequences of such attacks on your company. But how do hackers operate? How severe is the threat of Social Engineering for German SMEs? And above all: What measures should you take to increase your cybersecurity?

In our webinar, we will give you an overview of the threats so that you can make a realistic risk assessment. The focus of this webinar will be the human factor, without which cyber attacks today can hardly be performed.

We will show you typical manipulative procedures as well as simple and straightforward measures for prevention and protection. After all, it is important to act proactively to prevent a Cyberattack: That saves you time, money, and nerves!


Date: 11.12.2020

Time: 11:00 AM

Place: online

Speaker: Marc Pantalone, Business Development Manager, HWS Informationssysteme GmbH

Register by writing an email to


The webinar will be in the German language.

We are looking forward to meeting you!

Mimikatz

Mimikatz – a cute name, but a dangerous Offensive Security Tool

The Windows security tool Mimikatz may have a cute name – but it also has a great potential for damage. It was originally developed to demonstrate the security vulnerabilities of Windows systems, as there is a gap in the authentication process. It quickly evolved from a tool for white-hat hackers to one for black-hat hackers. Nevertheless, even today, admins still use the tool to detect and then close security holes in their own systems. Mimikatz is thus one of the best-known Offensive Security Tools (OST) and is freely available as open source.

How does Mimikatz work?

With the help of Mimikatz, it is possible to read passwords, PINs, and Kerberos tickets from Windows systems, which is why it is often used by malware attackers. For this purpose, Mimikatz uses the Windows single sign-on function, which has the so-called “WDigest” feature. This feature is used to load encrypted passwords and their keys into memory. Companies and other organizations in particular use this feature to authenticate user groups. Although WDigest is disabled by default in Windows 10, anyone with administrative rights can enable it and thus read out the passwords of the user groups using Mimikatz.

This makes the software a powerful tool for hackers

Root access is required to successfully introduce Mimikatz into a system. Once the software is in the system, Mimikatz can be used in several ways:

Pass-the-hash – In earlier versions, Windows saved passwords in a so-called NTLM hash when logging in. Attackers can therefore use Mimikatz to copy this exact hash string and use it on the target computer to log in. The password does not even have to be known for this, since this character string is sufficient for authentication.

Pass-the-Ticket – Newer versions of Windows no longer use an NTLM hash for authentication, but so-called Kerberos tickets. Mimikatz is now able to read this ticket and pass it on to another computer so that you can log in there as this user.

Over-Pass-the-Hash (Pass-the-Key) – With the help of the key obtained in this way, hackers can impersonate users that are authenticated via a domain controller.

Kerberos Golden Ticket – A golden ticket gives you domain administration rights for each computer on the network. Perfidious: Golden tickets do not expire.

Kerberos Silver Ticket – Kerberos gives a user a TGS ticket that is used to log on to all services on the network. This is possible because Windows does not check TGS tickets at every login.

Pass-the-Cache – In general, this is the same tactic as a pass-the-ticket attack. However, no Windows system is compromised here; instead, the stored login data is used on a Mac, UNIX, or Linux system.

To protect your system

Ideally, Mimikatz should not be able to access your system at all. A prerequisite for an initially secure Windows system is an upgrade to Windows 10 (or at least 8.1). If this is not possible, it is at least advisable to disable WDigest manually, although this should probably only be a small hurdle for a skilled attacker. Regardless of the Windows version used, a configuration of the Local Security Authority (LSA) is necessary.

Unfortunately, an overriding admin password is still common practice in companies today, although this is a well-known security hole. Every Windows machine needs its own unique administrator password. The combination of LSASS and safe mode makes Mimikatz ineffective under the newer Windows versions.
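The two settings named above, disabling WDigest and configuring the LSA, can be audited in code. This is an added example (not from the original post); it evaluates the real registry values WDigest\UseLogonCredential and Lsa\RunAsPPL, reads them with winreg when run on Windows, and otherwise accepts values collected from other machines. The version tuples and sample values are constructed.

```python
import sys

# Real registry locations under HKEY_LOCAL_MACHINE
WDIGEST_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"


def assess(use_logon_credential, run_as_ppl, windows_version):
    """Evaluate WDigest\\UseLogonCredential and Lsa\\RunAsPPL.

    use_logon_credential / run_as_ppl: the DWORD value, or None if the value is
    absent. windows_version: (major, minor), e.g. (6, 1) = 7, (6, 3) = 8.1,
    (10, 0) = 10. Returns a list of (severity, finding) tuples; empty is good.
    """
    findings = []
    modern = windows_version >= (6, 3)
    # WDigest: an absent value means "off" only from Windows 8.1 on; on older
    # builds plaintext credential caching in LSASS is on unless set to 0.
    if use_logon_credential == 1:
        findings.append(("high", "WDigest enabled (UseLogonCredential=1): plaintext "
                                 "credentials are cached in LSASS; set the value to 0"))
    elif use_logon_credential is None and not modern:
        findings.append(("high", "WDigest not explicitly disabled on pre-8.1 Windows; "
                                 "create UseLogonCredential=0"))
    if not modern:
        findings.append(("medium", "Windows older than 8.1: upgrade, LSA protection "
                                   "is not available on this version"))
    elif not run_as_ppl:
        findings.append(("medium", "LSA protection off: set Lsa\\RunAsPPL=1 so LSASS "
                                   "runs as a protected process"))
    return findings


def audit_local_machine():
    """Read the values from the local registry (Windows only) and assess them."""
    import winreg  # only exists on Windows

    def value(key, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:
            return None  # key or value absent

    ver = sys.getwindowsversion()
    return assess(value(WDIGEST_KEY, "UseLogonCredential"),
                  value(LSA_KEY, "RunAsPPL"), (ver.major, ver.minor))


if __name__ == "__main__":
    if sys.platform == "win32":
        for severity, text in audit_local_machine():
            print(f"[{severity}] {text}")
    else:
        # constructed sample: a Windows 7 host with nothing configured
        for severity, text in assess(None, None, (6, 1)):
            print(f"[{severity}] {text}")
```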

You should also educate your employees about the dangers of phishing emails and limit the use of macros,

Detecting Mimikatz

Detecting Mimikatz is difficult, since most detection solutions do not work against the software. The only real solution to reliably identify Mimikatz is to specifically examine your own system for it. The use of a manual network monitoring component is therefore highly recommended.

So what to do?

In the end, Mimikatz remains a highly dangerous and efficient tool for hackers that can easily slip past automated security checks. It is therefore the human being’s duty to remain vigilant. Simple security measures such as unique admin passwords for each machine, only the necessary admin and remote access, and multi-factor authentication that does not rely on the logic of Windows systems form a strong hurdle.

Black Friday

Black Friday – How Cybercriminals are hunting for your data

It’s the end of November and thus bargain time for most of us: Under names like Black Friday, Black Week, Cyber Week, Cyber Friday – or other creative names – companies are now luring us bargain hunters in the fight for pre-Christmas business. But the bargains not only attract us as consumers but also cybercriminals. And these in turn lure us with “offers” via e-mail or online ads, to elicit our data unnoticed. The British National Cyber Security Centre (NCSC) has now renewed its warning on the occasion of the Shopping Week to be careful when shopping online. Consumers should be particularly careful where they shop and what data they disclose when they do so, especially in the rush to buy and find bargains.

Black Friday offers via phishing e-mails

However, this mindfulness begins even before the actual shopping experience, because among the flood of genuine offer e-mails from various providers, one or the other phishing e-mail can also be hidden. Of course, everyone wants to participate in the pre-Christmas business, but these phishing emails are out to get usernames, passwords, or credit card information – for nothing in return, of course. You’d better be wary of offers from merchants you don’t know, or of direct links to bargain items. In any case, it’s better to manually enter the merchant’s site into the search box to make sure you end up on the right homepage. If it is a real offer from the dealer, it will be there already. Because often enough the rule is: If the offer is too good to be true, then it probably is!

More information?! – Then better no information

There is nothing to be said against trying out smaller and unknown retailers and not always buying from the same well-known multinational supplier. But there are a few clues that help to distinguish serious websites from dubious ones. For example, the payment process should be clearly arranged and no personal information should be requested that is not necessary. Additional security details such as a codeword or a secret question may sound trustworthy at first – but they are not at all. During the payment process, you should really not be asked for your mother’s maiden name, your first pet, or your brother’s place of residence. At this point at the latest, you should cancel the purchase process. Ideally, before you have given your bank details.

Check the security of the payment process

Multi-factor authentication is to be evaluated completely differently from an unnecessary security question. It serves to identify you as the buyer. Without entering a second factor in addition to the password – usually, a code sent to you by e-mail or SMS – nobody can place an order. This ensures that only those who have access to your e-mail address or your smartphone can carry out this process. However, not all serious online stores offer this: If you want at least a little security, check the address bar of your browser before entering your data. If there is a padlock symbol there, it means that the connection to the merchant is secure. Of course, this does not mean that the dealer is legitimate, but at least the connection is secure.

And if the store asks you to save your payment data, do so only if you are really sure that you want to order there again. Otherwise, this information is absolutely unnecessary and creates another weak point.

Black(out) Friday and Amazon Phishing Day

A similar phenomenon as around Black Friday can also be found on Amazon Prime Day: Here, too, cybercriminals take advantage of an event and the bargain mood of the customers around it to obtain passwords, credit card data, and the like. In their phishing campaigns, cybercriminals give their fake Amazon site a similar structure and often use promotions similar to those of the “real” Amazon. These campaigns are especially perfidious because the URLs are also made to come as close as possible to the original and have at least “amazon” in their name. Often the URL is unnecessarily long, so that it is not obvious at first glance that this is a completely different page which seems to belong to Amazon but is ultimately hosted somewhere else.

You should always be suspicious if you are not supposed to enter a password at Amazon – but other personal information, including your credit or debit card number. Security experts therefore strongly recommend that you always start on the actual page and never from an email link, even for special promotions such as Amazon Prime Day or Black Friday. Also, if you enter your information differently than usual, you may be dealing with a fraudulent fake site. And pay attention to details: Does the page look the way you are used to? Is the shopping cart icon in the same place as usual? Are all pictures in focus? Can you get to the store’s homepage by clicking on the store’s logo? Is continuous navigation in the store possible? Is the URL complete and logical? Only when all these things are correct should you start the payment process.
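The URL checks in the two paragraphs above ("amazon" somewhere in the name, an unnecessarily long address, a missing padlock) can be made mechanical. This is an added example, not from the original post: it extracts the registrable domain from a URL and warns when the brand name only appears in a subdomain, the path, or the user-info part before an "@". The legitimate domain set and all sample URLs are constructed, and the tiny suffix table stands in for the public suffix list a real checker would use.

```python
from urllib.parse import urlsplit

# Constructed: the shop domains you actually intend to buy from.
LEGITIMATE_DOMAINS = {"amazon.de", "amazon.com", "amazon.co.uk"}

# Simplified stand-in for the public suffix list; enough for the samples here.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Constructed sample URLs: one genuine, three modelled on the patterns described above.
SAMPLE_URLS = [
    "https://www.amazon.de/dp/EXAMPLE",
    "http://amazon.de.prime-day.example/ap/signin?openid=1",
    "https://www.amazon.de@198.51.100.7/signin",
    "https://login.amazon.de.account-check.example/ap/signin?token=" + "x" * 80,
]


def registrable_domain(host):
    """'login.amazon.de.prime-day.example' -> 'prime-day.example'."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host  # bare IPv4 address: there is no registrable domain
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url, brand="amazon", legitimate=LEGITIMATE_DOMAINS, max_length=120):
    """Return a list of warnings; an empty list means the URL passed every check."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit already lower-cases it
    domain = registrable_domain(host)
    if parts.scheme != "https":
        warnings.append("no https: the browser will show no padlock")
    if parts.username is not None:
        # Everything before '@' is user-info, not the site; the request goes to host
        warnings.append(f"text before '@' is not the site; the request goes to {host}")
    if domain not in legitimate:
        if brand in host:
            warnings.append(f"'{brand}' is only a subdomain label; the site is served by {domain}")
        elif brand in (parts.path + parts.query).lower():
            warnings.append(f"'{brand}' appears only in the path or query of {domain}")
        if len(url) > max_length:
            warnings.append(f"URL is {len(url)} characters long; the length hides the real host")
    return warnings


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample[:60], "->", inspect_url(sample) or ["ok"])
```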

cybersecurity in the healthcare system

Data protection and cybersecurity in the healthcare system

The digitalization of our healthcare system is progressing massively: The German federal government is promoting the networking of medical facilities through the so-called telematics infrastructure (Telematikinfrastruktur, TI). As a result of the corona crisis, the need for online communication between doctors and patients has increased. In addition to these developments, the electronic patient file will be introduced in January 2021.

With such networking of our healthcare system, it is time to take a critical look at the security of the systems and thus of our data. The importance of cybersecurity for the protection of patient records is unfortunately demonstrated by those cases in which attackers have succeeded in penetrating an institution’s system, paralyzing it, or – in the worst case – even stealing data records.

There have also been many reports of major attacks on hospital IT worldwide in recent times. However, it should not be forgotten that cyberattacks can affect not only large medical institutions. They also affect small, independent doctor’s offices – and such a single attack can threaten their existence for various reasons. It also involves risks for us consumers.

Securing IT structures in the healthcare system properly

Basics of secure IT systems

First of all, medical institutions, more than any other, must carefully select and maintain their IT infrastructure. An up-to-date operating system with all relevant security updates, a functioning hardware firewall, and an up-to-date and intelligent anti-virus program should be standard. Besides, there should be regular security updates and, ideally, daily backups that cannot be modified from the system itself. In this way, facilities can be up and running again quickly in the event of a ransomware attack, and the loss of data in your own systems is at least limited.

But password security is also an important point that all too often gets lost in everyday professional life: For many physicians in private doctor’s office, it is necessary to find a compromise between security and practicability. Especially because computers at reception or in laboratories may be used by several people. Nevertheless, even these shared passwords should comply with security standards and be renewed regularly. We also recommend the introduction of a practicable multi-factor authentication.

Since this is a sensitive infrastructure, clear rules for IT use in the workplace should also be established: May private mails be checked? Are online purchases or other surfing behavior allowed? May own storage media be brought and used? Are there special devices that are not connected to the doctor’s office network? It is important here to increase awareness of possible security gaps that could arise from this behavior. Employee training courses on cybersecurity, phishing, or social engineering should therefore be held regularly.

Cyber insurance can also minimize the (financial) risks that arise after an attack has taken place. Often good security concepts ensure that the contribution is minimized, and only the compulsion to deal with this topic creates good conditions for the actual implementation of plans.

Increased security thanks to telematics infrastructure (TI)?

With the large-scale introduction of the telematics infrastructure (TI) in German doctor’s offices since 2018, the security of the systems was supposed to be further increased. Patient information was to be made available quickly and securely via this secure channel in order to reduce the treatment costs caused by repeated examinations. However, reports are accumulating that the connection to the network is not as secure as announced.

Which security gaps in TI are described?

Although practices have been obliged to connect to the TI, liability in the event of cyberattacks in particular, and thus for data protection issues, has not been sufficiently clarified. Last year, the IT expert Jens Ernst from happycomputer already revealed considerable data protection deficiencies in the way practices are connected to the telematics infrastructure.

This starts with the way the TI connector is integrated into the practice network. Here there is a choice between serial and parallel integration. Although serial integration initially requires more installation effort, it offers the advantage that all devices in the practice are included in the federal security network; according to information from the Gematik, no extra protection on the part of the practice owners is then necessary. Parallel integration, on the other hand, requires the physicians to make their own efforts to secure their existing systems and devices. This really only makes sense for larger units that had already integrated many devices into their system beforehand.

Nevertheless, it seems that most units were connected in parallel operation. In this case, the practice owners themselves would now have to ensure that their own systems are secured. However, many claim that they have not been sufficiently informed about this by their IT provider. Ernst describes that even in the few facilities that have been connected serially, the security systems do not function correctly: the firewall of the TI connector in use was not able to detect an anti-virus test file that he had placed on the system. This means that even in this case there is no protection against access by third parties without further security measures. In the vast majority of doctor’s offices there is therefore no hardware firewall, regardless of how they are integrated. In addition, the virus protection on the computers and the software firewall that every computer has today were often switched off.

How can the healthcare system guarantee cybersecurity?

Ernst calls for an open approach to the topic of cybersecurity, which basically rests on three pillars:

  1. A doctor’s office needs a higher security level than just a router, which is often all there is today.
  2. Sensitive data should not be sent via a WIFI network. The connector’s LAN segment sends data unencrypted; anyone who has intruded into the WIFI can “listen in”.
  3. Devices that cannot be sufficiently protected due to their design should either not be used at all or be operated in a DMZ (demilitarized zone).

He also proposes setting up a DMZ in which all TI systems are included. This is currently not even the case for the telematics infrastructure itself. He further criticizes the fact that IT specialists do not need a separate certificate from Gematik to connect the TI. Such a certificate would ensure that only trained personnel are allowed to carry out the installation and that sufficient educational work is done with the physicians, who are the ones liable.

In summary, Ernst states that the security of all systems can only be guaranteed if the vast majority of practices completely remove their computers and devices from the network. Neither the TI connectors nor the practices’ own systems would offer any protection whatsoever for safely storing consumer data.

As security experts, we too say that security should clearly be the most important starting point for digitization. The security of the systems must be guaranteed before any equipment is connected.


Viruses in hospitals – Cybersecurity in the Corona pandemic

The corona pandemic is pushing hospitals and care facilities to their limits, and this also affects the cybersecurity of many facilities. According to Interpol, an increasing number of attacks on hospital IT networks has been reported in recent months.

In the USA in particular, the FBI has been warning since October about increasing cyberattacks on hospitals and the service providers connected to them. At the end of October, various facilities were successfully infected with ransomware. Because their data was encrypted, normal operation of the hospitals was no longer possible.

But why do hospitals in particular offer such good targets for cyberattacks?

IoT implementation despite low security standards

Hospital IT is one thing above all: historically grown. And that is exactly the problem, in two respects. Historically grown means that not all operating systems and application structures are necessarily state of the art; important security updates or patches that would protect the systems are often missing. At the same time, the technical infrastructure in the healthcare sector is growing rapidly because of the digitalization of various processes.

This includes medical devices that communicate via IoT, often with the office network as well. The latter is potentially high-risk, since an attack on office computers then also affects the IoT devices behind them. Portable medical devices that remotely monitor patients’ vital signs could fail under certain circumstances. A cyberattack could therefore be life-threatening for patients.

Hospitals are also using opportunities for further digital expansion in the area of office IT: new PCs, tablets or other smart devices are being purchased that can be used to communicate patient data internally. However, these devices may not even be designed for use in a highly sensitive environment such as a hospital and may not comply with data protection laws or cybersecurity standards. Weak points in their security are therefore ideal starting points for compromising the technical infrastructure.

In addition, some institutions are forced to cut costs and often lack the budget for adequate security of their IT systems. Although they invest in the latest technology, they lack the money and know-how for the corresponding security. And sometimes the clinics themselves are not in control of the security installations, namely whenever they are connected to third-party providers and their systems: even if their own IT has very good security standards, this does not necessarily hold for the external providers.

Cybersecurity – not just a matter of time

A lack of personnel, and thus a lack of time, is unfortunately everyday life in the medical and nursing professions. Often there is not enough time for the actual work, so where is the time to deal with cybersecurity supposed to come from? Most people are probably familiar with simple rules such as locking the screen as soon as you leave your desk or checking the sender of an e-mail. But in everyday business life the necessary time and/or awareness of the dangers involved is often lacking. Employee training on cybersecurity could help here, if only time and budget were available.

Nevertheless, heightened attention would make sense. Hospitals are public institutions and therefore easily accessible. Even if the measures taken during the corona period make access more difficult, it should at least be noted that the reception area in particular poses a potential cybersecurity risk: in an unattended moment, an attacker could gain a foothold in the hospital’s IT system by installing malware unnoticed on the reception PC via a USB stick.

Modern hospitals also act as IT service providers themselves: WIFI access is provided for patients and visitors. If these systems are not separated from the actual company network, a potential gateway for hackers is left open.

Increasing the endpoint security of the diverse hospital IT landscape

As you can see, hospitals and other medical facilities already have a diverse IT landscape as a whole. These interwoven areas make the entire IT system vulnerable as soon as a weakness appears anywhere. Because of the sensitivity and criticality of the data and of the associated devices and procedures, they require very high security standards. Increasing the endpoint security of KRITIS facilities (critical infrastructure) should therefore be a priority.

A mantra that not only we repeat again and again is the active training of employees, which as an organizational measure is part of endpoint security: education creates awareness of possible sources of danger and of how to prevent them. Well-configured e-mail protection is also mandatory for a KRITIS institution.

In addition, Internet access should only be available on those devices that need it. RDP (Remote Desktop Protocol) ports should be secured in such a way that access from outside is not possible. And above all: business-critical areas and the visitor and patient WIFI must not be connected under any circumstances!
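The network rules in this paragraph and the three pillars listed in the section on the telematics infrastructure above (no RDP from outside, guest WIFI isolated from business-critical segments, Internet access only for devices that need it, unprotectable devices and TI systems confined to a DMZ) are easy to state and easy to lose track of as a rule set grows. The following Python audit is an added example, not code from the article or from any vendor: it takes a zone-based firewall rule list and a device inventory and reports every rule or placement that violates those policies. The zone names, the `Rule` data model, the sample rules and the device names are constructed assumptions; a real deployment would export the rule set from the firewall in use and map it onto this model.

```python
"""Audit a zone-based firewall policy against the segmentation rules from the text.

Added example, not from the original article. Zone names (assumption):
  wan        - Internet side of the router
  office     - practice / hospital office computers, reception, lab PCs
  ti_dmz     - separate segment holding the TI connector and other TI systems
  device_dmz - segment for devices that cannot be hardened by design
  guest_wifi - WLAN offered to patients and visitors
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

INTERNAL_ZONES = {"office", "ti_dmz", "device_dmz"}
RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str = "any"                   # "tcp", "udp" or "any"
    dport: Optional[int] = None          # None means any destination port
    src_hosts: frozenset = frozenset()   # empty means every host in src_zone
    action: str = "allow"                # "allow" or "drop"


def _permits_rdp(rule: Rule) -> bool:
    return rule.proto in ("tcp", "any") and rule.dport in (None, RDP_PORT)


def audit_rules(rules: Iterable[Rule], internet_hosts: frozenset) -> list[str]:
    """Return one finding per violated policy; an empty list means the rules comply."""
    findings: list[str] = []
    for r in rules:
        if r.action != "allow":
            continue  # only allow rules can open something up
        # Policy 1: RDP must not be reachable from the Internet.
        if r.src_zone == "wan" and r.dst_zone in INTERNAL_ZONES and _permits_rdp(r):
            findings.append(f"RDP reachable from the Internet into {r.dst_zone}")
        # Policy 2: the visitor/patient WIFI never talks to internal zones.
        if r.src_zone == "guest_wifi" and r.dst_zone in INTERNAL_ZONES:
            findings.append(f"guest WIFI can reach internal zone {r.dst_zone}")
        # Policy 3: Internet access only for explicitly named hosts.
        if r.dst_zone == "wan" and r.src_zone in INTERNAL_ZONES:
            if not r.src_hosts:
                findings.append(f"entire zone {r.src_zone} has Internet access")
            elif not r.src_hosts <= internet_hosts:
                extra = ", ".join(sorted(r.src_hosts - internet_hosts))
                findings.append(f"unexpected hosts with Internet access: {extra}")
        # Policy 4: the TI segment is reachable from the office segment only.
        if r.dst_zone == "ti_dmz" and r.src_zone != "office":
            findings.append(f"TI segment reachable from {r.src_zone}")
    return findings


def audit_placement(devices: dict[str, tuple[str, bool]]) -> list[str]:
    """devices maps name -> (zone, can_be_hardened). Unhardenable devices belong in device_dmz."""
    return [
        f"{name} cannot be hardened but sits in {zone}"
        for name, (zone, hardenable) in devices.items()
        if not hardenable and zone != "device_dmz"
    ]


# Constructed sample policy with three deliberate violations.
SAMPLE_RULES = [
    Rule("office", "ti_dmz", "tcp", 443),                               # practice software -> connector
    Rule("ti_dmz", "wan", "any", None, frozenset({"ti-connector"})),    # connector VPN to the TI
    Rule("office", "wan", "tcp", 443, frozenset({"reception-pc", "admin-pc"})),
    Rule("wan", "office", "tcp", RDP_PORT),                             # violation: RDP from outside
    Rule("guest_wifi", "office"),                                       # violation: guest WIFI -> office
    Rule("guest_wifi", "wan", "tcp", 443),                              # fine: guests browse the web
]
INTERNET_HOSTS = frozenset({"ti-connector", "reception-pc"})            # admin-pc is not on the list
SAMPLE_DEVICES = {
    "reception-pc": ("office", True),
    "ultrasound": ("office", False),          # violation: unhardenable device in office zone
    "infusion-pump": ("device_dmz", False),
}

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, INTERNET_HOSTS) + audit_placement(SAMPLE_DEVICES):
        print("VIOLATION:", finding)
```

Drop rules are skipped on purpose: the audit only asks which allow rules open a path the policy forbids, which is also the question to ask when reviewing a freshly installed TI connector or a new guest WLAN.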

And, we cannot repeat this often enough, activate multi-factor authentication (MFA) for all applications connected to business-critical networks. This puts up a high hurdle against intrusion by unauthorized third parties and, above all, against them compromising the systems.