A comment by Arved Graf von Stackelberg, CSO at DRACOON
Regensburg, 22 November 2018 – During the last week a devastating IT security incident occurred in a German hospital. The Fürstenfeldbruck clinic in Bavaria suffered severe disruption of its operations due to an e-mail attachment contaminated with malware. For a time none of the clinic's 450 computers could be operated normally, and only little by little could the individual computers resume their normal service. Initially, medical care was unaffected, but every new patient meant a considerable amount of extra work. For example, every single blood sample intended for the lab had to be labelled by hand, and all medical findings and patient data had to be passed on internally in paper form. In the end, the clinic was signed off from the integrated emergency dispatch centre and emergencies were redirected to surrounding hospitals.
This malware attack against the Bavarian clinic is by no means an isolated case – especially within the last three years incidents like this have become more frequent, e.g. in the wake of the ransomware wave “WannaCry”. How many healthcare institutions have fallen victim to cybercriminals is hard to quantify, as the reporting obligation for IT security incidents only applies to the largest clinics, which make up just 10 percent of all institutions. A minor parliamentary inquiry (Kleine Anfrage) submitted by the SPD in the Hessian Landtag gives some indication: of the 40 answers received from hospitals, one in four stated that they had recorded at least one cyber incident in the last two years. The far larger “Krankenhausstudie 2017” by the consultancy Roland Berger showed that 64% of the 500 hospitals questioned had already become victims of hacker attacks.
Those responsible in the healthcare sector have to adapt the level of protection to the sensitivity of the data and must not underestimate the danger if they do not want to be affected themselves. It is important to combine security and efficiency and by no means neglect one aspect for the other. Especially within the healthcare sector, fast and secure transmission and continuous availability of data are of key importance. It is crucial for clinics to exchange large quantities of data without time losses and to make examination results accessible quickly. Nevertheless, it is an absolute must that these mostly personal data are protected at the highest security level, so that no information ends up in the hands of unauthorised third parties and ideal treatment of patients can be guaranteed at any time.
With the help of a certified, data-protection-compliant enterprise file-sharing solution that effectively and securely supports the health workforce with their daily challenges, enterprises in the healthcare sector are well equipped. Certificates decision-makers should look out for are, for example, the ISO 27001 standard or the European Privacy Seal (EuroPriSe). In order to achieve maximum data security, the data should already be encrypted on the end device. Solutions that publish their encryption code as open source offer a further advantage: this way administrators can convince themselves that the encryption is seamless. Lastly, ransomware protection in the storage layer is particularly useful. Because every version of the data is saved automatically, data encrypted by a hacker attack can be restored without time loss from the recycle bin.
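To make the last point concrete, here is an added example (not DRACOON's code and not part of the original comment) of a hypothetical versioned file store with a recycle bin: every write appends a version instead of overwriting, deletes are reversible, and a simple byte-entropy heuristic flags versions whose content looks like ciphertext so an administrator can roll a file back to its last clean version. The store, the paths and the lab-result bytes are all constructed for the example; random bytes stand in for ransomware output.

```python
from __future__ import annotations

import hashlib
import math
import os
from dataclasses import dataclass, field


@dataclass
class Version:
    seq: int          # 1-based version number, never reused
    sha256: str       # content hash, usable for integrity checks
    data: bytes


@dataclass
class VersionedStore:
    """Hypothetical in-memory store: every write appends a version, deletes
    move the history to a recycle bin, and nothing is physically discarded."""
    files: dict = field(default_factory=dict)        # path -> list[Version]
    recycle_bin: dict = field(default_factory=dict)  # path -> list[Version]

    def put(self, path: str, data: bytes) -> int:
        versions = self.files.setdefault(path, [])
        versions.append(Version(len(versions) + 1, hashlib.sha256(data).hexdigest(), data))
        return versions[-1].seq

    def get(self, path: str, seq=None) -> bytes:
        versions = self.files[path]
        return versions[-1].data if seq is None else versions[seq - 1].data

    def delete(self, path: str) -> None:
        self.recycle_bin[path] = self.files.pop(path)

    def undelete(self, path: str) -> None:
        self.files[path] = self.recycle_bin.pop(path)

    def rollback(self, path: str, seq: int) -> int:
        # Re-publish an older version as the new head; history stays intact.
        return self.put(path, self.get(path, seq))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_versions(store: VersionedStore, path: str, threshold: float = 7.0) -> list:
    """Version numbers whose content looks like ciphertext. High entropy is
    only a signal (compressed files trigger it too), so treat it as a hint."""
    return [v.seq for v in store.files[path] if shannon_entropy(v.data) > threshold]


def recover_after_overwrite():
    """Scenario: a lab result is stored, then overwritten with ciphertext-like
    bytes, flagged, rolled back, deleted and restored from the recycle bin."""
    store = VersionedStore()
    path = "lab/sample-001.txt"                 # constructed path
    clean = b"Sample: [constructed placeholder]\nHb: 13.8 g/dL\nCRP: 4 mg/L\n"
    store.put(path, clean)                      # version 1: clean lab result
    store.put(path, os.urandom(4096))           # version 2: stand-in for ransomware output
    flagged = suspicious_versions(store, path)  # expected: [2]
    last_clean = max(v.seq for v in store.files[path] if v.seq not in flagged)
    store.rollback(path, last_clean)            # version 3 carries version 1's content
    store.delete(path)                          # a deletion is equally reversible
    store.undelete(path)
    return flagged, store.get(path) == clean


if __name__ == "__main__":
    print(recover_after_overwrite())
```

The design point is that the storage layer, not the client, guarantees recoverability: a malware process on an end device can only ever add versions or move files to the recycle bin, so the administrator's restore path does not depend on the compromised machine.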
As a provider of an enterprise file-sharing solution, we concentrated early on the security requirements in the area of KRITIS (critical infrastructure). The fact that the biggest clinic groups, Sana and Helios, put their trust in our solution shows that there is only one highly secure solution for data exchange that paves the way to the “hospital 4.0”. Furthermore, our solution is being used for international research projects in the field of e-health and for the remote monitoring of patient data. In this field we are currently working on creating new standards and are confident that decision-makers in the healthcare sector will recognise the urgency of data security and data protection and will act accordingly.